Win32/Adware.Hengbang [Threat Name]
Win32/Adware.Hengbang.AA [Threat Variant Name]
| Category | adware |
| Size | 431104 B |
| Signature database version | 5368 (Aug 15, 2010) |
| Aliases | Worm.Win32.AutoRun.ibh (Kaspersky), TrojanDropper:Win32/Henbang.A (Microsoft), Adware.Henbang (Symantec) |
Short description
Win32/Adware.Hengbang.AA is adware that redirects the results of online search engines to specific web sites. It is able to spread via removable media.
Installation
When executed, the adware copies itself to the following locations:
- %system%\web.dat
- %system%\winweb.exe
The adware creates the following files:
- %system%\webad.dll (94208 B, Win32/Adware.Hengbang.AA)
- %system%\iconhandle.dll (91648 B, Win32/Adware.Hengbang.AA)
The following Registry entries are set:
- [HKEY_CLASSES_ROOT\AppID\{DD0AD1D0-6C36-4894-B38E-9E5D3392114D}]
- "(Default)" = "iconhandle"
- [HKEY_CLASSES_ROOT\AppID\iconhandle.DLL]
- "AppID" = "{DD0AD1D0-6C36-4894-B38E-9E5D3392114D}"
- [HKEY_CLASSES_ROOT\iconhandle.seticon.1]
- "(Default)" = "seticon Class"
- [HKEY_CLASSES_ROOT\iconhandle.seticon.1\CLSID]
- "(Default)" = "{AEFA7E78-CF7E-4550-829F-2C786A0070BF}"
- [HKEY_CLASSES_ROOT\iconhandle.seticon]
- "(Default)" = "seticon Class"
- [HKEY_CLASSES_ROOT\iconhandle.seticon\CLSID]
- "(Default)" = "{AEFA7E78-CF7E-4550-829F-2C786A0070BF}"
- [HKEY_CLASSES_ROOT\iconhandle.seticon\CurVer]
- "(Default)" = "iconhandle.seticon.1"
- [HKEY_CLASSES_ROOT\CLSID\{AEFA7E78-CF7E-4550-829F-2C786A0070BF}]
- "(Default)" = "seticon Class"
- [HKEY_CLASSES_ROOT\CLSID\{AEFA7E78-CF7E-4550-829F-2C786A0070BF}\ProgID]
- "(Default)" = "iconhandle.seticon.1"
- [HKEY_CLASSES_ROOT\CLSID\{AEFA7E78-CF7E-4550-829F-2C786A0070BF}\VersionIndependentProgID]
- "(Default)" = "iconhandle.seticon"
- [HKEY_CLASSES_ROOT\CLSID\{AEFA7E78-CF7E-4550-829F-2C786A0070BF}\InProcServer32]
- "(Default)" = "%system%\iconhandle.dll"
- "ThreadingModel" = "Apartment"
- [HKEY_CLASSES_ROOT\CLSID\{AEFA7E78-CF7E-4550-829F-2C786A0070BF}\TypeLib]
- "(Default)" = "{581F1707-4AD0-4B7B-AD6E-057DB8F686F3}"
- [HKEY_CLASSES_ROOT\txtfile\shellEx\IconHandler]
- "(Default)" = "{AEFA7E78-CF7E-4550-829F-2C786A0070BF}"
- [HKEY_CLASSES_ROOT\TypeLib\{581F1707-4AD0-4B7B-AD6E-057DB8F686F3}\1.0]
- "(Default)" = "iconhandle 类型库"
- [HKEY_CLASSES_ROOT\TypeLib\{581F1707-4AD0-4B7B-AD6E-057DB8F686F3}\1.0\FLAGS]
- "(Default)" = "0"
- [HKEY_CLASSES_ROOT\TypeLib\{581F1707-4AD0-4B7B-AD6E-057DB8F686F3}\1.0\0\win32]
- "(Default)" = "%system%\iconhandle.dll"
- [HKEY_CLASSES_ROOT\TypeLib\{581F1707-4AD0-4B7B-AD6E-057DB8F686F3}\1.0\HELPDIR]
- "(Default)" = "%system%"
- [HKEY_CLASSES_ROOT\Interface\{72397142-9352-4A45-99AD-2EF143072AC0}]
- "(Default)" = "Iseticon"
- [HKEY_CLASSES_ROOT\Interface\{72397142-9352-4A45-99AD-2EF143072AC0}\ProxyStubClsid]
- "(Default)" = "{00020424-0000-0000-C000-000000000046}"
- [HKEY_CLASSES_ROOT\Interface\{72397142-9352-4A45-99AD-2EF143072AC0}\ProxyStubClsid32]
- "(Default)" = "{00020424-0000-0000-C000-000000000046}"
- [HKEY_CLASSES_ROOT\Interface\{72397142-9352-4A45-99AD-2EF143072AC0}\TypeLib]
- "(Default)" = "{581F1707-4AD0-4B7B-AD6E-057DB8F686F3}"
- "Version" = "1.0"
- [HKEY_CLASSES_ROOT\AppID\{F6136F5A-4C58-40C7-8DFC-945F5570CB79}]
- "(Default)" = "ad"
- [HKEY_CLASSES_ROOT\AppID\ad.DLL]
- "AppID" = "{F6136F5A-4C58-40C7-8DFC-945F5570CB79}"
- [HKEY_CLASSES_ROOT\ad.h.1]
- "(Default)" = "h class"
- [HKEY_CLASSES_ROOT\ad.h.1\CLSID]
- "(Default)" = "{73EF2588-E4D1-4623-9B45-E0BBD6B65E9C}"
- [HKEY_CLASSES_ROOT\ad.h]
- "(Default)" = "h class"
- [HKEY_CLASSES_ROOT\ad.h\CLSID]
- "(Default)" = "{73EF2588-E4D1-4623-9B45-E0BBD6B65E9C}"
- [HKEY_CLASSES_ROOT\ad.h\CurVer]
- "(Default)" = "ad.h.1"
- [HKEY_CLASSES_ROOT\CLSID\{73EF2588-E4D1-4623-9B45-E0BBD6B65E9C}]
- "(Default)" = "h class"
- [HKEY_CLASSES_ROOT\CLSID\{73EF2588-E4D1-4623-9B45-E0BBD6B65E9C}\ProgID]
- "(Default)" = "ad.h.1"
- [HKEY_CLASSES_ROOT\CLSID\{73EF2588-E4D1-4623-9B45-E0BBD6B65E9C}\VersionIndependentProgID]
- "(Default)" = "ad.h"
- [HKEY_CLASSES_ROOT\CLSID\{73EF2588-E4D1-4623-9B45-E0BBD6B65E9C}\InprocServer32]
- "(Default)" = "%system%\webad.dll"
- [HKEY_CLASSES_ROOT\CLSID\{73EF2588-E4D1-4623-9B45-E0BBD6B65E9C}\TypeLib]
- "(Default)" = "{5A0063A5-F6E9-4947-9D1C-9300CE1BB342}"
- [HKEY_CLASSES_ROOT\TypeLib\{5A0063A5-F6E9-4947-9D1C-9300CE1BB342}\1.0]
- "(Default)" = "ad 1.0 类型库"
- [HKEY_CLASSES_ROOT\TypeLib\{5A0063A5-F6E9-4947-9D1C-9300CE1BB342}\1.0\FLAGS]
- "(Default)" = "0"
- [HKEY_CLASSES_ROOT\TypeLib\{5A0063A5-F6E9-4947-9D1C-9300CE1BB342}\1.0\0\win32]
- "(Default)" = "%system%\webad.dll"
- [HKEY_CLASSES_ROOT\TypeLib\{5A0063A5-F6E9-4947-9D1C-9300CE1BB342}\1.0\HELPDIR]
- "(Default)" = "%system%"
- [HKEY_CLASSES_ROOT\Interface\{78D814F1-9774-4F37-B7F9-CD8F88558B53}]
- "(Default)" = "ih"
- [HKEY_CLASSES_ROOT\Interface\{78D814F1-9774-4F37-B7F9-CD8F88558B53}\ProxyStubClsid]
- "(Default)" = "{00020424-0000-0000-C000-000000000046}"
- [HKEY_CLASSES_ROOT\Interface\{78D814F1-9774-4F37-B7F9-CD8F88558B53}\ProxyStubClsid32]
- "(Default)" = "{00020424-0000-0000-C000-000000000046}"
- [HKEY_CLASSES_ROOT\Interface\{78D814F1-9774-4F37-B7F9-CD8F88558B53}\TypeLib]
- "(Default)" = "{5A0063A5-F6E9-4947-9D1C-9300CE1BB342}"
- "Version" = "1.0"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{73EF2588-E4D1-4623-9B45-E0BBD6B65E9C}]
Spreading on removable media
Win32/Adware.Hengbang.AA is adware that spreads via removable media.
The adware copies itself into the root folders of removable drives using a filename based on the name of an existing file or folder.
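The artifacts listed in the Installation and Spreading sections above can be checked on a host from an elevated PowerShell prompt. The script below is an added example written for this description, not ESET's own tooling; it uses only the file names, sizes and CLSIDs given above, maps %system% to $env:SystemRoot\System32, and for the removable-media check assumes one common form of the lure (an .exe in the drive root whose base name matches an existing folder there), which is an assumption about the behaviour described.

```powershell
# Added example: looks for the Win32/Adware.Hengbang.AA artifacts described above.
$sys       = "$env:SystemRoot\System32"                 # %system% in the description
$bhoClsid  = '{73EF2588-E4D1-4623-9B45-E0BBD6B65E9C}'   # webad.dll, registered as a BHO
$iconClsid = '{AEFA7E78-CF7E-4550-829F-2C786A0070BF}'   # iconhandle.dll, txtfile IconHandler
$findings  = New-Object System.Collections.Generic.List[string]

# 1. Dropped files; sizes are the ones the description gives for the two DLLs
$expected = @{ 'webad.dll' = 94208; 'iconhandle.dll' = 91648; 'winweb.exe' = $null; 'web.dat' = $null }
foreach ($name in $expected.Keys) {
    $path = Join-Path $sys $name
    if (Test-Path -LiteralPath $path) {
        $len  = (Get-Item -LiteralPath $path).Length
        $note = if ($expected[$name] -and $len -eq $expected[$name]) { ' (size matches)' } else { '' }
        $findings.Add("file present: $path$note")
    }
}

# 2. COM in-process servers for the two CLSIDs (registry key names are case-insensitive)
foreach ($clsid in $bhoClsid, $iconClsid) {
    $srv = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
    if ($srv) { $findings.Add("CLSID $clsid InprocServer32 = $($srv.'(default)')") }
}

# 3. Browser Helper Object registration, which makes Internet Explorer load webad.dll
$bhoKey = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$bhoClsid"
if (Test-Path -LiteralPath $bhoKey) { $findings.Add("BHO registered: $bhoClsid") }

# 4. IconHandler on the txtfile class: Explorer loads the handler DLL whenever it draws a .txt icon
$ih = Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\txtfile\shellEx\IconHandler' -ErrorAction SilentlyContinue
if ($ih -and $ih.'(default)' -eq $iconClsid) { $findings.Add("txtfile IconHandler points to $iconClsid") }

# 5. Removable drives (DriveType 2): an .exe in the root named after a folder that sits next to it
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
    $root = $_.DeviceID + '\'
    $dirs = Get-ChildItem -LiteralPath $root -Directory -Force -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty Name
    Get-ChildItem -LiteralPath $root -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -eq '.exe' -and $dirs -contains $_.BaseName } |
        ForEach-Object { $findings.Add("removable-drive lure candidate: $($_.FullName)") }
}

if ($findings.Count -gt 0) { $findings | ForEach-Object { Write-Warning $_ } }
else { 'no Win32/Adware.Hengbang.AA artifacts found' }
```

A hit on checks 3 or 4 alone is worth examining even when the files in check 1 are absent, since the registry entries outlive a deleted DLL and point at what was loaded.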
Other information
Win32/Adware.Hengbang.AA is adware that redirects the results of online search engines to specific web sites.
The adware interferes with communication when any of the following sites is accessed:
- http://www.google.cn/
- http://www.baidu.com/
The adware affects the behavior of the following applications:
- Internet Explorer
The user may be redirected to one of the following Internet web sites:
- http://www.google.cn/search?q=%original_query%&sa=Google+%CB%D1%CB%F7&client=pub-9647544675692062&forid=1&prog=aff&ie=GB2312&oe=GB2312&hl=zh-CN