
Adware:Win32/SideSearch


Adware:Win32/SideSearch is a Web Browser Helper Object (BHO) that inserts "sponsored links" to the left of retrieved search engine results in a search results page.


What to do now

Adware:Win32/SideSearch may place an uninstaller entry in "Add or Remove Programs" in Control Panel. The entry may be named "MySideSearch Assistant" or similar. If an uninstaller is not available or if you do not want to use the uninstaller that is provided, use Microsoft Windows Defender or another up-to-date scanning and removal tool to detect and remove Adware:Win32/SideSearch and other unwanted software from your computer. For more information, see http://www.microsoft.com/protect/products/computer/default.mspx.

Threat behavior

Adware:Win32/SideSearch is a Web Browser Helper Object (BHO) that inserts "sponsored links" to the left of retrieved search engine results in a search results page.
Installation
Adware:Win32/SideSearch may be installed via a Nullsoft Installation (NSIS) application. Once run, it may install several components and register itself as a BHO. The installer may also create an add-on Internet Explorer toolbar named “Ad Panel”.
 
The following files may be created:
<system folder>\mysidesearch_sidebar.dll
<system folder>\mysidesearch_sidebar_uninstall.exe
 
The following registry subkeys may be created:
HKEY_CURRENT_USER\Software\MySidesearch\affiliate
HKEY_LOCAL_MACHINE\Software\Classes\AppID\{8D71EEB8-A1A7-4733-8FA2-1CAC015C967D}
HKEY_LOCAL_MACHINE\Software\Classes\AppID\Sidebar.DLL
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{C0B0250E-ED5D-4234-802D-AC0DA30CEC25}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{DDFA1356-E6ED-42a5-9D62-93211D424A90}
HKEY_LOCAL_MACHINE\Software\Classes\Sidepanel.Panel.1
HKEY_LOCAL_MACHINE\Software\Classes\TypeLib\{C6416898-DF97-4013-B22E-0A5D2A98DDF4}\1.0\
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DDFA1356-E6ED-42a5-9D62-93211D424A90}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\MySidesearchSearchAssistant
 
When using a search engine, Win32/SideSearch displays a list of links on the left side of search results in Internet Explorer as "sponsored links". In some cases, the first link in the list displayed is the one that is actually sponsored by the search engine itself, with the following links being inserted by Win32/SideSearch. In other cases, all of the sponsored links are inserted into the results page by Win32/SideSearch.
 
When the user clicks on any of the sponsored links shown by SideSearch, it sends the information that the user is searching for to a remote location. In the wild, SideSearch has been observed contacting the following domains:
  • searchtons.com
  • search.epicentersearch.com
  • sassysearch.com
 
The following images display the links inserted by this program into search results.
Example search for the phrase "krispy crème", without Win32/SideSearch: [image]
Example search for the phrase "krispy crème", with Win32/SideSearch installed: [image]
 
Analysis by Durga Kumar Varanasi

Symptoms

System Changes
The following system changes may indicate the presence of Adware:Win32/SideSearch:
  • Presence of the following files:
    <system folder>\mysidesearch_sidebar.dll
    <system folder>\mysidesearch_sidebar_uninstall.exe
  • Presence of an entry in "Add or Remove Programs" named "MySideSearch Assistant" or similar
  • Presence of the following registry subkeys:
    HKEY_CURRENT_USER\Software\MySidesearch\affiliate
    HKEY_LOCAL_MACHINE\Software\Classes\AppID\{8D71EEB8-A1A7-4733-8FA2-1CAC015C967D}
    HKEY_LOCAL_MACHINE\Software\Classes\AppID\Sidebar.DLL
    HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{C0B0250E-ED5D-4234-802D-AC0DA30CEC25}
    HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{DDFA1356-E6ED-42a5-9D62-93211D424A90}
    HKEY_LOCAL_MACHINE\Software\Classes\Sidepanel.Panel.1
    HKEY_LOCAL_MACHINE\Software\Classes\TypeLib\{C6416898-DF97-4013-B22E-0A5D2A98DDF4}\1.0\
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DDFA1356-E6ED-42a5-9D62-93211D424A90}
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\MySidesearchSearchAssistant
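
The system changes listed above can be checked with a short PowerShell script. This is an added example, not part of the original entry or a Microsoft tool; the file names and registry subkeys are taken from the list above, while the SysWOW64 and WOW6432Node locations are an added assumption to cover 32-bit redirection on 64-bit Windows.

```powershell
# Added example: reports which of the SideSearch files and registry subkeys
# listed in this entry are present on the local computer.
# Assumption (not in the original list): on 64-bit Windows a 32-bit installer is
# redirected to SysWOW64 and HKLM\Software\WOW6432Node, so both views are checked.

$fileNames  = 'mysidesearch_sidebar.dll', 'mysidesearch_sidebar_uninstall.exe'
$systemDirs = 'System32', 'SysWOW64' | ForEach-Object { Join-Path $env:SystemRoot $_ }

# HKCU covers only the user running the script.
$subkeys = @(
    'HKCU:\Software\MySidesearch\affiliate'
    'HKLM:\Software\Classes\AppID\{8D71EEB8-A1A7-4733-8FA2-1CAC015C967D}'
    'HKLM:\Software\Classes\AppID\Sidebar.DLL'
    'HKLM:\Software\Classes\CLSID\{C0B0250E-ED5D-4234-802D-AC0DA30CEC25}'
    'HKLM:\Software\Classes\CLSID\{DDFA1356-E6ED-42a5-9D62-93211D424A90}'
    'HKLM:\Software\Classes\Sidepanel.Panel.1'
    'HKLM:\Software\Classes\TypeLib\{C6416898-DF97-4013-B22E-0A5D2A98DDF4}\1.0'
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DDFA1356-E6ED-42a5-9D62-93211D424A90}'
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\MySidesearchSearchAssistant'
)

# Build the full list of locations to test.
$candidates = @()
foreach ($dir in $systemDirs) {
    foreach ($name in $fileNames) {
        $candidates += [pscustomobject]@{ Type = 'File'; Path = (Join-Path $dir $name) }
    }
}
foreach ($key in $subkeys) {
    $candidates += [pscustomobject]@{ Type = 'Registry'; Path = $key }
    if ($key -like 'HKLM:\Software\*') {
        # Same subkey as seen through the 32-bit registry view.
        $wow = $key -replace '^HKLM:\\Software\\', 'HKLM:\Software\WOW6432Node\'
        $candidates += [pscustomobject]@{ Type = 'Registry (32-bit view)'; Path = $wow }
    }
}

# -LiteralPath keeps the braces and dots in the key names from being interpreted.
$found = @($candidates | Where-Object { Test-Path -LiteralPath $_.Path })

if ($found.Count -gt 0) {
    $found | Format-Table -AutoSize -Wrap
} else {
    Write-Output 'None of the listed SideSearch files or registry subkeys were found.'
}
```

The script only reads the file system and registry; removal is still done with the uninstaller or a scanning and removal tool as described under "What to do now".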

Prevention


Alert level: Medium
This entry was first published on: May 07, 2008
This entry was updated on: Aug 11, 2008

This threat is also detected as:
  • AdWare.Win32.SideSearch (other)
  • Adware.SideSearch (AVG)
  • Backdoor.Ruledor.E (BitDefender)
  • Win32/Adware.SideSearch (ESET)
  • not-a-virus:AdWare.Win32.ClearSearch.f (Kaspersky)
  • Adware-SideSearch (McAfee)
  • Backdoor:Win32/Ruledor.E (Microsoft)
  • SideSearch.AY (Norman)
  • Adware.SideSearch (Symantec)
  • BKDR_RULEDOR.E (Trend Micro)