
BrowserModifier:Win32/Pointfree


First posted on 16 February 2009.
Source: SecurityHome

Aliases:

BrowserModifier:Win32/Pointfree is also known as Adware:Win32/Pointfree (other), Win-Trojan/Banload.281025 (AhnLab), Downloader.Banload.RZI (AVG), W32/Banload.ABXH (Norman), Trojan.DL.Agent.EQJZ (VirusBuster).

Explanation:

BrowserModifier:Win32/Pointfree is a browser modifier that redirects users when invalid web site addresses or search terms are entered in the Microsoft Windows Internet Explorer address bar.

Symptoms

System Changes

The following system changes may indicate the presence of BrowserModifier:Win32/Pointfree:

  • The presence of the following files:
    %ProgramFiles%\pointfree\cpf.pfi
    %ProgramFiles%\pointfree\dypf.pfi
    %ProgramFiles%\pointfree\PFAX.ocx
    %ProgramFiles%\pointfree\PFD.exe
    %ProgramFiles%\pointfree\PFHelper.dll
    %ProgramFiles%\pointfree\PFInfo.pfi
    %ProgramFiles%\pointfree\PFR.exe
    %ProgramFiles%\pointfree\PFUpdate.exe
    %ProgramFiles%\pointfree\version.txt
  • The presence of the following registry subkeys:
    HKLM\SOFTWARE\CLASSES\{E6AC2A04-C1FF-4D0F-9E88-A9B53BF39684}
    HKLM\SOFTWARE\CLASSES\CLSID\{BFFA5836-E2C0-410A-83ED-BA490DA6337A}
    HKLM\SOFTWARE\CLASSES\CLSID\{E6AC2A04-C1FF-4D0F-9E88-A9B53BF39684}
    HKLM\SOFTWARE\CLASSES\INTERFACE\{4200D8CC-CDE0-4F62-86AA-57FF2879495D}
    HKLM\SOFTWARE\CLASSES\INTERFACE\{491DA1AE-3186-4942-91EE-1FD321D863D1}
    HKLM\SOFTWARE\CLASSES\PFAX.PFX
    HKLM\SOFTWARE\CLASSES\TYPELIB\{4ED2633C-0CD0-41E5-8FCE-5D48569805E5}
    HKLM\SOFTWARE\CLASSES\TYPELIB\{4ED2633C-0CD0-41E5-8FCE-5D48569805E5}\1.0
    HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{E6AC2A04-C1FF-4D0F-9E88-A9B53BF39684}
  • When viewing Internet Explorer's Manage Add-ons, you may notice an entry such as this one:



Installation

When Win32/Pointfree is installed, it creates the following files:

    %ProgramFiles%\pointfree\cpf.pfi
    %ProgramFiles%\pointfree\dypf.pfi
    %ProgramFiles%\pointfree\PFAX.ocx
    %ProgramFiles%\pointfree\PFD.exe
    %ProgramFiles%\pointfree\PFHelper.dll
    %ProgramFiles%\pointfree\PFInfo.pfi
    %ProgramFiles%\pointfree\PFR.exe
    %ProgramFiles%\pointfree\PFUpdate.exe
    %ProgramFiles%\pointfree\version.txt

The registry is modified to execute Win32/Pointfree at each Windows start from the registry subkey:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Pointfree

The registry is modified to execute Win32/Pointfree as a Web Browser Helper Object (BHO) from the following registry subkeys:

    HKLM\SOFTWARE\CLASSES\{E6AC2A04-C1FF-4D0F-9E88-A9B53BF39684}
    HKLM\SOFTWARE\CLASSES\CLSID\{BFFA5836-E2C0-410A-83ED-BA490DA6337A}
    HKLM\SOFTWARE\CLASSES\CLSID\{E6AC2A04-C1FF-4D0F-9E88-A9B53BF39684}
    HKLM\SOFTWARE\CLASSES\INTERFACE\{4200D8CC-CDE0-4F62-86AA-57FF2879495D}
    HKLM\SOFTWARE\CLASSES\INTERFACE\{491DA1AE-3186-4942-91EE-1FD321D863D1}
    HKLM\SOFTWARE\CLASSES\PFAX.PFX
    HKLM\SOFTWARE\CLASSES\TYPELIB\{4ED2633C-0CD0-41E5-8FCE-5D48569805E5}
    HKLM\SOFTWARE\CLASSES\TYPELIB\{4ED2633C-0CD0-41E5-8FCE-5D48569805E5}\1.0
    HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{E6AC2A04-C1FF-4D0F-9E88-A9B53BF39684}

The following additional registry subkeys are created:

    HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\POINTFREE
    HKLM\SOFTWARE\POINTFREE\UPDATE

Additional Information

When a user enters an invalid Web site address or search terms into the Microsoft Windows Internet Explorer address bar, Win32/Pointfree intervenes and redirects the browser to a search site, as shown in the example image below. If you use Internet Explorer's Manage Add-ons feature, you may notice an entry for Pointfree, such as in the example image below.
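A host check over the indicators listed above, added here as an example; it is not Microsoft's tooling and was not part of the original write-up. It assumes an elevated PowerShell session on the host being examined. The file names, CLSIDs and key paths are the ones given in this entry; the backslash positions in the two "additional" subkeys are reconstructed from the write-up and marked as such in the code. The last section goes slightly beyond the page: it walks every registered BHO and resolves its CLSID to the in-process server DLL, so a Pointfree component registered under the same CLSID but copied elsewhere is still reported.

```powershell
# Added example: look for the Win32/Pointfree indicators from this write-up.
# Run elevated. Registry paths are case-insensitive, so mixed case is fine.

$pfDir = Join-Path $env:ProgramFiles 'pointfree'
$files = 'cpf.pfi','dypf.pfi','PFAX.ocx','PFD.exe','PFHelper.dll',
         'PFInfo.pfi','PFR.exe','PFUpdate.exe','version.txt' |
         ForEach-Object { Join-Path $pfDir $_ }

$bhoClsid = '{E6AC2A04-C1FF-4D0F-9E88-A9B53BF39684}'
$keys = @(
    "HKLM:\SOFTWARE\Classes\$bhoClsid",
    'HKLM:\SOFTWARE\Classes\CLSID\{BFFA5836-E2C0-410A-83ED-BA490DA6337A}',
    "HKLM:\SOFTWARE\Classes\CLSID\$bhoClsid",
    'HKLM:\SOFTWARE\Classes\Interface\{4200D8CC-CDE0-4F62-86AA-57FF2879495D}',
    'HKLM:\SOFTWARE\Classes\Interface\{491DA1AE-3186-4942-91EE-1FD321D863D1}',
    'HKLM:\SOFTWARE\Classes\PFAX.PFX',
    'HKLM:\SOFTWARE\Classes\TypeLib\{4ED2633C-0CD0-41E5-8FCE-5D48569805E5}',
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$bhoClsid",
    # Separator positions in the next two keys are reconstructed from the write-up.
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Pointfree',
    'HKLM:\SOFTWARE\Pointfree\Update'
)

$findings = @()

# Dropped files under %ProgramFiles%\pointfree
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings += "file: $f" }
}

# COM registration, BHO registration, uninstall and vendor keys
foreach ($k in $keys) {
    if (Test-Path -LiteralPath $k) { $findings += "key:  $k" }
}

# Start-up persistence: the entry names a 'Pointfree' value under the HKLM Run key
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['Pointfree']) {
    $findings += "run value: Pointfree = $($run.Pointfree)"
}

# Generalisation: enumerate every registered BHO and resolve the CLSID to its
# InprocServer32 DLL, so a component living outside %ProgramFiles%\pointfree
# but registered under the same CLSID or using PFHelper.dll is still reported.
$bhoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
Get-ChildItem -Path $bhoRoot -ErrorAction SilentlyContinue | ForEach-Object {
    $clsid  = $_.PSChildName
    $server = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32" `
                                -ErrorAction SilentlyContinue).'(default)'
    if ($clsid -eq $bhoClsid -or ($server -and $server -match '(?i)pointfree|PFHelper\.dll')) {
        $findings += "BHO $clsid -> $server"
    }
}

if ($findings.Count -eq 0) {
    'No Pointfree indicators found.'
} else {
    'Pointfree indicators present:'
    $findings | ForEach-Object { "  $_" }
}
```

On a 64-bit Windows installation a 32-bit BHO is registered under the WOW6432Node view of HKLM\SOFTWARE rather than the paths above; if the script is run from 64-bit PowerShell, repeat the key checks with `SOFTWARE\WOW6432Node` in place of `SOFTWARE` to cover that case.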

Analysis by Aaron Hulett

Last update 16 February 2009

     
