Installation
Win32/Zwangi creates folders and files using the following format:
- Folder:
- File names:
- <Screen name>.dll
- <Screen name>.exe
- Uninstall.exe
where <Screen name> can be any of the names listed below:
- BarDiscover
- BarQuery
- BasicScan
- BrowserDiscover
- BrowserQuery
- BrowserQuest
- BrowserSeek
- BrowserZinc
- Findbasic
- FindXplorer
- Kwanzy
- KwinzySrch
- QueryBar
- QueryBrowse
- QueryBrowser
- QueryBrwSearch
- QueryExplorer
- QueryScan
- QueryService
- QuestBasic
- QuestBrowse
- QuestBrowser
- QuestBrwSearch
- QuestDns
- QuestResult
- QuestScan
- QuestService
- QuestUrl
- ResulCmd
- ResultBar
- ResultBrowse
- ResultBrowser
- ResultDns
- ResultScan
- ResultTool
- ResultUrl
- ScanBasic
- ScanQuery
- Seekapp
- SeekappSrch
- SeekDns
- SeekeenSrch
- SeekService
- SpaceQuery
- TabDiscover
- TabQuery
- Weemi
- WinkZink
- Wyeke
- Wyyo
- ZinkSeek
- Zinkzo
- Zwangie
- ZwangiSearch
- ZwangiSrch
- ZwankySearch
- Zwunzi
For example:
- Folders:
- Files:
- zwangi.dll
- zwangi.exe
- uninstall.exe
- Folders:
- Files:
- questbrwsearch.dll
- questbrwsearch.exe
- uninstall.exe
You can see some examples of the different names used by Win32/Zwangi in its Uninstall Wizard dialogs below:
It also drops a file under the %APPDATA%\<Screen name> folder. The name of this initial dropped file also depends on the screen name and the software version; it uses the following format:
- <Screen name><version>.exe
For example:
- zwangi127.exe
- questbrowse126.exe
Win32/Zwangi then creates the following registry entries as part of its installation routine:
In subkey: HKLM\Software\<Screen name>
Sets value: "Cid"
With data: " 15bf554626ae4a81a3a9a064ccdac23c"
Sets value: "DllPath"
With data: "%ProgramFiles%\<Screen name>\<Screen name>.dll"
Sets value: "Partner"
With data: "<Screen name><version>"
Sets value: "Primary"
With data: "23, 35, 00, 00"
Sets value: "ShowBarSign"
With data: "00, 00, 00, 00"
Sets value: "ShowToolbarButton"
With data: "00, 00, 00, 00"
Sets value: "Src"
With data: "<Screen name>"
Sets value: "Version"
With data: "1B, 00, 01, 00"
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\<Screen name>
Sets value: "DisplayName"
With data: "<Screen name> <version> <build number>"
Win32/Zwangi installs itself as a service by creating the following registry keys and their associated entries (DWORD data is shown as the little-endian byte listing used throughout this entry):
Adds subkey: HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_<Screen name>_SERVICE
In subkey: HKLM\SYSTEM\ControlSet001\Services\ZwangiSearch Service
Sets value: "Description"
With data: "Update and control for <Screen name>"
Sets value: "DisplayName"
With data: "<Screen name>Search Service"
Sets value: "ErrorControl"
With data: "00, 00, 00, 00" (SERVICE_ERROR_IGNORE)
Sets value: "ImagePath"
With data: "%APPDATA%\<Screen name>Search\<Screen name><version>.exe" "%ProgramFiles%\<Screen name>Search\<Screen name>.dll"
Sets value: "ObjectName"
With data: "LocalSystem" (the service runs as SYSTEM)
Sets value: "Start"
With data: "02, 00, 00, 00" (SERVICE_AUTO_START: started at boot)
Sets value: "Type"
With data: "10, 00, 00, 00" (0x10, SERVICE_WIN32_OWN_PROCESS)
Note that the service image lives under the user's %APPDATA% profile rather than a system directory, runs as LocalSystem, and is launched with the %ProgramFiles% DLL path as its command-line argument. A service whose ImagePath points into a user profile is a useful hunting signal on its own.
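The installation artifacts above (the `HKLM\Software\<Screen name>` value set, the `<Screen name><version>.exe` / `<Screen name>.dll` naming, and the LocalSystem auto-start service) can be turned into a small offline matcher. The block below is an added example and is not code from the Microsoft encyclopedia entry; it runs against constructed records that mimic what a registry or service export would give you. The `SoftwareKey` and `Service` record types, the `scan` helper, the sample data, the subset of screen names, and the decision to accept both the `%APPDATA%\<Screen name>` and `%APPDATA%\<Screen name>Search` folder forms the page gives are this example's own assumptions.

```python
import re
from dataclasses import dataclass

# Subset of the <Screen name> list from the page (lower-cased for matching).
# "Zwangi" itself is not in the list but appears in the page's file examples.
SCREEN_NAMES = {n.lower() for n in (
    "BarDiscover", "BrowserQuest", "QuestBrowse", "QuestBrwSearch", "ResultBar",
    "Seekapp", "Weemi", "Zwangi", "Zwangie", "ZwangiSearch", "Zwunzi",
)}

# Service constants from winnt.h / winsvc.h, used to decode Start and Type.
SERVICE_AUTO_START = 0x2
SERVICE_WIN32_OWN_PROCESS = 0x10

# Value names the page lists under HKLM\Software\<Screen name>.
ZWANGI_VALUES = {"Cid", "DllPath", "Partner", "Primary", "ShowBarSign",
                 "ShowToolbarButton", "Src", "Version"}

# ImagePath layout from the page, matched against a lower-cased string:
#   "%APPDATA%\<name>[Search]\<name><version>.exe" "%ProgramFiles%\<name>[Search]\<name>.dll"
# The backreferences force the same <Screen name> in all four positions.
IMAGEPATH_RE = re.compile(
    r'^"?%appdata%\\(?P<name>[a-z]+)(?:search)?\\(?P=name)(?P<ver>\d+)\.exe"?\s+'
    r'"?%programfiles%\\(?P=name)(?:search)?\\(?P=name)\.dll"?$'
)


def reg_dword(text: str) -> int:
    """Decode the 'XX, XX, XX, XX' little-endian byte listing used for REG_DWORD data."""
    return int.from_bytes(bytes(int(b, 16) for b in text.split(",")), "little")


@dataclass
class SoftwareKey:          # assumed record shape, e.g. from a registry export
    path: str               # e.g. r"HKLM\Software\QuestBrowse"
    values: dict            # value name -> data, as strings


@dataclass
class Service:              # assumed record shape, e.g. from a service enumeration
    name: str
    image_path: str
    object_name: str
    start: str              # raw DWORD listing, e.g. "02, 00, 00, 00"
    service_type: str


def check_software_key(key: SoftwareKey) -> list[str]:
    """Flag HKLM\\Software\\<Screen name> keys carrying the Zwangi value set."""
    name = key.path.rsplit("\\", 1)[-1]
    hits = ZWANGI_VALUES & set(key.values)
    findings = []
    if name.lower() in SCREEN_NAMES and len(hits) >= 4:
        findings.append(f"{key.path}: known screen name with Zwangi values {sorted(hits)}")
    expected_dll = f"%programfiles%\\{name}\\{name}.dll".lower()
    if key.values.get("DllPath", "").lower() == expected_dll:
        findings.append(f"{key.path}: DllPath follows the <Screen name>\\<Screen name>.dll layout")
    return findings


def check_service(svc: Service) -> list[str]:
    """Flag a service whose ImagePath follows the dropper+DLL layout, then record the
    persistence traits the page lists (LocalSystem, auto-start, own process)."""
    m = IMAGEPATH_RE.match(svc.image_path.lower())
    if not m:
        return []
    name = m.group("name")
    findings = [f"{svc.name}: ImagePath matches Zwangi layout (screen name '{name}', version {m.group('ver')})"]
    if name in SCREEN_NAMES:
        findings.append(f"{svc.name}: '{name}' is a known Zwangi screen name")
    if svc.object_name.lower() == "localsystem":
        findings.append(f"{svc.name}: runs as LocalSystem")
    if reg_dword(svc.start) == SERVICE_AUTO_START:
        findings.append(f"{svc.name}: Start=2 (SERVICE_AUTO_START)")
    if reg_dword(svc.service_type) == SERVICE_WIN32_OWN_PROCESS:
        findings.append(f"{svc.name}: Type=0x10 (SERVICE_WIN32_OWN_PROCESS)")
    return findings


def scan(keys: list[SoftwareKey], services: list[Service]) -> list[str]:
    """Run both checks over a host's exported keys and services."""
    out: list[str] = []
    for k in keys:
        out += check_software_key(k)
    for s in services:
        out += check_service(s)
    return out


# Constructed sample data (not from a real host): one infected set plus benign noise.
SAMPLE_KEYS = [
    SoftwareKey(r"HKLM\Software\QuestBrowse", {
        "Cid": "15bf554626ae4a81a3a9a064ccdac23c",
        "DllPath": r"%ProgramFiles%\QuestBrowse\QuestBrowse.dll",
        "Partner": "QuestBrowse126", "Primary": "23, 35, 00, 00",
        "ShowBarSign": "00, 00, 00, 00", "ShowToolbarButton": "00, 00, 00, 00",
        "Src": "QuestBrowse", "Version": "1B, 00, 01, 00"}),
    SoftwareKey(r"HKLM\Software\Microsoft", {"DllPath": "unrelated"}),
]
SAMPLE_SERVICES = [
    Service("QuestBrowse Service",
            r'"%APPDATA%\QuestBrowse\questbrowse126.exe" "%ProgramFiles%\QuestBrowse\questbrowse.dll"',
            "LocalSystem", "02, 00, 00, 00", "10, 00, 00, 00"),
    Service("wuauserv", r"%SystemRoot%\system32\svchost.exe -k netsvcs",
            "LocalSystem", "02, 00, 00, 00", "20, 00, 00, 00"),
]

if __name__ == "__main__":
    for line in scan(SAMPLE_KEYS, SAMPLE_SERVICES):
        print(line)
```

The ImagePath regex is the strongest single signal: it ties the `%APPDATA%` dropper, its numeric version suffix and the `%ProgramFiles%` DLL argument to one screen name, so a benign service such as `svchost.exe -k netsvcs` never matches even though it also runs as LocalSystem with auto-start. The registry-value check is deliberately tolerant (four of the eight listed values) because samples of different versions do not always set every value.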
In the wild, we have observed Win32/Zwangi running on the following browsers:
- Firefox 3.6
- Google Chrome Beta
- Internet Explorer 6
- Internet Explorer 7
- Internet Explorer 8
Program behavior
Changes browsing behavior
When you type keywords into the browser address bar (the location where a URL is normally entered), Win32/Zwangi treats the address bar as an Internet search box and opens a search results page on one of its own websites, such as:
- questbrowse.com
- weemi.com
- zwangi.com
Win32/Zwangi may also replace or override the error page that the browser normally displays when a web address cannot be resolved. (The original entry labels this "HTTP error 404"; strictly, an unresolvable host name is a DNS failure, whereas 404 is the "Not Found" status returned by a server that was reached.)
Displays pop-up messages
Win32/Zwangi might display pop-up messages related to the following keywords:
- agent
- agente
- amo
- amore
- amour
- arte
- artes
- arts
- asta
- auction
- auktion
- book
- boutique
- call
- chat
- chiesa
- church
- cia
- ciao
- ciaq
- club
- clube
- compare
- dds
- deporte
- ditta
- dvd
- eglise
- enchere
- escola
- escuela
- esporte
- famiglia
- familia
- familie
- famille
- family
- find
- free
- game
- ges
- gmbh
- golf
- gratis
- gratuit
- hola
- iglesia
- igreja
- inc
- jeu
- jogo
- juego
- kids
- kirche
- kunst
- laden
- law
- legge
- lei
- leilao
- ley
- liebe
- llc
- llp
- loi
- loja
- love
- ltd
- makler
- map
- med
- movie
- mp3
- phone
- recht
- reise
- resto
- school
- schule
- scifi
- scuola
- search
- shop
- soc
- spiel
- sport
- stock
- subasta
- tec
- tech
- tel
- test
- tienda
- travel
- turismo
- verein
- viagem
- viaje
- video
- voyage
- weather
Analysis by Michael Johnson, Zarestel Ferrer & Wei Li