Win32/AdWare.BetterSurf [Threat Name]

Win32/AdWare.BetterSurf.A [Threat Variant Name]

Category adware, riskware
Size 487007 B
Detection created Nov 20, 2013
Detection database version 9072
Aliases Adware.BL (Symantec)
Short description

Win32/AdWare.BetterSurf.A is adware, an application designed to deliver unsolicited advertisements. The file is run-time compressed using NSIS.

Installation

The adware is usually bundled within installation packages of various legitimate software.


The adware is a malicious extension/plugin for the following browsers:

  • Google Chrome
  • Mozilla Firefox
  • Microsoft Internet Explorer

When executed, the adware creates the following files:

  • %programfiles%\BetterSurf\ch\Chrome.crx
  • %programfiles%\BetterSurf\ff\BetterSurf.xpi
  • %programfiles%\BetterSurf\ff\build.cmd
  • %programfiles%\BetterSurf\ff\install.rdf
  • %programfiles%\BetterSurf\ff\chrome\content\firefox.js
  • %programfiles%\BetterSurf\ff\chrome\content\inject.js
  • %programfiles%\BetterSurf\ff\chrome\content\overlay.xul
  • %programfiles%\BetterSurf\ff\chrome.manifest
  • %programfiles%\BetterSurf\ie\BetterSurf.dll
  • %temp%\%variable%.tmp\aminsis.dll

A string with variable content is used instead of %variable%.


The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\dedmngkbaffkenlfdcbganndoghblmap]
    • "path" = "%programfiles%\BetterSurf\ch\Chrome.crx"
    • "version" = "1.0"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions]
    • "xz123@ya456.com" = "%programfiles%\BetterSurf\ff"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6E3C6B04-08FE-43BC-8E50-F90285024DEA}]
    • "(Default)" = "BetterSurf"
    • "NoExplorer" = 1
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6E3C6B04-08FE-43BC-8E50-F90285024DEA}]
    • "(Default)" = "BetterSurf"
    • "InprocServer32" = "%programfiles%\BetterSurf\ie\BetterSurf.dll"
    • "ThreadingModel" = "Apartment"
    • "TypeLib" = "{0113A098-06EA-4776-A011-D75590778F1E}"
    • "Version" = "1.0"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{462862BE-9A5C-49A5-9CBD-A649EAC63645}]
    • "(Default)" = "IBetterSurfBHO"
    • "ProxyStubClsid" = "{00020424-0000-0000-C000-000000000046}"
    • "ProxyStubClsid32" = "{00020424-0000-0000-C000-000000000046}"
    • "TypeLib" = "{0113A098-06EA-4776-A011-D75590778F1E}"
    • "Version" = "1.0"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{0113A098-06EA-4776-A011-D75590778F1E}\1.0]
    • "(Default)" = "BetterSurfLib"
    • "0/win32" = "%programfiles%\BetterSurf\ie\BetterSurf.dll"
    • "FLAGS" = 0
    • "HELPDIR" = "%programfiles%\BetterSurf\ie"

The adware keeps various information in the following Registry key:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\BetterSurf\Components]

Information stealing

The following information is collected:

  • URLs visited
  • keywords entered into search engines

Other information

The adware program is designed to deliver various advertisements to the user's system.


The adware can modify network traffic.


The programs affected include the following:

  • Google Chrome
  • Mozilla Firefox
  • Microsoft Internet Explorer

The adware acquires data and commands from a remote computer or the Internet.


The adware may display the following messages:

  • Together we fight Cancer! With each click on adverts you like, we redirect advertisement fees to fight cancer. Giving has never been easier!
  • We plant trees to offset paper waste every time you print, using funds from this advert.
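To check a Windows host for the file and Registry artifacts listed in the Installation section, the following script is an added example (not ESET's code) that reports which indicators are present without modifying anything. It assumes an elevated PowerShell 3+ session and, as an assumption rather than something the page states, also checks the WOW6432Node view and the x86 Program Files directory, since the installer is 32-bit NSIS.

```powershell
# Added example, not code from the ESET page: reports which of the BetterSurf.A
# files and Registry artifacts listed above are present on a Windows host.
# Assumptions: PowerShell 3+, elevated session; nothing is modified.

# Assumption: the installer is 32-bit NSIS, so on 64-bit Windows the files may land
# under the x86 Program Files directory and HKLM\SOFTWARE writes under WOW6432Node.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$relativeFiles = @('BetterSurf\ch\Chrome.crx', 'BetterSurf\ff\BetterSurf.xpi',
                   'BetterSurf\ie\BetterSurf.dll')
$hives = @('HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node')
$relativeKeys = @(
  'Google\Chrome\Extensions\dedmngkbaffkenlfdcbganndoghblmap',
  'Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6E3C6B04-08FE-43BC-8E50-F90285024DEA}',
  'Classes\CLSID\{6E3C6B04-08FE-43BC-8E50-F90285024DEA}',
  'Classes\WOW6432Node\CLSID\{6E3C6B04-08FE-43BC-8E50-F90285024DEA}',
  'Classes\TypeLib\{0113A098-06EA-4776-A011-D75590778F1E}',
  'BetterSurf\Components'
)

$findings = New-Object System.Collections.Generic.List[object]
foreach ($root in $roots) {
  foreach ($rel in $relativeFiles) {
    $path = Join-Path $root $rel
    if (Test-Path -LiteralPath $path -PathType Leaf) {
      $findings.Add([pscustomobject]@{ Type = 'File'; Indicator = $path })
    }
  }
}
foreach ($hive in $hives) {
  foreach ($rel in $relativeKeys) {
    $key = "$hive\$rel"
    if (Test-Path -LiteralPath $key) {
      $findings.Add([pscustomobject]@{ Type = 'RegistryKey'; Indicator = $key })
    }
  }
  # The Firefox extension is registered as a value under this key, not as a subkey.
  $ffKey = "$hive\Mozilla\Firefox\Extensions"
  $ff = Get-ItemProperty -LiteralPath $ffKey -Name 'xz123@ya456.com' -ErrorAction SilentlyContinue
  if ($ff) {
    $findings.Add([pscustomobject]@{ Type = 'RegistryValue'; Indicator = "$ffKey\xz123@ya456.com" })
  }
}

if ($findings.Count -eq 0) { 'No BetterSurf.A indicators found.' }
else { $findings | Format-Table -AutoSize }
```

The %temp%\%variable%.tmp\aminsis.dll file is not checked because its directory name varies per run; a file-system search for aminsis.dll under %temp% covers it.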
