
Adware.SuperFish


First posted on 26 February 2015.
Source: SecurityHome

Aliases:

Adware.SuperFish is also known as Visual Discovery.

Explanation:

Adware.SuperFish is an adware program that inserts advertisements into web pages.
The program adds browser extensions to Internet Explorer, Firefox, and Chrome.

The adware, called Visual Discovery and made by an Israeli company called Superfish, scans Web pages for retail products and inserts ads that offer similar products at lower prices. Many retail websites use secure HTTPS connections, but Visual Discovery breaks those connections; as a result, users who think they're connecting to Amazon.com may instead be giving their credit-card numbers to a criminal somewhere else.

Superfish was pre-installed on some consumer notebooks shipped by Lenovo in a short window between October and December 2014.

Digital certificates are long encryption keys that guarantee Web security; they tell you that you are indeed connecting to the Bank of America site, for example. Because Superfish swaps in its own certificate, the user has no guarantee of really being connected to Bank of America rather than to a criminal site spoofing Bank of America. (The Superfish hijack affects Internet Explorer and Google Chrome, but not Mozilla Firefox, which uses its own certificate system.)

Once executed, the program creates the following files:
%ProgramFiles%\WindowShopper\Settings.xml
%ProgramFiles%\WindowShopper\Superfish.dll
%ProgramFiles%\WindowShopper\Uninstall.exe
%ProgramFiles%\WindowShopper\WSHelper.dll
%UserProfile%\Application Data\Local\Google\Chrome\User Data\Default\Extensions\[VARIABLE]\1.2.0.15_0\background.js
%UserProfile%\Application Data\Local\Google\Chrome\User Data\Default\Extensions\[VARIABLE]\1.2.0.15_0\background.js~
%UserProfile%\Application Data\Local\Google\Chrome\User Data\Default\Extensions\[VARIABLE]\1.2.0.15_0\icon_128.png
%UserProfile%\Application Data\Local\Google\Chrome\User Data\Default\Extensions\[VARIABLE]\1.2.0.15_0\icon_16.png
%UserProfile%\Application Data\Local\Google\Chrome\User Data\Default\Extensions\[VARIABLE]\1.2.0.15_0\icon_48.png
%UserProfile%\Application Data\Local\Google\Chrome\User Data\Default\Extensions\[VARIABLE]\1.2.0.15_0\manifest.json
%UserProfile%\Application Data\Local\Google\Chrome\User Data\Default\Extensions\[VARIABLE]\1.2.0.15_0\one-time-run.js
%UserProfile%\Application Data\Local\Google\Chrome\User Data\Default\Extensions\[VARIABLE]\1.2.0.15_0\sfcode.js
%UserProfile%\Application Data\Local\Google\Chrome\User Data\Default\Extensions\[VARIABLE]\1.2.0.15_0\sfcode.js~
%UserProfile%\Application Data\Local\Google\Chrome\User Data\Default\Extensions\[VARIABLE]\1.2.0.15_0\user.js
%UserProfile%\Application Data\Local\Google\Chrome\User Data\Default\Extensions\[VARIABLE]\1.2.0.15_0\user.js.old
%UserProfile%\Application Data\Local\Google\Chrome\User Data\Default\Extensions\[VARIABLE]\1.2.0.15_0\user.js~
%UserProfile%\Application Data\Local\Google\Chrome\User Data\Default\Extensions\[VARIABLE]\1.2.0.15_0\zepto.min.js
%UserProfile%\Application Data\Local\Microsoft\Internet Explorer\DOMStore\[VARIABLE]\www.superfish[1].xml
%UserProfile%\Application Data\Roaming\Microsoft\Windows\Start Menu\Programs\WindowShopper\Uninstall.lnk
%UserProfile%\Application Data\Roaming\Mozilla\Firefox\Profiles\[VARIABLE].default\extensions\superfish@superfish.com\chrome\superfish\content\about-showme.xul
%UserProfile%\Application Data\Roaming\Mozilla\Firefox\Profiles\[VARIABLE].default\extensions\superfish@superfish.com\chrome\superfish\content\status-bar-superfish.js
%UserProfile%\Application Data\Roaming\Mozilla\Firefox\Profiles\[VARIABLE].default\extensions\superfish@superfish.com\chrome\superfish\content\status-bar-superfish.xul
%UserProfile%\Application Data\Roaming\Mozilla\Firefox\Profiles\[VARIABLE].default\extensions\superfish@superfish.com\chrome\superfish\skin\specialsavings_logo.png
%UserProfile%\Application Data\Roaming\Mozilla\Firefox\Profiles\[VARIABLE].default\extensions\superfish@superfish.com\chrome\superfish\skin\superfish_logo.png
%UserProfile%\Application Data\Roaming\Mozilla\Firefox\Profiles\[VARIABLE].default\extensions\superfish@superfish.com\chrome\superfish\skin\Thumbs.db
%UserProfile%\Application Data\Roaming\Mozilla\Firefox\Profiles\[VARIABLE].default\extensions\superfish@superfish.com\chrome.manifest
%UserProfile%\Application Data\Roaming\Mozilla\Firefox\Profiles\[VARIABLE].default\extensions\superfish@superfish.com\components\nsSuperfishComponent.js
%UserProfile%\Application Data\Roaming\Mozilla\Firefox\Profiles\[VARIABLE].default\extensions\superfish@superfish.com\components\nsSuperfishComponent.js.old
%UserProfile%\Application Data\Roaming\Mozilla\Firefox\Profiles\[VARIABLE].default\extensions\superfish@superfish.com\defaults\preferences\pref.js
%UserProfile%\Application Data\Roaming\Mozilla\Firefox\Profiles\[VARIABLE].default\extensions\superfish@superfish.com\install.rdf
%UserProfile%\Application Data\Roaming\Mozilla\Firefox\Profiles\[VARIABLE].default\extensions\superfish@superfish.com\Settings.xml
%UserProfile%\Application Data\Roaming\Mozilla\Firefox\Profiles\[VARIABLE].default\extensions\superfish@superfish.com\sfStatistics.xml
%UserProfile%\Application Data\Roaming\Mozilla\Firefox\Profiles\[VARIABLE].default\extensions\superfish@superfish.com\user.js
%System%\VisualDiscovery.ini
%System%\VisualDiscoveryOff.ini
%ProgramFiles%\Lenovo\VisualDiscovery
%Windir%\Temp\VisualDiscovery.log
%Windir%\Temp\VisualDiscoveryr.log
%System%\Drivers\VDWFP64.sys
%System%\Drivers\VDWFP.sys
%UserProfile%\Local Settings\Temp\VisualDiscoveryr.log


The program also creates the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\SuperfishIEAddon.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{51B4D471-086A-4137-AD28-84EED05088AE}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{74F475FA-6C75-43BD-AAB9-ECDA6184F600}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A69A551A-1AAE-4B67-8C2E-52F8B8A19504}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{4CCDB009-EC10-4696-9991-419D39D3D1DD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{E1EF512D-604D-4776-AF11-410704DA1911}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SuperfishIEAddon.BHObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SuperfishIEAddon.BHObject.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SuperfishIEAddon.ExtentionUI
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SuperfishIEAddon.ExtentionUI.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{A69A551A-1AAE-4B67-8C2E-52F8B8A19504}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{74F475FA-6C75-43BD-AAB9-ECDA6184F600}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WindowShopper
HKEY_CURRENT_USER\Software\AppDataLow\Software\WindowShopper
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\DOMStorage\superfish.com
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\DOMStorage\www.superfish.com
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\C864484869D41D2B0D32319C5A62F9315AAF2CBD
HKEY_LOCAL_MACHINE\SOFTWARE\Lenovo\VisualDiscovery
HKEY_LOCAL_MACHINE\SOFTWARE\VisualDiscovery
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Superfish Inc. VisualDiscovery
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VisualDiscoveryLib.DataContainer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VisualDiscoveryLib.DataContainer.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VisualDiscoveryLib.DataController.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VisualDiscoveryLib.DataController
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VisualDiscoveryLib.DataTable
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VisualDiscoveryLib.DataTable.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VisualDiscoveryLib.DataTableFields
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VisualDiscoveryLib.DataTableFields.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VisualDiscoveryLib.DataTableHolder
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VisualDiscoveryLib.DataTableHolder.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VisualDiscoveryLib.LSPLogic
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VisualDiscoveryLib.LSPLogic.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VisualDiscoveryLib.ReadOnlyManager
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VisualDiscoveryLib.ReadOnlyManager.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VisualDiscoveryLib.WFPController
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VisualDiscoveryLib.WFPController.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\VisualDiscovery.exe
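The certificate swap described in the explanation works only because the Superfish root certificate sits in the machine's trusted root store, so the root store is the first place a defender should look; the files, registry keys and driver names above are corroborating evidence. The script below is an added example written for this page, not part of the SecurityHome write-up. It checks the LocalMachine Root store for the thumbprint listed in the ROOT\Certificates key above, flags any root certificate that has a private key on the machine (a legitimate CA never ships its signing key to end users, and that is what made the Superfish root exploitable), and then tests a subset of the listed registry keys and files. It assumes Windows PowerShell 5.1 or later run from an elevated prompt, and maps %System% to System32 and %Windir% to $env:SystemRoot.

```powershell
# Added defender-side check for the Superfish / VisualDiscovery indicators
# listed above. Not from the original write-up; run elevated so the HKLM
# keys and %System%\Drivers are readable.

# Thumbprint taken from the ROOT\Certificates registry key on this page.
$SuperfishThumbprint = 'C864484869D41D2B0D32319C5A62F9315AAF2CBD'

# Subset of the registry keys listed above, in PowerShell drive notation.
$RegistryKeys = @(
    "HKLM:\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\$SuperfishThumbprint",
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WindowShopper',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Superfish Inc. VisualDiscovery',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{74F475FA-6C75-43BD-AAB9-ECDA6184F600}',
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Extensions\{A69A551A-1AAE-4B67-8C2E-52F8B8A19504}',
    'HKLM:\SOFTWARE\Lenovo\VisualDiscovery',
    'HKLM:\SOFTWARE\VisualDiscovery',
    'HKCU:\Software\AppDataLow\Software\WindowShopper'
)

# Subset of the files listed above. Assumption: %System% is System32 and
# %Windir% is $env:SystemRoot.
$FilePaths = @(
    (Join-Path $env:ProgramFiles 'WindowShopper\Superfish.dll'),
    (Join-Path $env:ProgramFiles 'Lenovo\VisualDiscovery'),
    (Join-Path $env:SystemRoot 'System32\VisualDiscovery.ini'),
    (Join-Path $env:SystemRoot 'System32\Drivers\VDWFP.sys'),
    (Join-Path $env:SystemRoot 'System32\Drivers\VDWFP64.sys'),
    (Join-Path $env:SystemRoot 'Temp\VisualDiscovery.log')
)
# On 64-bit Windows a 32-bit component may live under Program Files (x86).
if (${env:ProgramFiles(x86)}) {
    $FilePaths += Join-Path ${env:ProgramFiles(x86)} 'WindowShopper\Superfish.dll'
}

$Findings = New-Object System.Collections.Generic.List[string]

# 1. The decisive indicator: the Superfish root in the trusted root store.
$RootCerts = Get-ChildItem -Path Cert:\LocalMachine\Root
$SuperfishRoot = $RootCerts | Where-Object { $_.Thumbprint -eq $SuperfishThumbprint }
if ($SuperfishRoot) {
    $Findings.Add("Trusted root certificate present: $($SuperfishRoot.Subject) [$SuperfishThumbprint]")
}

# 2. Generic heuristic: any trusted root whose private key is on this
#    machine can be used to forge certificates for arbitrary HTTPS sites.
$RootCerts | Where-Object { $_.HasPrivateKey } | ForEach-Object {
    $Findings.Add("Root certificate with a local private key: $($_.Subject) [$($_.Thumbprint)]")
}

# 3. Corroborating registry and file-system artifacts.
foreach ($Key in $RegistryKeys) {
    if (Test-Path -LiteralPath $Key) { $Findings.Add("Registry key present: $Key") }
}
foreach ($Path in $FilePaths) {
    if (Test-Path -LiteralPath $Path) { $Findings.Add("File present: $Path") }
}

if ($Findings.Count -eq 0) {
    Write-Output 'No Superfish / VisualDiscovery indicators found.'
    exit 0
}
$Findings | ForEach-Object { Write-Output "[!] $_" }
exit 1
```

The private-key heuristic in step 2 will also flag a root certificate of an enterprise CA installed on the CA server itself, so treat it as a prompt to inspect the certificate rather than as a verdict on its own. Removing the Superfish root from the Root store closes the interception hole even before the rest of the program is uninstalled, because without a trusted root the forged certificates fail validation in Internet Explorer and Chrome.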

Last update 26 February 2015
