Adware-Boran

Type: Program
SubType: Adware
Discovery Date: 04/17/2006
Length:
Minimum DAT: 4742 (04/17/2006)
Updated DAT: 5313 (06/09/2008)
Minimum Engine: 5.1.00
Description Added: 04/17/2006
Description Modified: 06/02/2006 2:12 AM (PT)
Risk Assessment:
  Corporate User: N/A
  Home User: N/A

Characteristics

McAfee(R) AVERT™ recognizes that this program may have legitimate uses in contexts where an authorized administrator has knowingly installed this application. If you agreed to a license agreement for this, or another bundled application, you may have legal obligations with regard to removing this software, or using the host application without this software. Please contact the software vendor for further information.

See http://vil.nai.com/vil/DATReadme.aspx for a list of Program detections added to the DATs.

See http://vil.nai.com/vil/pups/configuration.aspx for information about how to enable, disable, and exclude detection of legitimately installed programs.

Summary:

This is not a virus or trojan. It is a program that, when active on a computer, can display pop-up advertising and may also redirect browsers to websites controlled by the makers of this program.

Adware-Boran installs a Browser Helper Object (BHO) and adds a button to the Tools menu of Internet Explorer.

Installation:

When executed, the adware creates a folder named "update" in the directory it was run from. It then connects to 222.73.0.196, downloads a file called setup.exe into the newly created "update" folder, and executes it.

Setup.exe creates a folder named MMSAssist in C:\Program Files and drops a DLL called Mmsass~1.dll into it. Mmsass~1.dll is registered as a BHO. The installation also creates a button in the Tools menu of Internet Explorer.

Once the BHO is installed, it connects to www.borlander.com.cn and www.borlander.cn whenever Internet Explorer is opened.

The following registry keys are created.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6671A431-5C3D-463d-A7CF-5587F9B7E191} @="Vision"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6A512BF7-EC78-4e8d-9841-6C02E8FA9838} @="stdup"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6671A431-5C3D-463d-A7CF-5587F9B7E191} @="MMSAssist BHO"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6671A431-5C3D-463d-A7CF-5587F9B7E191}\InprocServer32 @="C:\\PROGRA~1\\MMSASS~1\\Mmsass~1.dll"
"ThreadingModel"="Apartment"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6A512BF7-EC78-4e8d-9841-6C02E8FA9838} @="stdup"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6A512BF7-EC78-4e8d-9841-6C02E8FA9838}\InprocServer32 @="C:\\WINDOWS\\System32\\stdup.dll"
"ThreadingModel"="Apartment"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{74289A79-E652-4A57-A6B9-EE64AD532A8D} @="IMMSAssist"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AB45CE36-C280-4525-BCF9-1BD01D3E4B57} @="IAxObj"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{077525AC-C681-4139-8C3E-B582BDD375C7}\1.0 @="MMSBho 1.0 Type Library"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{077525AC-C681-4139-8C3E-B582BDD375C7}\1.0\0\win32 @="C:\\PROGRA~1\\MMSASS~1\\Mmsass~1.dll"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{22F87D75-7DD1-4545-94B3-CA80C0F462C6}\1.0 @="Ad 1.0 Type Library"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{22F87D75-7DD1-4545-94B3-CA80C0F462C6}\1.0\0\win32 @="C:\\WINDOWS\\System32\\stdup.dll"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Ad.AxObj
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Ad.AxObj.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MMSBho.MMSAssist.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MMSBho.MMSAssistMenu

HKEY_LOCAL_MACHINE\SOFTWARE\MMSAssist
HKEY_LOCAL_MACHINE\SOFTWARE\Stdup

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\>>彩信发送<<
@="res://C:\\PROGRA~1\\MMSASS~1\\Mmsass~1.dll/mms.htm"

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping
"{6671A433-5C3D-463d-A7CF-5587F9B7E191}"=dword:00002001

Adds the following service

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\StdService

Adds the following folders

[execution location]\Update
c:\Program Files\MMSAssist
c:\Program Files\MMSAssist\updmms
c:\Program Files\MMSAssist\updmmsex

Adds the following files

[execution location]\Update\~up.ini
[execution location]\Update\setup.exe
[execution location]\Update\Update.ini

c:\Program Files\MMSAssist\mms.ini
c:\Program Files\MMSAssist\Mmsass~1.dll
c:\Program Files\MMSAssist\NSIS.Library.RegTool.v2.0.exe
c:\Program Files\MMSAssist\update.ini
c:\Program Files\MMSAssist\updmms\mmsstate.ini
c:\Program Files\MMSAssist\updmms\update.ini
c:\Program Files\MMSAssist\updmmsex\extern.ini
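
The two Browser Helper Object registrations listed above can be looked for offline in a registry export. The following Python is an added example, not part of McAfee's write-up: it parses regedit-style export text, lists every registered BHO with the DLL its CLSID resolves to, and flags the two CLSIDs named in this description. The sample export is constructed from the values above plus one made-up entry, and the function names are assumptions.

```python
import re

# BHO CLSIDs listed in this write-up, uppercased for case-insensitive matching.
BORAN_BHO_CLSIDS = {"{6671A431-5C3D-463D-A7CF-5587F9B7E191}",  # "MMSAssist BHO"
                    "{6A512BF7-EC78-4E8D-9841-6C02E8FA9838}"}  # "stdup"
BHO_ROOT = (r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION"
            r"\EXPLORER\BROWSER HELPER OBJECTS") + "\\"
CLSID_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID" + "\\"

# Constructed regedit-style export: adware values are copied from the write-up,
# the ...00AA entry is a made-up BHO with no COM registration, for contrast.
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6671A431-5C3D-463d-A7CF-5587F9B7E191}]
@="Vision"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6A512BF7-EC78-4e8d-9841-6C02E8FA9838}]
@="stdup"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-0000000000AA}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6671A431-5C3D-463d-A7CF-5587F9B7E191}\InprocServer32]
@="C:\\PROGRA~1\\MMSASS~1\\Mmsass~1.dll"
"ThreadingModel"="Apartment"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6A512BF7-EC78-4e8d-9841-6C02E8FA9838}\InprocServer32]
@="C:\\WINDOWS\\System32\\stdup.dll"
'''

def parse_reg(text):
    """Parse .reg-style text into {UPPERCASED_KEY_PATH: {value_name: string}}."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].upper(), {})
        m = re.match(r'(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$', line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else m.group(1)[1:-1]
            current[name] = re.sub(r"\\(.)", r"\1", m.group(2))  # undo \\ and \"
    return keys

def audit_bhos(text):
    """Return (clsid, dll_or_None, matches_write_up) for every registered BHO."""
    keys, rows = parse_reg(text), []
    for path in keys:
        clsid = path[len(BHO_ROOT):]
        if path.startswith(BHO_ROOT) and "\\" not in clsid:
            dll = keys.get(CLSID_ROOT + clsid + "\\INPROCSERVER32", {}).get("")
            rows.append((clsid, dll, clsid in BORAN_BHO_CLSIDS))
    return rows

if __name__ == "__main__":
    for clsid, dll, hit in audit_bhos(SAMPLE_EXPORT):
        print("MATCH" if hit else "other", clsid, dll or "<no InprocServer32>")
```

A BHO whose CLSID has no InprocServer32 entry is reported with a DLL of None, which is itself worth a look during cleanup because it indicates a partially removed registration.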

 

Variants

    N/A

Aliases

  • Downloader.Trojan (Symantec)
  • TROJ_SMALL.BPH (Trend)
  • Trojan-Downloader.Win32.Small.chq (Kaspersky)
