
Adware:Win32/BHO.G


First posted on 24 May 2010.
Source: SecurityHome

Aliases :

Adware:Win32/BHO.G is also known as Adware Toolbar.HV (AVG), Win32/Lifze.H (ESET), AdWare.Win32.BHO (Ikarus).

Explanation :

Adware:Win32/BHO.G is a detection for an adware application that is installed as a Web browser helper object (BHO) and is a component of Adware:Win32/SmartAdsSolutions. The adware displays advertisements based on Web surfing habits.

Installation :

Adware:Win32/BHO.G is installed by Adware:Win32/SmartAdsSolutions as the following files:

  • %temp%\nslf.tmp\cnclb.dll
  • <system folder>\kukomlfi.dll

Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP and Vista is C:\Windows\System32.

The registry is modified to run the installed BHO components when the Web browser is launched.

    HKLM\SOFTWARE\Classes\adHlpr.adHlpr.1.0
    HKLM\SOFTWARE\Classes\adHlpr.adHlpr

In the wild, we have observed the following registry modifications to run the BHO components:

    Adds value: "{3C7FE4B2-7917-4B27-B594-6EB424F3D527}"
    In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

    Adds value: "{42722F46-E922-4DFA-BA96-5F8FD0CB7C51}"
    In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

    Adds value: "(default)"
    With data: "smartads browser enhancer kukomlfi"
    To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{42722F46-E922-4DFA-BA96-5F8FD0CB7C51}

    Adds value: "(default)"
    With data: "adhlpr object"
    To subkey: HKLM\SOFTWARE\Classes\adHlpr.adHlpr.1.0

    Adds value: "(default)"
    With data: "{7be99c54-a75a-491f-b684-fd5e8e990e98}"
    To subkey: HKLM\SOFTWARE\Classes\adHlpr.adHlpr.1.0\CLSID

    Adds value: "(default)"
    With data: "adhlpr object"
    To subkey: HKLM\SOFTWARE\Classes\adHlpr.adHlpr

    Adds value: "(default)"
    With data: "{7be99c54-a75a-491f-b684-fd5e8e990e98}"
    To subkey: HKLM\SOFTWARE\Classes\adHlpr.adHlpr\CLSID

    Adds value: "(default)"
    With data: "adhlpr.adhlpr.1.0"
    To subkey: HKLM\SOFTWARE\Classes\adHlpr.adHlpr\CurVer

    Adds value: "(default)"
    With data: "adhlpr object"
    To subkey: HKLM\SOFTWARE\Classes\CLSID\{7BE99C54-A75A-491F-B684-FD5E8E990E98}

    Adds value: "(default)"
    With data: "adhlpr.adhlpr.1.0"
    To subkey: HKLM\SOFTWARE\Classes\CLSID\{7BE99C54-A75A-491F-B684-FD5E8E990E98}\ProgID

    Adds value: "(default)"
    With data: "adhlpr.adhlpr"
    To subkey: HKLM\SOFTWARE\Classes\CLSID\{7BE99C54-A75A-491F-B684-FD5E8E990E98}\VersionIndependentProgID

    Adds value: "(default)"
    With data: "<system folder>\kukomlfi.dll"
    To subkey: HKLM\SOFTWARE\Classes\CLSID\{7BE99C54-A75A-491F-B684-FD5E8E990E98}\InprocServer32

    Adds value: "(default)"
    With data: "{a9722a0d-365f-47d2-b70b-37d046316d99}"
    To subkey: HKLM\SOFTWARE\Classes\CLSID\{7BE99C54-A75A-491F-B684-FD5E8E990E98}\TypeLib

    Adds value: "(default)"
    With data: "<system folder>\kukomlfi.dll"
    To subkey: HKLM\SOFTWARE\Classes\CLSID\{42722F46-E922-4DFA-BA96-5F8FD0CB7C51}\InprocServer32

    Adds value: "(default)"
    With data: "adhlpr.adhlpr.1.0"
    To subkey: HKLM\SOFTWARE\Classes\CLSID\{42722F46-E922-4DFA-BA96-5F8FD0CB7C51}\ProgID

    Adds value: "(default)"
    With data: "{a9722a0d-365f-47d2-b70b-37d046316d99}"
    To subkey: HKLM\SOFTWARE\Classes\CLSID\{42722F46-E922-4DFA-BA96-5F8FD0CB7C51}\TypeLib

    Adds value: "(default)"
    With data: "adhlpr.adhlpr"
    To subkey: HKLM\SOFTWARE\Classes\CLSID\{42722F46-E922-4DFA-BA96-5F8FD0CB7C51}\VersionIndependentProgID

    Adds value: "(default)"
    With data: "adhlpr object"
    To subkey: HKLM\SOFTWARE\Classes\CLSID\{42722F46-E922-4DFA-BA96-5F8FD0CB7C51}

    Adds value: "afltId"
    With data: "orgnl"
    To subkey: HKLM\SOFTWARE\Classes\AppID\{A9722A0D-365F-47D2-B70B-37D046316D99}\instl\Data

Additional Information :

Adware:Win32/SmartAdsSolutions may add an entry named "Smart-Ads-Solutions" in the list of installed Windows applications, visible in "Control Panel\Programs\Programs and Features". This entry is also visible in registry modifications made by the adware installer.

    Adds value: "DisplayName"
    With data: "smartads browser enhancer"
    To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Smart-Ads-Solutions

    Adds value: "InstallDir"
    With data: "%program_files%\smart-ads-solutions\smartads\1.5.2.0"
    To subkey: HKLM\SOFTWARE\Smart-Ads-Solutions\SmartAds\Instl

    Analysis by Wei Li

    Last update 24 May 2010
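
An added example, not part of the original write-up: it reads the text of a registry export (for instance the output of reg export HKLM\SOFTWARE, already decoded to a string), resolves each Browser Helper Object CLSID to its InprocServer32 DLL, and flags entries that match the CLSIDs and DLL names listed above. The function names, the sample export and the second BHO in it are constructed for illustration, and only the 64-bit view of HKLM\SOFTWARE\Classes\CLSID is assumed.

```python
import re
from ntpath import basename  # applies Windows path rules on any OS

BHO_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects"
CLSID_KEY = r"hkey_local_machine\software\classes\clsid"
# Indicators copied from the write-up above.
KNOWN_CLSIDS = {"{3c7fe4b2-7917-4b27-b594-6eb424f3d527}", "{42722f46-e922-4dfa-ba96-5f8fd0cb7c51}"}
KNOWN_DLLS = {"kukomlfi.dll", "cnclb.dll"}
GUID = re.compile(r"\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}")
VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

def parse_reg(text):
    """Map lower-cased key path -> {value name: string data}; '@' is (default)."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := VALUE.match(line)):
            name, data = m.group(1).strip('"').lower(), m.group(2)
            current[name] = re.sub(r"\\(.)", r"\1", data)  # undo .reg escaping of \ and "
    return keys

def audit_bhos(text):
    """Return [(clsid, dll or None, matches_page_indicators)] for each BHO."""
    keys = parse_reg(text)
    clsids = {k[len(BHO_KEY) + 1:] for k in keys if k.startswith(BHO_KEY + "\\")}
    clsids |= set(keys.get(BHO_KEY, {}))  # CLSIDs recorded as value names
    rows = []
    for clsid in sorted(c for c in clsids if GUID.fullmatch(c)):
        dll = keys.get(f"{CLSID_KEY}\\{clsid}\\inprocserver32", {}).get("@")
        hit = clsid in KNOWN_CLSIDS or basename(dll or "").lower() in KNOWN_DLLS
        rows.append((clsid, dll, hit))
    return rows

# Constructed sample export; the second BHO and its DLL path are made up.
SAMPLE = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{42722F46-E922-4DFA-BA96-5F8FD0CB7C51}]
@="smartads browser enhancer kukomlfi"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]
@="Example Toolbar"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42722F46-E922-4DFA-BA96-5F8FD0CB7C51}\InprocServer32]
@="C:\\Windows\\System32\\kukomlfi.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Program Files\\Example\\toolbar.dll"
"""

if __name__ == "__main__":
    for clsid, dll, hit in audit_bhos(SAMPLE):
        print("MATCH" if hit else "ok   ", clsid, dll)
```

A BHO whose CLSID has no InprocServer32 registration is reported with a DLL of None, which is worth a look in its own right because it usually means a partial removal.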

     
