Threat behavior
Spyware:Win32/SafeSurfing is a multi-component program that may generate a number of pop-up advertisements, redirect Web browser activity, and dynamically return non-contextual advertisements based on search keywords entered into the browser by an affected user.
Installation
Win32/SafeSurfing may be present on an affected system using any of the following file names:
<system folder>\installerv5.exe
<system folder>\installerv5a.exe
<system folder>\irasyncd.exe
<system folder>\lanbrup.exe
<system folder>\netsync.exe
<system folder>\netverchk.exe
<system folder>\richup.exe
<system folder>\rsmuninst.exe
<system folder>\trafficsector_installerv5a.exe
<system folder>\trafficsector_installerv5b.exe
<system folder>\irsmpknl.dll
<system folder>\irismon.dll
<system folder>\mpbwmnhb.dll
<system folder>\rastmon.dll
<system folder>\redtrsha.dll
<system folder>\richedtr.dll
<system folder>\rsyncmon.dll
<system folder>\tcblkclp.dll
<system folder>\vbrundll.dll
When this program is installed, the registry is modified to run a copy of Win32/SafeSurfing at each Windows start, as in the following example:
Adds value: irasyncd
With data: <system folder>\irasyncd.exe
To subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Additional registry entries may be created so that Win32/SafeSurfing is loaded as a Browser Helper Object (BHO) when a Web browser is launched. Examples of registry keys added during an installation of Win32/SafeSurfing are listed below:
HKEY_CLASSES_ROOT\Var3.RsyncHlpr
HKEY_CLASSES_ROOT\Var3.RsyncHlpr.1
HKEY_CLASSES_ROOT\CLSID\{16B238D5-80DE-47CE-8F17-B3ECE2C2248D}
HKEY_CLASSES_ROOT\CLSID\{F79A2C4B-8776-4ED7-8B2F-4786A4A3500A}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{95C60327-8E17-44D6-98EB-7EB70CC606DD}
HKEY_LOCAL_MACHINE\Software\Classes\Var9.IRiras.1
HKEY_LOCAL_MACHINE\Software\Classes\Var9.IRiras
HKEY_LOCAL_MACHINE\SoftWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{16B238D5-80DE-47CE-8F17-B3ECE2C2248D}
HKEY_LOCAL_MACHINE\SoftWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{197B8CA4-E215-46DD-8F33-E0544A80E5C4}
HKEY_LOCAL_MACHINE\SoftWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{71D1708F-973D-4600-AF01-AD86688403AE}
HKEY_LOCAL_MACHINE\SoftWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95C60327-8E17-44D6-98EB-7EB70CC606DD}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\RASmon
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\RSyncMon
HKEY_LOCAL_MACHINE\Software\RASmon
HKEY_LOCAL_MACHINE\Software\RSyncMon
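The following PowerShell script is an added defender-side check, not part of this encyclopedia entry or of any Microsoft tool. It takes the file names, the Run-key persistence and the BHO CLSIDs and registry keys listed above, and reports which of them are present on the machine it is run on. Assumptions: it is run from an elevated prompt, the system folder is whatever [Environment]::SystemDirectory returns, and on 64-bit Windows the Wow6432Node copy of the Browser Helper Objects key is also checked, since that is where a 32-bit BHO is registered; nothing is removed.

```powershell
# Added example: inventory the Win32/SafeSurfing artifacts listed in the entry.
# Read-only; run from an elevated PowerShell prompt.

$SystemFolder = [Environment]::SystemDirectory   # e.g. C:\Windows\System32

# File names taken from the entry.
$FileNames = @(
    'installerv5.exe','installerv5a.exe','irasyncd.exe','lanbrup.exe',
    'netsync.exe','netverchk.exe','richup.exe','rsmuninst.exe',
    'trafficsector_installerv5a.exe','trafficsector_installerv5b.exe',
    'irsmpknl.dll','irismon.dll','mpbwmnhb.dll','rastmon.dll','redtrsha.dll',
    'richedtr.dll','rsyncmon.dll','tcblkclp.dll','vbrundll.dll'
)

# BHO CLSIDs taken from the entry.
$BhoClsids = @(
    '{16B238D5-80DE-47CE-8F17-B3ECE2C2248D}',
    '{197B8CA4-E215-46DD-8F33-E0544A80E5C4}',
    '{71D1708F-973D-4600-AF01-AD86688403AE}',
    '{95C60327-8E17-44D6-98EB-7EB70CC606DD}'
)

# Other registry keys taken from the entry (HKCR has no drive by default, so use the provider path).
$KnownKeys = @(
    'Registry::HKEY_CLASSES_ROOT\Var3.RsyncHlpr',
    'Registry::HKEY_CLASSES_ROOT\Var3.RsyncHlpr.1',
    'Registry::HKEY_CLASSES_ROOT\CLSID\{16B238D5-80DE-47CE-8F17-B3ECE2C2248D}',
    'Registry::HKEY_CLASSES_ROOT\CLSID\{F79A2C4B-8776-4ED7-8B2F-4786A4A3500A}',
    'HKLM:\Software\Classes\CLSID\{95C60327-8E17-44D6-98EB-7EB70CC606DD}',
    'HKLM:\Software\Classes\Var9.IRiras',
    'HKLM:\Software\Classes\Var9.IRiras.1',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\RASmon',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\RSyncMon',
    'HKLM:\Software\RASmon',
    'HKLM:\Software\RSyncMon'
)

$Findings = @()

# 1. Dropped files in the system folder.
foreach ($name in $FileNames) {
    $path = Join-Path $SystemFolder $name
    if (Test-Path -LiteralPath $path) {
        $Findings += [pscustomobject]@{ Type = 'File'; Location = $path; Detail = 'listed SafeSurfing file name' }
    }
}

# 2. Run-key values whose command line references one of the listed file names.
$RunKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$PsMeta = @('PSPath','PSParentPath','PSChildName','PSDrive','PSProvider')   # provider metadata, not real values
if (Test-Path -LiteralPath $RunKey) {
    foreach ($prop in (Get-ItemProperty -LiteralPath $RunKey).PSObject.Properties) {
        if ($PsMeta -contains $prop.Name) { continue }
        foreach ($name in $FileNames) {
            if ([string]$prop.Value -like "*$name*") {
                $Findings += [pscustomobject]@{ Type = 'RunValue'; Location = "$RunKey\$($prop.Name)"; Detail = [string]$prop.Value }
            }
        }
    }
}

# 3. BHO registrations matching a listed CLSID; resolve the DLL each one would load.
$BhoRoots = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'  # 32-bit IE on 64-bit Windows (assumption)
)
foreach ($root in $BhoRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    foreach ($sub in (Get-ChildItem -LiteralPath $root)) {
        $clsid = $sub.PSChildName
        if ($BhoClsids -contains $clsid) {
            $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
            $dll = if (Test-Path -LiteralPath $inproc) { (Get-ItemProperty -LiteralPath $inproc).'(default)' } else { '<no InprocServer32>' }
            $Findings += [pscustomobject]@{ Type = 'BHO'; Location = "$root\$clsid"; Detail = "loads $dll" }
        }
    }
}

# 4. Remaining class, uninstall and vendor keys.
foreach ($key in $KnownKeys) {
    if (Test-Path -LiteralPath $key) {
        $Findings += [pscustomobject]@{ Type = 'RegKey'; Location = $key; Detail = 'listed SafeSurfing key present' }
    }
}

if ($Findings.Count -eq 0) {
    Write-Host 'No Win32/SafeSurfing artifacts from the entry were found.'
} else {
    $Findings | Format-Table -AutoSize
}
```

Because the Run-key check matches on the file names rather than on the single irasyncd value shown in the example, it also flags a variant that persists through one of the other listed executables. The BHO check reports the DLL behind each matching CLSID so that the file and the registration can be correlated before any cleanup.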
Analysis by Jireh Sanico
Prevention