Threat behavior
Adware:Win32/BonziBUDDY is a program that may deliver unwanted advertisements and ask users for personal information. Some variants may also modify the browser start page without informing the user.
Installation
Adware:Win32/BonziBUDDY may drop the following folder and files:
- %ProgramFiles%\bonzibuddy\
- %ProgramFiles%\bonzibuddy\bonzibdy.exe
- %ProgramFiles%\bonzibuddy\bbsmartsetup.exe
- <system folder>\webcompassbar.dll
- <system folder>\bonzitapfilters.dll
- %windows%\msagent\chars\bonzi.acs
It also installs the following shortcuts:
- %USERPROFILE%\Desktop\BonziBUDDY.lnk
- %USERPROFILE%\Start Menu\Programs\Startup\BonziBUDDY.lnk
- %ALLUSERSPROFILE%\Start Menu\Programs\BonziBUDDY\BonziBUDDY.lnk
Some variants of Adware:Win32/BonziBUDDY may modify the browser home page to "bonzi.com" upon installation. To do this, these variants modify the following registry entry:
Modifies value: "Start Page"
With data: "http:// www. bonzi. com/bonzibuddy/startpage.asp"
To subkey: HKCU\Software\Microsoft\Internet Explorer\Main
As part of its installation process, it may also create the following registry subkeys:
- HKLM\Software\bonzi software
- HKCU\Software\vb and vba program settings\bonzibuddy
- HKCU\Software\Microsoft\Windows\Currentversion\uninstall\bonzibuddy
It may also register itself as an application by adding the following subkeys:
- HKLM\Software\Classes\clsid\{f4900f5d-055f-11d4-8f9b-00104ba312d6}
- HKLM\Software\Classes\typelib\{f4900f5d-055f-11d4-8f9b-00104ba312d6}
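As an added example (not part of the original analysis or of any vendor tooling), the read-only PowerShell function below checks a host for the files, shortcuts, registry subkeys and "Start Page" value listed above. The function name `Get-BonziBuddyArtifact` is hypothetical. It assumes `<system folder>` means `%SystemRoot%\System32` and `%windows%` means `%SystemRoot%`, and it goes beyond the list on this page by also checking the 32-bit redirected locations on 64-bit Windows (`Program Files (x86)`, `SysWOW64`, `WOW6432Node`).

```powershell
# Added example: read-only check for the artifacts listed on this page.
# Assumptions: <system folder> = %SystemRoot%\System32 and %windows% = %SystemRoot%;
# the (x86), SysWOW64 and WOW6432Node locations cover 32-bit redirection on 64-bit Windows.
function Get-BonziBuddyArtifact {
    $pf  = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ } | Select-Object -Unique
    $sys = 'System32', 'SysWOW64' | ForEach-Object { Join-Path $env:SystemRoot $_ }

    # Folder, files and shortcuts from the Installation section.
    $paths  = @($pf  | ForEach-Object { "$_\bonzibuddy"; "$_\bonzibuddy\bonzibdy.exe"; "$_\bonzibuddy\bbsmartsetup.exe" })
    $paths += @($sys | ForEach-Object { "$_\webcompassbar.dll"; "$_\bonzitapfilters.dll" })
    $paths += "$env:SystemRoot\msagent\chars\bonzi.acs",
              "$env:USERPROFILE\Desktop\BonziBUDDY.lnk",
              "$env:USERPROFILE\Start Menu\Programs\Startup\BonziBUDDY.lnk",
              "$env:ALLUSERSPROFILE\Start Menu\Programs\BonziBUDDY\BonziBUDDY.lnk"

    # Registry subkeys: HKLM entries are checked in the native and the 32-bit view.
    $hklm = 'bonzi software',
            'Classes\clsid\{f4900f5d-055f-11d4-8f9b-00104ba312d6}',
            'Classes\typelib\{f4900f5d-055f-11d4-8f9b-00104ba312d6}'
    $paths += $hklm | ForEach-Object { "HKLM:\Software\$_"; "HKLM:\Software\WOW6432Node\$_" }
    $paths += 'HKCU:\Software\vb and vba program settings\bonzibuddy',
              'HKCU:\Software\Microsoft\Windows\Currentversion\uninstall\bonzibuddy'

    foreach ($p in $paths) {
        # -LiteralPath avoids wildcard interpretation of the path string.
        if (Test-Path -LiteralPath $p) {
            [pscustomobject]@{ Indicator = $p; Detail = 'present' }
        }
    }

    # Start page change: flag a current-user IE start page that points at bonzi.com.
    $main  = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
    $start = (Get-ItemProperty -LiteralPath $main -Name 'Start Page' -ErrorAction SilentlyContinue).'Start Page'
    if ($start -match '(^|[/.])bonzi\.com(/|$)') {
        [pscustomobject]@{ Indicator = "$main\Start Page"; Detail = $start }
    }
}

Get-BonziBuddyArtifact | Format-Table -AutoSize -Wrap
```

The `%USERPROFILE%` and `HKCU` checks cover only the account running the function, so run it once per user profile of interest.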
Additional Information
Adware:Win32/BonziBUDDY may appear on the computer as a talking purple monkey or green parrot that gives Internet surfing suggestions and asks for user information. It may appear similar to the following examples:
It may generate unwanted pop-up advertisements and promote the "bonzi.com" website.
Analysis by Elda Dimakiling
Prevention