BrowserModifier:Win32/Zwangi


Microsoft security software detects and removes this unwanted software.

This browser modifier makes changes to your Internet browser.

It can change your search engine results and show you pop-up ads.

Find out more about how and why we identify unwanted software.



What to do now

This program poses a high threat to your PC.

This program may create an uninstaller that can be accessed from the Control Panel. Running this uninstaller might remove some or all of the files related to the program:

  • For Windows 8, open the Start screen, type Uninstall and then go to Settings. In the search results, go to Uninstall a program.
  • For Windows 7 and Vista, open the Start menu and navigate to Control Panel then Programs and then Uninstall a Program.
  • For XP, open the Start menu and navigate to Control Panel then Add or Remove Programs.
  • Choose the program you want to remove, and then click or tap Uninstall or Uninstall/Change and follow the prompts.

The entry for this program may be called Zwangi 1.0 build 127.

If an uninstaller is not available, does not work properly, or you do not want to use it, you can use the following free tools to detect and remove this program and other unwanted software from your PC:

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation

Win32/Zwangi creates the following folder and files, named according to the format below:

  • Folder:
  • File names:
    • <Screen name>.dll
    • <Screen name>.exe
    • Uninstall.exe

where <Screen name> can be any of the names listed below:

  • BarDiscover
  • BarQuery
  • BasicScan
  • BrowserDiscover
  • BrowserQuery
  • BrowserQuest
  • BrowserSeek
  • BrowserZinc
  • Findbasic
  • FindXplorer
  • Kwanzy
  • KwinzySrch
  • QueryBar
  • QueryBrowse
  • QueryBrowser
  • QueryBrwSearch
  • QueryExplorer
  • QueryScan
  • QueryService
  • QuestBasic
  • QuestBrowse
  • QuestBrowser
  • QuestBrwSearch
  • QuestDns
  • QuestResult
  • QuestScan
  • QuestService
  • QuestUrl
  • ResulCmd
  • ResultBar
  • ResultBrowse
  • ResultBrowser
  • ResultDns
  • ResultScan
  • ResultTool
  • ResultUrl
  • ScanBasic
  • ScanQuery
  • Seekapp
  • SeekappSrch
  • SeekDns
  • SeekeenSrch
  • SeekService
  • SpaceQuery
  • TabDiscover
  • TabQuery
  • Weemi
  • WinkZink
  • Wyeke
  • Wyyo
  • ZinkSeek
  • Zinkzo
  • Zwangie
  • ZwangiSearch
  • ZwangiSrch
  • ZwankySearch
  • Zwunzi

[Screenshots in the original entry show examples of the different names used by Win32/Zwangi in the Uninstall Wizard.]

It also drops the following file under the %APPDATA%\<Screen name> folder:

  • zwangi127.exe

The name of the initially dropped file also depends on the screen name and the software version, and uses the following format:

  • <Screen name><version>.exe

For example:

  • zwangi127.exe
  • questbrowse126.exe

Win32/Zwangi then creates the following registry entries as part of its installation routine:

In subkey: HKLM\Software\<Screen name>
Sets value: "Cid"
With data: " 15bf554626ae4a81a3a9a064ccdac23c"
Sets value: "DllPath"
With data: "%ProgramFiles%\<Screen name>\<Screen name>.dll"
Sets value: "Partner"
With data: "<Screen name><version>"
Sets value: "Primary"
With data: "23, 35, 00, 00"
Sets value: "ShowBarSign"
With data: "00, 00, 00, 00"
Sets value: "ShowToolbarButton"
With data: "00, 00, 00, 00"
Sets value: "Src"
With data: "<Screen name>"
Sets value: "Version"
With data: "1B, 00, 01, 00"

In subkey: HKLM\Software\Microsoft\Windows\Currentversion\Uninstall\<Screen name>
Sets value: "Display name"
With data: "<screen name> <version> <build number>"

Win32/Zwangi installs itself as a service by creating the following registry keys and their associated entries:

Adds subkey: HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_<Screen name>_SERVICE

In subkey: HKLM\SYSTEM\ControlSet001\Services\ZwangiSearch Service
Sets value: "Description"
With data: "Update and control for<Screen name>"
Sets value: "Display name"
With data: " <Screen name>Search Service"
Sets value: "ErrorControl"
With data: "00, 00, 00, 00"
Sets value: "ImagePath"
With data: "%APPDATA%\<Screen name>Search\<Screen name><version>.exe" "%ProgramFiles%\<Screen name>Search\<Screen name>.dll"
Sets value: "ObjectName"
With data: "LocalSystem"
Sets value: "Start"
With data: "02, 00, 00, 00"
Sets value: "Type"
With data: "10, 00, 00, 00"

In the wild, we have observed Win32/Zwangi running on the following browsers:

  • Firefox 3.6
  • Google Chrome Beta
  • Internet Explorer 6
  • Internet Explorer 7
  • Internet Explorer 8

Program behavior

Changes browsing behavior

When you enter keywords in the browser address bar, Win32/Zwangi treats the address bar as an Internet search box and opens a search results page on one of its own websites, such as the following:

  • questbrowse.com
  • weemi.com
  • zwangi.com

The address bar is the usual location in which the URL is typed.

Win32/Zwangi may also replace or override the error page that is normally displayed when the browser accesses a web address that cannot be resolved (HTTP error 404).

Displays pop-up messages

Win32/Zwangi might display pop-up messages related to the following keywords:

  • agent
  • agente
  • amo
  • amore
  • amour
  • arte
  • artes
  • arts
  • asta
  • auction
  • auktion
  • book
  • boutique
  • call
  • chat
  • chiesa
  • church
  • cia
  • ciao
  • ciaq
  • club
  • clube
  • compare
  • dds
  • deporte
  • ditta
  • dvd
  • eglise
  • enchere
  • escola
  • escuela
  • esporte
  • famiglia
  • familia
  • familie
  • famille
  • family
  • find
  • free
  • game
  • ges
  • gmbh
  • golf
  • gratis
  • gratuit
  • hola
  • iglesia
  • igreja
  • inc
  • jeu
  • jogo
  • juego
  • kids
  • kirche
  • kunst
  • laden
  • law
  • legge
  • lei
  • leilao
  • ley
  • liebe
  • llc
  • llp
  • loi
  • loja
  • love
  • ltd
  • makler
  • map
  • med
  • movie
  • mp3
  • phone
  • recht
  • reise
  • resto
  • school
  • schule
  • scifi
  • scuola
  • search
  • shop
  • soc
  • spiel
  • sport
  • stock
  • subasta
  • tec
  • tech
  • tel
  • test
  • tienda
  • travel
  • turismo
  • verein
  • viagem
  • viaje
  • video
  • voyage
  • weather

Analysis by Michael Johnson, Zarestel Ferrer & Wei Li


Symptoms

The following could indicate that you have this program on your PC:

  • You have these files:
    <Screen name>.dll
    <Screen name>.exe
    Uninstall.exe

    Where <Screen name> may be:

    • BarDiscover
    • BarQuery
    • BasicScan
    • BrowserDiscover
    • BrowserQuery
    • BrowserQuest
    • BrowserSeek
    • BrowserZinc
    • Findbasic
    • FindXplorer
    • Kwanzy
    • KwinzySrch
    • QueryBar
    • QueryBrowse
    • QueryBrowser
    • QueryBrwSearch
    • QueryExplorer
    • QueryScan
    • QueryService
    • QuestBasic
    • QuestBrowse
    • QuestBrowser
    • QuestBrwSearch
    • QuestDns
    • QuestResult
    • QuestScan
    • QuestService
    • QuestUrl
    • ResulCmd
    • ResultBar
    • ResultBrowse
    • ResultBrowser
    • ResultDns
    • ResultScan
    • ResultTool
    • ResultUrl
    • ScanBasic
    • ScanQuery
    • Seekapp
    • SeekappSrch
    • SeekDns
    • SeekeenSrch
    • SeekService
    • SpaceQuery
    • TabDiscover
    • TabQuery
    • Weemi
    • WinkZink
    • Wyeke
    • Wyyo
    • ZinkSeek
    • Zinkzo
    • Zwangie
    • ZwangiSearch
    • ZwangiSrch
    • ZwankySearch
    • Zwunzi

  • You see this key in your registry:
    HKLM\SYSTEM\ControlSet001\Services\ZwangiSearch Service
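As an added example (not Microsoft's tooling and not code from this entry), the following Python matcher applies the file, registry and service naming formats given under Installation and repeated under Symptoms to triage data already exported as text, so it can be run on an analysis workstation without a live Windows registry. The screen-name subset, the handling of an optional trailing "Search" (the entry pairs "ZwangiSearch Service" with zwangi127.exe) and the sample artifact list are assumptions and constructed data.

```python
"""Offline matcher for the Win32/Zwangi file, registry and service artifacts described in
the Installation and Symptoms sections. Added example, not Microsoft's tooling; SAMPLE is constructed."""
import re
from typing import Dict, List, Optional

# Subset of the screen names listed in the entry; extend with the full list.
SCREEN_NAMES = [
    "BarDiscover", "BrowserQuest", "Findbasic", "QuestBrowse", "QuestBrowser",
    "ResultUrl", "Seekapp", "Weemi", "Wyyo", "ZwangiSearch", "Zwunzi",
]
# File-name formats from the entry: <Screen name>.dll/.exe and <Screen name><version>.exe
_FILE_RE = re.compile(r"^([A-Za-z]+?)(\d+)?\.(?:exe|dll)$")

def screen_name_for(token: str) -> Optional[str]:
    """Map a file stem or key name to a listed screen name, case-insensitively. The entry
    pairs 'ZwangiSearch Service' with zwangi127.exe, so a trailing 'Search' is optional."""
    t = token.lower()
    for name in SCREEN_NAMES:
        n = name.lower()
        if t in (n, n + "search", n.removesuffix("search")):
            return name
    return None

def match_artifact(artifact: str) -> Optional[Dict[str, str]]:
    """Classify one file path or registry key path; None if it is not a Zwangi indicator."""
    leaf = artifact.rstrip("\\").rsplit("\\", 1)[-1]
    up, version = leaf.upper(), ""
    if up.startswith("LEGACY_") and up.endswith("_SERVICE"):  # Enum\Root\LEGACY_<NAME>_SERVICE
        leaf = leaf[len("LEGACY_"):-len("_SERVICE")]
    elif up.endswith(" SERVICE"):                               # Services\<Screen name> Service
        leaf = leaf[:-len(" SERVICE")]
    elif (m := _FILE_RE.match(leaf)):                           # dropped .exe / .dll
        leaf, version = m.group(1), m.group(2) or ""
    name = screen_name_for(leaf)  # plain leaves cover HKLM\Software\<Screen name> and Uninstall\<Screen name>
    return {"artifact": artifact, "screen_name": name, "version": version} if name else None

def scan(artifacts: List[str]) -> List[Dict[str, str]]:
    return [hit for hit in map(match_artifact, artifacts) if hit]

SAMPLE = [  # constructed triage export, not a real capture
    r"C:\Program Files\QuestBrowse\QuestBrowse.dll",
    r"C:\Program Files\QuestBrowse\Uninstall.exe",
    r"C:\Users\alice\AppData\Roaming\ZwangiSearch\zwangi127.exe",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\QuestBrowse",
    r"HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_ZWANGI_SERVICE",
    r"HKLM\SYSTEM\ControlSet001\Services\ZwangiSearch Service",
    r"HKLM\SYSTEM\ControlSet001\Services\Dnscache",
]
if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(f"{hit['screen_name']:<13} v{hit['version'] or '-':<4} {hit['artifact']}")
```

Uninstall.exe and the Dnscache service key are deliberately left unflagged, since neither carries a screen name; a hit on a version-bearing dropped file also yields the version (127 here) for correlation with the Uninstall entry's display name.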

Prevention


Alert level: High
First detected by definition: 1.65.411.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Sep 05, 2009
This entry was first published on: Sep 16, 2009
This entry was updated on: Aug 24, 2014

This threat is also detected as:
  • Mal/BHO-S (Sophos)
  • Spyware.Screenspy (Symantec)