Win32/Adware.Hengbang [Threat Name]

Win32/Adware.Hengbang.AA [Threat Variant Name]

Category: adware
Size: 431104 B
Detection created: Aug 15, 2010
Signature database version: 5368
Aliases:
  • Worm.Win32.AutoRun.ibh (Kaspersky)
  • TrojanDropper:Win32/Henbang.A (Microsoft)
  • Adware.Henbang (Symantec)
Short description

Win32/Adware.Hengbang.AA is adware that redirects the results of online search engines to specific web sites. It is able to spread via removable media.

Installation

When executed, the adware copies itself to the following locations:

  • %system%\web.dat
  • %system%\winweb.exe

The adware creates the following files:

  • %system%\webad.dll (94208 B, Win32/Adware.Hengbang.AA)
  • %system%\iconhandle.dll (91648 B, Win32/Adware.Hengbang.AA)

The following Registry entries are set:

  • [HKEY_CLASSES_ROOT\AppID\{DD0AD1D0-6C36-4894-B38E-9E5D3392114D}]
    • "(Default)" = "iconhandle"
  • [HKEY_CLASSES_ROOT\AppID\iconhandle.DLL]
    • "AppID" = "{DD0AD1D0-6C36-4894-B38E-9E5D3392114D}"
  • [HKEY_CLASSES_ROOT\iconhandle.seticon.1]
    • "(Default)" = "seticon Class"
  • [HKEY_CLASSES_ROOT\iconhandle.seticon.1\CLSID]
    • "(Default)" = "{AEFA7E78-CF7E-4550-829F-2C786A0070BF}"
  • [HKEY_CLASSES_ROOT\iconhandle.seticon]
    • "(Default)" = "seticon Class"
  • [HKEY_CLASSES_ROOT\iconhandle.seticon\CLSID]
    • "(Default)" = "{AEFA7E78-CF7E-4550-829F-2C786A0070BF}"
  • [HKEY_CLASSES_ROOT\iconhandle.seticon\CurVer]
    • "(Default)" = "iconhandle.seticon.1"
  • [HKEY_CLASSES_ROOT\CLSID\{AEFA7E78-CF7E-4550-829F-2C786A0070BF}]
    • "(Default)" = "seticon Class"
  • [HKEY_CLASSES_ROOT\CLSID\{AEFA7E78-CF7E-4550-829F-2C786A0070BF}\ProgID]
    • "(Default)" = "iconhandle.seticon.1"
  • [HKEY_CLASSES_ROOT\CLSID\{AEFA7E78-CF7E-4550-829F-2C786A0070BF}\VersionIndependentProgID]
    • "(Default)" = "iconhandle.seticon"
  • [HKEY_CLASSES_ROOT\CLSID\{AEFA7E78-CF7E-4550-829F-2C786A0070BF}\InProcServer32]
    • "(Default)" = "%system%\iconhandle.dll"
    • "ThreadingModel" = "Apartment"
  • [HKEY_CLASSES_ROOT\CLSID\{AEFA7E78-CF7E-4550-829F-2C786A0070BF}\TypeLib]
    • "(Default)" = "{581F1707-4AD0-4B7B-AD6E-057DB8F686F3}"
  • [HKEY_CLASSES_ROOT\txtfile\shellEx\IconHandler]
    • "(Default)" = "{AEFA7E78-CF7E-4550-829F-2C786A0070BF}"
  • [HKEY_CLASSES_ROOT\TypeLib\{581F1707-4AD0-4B7B-AD6E-057DB8F686F3}\1.0]
    • "(Default)" = "iconhandle 类型库"
  • [HKEY_CLASSES_ROOT\TypeLib\{581F1707-4AD0-4B7B-AD6E-057DB8F686F3}\1.0\FLAGS]
    • "(Default)" = "0"
  • [HKEY_CLASSES_ROOT\TypeLib\{581F1707-4AD0-4B7B-AD6E-057DB8F686F3}\1.0\0\win32]
    • "(Default)" = "%system%\iconhandle.dll"
  • [HKEY_CLASSES_ROOT\TypeLib\{581F1707-4AD0-4B7B-AD6E-057DB8F686F3}\1.0\HELPDIR]
    • "(Default)" = "%system%"
  • [HKEY_CLASSES_ROOT\Interface\{72397142-9352-4A45-99AD-2EF143072AC0}]
    • "(Default)" = "Iseticon"
  • [HKEY_CLASSES_ROOT\Interface\{72397142-9352-4A45-99AD-2EF143072AC0}\ProxyStubClsid]
    • "(Default)" = "{00020424-0000-0000-C000-000000000046}"
  • [HKEY_CLASSES_ROOT\Interface\{72397142-9352-4A45-99AD-2EF143072AC0}\ProxyStubClsid32]
    • "(Default)" = "{00020424-0000-0000-C000-000000000046}"
  • [HKEY_CLASSES_ROOT\Interface\{72397142-9352-4A45-99AD-2EF143072AC0}\TypeLib]
    • "(Default)" = "{581F1707-4AD0-4B7B-AD6E-057DB8F686F3}"
    • "Version" = "1.0"
  • [HKEY_CLASSES_ROOT\AppID\{F6136F5A-4C58-40C7-8DFC-945F5570CB79}]
    • "(Default)" = "ad"
  • [HKEY_CLASSES_ROOT\AppID\ad.DLL]
    • "AppID" = "{F6136F5A-4C58-40C7-8DFC-945F5570CB79}"
  • [HKEY_CLASSES_ROOT\ad.h.1]
    • "(Default)" = "h class"
  • [HKEY_CLASSES_ROOT\ad.h.1\CLSID]
    • "(Default)" = "{73EF2588-E4D1-4623-9B45-E0BBD6B65E9C}"
  • [HKEY_CLASSES_ROOT\ad.h]
    • "(Default)" = "h class"
  • [HKEY_CLASSES_ROOT\ad.h\CLSID]
    • "(Default)" = "{73EF2588-E4D1-4623-9B45-E0BBD6B65E9C}"
  • [HKEY_CLASSES_ROOT\ad.h\CurVer]
    • "(Default)" = "ad.h.1"
  • [HKEY_CLASSES_ROOT\CLSID\{73EF2588-E4D1-4623-9B45-E0BBD6B65E9C}]
    • "(Default)" = "h class"
  • [HKEY_CLASSES_ROOT\CLSID\{73EF2588-E4D1-4623-9B45-E0BBD6B65E9C}\ProgID]
    • "(Default)" = "ad.h.1"
  • [HKEY_CLASSES_ROOT\CLSID\{73EF2588-E4D1-4623-9B45-E0BBD6B65E9C}\VersionIndependentProgID]
    • "(Default)" = "ad.h"
  • [HKEY_CLASSES_ROOT\CLSID\{73EF2588-E4D1-4623-9B45-E0BBD6B65E9C}\InprocServer32]
    • "(Default)" = "%system%\webad.dll"
  • [HKEY_CLASSES_ROOT\CLSID\{73EF2588-E4D1-4623-9B45-E0BBD6B65E9C}\TypeLib]
    • "(Default)" = "{5A0063A5-F6E9-4947-9D1C-9300CE1BB342}"
  • [HKEY_CLASSES_ROOT\TypeLib\{5A0063A5-F6E9-4947-9D1C-9300CE1BB342}\1.0]
    • "(Default)" = "ad 1.0 类型库"
  • [HKEY_CLASSES_ROOT\TypeLib\{5A0063A5-F6E9-4947-9D1C-9300CE1BB342}\1.0\FLAGS]
    • "(Default)" = "0"
  • [HKEY_CLASSES_ROOT\TypeLib\{5A0063A5-F6E9-4947-9D1C-9300CE1BB342}\1.0\0\win32]
    • "(Default)" = "%system%\webad.dll"
  • [HKEY_CLASSES_ROOT\TypeLib\{5A0063A5-F6E9-4947-9D1C-9300CE1BB342}\1.0\HELPDIR]
    • "(Default)" = "%system%"
  • [HKEY_CLASSES_ROOT\Interface\{78D814F1-9774-4F37-B7F9-CD8F88558B53}]
    • "(Default)" = "ih"
  • [HKEY_CLASSES_ROOT\Interface\{78D814F1-9774-4F37-B7F9-CD8F88558B53}\ProxyStubClsid]
    • "(Default)" = "{00020424-0000-0000-C000-000000000046}"
  • [HKEY_CLASSES_ROOT\Interface\{78D814F1-9774-4F37-B7F9-CD8F88558B53}\ProxyStubClsid32]
    • "(Default)" = "{00020424-0000-0000-C000-000000000046}"
  • [HKEY_CLASSES_ROOT\Interface\{78D814F1-9774-4F37-B7F9-CD8F88558B53}\TypeLib]
    • "(Default)" = "{5A0063A5-F6E9-4947-9D1C-9300CE1BB342}"
    • "Version" = "1.0"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{73EF2588-E4D1-4623-9B45-E0BBD6B65E9C}]

Spreading on removable media

Win32/Adware.Hengbang.AA is adware that spreads via removable media.

The adware copies itself into the root folders of removable drives, using a filename based on the name of an existing file or folder.

Other information

Win32/Adware.Hengbang.AA is adware that redirects the results of online search engines to specific web sites.

The adware interferes with communication when any of the following sites is accessed:

  • http://www.google.cn/
  • http://www.baidu.com/

The adware affects the behavior of the following applications:

  • Internet Explorer

The user may be redirected to one of the following Internet web sites:

  • http://www.google.cn/search?q=%original_query%&sa=Google+%CB%D1%CB%F7&client=pub-9647544675692062&forid=1&prog=aff&ie=GB2312&oe=GB2312&hl=zh-CN
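The entries above give a defender two load paths to look for: the Browser Helper Object key under HKEY_LOCAL_MACHINE (which makes Internet Explorer load webad.dll) and the IconHandler shell extension registered for txtfile (which makes Explorer load iconhandle.dll whenever it draws a .txt icon). The following read-only PowerShell check is an added example, not part of this entry or of any ESET tool; it only tests for the files and registry keys listed above and reports which are present. It assumes %system% resolves to the Windows System directory of the current host and that it is run with rights sufficient to read those locations.

```powershell
# Added example: read-only check for the artifacts this entry lists.
# Nothing here modifies the system; it only reports which indicators are present.

$System32 = [Environment]::GetFolderPath('System')   # what the entry calls %system%

# File artifacts, with the sizes the entry states (bytes); $null where none is given.
$Files = @(
    @{ Path = Join-Path $System32 'web.dat';        Size = $null  },
    @{ Path = Join-Path $System32 'winweb.exe';     Size = $null  },
    @{ Path = Join-Path $System32 'webad.dll';      Size = 94208  },
    @{ Path = Join-Path $System32 'iconhandle.dll'; Size = 91648  }
)

# Registry keys that give the two DLLs a load path: the COM class registrations,
# the Browser Helper Object entry and the txtfile IconHandler shell extension.
$Keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{73EF2588-E4D1-4623-9B45-E0BBD6B65E9C}',
    'Registry::HKEY_CLASSES_ROOT\CLSID\{73EF2588-E4D1-4623-9B45-E0BBD6B65E9C}',
    'Registry::HKEY_CLASSES_ROOT\CLSID\{AEFA7E78-CF7E-4550-829F-2C786A0070BF}',
    'Registry::HKEY_CLASSES_ROOT\txtfile\shellEx\IconHandler',
    'Registry::HKEY_CLASSES_ROOT\AppID\{DD0AD1D0-6C36-4894-B38E-9E5D3392114D}',
    'Registry::HKEY_CLASSES_ROOT\AppID\{F6136F5A-4C58-40C7-8DFC-945F5570CB79}'
)

$Findings = @()

foreach ($f in $Files) {
    if (Test-Path -LiteralPath $f.Path -PathType Leaf) {
        $len = (Get-Item -LiteralPath $f.Path).Length
        $sizeNote = ''
        if ($f.Size -and $len -ne $f.Size) {
            $sizeNote = " (size $len B differs from the listed $($f.Size) B; may be another variant)"
        }
        $Findings += "File present: $($f.Path)$sizeNote"
    }
}

foreach ($k in $Keys) {
    if (Test-Path -LiteralPath $k) {
        $Findings += "Registry key present: $k"
    }
}

# For each listed CLSID, show where its in-process server resolves to, so the
# finding can be tied back to the DLL on disk. Both spellings of the subkey
# appear in the entry; the registry is case-insensitive, so one lookup covers both.
foreach ($clsid in '{73EF2588-E4D1-4623-9B45-E0BBD6B65E9C}', '{AEFA7E78-CF7E-4550-829F-2C786A0070BF}') {
    $srv = Get-ItemProperty -LiteralPath "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
    if ($srv -and $srv.'(default)') {
        $Findings += "CLSID $clsid loads $($srv.'(default)')"
    }
}

# The txtfile IconHandler is the tell-tale for the shell-extension persistence:
# report whatever CLSID sits there, not only the one this entry lists.
$ih = Get-ItemProperty -LiteralPath 'Registry::HKEY_CLASSES_ROOT\txtfile\shellEx\IconHandler' -ErrorAction SilentlyContinue
if ($ih -and $ih.'(default)') {
    $Findings += "txtfile IconHandler points to CLSID $($ih.'(default)')"
}

if ($Findings.Count -eq 0) {
    Write-Output 'No Win32/Adware.Hengbang.AA artifacts from this entry were found.'
} else {
    Write-Output "Found $($Findings.Count) indicator(s):"
    $Findings | ForEach-Object { Write-Output "  $_" }
}
```

Because the two DLLs are loaded by Explorer and Internet Explorer rather than by a process of their own, a process listing will not show them; checking the BHO key and the IconHandler registration is what reveals the persistence. Any hit should be cross-checked against the file sizes given above before the host is treated as infected with this particular variant.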
