Trojan.Funweb.A
(AdWare.Win32.FunWeb.e, Application/FunWeb)

Spreading: medium
Damage: very low
Size: ~120 KB
Discovered: 2005 Dec 14

SYMPTOMS:
Presence of the following file:
- %ProgramFiles%\FunWebProducts\Installr\[random-number].bin\F3EZSETP.DLL
Presence of the following registry keys:
- HKEY_LOCAL_MACHINE\SOFTWARE\FunWebProducts\
- HKEY_CLASSES_ROOT\FunWebProductsInstaller.Start\
- HKEY_CLASSES_ROOT\FunWebProductsInstaller.Start.1\
- HKEY_CLASSES_ROOT\CLSID\{1D4DB7D2-6EC9-47a3-BD87-1E41684E07BB}\
- HKEY_CLASSES_ROOT\TypeLib\{1D4DB7D0-6EC9-47A3-BD87-1E41684E07BB}\
- HKEY_CLASSES_ROOT\Interface\{1D4DB7D1-6EC9-47A3-BD87-1E41684E07BB}\
- HKEY_CLASSES_ROOT\Interface\{1D4DB7D3-6EC9-47A3-BD87-1E41684E07BB}\
TECHNICAL DESCRIPTION:
Once executed:
- drops a file named "F3EZSETP.DLL" in %ProgramFiles%\FunWebProducts\Installr\[random-number].bin
- registers that file as a Browser Helper Object (BHO).
- downloads components/updates from the Internet.
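
A read-only triage check for the indicators listed above, added here as an example (it is not BitDefender's own tooling). The function name Find-FunWebIndicators is hypothetical; the "Program Files (x86)" and WOW6432Node lookups are assumptions for 64-bit Windows, and the Browser Helper Objects key is the standard Internet Explorer BHO registration location.

```powershell
# Added example: read-only triage for the indicators in this description.
function Find-FunWebIndicators {
    $hits = @()
    # Registry keys listed under SYMPTOMS.
    $keys = @(
        'HKLM:\SOFTWARE\FunWebProducts',
        'Registry::HKEY_CLASSES_ROOT\FunWebProductsInstaller.Start',
        'Registry::HKEY_CLASSES_ROOT\FunWebProductsInstaller.Start.1',
        'Registry::HKEY_CLASSES_ROOT\CLSID\{1D4DB7D2-6EC9-47a3-BD87-1E41684E07BB}',
        'Registry::HKEY_CLASSES_ROOT\TypeLib\{1D4DB7D0-6EC9-47A3-BD87-1E41684E07BB}',
        'Registry::HKEY_CLASSES_ROOT\Interface\{1D4DB7D1-6EC9-47A3-BD87-1E41684E07BB}',
        'Registry::HKEY_CLASSES_ROOT\Interface\{1D4DB7D3-6EC9-47A3-BD87-1E41684E07BB}'
    )
    foreach ($k in $keys) {
        if (Test-Path -LiteralPath $k) { $hits += [pscustomobject]@{ Type = 'RegistryKey'; Value = $k } }
    }

    # Dropped DLL: [random-number] differs per install, so match any *.bin folder.
    # Assumption: on 64-bit Windows the folder may sit under "Program Files (x86)".
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ } | Select-Object -Unique
    foreach ($r in $roots) {
        $pattern = Join-Path $r 'FunWebProducts\Installr\*.bin\F3EZSETP.DLL'
        foreach ($f in @(Get-ChildItem -Path $pattern -Force -ErrorAction SilentlyContinue)) {
            $hits += [pscustomobject]@{ Type = 'File'; Value = $f.FullName }
        }
    }

    # BHO registration: resolve each registered BHO's CLSID to its in-process DLL.
    # Assumption: the WOW6432Node pair covers 32-bit registrations on 64-bit Windows.
    $views = @(
        @{ Bho   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
           Clsid = 'Registry::HKEY_CLASSES_ROOT\CLSID' },
        @{ Bho   = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
           Clsid = 'Registry::HKEY_CLASSES_ROOT\WOW6432Node\CLSID' }
    )
    foreach ($v in $views) {
        foreach ($bho in @(Get-ChildItem -LiteralPath $v.Bho -ErrorAction SilentlyContinue)) {
            $srv = "$($v.Clsid)\$($bho.PSChildName)\InprocServer32"
            $dll = (Get-ItemProperty -LiteralPath $srv -ErrorAction SilentlyContinue).'(default)'
            if ($dll -match 'F3EZSETP\.DLL') {
                $hits += [pscustomobject]@{ Type = 'BHO'; Value = "$($bho.PSChildName) -> $dll" }
            }
        }
    }
    $hits
}
Find-FunWebIndicators | Format-Table -AutoSize
```

An empty result means none of the listed indicators were found in the locations checked; the script changes nothing on the system.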
Removal instructions:
a) Please let BitDefender disinfect your files.
b) Manually delete the following file:
- %ProgramFiles%\FunWebProducts\Installr\[random-number].bin\F3EZSETP.DLL
and the following registry keys:
- HKEY_LOCAL_MACHINE\SOFTWARE\FunWebProducts\
- HKEY_CLASSES_ROOT\FunWebProductsInstaller.Start\
- HKEY_CLASSES_ROOT\FunWebProductsInstaller.Start.1\
- HKEY_CLASSES_ROOT\CLSID\{1D4DB7D2-6EC9-47a3-BD87-1E41684E07BB}\
- HKEY_CLASSES_ROOT\TypeLib\{1D4DB7D0-6EC9-47A3-BD87-1E41684E07BB}\
- HKEY_CLASSES_ROOT\Interface\{1D4DB7D1-6EC9-47A3-BD87-1E41684E07BB}\
- HKEY_CLASSES_ROOT\Interface\{1D4DB7D3-6EC9-47A3-BD87-1E41684E07BB}\
ANALYZED BY:
Sorin Ciorceri, virus researcher