Adware-SideFind

Type: Program
SubType: Adware
Discovery Date: 03/14/2005
Minimum DAT: 4446 (03/14/2005)
Updated DAT: 4957 (02/06/2007)
Minimum Engine: 5.1.00
Description Added: 03/14/2005
Description Modified: 03/21/2005 4:32 PM (PT)

Characteristics

McAfee(R) AVERT™ recognizes that this program may have legitimate uses in contexts where an authorized administrator has knowingly installed this application.  If you agreed to a license agreement for this, or another bundled application, you may have legal obligations with regard to removing this software, or using the host application without this software. Please contact the software vendor for further information.

See http://vil.nai.com/vil/DATReadme.asp for a list of Program detections added to the DATs.

See http://vil.nai.com/vil/pups/configuration.htm for information about how to enable, disable, and exclude detection of legitimately installed programs.

Installation

Upon execution of the file, a sidebar is added to Internet Explorer as a browser helper object (BHO), and a sidebar toggle button is also added to the IE toolbar.

The updated copy of sidefind.exe is always downloaded when network access is present. The sidebar hijacks Internet Explorer to show its own search results. The search words are silently transmitted in order to show relevant ad-oriented search results.

The application does not show any information about the EULA or privacy policy. The main executable does not carry the company name; however, one of the dropped DLLs, sidefind.dll, carries the company name IST (makers of adware-ISTbar).

It has been observed that it contacts the following websites

File and Registry changes

It creates the following files upon execution

The downloaded files are stored in “c:\program files\sidefind” folder.

  • File name: sidefind.dll (Size: 89,600 bytes)
    MD5: FC 90 D8 C2 38 CC 50 19 EA 58 4E CA 7D F1 07 CF
  • File name: sfbho.dll (Size: 96,256 bytes)
    MD5: 6D 14 46 42 77 D4 3B CF 63 CD 5A 03 2E F2 7A 17

It registers the DLLs as Browser Helper Objects in Internet Explorer

  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8CBA1B49-8144-4721-A7B1-64C578C9EED7}\InprocServer32\: "C:\Program Files\SideFind\sidefind.dll"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A3FDD654-A057-4971-9844-4ED8E67DBBB8}\InprocServer32\: "C:\Program Files\SideFind\sfbho.dll"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{58634367-D62B-4C2C-86BE-5AAC45CDB671}\1.0\0\win32\: "C:\Program Files\SideFind\sidefind.dll"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D0288A41-9855-4A9B-8316-BABE243648DA}\1.0\0\win32\: "C:\Program Files\SideFind\sfbho.dll"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SideFind\UninstallString: ""C:\Program Files\Sidefind\update\sidefind.exe" /remove"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SideFind\webautosearch: "true"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{10E42047-DEB9-4535-A118-B3F6EC39B807}\Icon: "C:\PROGRA~1\SideFind\sidefind.dll,201"
  • HKLM\SOFTWARE\SideFind\PathBHO: "C:\Program Files\SideFind\sfbho.dll"
  • HKLM\SOFTWARE\SideFind\PathDLL: "C:\Program Files\SideFind\sidefind.dll"
  • HKLM\SOFTWARE\SideFind\PathEXE: "C:\Program Files\Sidefind\update\sidefind.exe"
  • HKLM\SOFTWARE\SideFind\SearchSite: http://www.sidefind.com/results.php?target=_external&
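
A read-only check for the files and registry entries listed above, as an added PowerShell example that is not part of the original description. It assumes PowerShell 4 or later (for Get-FileHash) and, as a further assumption, also looks under WOW6432Node on 64-bit Windows; the variable names are illustrative.

```powershell
# Added example: read-only check for the Adware-SideFind artifacts listed above.
# Paths, CLSIDs, sizes and MD5 values are copied from this page.
$dir   = 'C:\Program Files\SideFind'
$files = @(
    @{ Name = 'sidefind.dll'; Size = 89600; MD5 = 'FC90D8C238CC5019EA584ECA7DF107CF' },
    @{ Name = 'sfbho.dll';    Size = 96256; MD5 = '6D14464277D43BCF63CD5A032EF27A17' }
)
$keys = @(
    'HKLM:\SOFTWARE\Classes\CLSID\{8CBA1B49-8144-4721-A7B1-64C578C9EED7}\InprocServer32',
    'HKLM:\SOFTWARE\Classes\CLSID\{A3FDD654-A057-4971-9844-4ED8E67DBBB8}\InprocServer32',
    'HKLM:\SOFTWARE\Classes\TypeLib\{58634367-D62B-4C2C-86BE-5AAC45CDB671}',
    'HKLM:\SOFTWARE\Classes\TypeLib\{D0288A41-9855-4A9B-8316-BABE243648DA}',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SideFind',
    'HKLM:\SOFTWARE\Microsoft\SideFind',
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Extensions\{10E42047-DEB9-4535-A118-B3F6EC39B807}',
    'HKLM:\SOFTWARE\SideFind'
)
$findings = @()

foreach ($f in $files) {
    $path = Join-Path $dir $f.Name
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $item  = Get-Item -LiteralPath $path
        $md5   = (Get-FileHash -LiteralPath $path -Algorithm MD5).Hash
        # The page says an updated sidefind.exe is downloaded, so treat a mismatch
        # as a possible newer build, not as a clean file.
        $known = ($md5 -eq $f.MD5) -and ($item.Length -eq $f.Size)
        $findings += [pscustomobject]@{
            Type = 'File'; Item = $path
            Detail = "MD5=$md5 Size=$($item.Length) KnownSample=$known"
        }
    }
}

foreach ($k in $keys) {
    # Assumption: a 32-bit installer on 64-bit Windows is redirected under WOW6432Node.
    $views = @($k, ($k -replace '^HKLM:\\SOFTWARE\\', 'HKLM:\SOFTWARE\WOW6432Node\'))
    foreach ($view in $views) {
        if (Test-Path -LiteralPath $view) {
            $default = (Get-ItemProperty -LiteralPath $view).'(default)'
            $findings += [pscustomobject]@{ Type = 'Registry'; Item = $view; Detail = "Default=$default" }
        }
    }
}

if ($findings) { $findings | Format-List }
else { 'No Adware-SideFind artifacts from this page were found.' }
```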

The following image shows how the adware hijacks the browser to show its own results in a "side-bar".

Aliases

    N/A