
Adware:Win32/Torangcomz


First posted on 09 August 2011.
Source: SecurityHome

Aliases:

Adware:Win32/Torangcomz is also known as Keyword Search (other).

Explanation:

Adware:Win32/Torangcomz is adware that collects data associated with the user's web browsing habits and sends the collected information to a remote server without adequate user consent. The collected data is used to serve targeted advertising to the affected user. Adware:Win32/Torangcomz may also download other files.





Installation

Once installed, Adware:Win32/Torangcomz is present as the following files in a "Keyword Search" subfolder:

  • %ProgramFiles%\Keyword Search\torangcomz.dll
  • %ProgramFiles%\Keyword Search\uninstall.exe


During installation of this adware, data is created in the following registry subkeys to run the adware when the web browser is launched:


During installation, the registry is modified so that Adware:Win32/Torangcomz is visible as "Keyword Search" in the list of installed programs on an affected computer.

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Keyword Search
Sets value: "DisplayName"
With data: "Keyword Search Uninstall"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Keyword Search
Sets value: "UninstallString"
With data: "%ProgramFiles%\Keyword Search\uninstall.exe"

Adware:Win32/Torangcomz contacts the domain "torangcomz.com" to get a list of web search engines, which it saves as the following file:

%AppData%\torangcomz_query_list.txt

When retrieving the list, Adware:Win32/Torangcomz reports installation details using a server-side script, as in the following example:

<site>/query_list.php?ver=X.X.X.X&instdate=XXXXXXX&seq=X&pid=home&mac=XXXXXX

Using the retrieved list, the adware monitors user-entered keyword searches. At the time of this writing, the list contained the following web search domains:

  • naver.com
  • duam.com
  • yahoo.com
  • torangcomz.com
  • myoverture.co.kr
  • search.naver.com,query
  • kr.search.yahoo.com
  • search.daum.net
  • nate.com


Adware:Win32/Torangcomz may download code updates of "torangcomz.dll" from "down.torangcomz.com".
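The check-in request and the update download described above can be searched for in web proxy logs. The following is an added example, not part of the original analysis: it assumes a log format of "<client> <url>" per line, the function names are hypothetical, and the sample log lines (including the download path) are constructed.

```python
from urllib.parse import urlsplit, parse_qs

# Values taken from the description above.
ADWARE_DOMAIN = "torangcomz.com"
CHECKIN_SCRIPT = "query_list.php"
CHECKIN_PARAMS = {"ver", "instdate", "seq", "pid", "mac"}


def classify(url):
    """Return (reason, details) if the URL matches the described traffic, else None."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    query = parse_qs(parts.query, keep_blank_values=True)
    script = parts.path.rsplit("/", 1)[-1].lower()
    # Check-in: the script name plus every reported parameter, on any host,
    # because the description only gives the server as "<site>".
    if script == CHECKIN_SCRIPT and CHECKIN_PARAMS <= set(query):
        return "check-in", {k: query[k][0] for k in sorted(CHECKIN_PARAMS)}
    # Any other request to the domain or a subdomain such as down.torangcomz.com.
    if host == ADWARE_DOMAIN or host.endswith("." + ADWARE_DOMAIN):
        return "domain", {"host": host, "path": parts.path}
    return None


def scan(lines):
    """Yield (client, reason, details) for log lines of the form '<client> <url>'."""
    for line in lines:
        fields = line.split()
        if len(fields) < 2:
            continue  # skip blank or malformed lines
        hit = classify(fields[1])
        if hit:
            yield (fields[0],) + hit


# Constructed sample log lines (client IP, requested URL); not real traffic.
SAMPLE_LOG = [
    "10.0.0.5 http://torangcomz.com/query_list.php?ver=1.0.0.1&instdate=20110801&seq=1&pid=home&mac=001122AABBCC",
    "10.0.0.5 http://down.torangcomz.com/torangcomz.dll",
    "10.0.0.9 http://search.naver.com/search.naver?query=test",
    "10.0.0.7 http://nottorangcomz.com/index.html",
    "10.0.0.8 http://mirror.example/a/QUERY_LIST.PHP?mac=00AA&pid=home&seq=2&instdate=1&ver=2.0",
]

if __name__ == "__main__":
    for client, reason, details in scan(SAMPLE_LOG):
        print(client, reason, details)
```

A "check-in" hit also returns the reported "mac" value, which identifies the affected machine even when the client address in the log belongs to a NAT gateway.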



Analysis by Zarestel Ferrer

Last update 09 August 2011
