AdWare.Win32.FunWeb.ci

From Total Malware Info

The description for AdWare.Win32.FunWeb.ci was created during the beta test of the «Malware description on demand» service. Learn more at: www.dnt-lab.com/en/services.

Last edited:

18.8.2010

This malicious program is a component of another advertising program (adware). It is a Windows DLL (PE-DLL file). Its size is 254,065 bytes. It is written in C++.

Payload

The library is one of the components of the program "My Web Search Toolbar", a search toolbar for Internet Explorer and Mozilla Firefox. The program tracks the search queries entered by the user and sends them in HTTP requests to the following servers:

http://imgfarm.com
http://smileycreator.com
http://kazulah.com
http://mywebsearch.com 
http://iwon.com
http://popularscreensavers.com
http://cursormania.com
http://myfuncards.com
http://zwinky.com
http://webfetti.com
http://smileycentraldev.com
http://funwebproductsdev.com
http://smileycentral.com
http://funwebproducts.com
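The host list above is the network indicator a defender can act on. The following PowerShell function is an added example, not code from the original description: it scans proxy log lines for requests to any of the listed domains or their subdomains (so that dp.smileycentral.com matches smileycentral.com) while not matching unrelated look-alike names. The log format and the sample lines are constructed for illustration and are not from the page.

```powershell
# Added example (not part of the original description): flag HTTP requests
# to the hosts listed above in a proxy log. Log format and sample lines are
# constructed for illustration.

$FunWebHosts = @(
    'imgfarm.com', 'smileycreator.com', 'kazulah.com', 'mywebsearch.com',
    'iwon.com', 'popularscreensavers.com', 'cursormania.com', 'myfuncards.com',
    'zwinky.com', 'webfetti.com', 'smileycentraldev.com', 'funwebproductsdev.com',
    'smileycentral.com', 'funwebproducts.com'
)

function Test-FunWebHost {
    # Returns the matching indicator domain, or $null if the host is unrelated.
    param([Parameter(Mandatory)][string]$HostName)
    $h = $HostName.ToLowerInvariant()
    foreach ($d in $FunWebHosts) {
        # match the apex domain and any subdomain; the leading dot in the
        # suffix check keeps 'notmywebsearch.com' from matching 'mywebsearch.com'
        if ($h -eq $d -or $h.EndsWith(".$d")) { return $d }
    }
    return $null
}

function Find-FunWebRequests {
    param([Parameter(Mandatory)][string[]]$LogLines)
    foreach ($line in $LogLines) {
        # constructed format: <time> <client-ip> <method> <url> <status>
        $fields = $line -split '\s+'
        if ($fields.Count -lt 5) { continue }
        $uri = $null
        if (-not [System.Uri]::TryCreate($fields[3], [System.UriKind]::Absolute, [ref]$uri)) { continue }
        $matched = Test-FunWebHost -HostName $uri.Host
        if ($matched) {
            [pscustomobject]@{
                Time      = $fields[0]
                Client    = $fields[1]
                Host      = $uri.Host
                Indicator = $matched
                Query     = $uri.Query   # search queries leak in the URL, so keep it for triage
            }
        }
    }
}

# Constructed sample log lines (not real traffic)
$sample = @(
    '2010-08-18T10:01:02 10.0.0.15 GET http://www.example.com/index.html 200',
    '2010-08-18T10:01:05 10.0.0.15 GET http://dp.smileycentral.com/download/redir.jhtml?dest=faqs&product=kazulah 404',
    '2010-08-18T10:01:09 10.0.0.22 GET http://mywebsearch.com/search?q=some+user+query 200',
    '2010-08-18T10:01:12 10.0.0.22 GET http://notmywebsearch.com/ 200'
)

# Expected: the second and third lines are reported; the first and fourth are not.
Find-FunWebRequests -LogLines $sample | Format-Table -AutoSize
```

Feed real proxy or DNS logs through Find-FunWebRequests by replacing $sample with Get-Content on the log file; the Client column then tells you which machines to check with the host-based indicators described later on this page.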

The search panel looks like this:

[Figure: FunWeb.ci.png, screenshot of the search panel]

The library under analysis is stored in the system as

%Program Files%\FunWebProducts\Installr\1.bin\F3EZSETP.DLL

It contains functionality that registers the malicious program in the system registry, as well as search and update mechanisms. It creates the following registry keys:

[HKLM\SOFTWARE\FunWebProducts\Installer]
"PluginPath" = "%WorkDir%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1D4DB7D2-6EC9-47a3-BD87-1E41684E07BB}]
"(Default)" = ""

[HKLM\SOFTWARE\MozillaPlugins\@funwebproducts.com/Plugin]
"Description" = "Fun Web Products Plugin"
"Path" = "%WorkDir%\NPFunWeb.dll"
"vendor" = "Fun Web Products"
"version" = "1.1.0.0"

[HKLM\SOFTWARE\MozillaPlugins\@funwebproducts.com/Plugin\MimeTypes\application/x-f3-funwebplugin]
"Description" = "Fun Web Products Plugin"
"Suffixes" = "f3p"

[HKCR\FunWebProductsInstaller.Start.1]
"(Default)" = "Fun Web Products Installer Start"

[HKCR\FunWebProductsInstaller.Start.1\CLSID]
"(Default)" = "{1D4DB7D2-6EC9-47a3-BD87-1E41684E07BB}"

[HKCR\FunWebProductsInstaller.Start]
"(Default)" = "Fun Web Products Installer Start"

[HKCR\FunWebProductsInstaller.Start\CLSID]
"(Default)" = "{1D4DB7D2-6EC9-47a3-BD87-1E41684E07BB}"

[HKCR\FunWebProductsInstaller.Start\CurVer]
"(Default)" = "FunWebProductsInstaller.Start.1"

[HKCR\CLSID\{1D4DB7D2-6EC9-47a3-BD87-1E41684E07BB}]
"(Default)" = "Fun Web Products Installer Start"

[HKCR\CLSID\{1D4DB7D2-6EC9-47a3-BD87-1E41684E07BB}\ProgID]
"(Default)" = "FunWebProductsInstaller.Start.1"

[HKCR\CLSID\{1D4DB7D2-6EC9-47a3-BD87-1E41684E07BB}\VersionIndependentProgID]
"(Default)" = "FunWebProductsInstaller.Start"

[HKCR\CLSID\{1D4DB7D2-6EC9-47a3-BD87-1E41684E07BB}\InprocServer32]
"(Default)" = "<full path to the trojan's file>"
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{1D4DB7D2-6EC9-47a3-BD87-1E41684E07BB}\MiscStatus]
"(Default)" = "0"

[HKCR\CLSID\{1D4DB7D2-6EC9-47a3-BD87-1E41684E07BB}\MiscStatus\1]
"(Default)" = "131473"

[HKCR\CLSID\{1D4DB7D2-6EC9-47a3-BD87-1E41684E07BB}\TypeLib]
"(Default)" = "{1D4DB7D0-6EC9-47a3-BD87-1E41684E07BB}"

[HKCR\CLSID\{1D4DB7D2-6EC9-47a3-BD87-1E41684E07BB}\Version]
"(Default)" = "1.0"

[HKCR\TypeLib\{1D4DB7D0-6EC9-47A3-BD87-1E41684E07BB}\1.0]
"(Default)" = "Installer 1.0 Type Library"

[HKCR\TypeLib\{1D4DB7D0-6EC9-47A3-BD87-1E41684E07BB}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\TypeLib\{1D4DB7D0-6EC9-47A3-BD87-1E41684E07BB}\1.0\0\win32]
"(Default)" = "<full path to the trojan's file>\1"

[HKCR\TypeLib\{1D4DB7D0-6EC9-47A3-BD87-1E41684E07BB}\1.0\HELPDIR]
"(Default)" = "<full path to the trojan's file>\"

[HKCR\Interface\{1D4DB7D1-6EC9-47A3-BD87-1E41684E07BB}]
"(Default)" = "If3InstallerStart"

[HKCR\Interface\{1D4DB7D1-6EC9-47A3-BD87-1E41684E07BB}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{1D4DB7D1-6EC9-47A3-BD87-1E41684E07BB}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{1D4DB7D1-6EC9-47A3-BD87-1E41684E07BB}\TypeLib]
"(Default)" = "{1D4DB7D0-6EC9-47A3-BD87-1E41684E07BB}"

[HKCR\Interface\{1D4DB7D3-6EC9-47A3-BD87-1E41684E07BB}]
"(Default)" = "_If3InstallerStartEvents"

[HKCR\Interface\{1D4DB7D3-6EC9-47A3-BD87-1E41684E07BB}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\Interface\{1D4DB7D3-6EC9-47A3-BD87-1E41684E07BB}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\Interface\{1D4DB7D3-6EC9-47A3-BD87-1E41684E07BB}\TypeLib]
"(Default)" = "{1D4DB7D0-6EC9-47A3-BD87-1E41684E07BB}"

[HKCR\Interface\{1D4DB7D3-6EC9-47A3-BD87-1E41684E07BB}\TypeLib]
"Version" = "1.0"

Updates are downloaded via the following links:

http://dp.smileycentral.com/download/redir.jhtml?dest=faqs&product=kazulah
http://dp.smileycentral.com/download/redir.jhtml?dest=privacy&product=kazulah

At the time of writing, the files behind these links were not accessible.

Removal Instructions

If your computer was not protected by an antivirus and was infected with this malware, follow these steps to remove it:

  1. Delete the original trojan file (its location on the infected computer will depend on how the program originally penetrated the victim machine).
  2. Delete the registry keys:
    
    [HKLM\SOFTWARE\FunWebProducts\Installer]
    "PluginPath" = "%WorkDir%"
    
    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1D4DB7D2-6EC9-47a3-BD87-1E41684E07BB}]
    "(Default)" = ""
    
    [HKLM\SOFTWARE\MozillaPlugins\@funwebproducts.com/Plugin]
    "Description" = "Fun Web Products Plugin"
    "Path" = "%WorkDir%\NPFunWeb.dll"
    "vendor" = "Fun Web Products"
    "version" = "1.1.0.0"
    
    [HKLM\SOFTWARE\MozillaPlugins\@funwebproducts.com/Plugin\MimeTypes\application/x-f3-funwebplugin]
    "Description" = "Fun Web Products Plugin"
    "Suffixes" = "f3p"
    
    [HKCR\FunWebProductsInstaller.Start.1]
    "(Default)" = "Fun Web Products Installer Start"
    
    [HKCR\FunWebProductsInstaller.Start.1\CLSID]
    "(Default)" = "{1D4DB7D2-6EC9-47a3-BD87-1E41684E07BB}"
    
    [HKCR\FunWebProductsInstaller.Start]
    "(Default)" = "Fun Web Products Installer Start"
    
    [HKCR\FunWebProductsInstaller.Start\CLSID]
    "(Default)" = "{1D4DB7D2-6EC9-47a3-BD87-1E41684E07BB}"
    
    [HKCR\FunWebProductsInstaller.Start\CurVer]
    "(Default)" = "FunWebProductsInstaller.Start.1"
    
    [HKCR\CLSID\{1D4DB7D2-6EC9-47a3-BD87-1E41684E07BB}]
    "(Default)" = "Fun Web Products Installer Start"
    
    [HKCR\CLSID\{1D4DB7D2-6EC9-47a3-BD87-1E41684E07BB}\ProgID]
    "(Default)" = "FunWebProductsInstaller.Start.1"
    
    [HKCR\CLSID\{1D4DB7D2-6EC9-47a3-BD87-1E41684E07BB}\VersionIndependentProgID]
    "(Default)" = "FunWebProductsInstaller.Start"
    
    [HKCR\CLSID\{1D4DB7D2-6EC9-47a3-BD87-1E41684E07BB}\InprocServer32]
    "(Default)" = "<full path to the trojan's file>"
    "ThreadingModel" = "Apartment"
    
    [HKCR\CLSID\{1D4DB7D2-6EC9-47a3-BD87-1E41684E07BB}\MiscStatus]
    "(Default)" = "0"
    
    [HKCR\CLSID\{1D4DB7D2-6EC9-47a3-BD87-1E41684E07BB}\MiscStatus\1]
    "(Default)" = "131473"
    
    [HKCR\CLSID\{1D4DB7D2-6EC9-47a3-BD87-1E41684E07BB}\TypeLib]
    "(Default)" = "{1D4DB7D0-6EC9-47a3-BD87-1E41684E07BB}"
    
    [HKCR\CLSID\{1D4DB7D2-6EC9-47a3-BD87-1E41684E07BB}\Version]
    "(Default)" = "1.0"
    
    [HKCR\TypeLib\{1D4DB7D0-6EC9-47A3-BD87-1E41684E07BB}\1.0]
    "(Default)" = "Installer 1.0 Type Library"
    
    [HKCR\TypeLib\{1D4DB7D0-6EC9-47A3-BD87-1E41684E07BB}\1.0\FLAGS]
    "(Default)" = "0"
    
    [HKCR\TypeLib\{1D4DB7D0-6EC9-47A3-BD87-1E41684E07BB}\1.0\0\win32]
    "(Default)" = "<full path to the trojan's file>\1"
    
    [HKCR\TypeLib\{1D4DB7D0-6EC9-47A3-BD87-1E41684E07BB}\1.0\HELPDIR]
    "(Default)" = "<full path to the trojan's file>\"
    
    [HKCR\Interface\{1D4DB7D1-6EC9-47A3-BD87-1E41684E07BB}]
    "(Default)" = "If3InstallerStart"
    
    [HKCR\Interface\{1D4DB7D1-6EC9-47A3-BD87-1E41684E07BB}\ProxyStubClsid]
    "(Default)" = "{00020424-0000-0000-C000-000000000046}"
    
    [HKCR\Interface\{1D4DB7D1-6EC9-47A3-BD87-1E41684E07BB}\ProxyStubClsid32]
    "(Default)" = "{00020424-0000-0000-C000-000000000046}"
    
    [HKCR\Interface\{1D4DB7D1-6EC9-47A3-BD87-1E41684E07BB}\TypeLib]
    "(Default)" = "{1D4DB7D0-6EC9-47A3-BD87-1E41684E07BB}"
    
    [HKCR\Interface\{1D4DB7D3-6EC9-47A3-BD87-1E41684E07BB}]
    "(Default)" = "_If3InstallerStartEvents"
    
    [HKCR\Interface\{1D4DB7D3-6EC9-47A3-BD87-1E41684E07BB}\ProxyStubClsid]
    "(Default)" = "{00020420-0000-0000-C000-000000000046}"
    
    [HKCR\Interface\{1D4DB7D3-6EC9-47A3-BD87-1E41684E07BB}\ProxyStubClsid32]
    "(Default)" = "{00020420-0000-0000-C000-000000000046}"
    
    [HKCR\Interface\{1D4DB7D3-6EC9-47A3-BD87-1E41684E07BB}\TypeLib]
    "(Default)" = "{1D4DB7D0-6EC9-47A3-BD87-1E41684E07BB}"
    
    [HKCR\Interface\{1D4DB7D3-6EC9-47A3-BD87-1E41684E07BB}\TypeLib]
    "Version" = "1.0"
    
  3. Clear the Temporary Internet Files directory, which may contain infected files.
  4. Perform a full system scan using an antivirus with updated anti-virus databases.
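Steps 1 and 2 above can be audited and carried out with the following PowerShell function, which is an added example and not part of the original description. It checks for the DLL path and the registry keys listed on this page and, only when -Remove is given, deletes them; run it from an elevated prompt and use -WhatIf first to preview what would be deleted. It uses the .NET registry classes rather than the Registry: provider because the MozillaPlugins key name contains a forward slash, which the provider treats as a path separator. Deleting the parent keys listed here also removes the subkeys (CLSID, CurVer, ProxyStubClsid and so on) from the list above. The assumption that the DLL sits under $env:ProgramFiles is taken from the path given on this page; on a 64-bit Windows installation, the keys of a 32-bit component may instead live under the Wow6432Node view, which this example does not search.

```powershell
# Added example (not part of the original description): audit a host for the
# file and registry indicators listed above and optionally remove them.
# Requires an elevated PowerShell session for the HKLM/HKCR deletions.

function Invoke-FunWebCleanup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # without -Remove the function only reports what it finds
        [switch]$Remove
    )

    # indicator file from the description, with %Program Files% expanded
    $dllPath = Join-Path $env:ProgramFiles 'FunWebProducts\Installr\1.bin\F3EZSETP.DLL'

    # parent keys from the description; deleting each tree removes its subkeys too
    $keys = @(
        @{ Hive = 'HKLM'; Path = 'SOFTWARE\FunWebProducts\Installer' },
        @{ Hive = 'HKLM'; Path = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1D4DB7D2-6EC9-47a3-BD87-1E41684E07BB}' },
        @{ Hive = 'HKLM'; Path = 'SOFTWARE\MozillaPlugins\@funwebproducts.com/Plugin' },
        @{ Hive = 'HKCR'; Path = 'FunWebProductsInstaller.Start.1' },
        @{ Hive = 'HKCR'; Path = 'FunWebProductsInstaller.Start' },
        @{ Hive = 'HKCR'; Path = 'CLSID\{1D4DB7D2-6EC9-47a3-BD87-1E41684E07BB}' },
        @{ Hive = 'HKCR'; Path = 'TypeLib\{1D4DB7D0-6EC9-47A3-BD87-1E41684E07BB}\1.0' },
        @{ Hive = 'HKCR'; Path = 'Interface\{1D4DB7D1-6EC9-47A3-BD87-1E41684E07BB}' },
        @{ Hive = 'HKCR'; Path = 'Interface\{1D4DB7D3-6EC9-47A3-BD87-1E41684E07BB}' }
    )
    $hives = @{
        HKLM = [Microsoft.Win32.Registry]::LocalMachine
        HKCR = [Microsoft.Win32.Registry]::ClassesRoot
    }

    $findings = @()

    # step 1: the library itself
    if (Test-Path -LiteralPath $dllPath) {
        $findings += [pscustomobject]@{ Type = 'File'; Location = $dllPath }
        if ($Remove -and $PSCmdlet.ShouldProcess($dllPath, 'Delete file')) {
            Remove-Item -LiteralPath $dllPath -Force
        }
    }

    # step 2: the registry keys
    foreach ($k in $keys) {
        $root = $hives[$k.Hive]
        $sub = $root.OpenSubKey($k.Path)   # $null when the key does not exist
        if ($null -eq $sub) { continue }
        $sub.Close()
        $full = "$($k.Hive)\$($k.Path)"
        $findings += [pscustomobject]@{ Type = 'RegistryKey'; Location = $full }
        if ($Remove -and $PSCmdlet.ShouldProcess($full, 'Delete registry key tree')) {
            # second argument: do not throw if the key vanished meanwhile
            $root.DeleteSubKeyTree($k.Path, $false)
        }
    }

    if ($findings.Count -eq 0) { Write-Output 'No FunWeb indicators found.' }
    else { $findings }
}

# report only:
Invoke-FunWebCleanup
# preview the deletions, then perform them:
# Invoke-FunWebCleanup -Remove -WhatIf
# Invoke-FunWebCleanup -Remove
```

Because the InprocServer32 value records the full path to the DLL, the report from the first, non-destructive run also tells you where the library was actually installed if it is not at the default location. Steps 3 and 4 (clearing Temporary Internet Files and running a full scan) remain manual and should follow the cleanup.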
