Threat behavior
Adware:Win32/ISearch is a Browser Helper Object (BHO) that redirects web browser searches to the site 'isearch.com'.
Installation
Win32/ISearch is installed either directly from the ISearch web site or via social engineering from third-party web sites.
During installation, the following files and folders are created:
%windir%\idlemg.exe
<system folder>\isearch\
<system folder>\toolbar_.dll
<system folder>\Cache\Mte0mza6odoxmg.exe
<system folder>\povdnrai.exe
%ProgramFiles%\lbeczfrb\lbeczfrb.exe
%USERPROFILE%\Desktop\isearch.com.url
toolbar.dll
cmdinst.exe
Numerous registry values are created.
Adds value: {1C78AB3F-A857-482E-80C0-3A1E5238A565}
To subkeys:
HKEY_CLASSES_ROOT\CLSID\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\toolbar\
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\browser helper objects\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\iSearch Toolbar_is1
HKEY_CURRENT_USER\Software\iSearch
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\iSearch.Object.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\iSearch.Object
HKEY_CURRENT_USER\Software\iSearch\iSearch Toolbar
HKEY_CURRENT_USER\Software\iSearch\iSearch Toolbar\tb_items
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\&iSearch The Web
Analysis by Subratam Biswas
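A read-only check for the artifacts listed above, added here as an example (it is not part of the original analysis and is not a Microsoft tool). It assumes `<system folder>` maps to the directory returned by `[Environment]::SystemDirectory`, and it looks for the CLSID both as a subkey and as a value name, because the write-up does not say which form each location uses.

```powershell
# Added example: read-only check for the CLSID locations and file paths listed on this page.
$clsid = '{1C78AB3F-A857-482E-80C0-3A1E5238A565}'

# Parent keys from the write-up (duplicates that differ only in letter case are merged).
$parents = @(
    'HKEY_CLASSES_ROOT\CLSID',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units',
    'HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser',
    'HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser',
    'HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks'
)
$sys = [Environment]::SystemDirectory   # assumption: stands in for "<system folder>"
$files = @(
    (Join-Path $env:windir 'idlemg.exe'),
    (Join-Path $sys 'isearch'),
    (Join-Path $sys 'toolbar_.dll'),
    (Join-Path $sys 'Cache\Mte0mza6odoxmg.exe'),
    (Join-Path $sys 'povdnrai.exe'),
    (Join-Path $env:ProgramFiles 'lbeczfrb\lbeczfrb.exe'),
    (Join-Path $env:USERPROFILE 'Desktop\isearch.com.url')
)

$findings = @(
    foreach ($parent in $parents) {
        $path = "Registry::$parent"
        if (-not (Test-Path -LiteralPath $path)) { continue }
        # Case 1: the CLSID exists as a subkey of the parent key.
        if (Test-Path -LiteralPath "$path\$clsid") {
            [pscustomobject]@{ Type = 'RegistrySubkey'; Location = "$parent\$clsid" }
        }
        # Case 2: the CLSID exists as a value name inside the parent key.
        if ((Get-Item -LiteralPath $path).GetValueNames() -contains $clsid) {
            [pscustomobject]@{ Type = 'RegistryValue'; Location = "$parent -> $clsid" }
        }
    }
    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f) {
            [pscustomobject]@{ Type = 'FileSystem'; Location = $f }
        }
    }
)

if ($findings.Count -gt 0) { $findings | Format-Table -AutoSize -Wrap } else { 'No listed ISearch artifacts found.' }
```

The HKEY_CURRENT_USER and `%USERPROFILE%` checks apply only to the account running the script. On 64-bit Windows, a 64-bit PowerShell session sees the native registry and file system views, so 32-bit components redirected to `WOW6432Node`, `SysWOW64` or `Program Files (x86)` need a second run from 32-bit PowerShell.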
Prevention