Adware:Win32/SideSearch is a Web Browser Helper Object (BHO) that inserts "sponsored links" to the left of retrieved search engine results in a search results page.
Installation
Adware:Win32/SideSearch may be installed via a Nullsoft Installation (NSIS) application. Once run, it may install several components and register itself as a BHO. The installer may also create an add-on Internet Explorer toolbar named “Ad Panel”.
The following files may be created:
<system folder>\mysidesearch_sidebar.dll
<system folder>\mysidesearch_sidebar_uninstall.exe
The following registry subkeys may be created:
HKEY_CURRENT_USER\Software\MySidesearch\affiliate
HKEY_LOCAL_MACHINE\Software\Classes\AppID\{8D71EEB8-A1A7-4733-8FA2-1CAC015C967D}
HKEY_LOCAL_MACHINE\Software\Classes\AppID\Sidebar.DLL
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{C0B0250E-ED5D-4234-802D-AC0DA30CEC25}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{DDFA1356-E6ED-42a5-9D62-93211D424A90}
HKEY_LOCAL_MACHINE\Software\Classes\Sidepanel.Panel.1
HKEY_LOCAL_MACHINE\Software\Classes\TypeLib\{C6416898-DF97-4013-B22E-0A5D2A98DDF4}\1.0\
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DDFA1356-E6ED-42a5-9D62-93211D424A90}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\MySidesearchSearchAssistant
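A check for the files and registry subkeys listed above, as an added example that is not part of the original description. It assumes that `<system folder>` means System32 (or SysWOW64 on 64-bit Windows), that a 32-bit install on 64-bit Windows lands under `Software\Wow6432Node`, and that the per-user key can sit in any loaded user hive; the function name `Get-SideSearchIndicator` is hypothetical.

```powershell
# Added example: look for the SideSearch artifacts named in this description.
# Run from an elevated 64-bit PowerShell so System32 is not redirected.
$bhoClsid = '{DDFA1356-E6ED-42a5-9D62-93211D424A90}'

# HKLM subkeys from the description, relative to HKLM\Software
$hklmSubkeys = @(
    'Classes\AppID\{8D71EEB8-A1A7-4733-8FA2-1CAC015C967D}',
    'Classes\AppID\Sidebar.DLL',
    'Classes\CLSID\{C0B0250E-ED5D-4234-802D-AC0DA30CEC25}',
    "Classes\CLSID\$bhoClsid",
    'Classes\Sidepanel.Panel.1',
    'Classes\TypeLib\{C6416898-DF97-4013-B22E-0A5D2A98DDF4}\1.0',
    "Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$bhoClsid",
    'Microsoft\Windows\CurrentVersion\Uninstall\MySidesearchSearchAssistant'
)

function Get-SideSearchIndicator {
    $candidates = @()

    # Assumption: check the native view and the 32-bit (Wow6432Node) view.
    foreach ($root in 'HKLM:\Software', 'HKLM:\Software\Wow6432Node') {
        $candidates += $hklmSubkeys | ForEach-Object { "$root\$_" }
    }

    # The HKCU key is per user, so check every user hive that is currently loaded.
    $candidates += Get-ChildItem -LiteralPath 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        ForEach-Object { "Registry::$($_.Name)\Software\MySidesearch\affiliate" }

    # Assumption: "<system folder>" is System32, or SysWOW64 for a 32-bit install.
    foreach ($dir in 'System32', 'SysWOW64') {
        foreach ($name in 'mysidesearch_sidebar.dll', 'mysidesearch_sidebar_uninstall.exe') {
            $candidates += Join-Path $env:SystemRoot "$dir\$name"
        }
    }

    # Return only the paths that exist on this machine.
    $candidates | Where-Object { Test-Path -LiteralPath $_ -ErrorAction SilentlyContinue }
}

$found = @(Get-SideSearchIndicator)
if ($found.Count -gt 0) {
    $found | ForEach-Object { "FOUND  $_" }
} else {
    'None of the SideSearch files or registry subkeys were found.'
}
```

Hives of users who are not logged on are not loaded under HKEY_USERS, so the per-user key for those accounts is not covered by this check.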
When using a search engine, Win32/SideSearch displays a list of links on the left side of search results in Internet Explorer as "sponsored links". In some cases, the first link in the list displayed is the one that is actually sponsored by the search engine itself, with the following links being inserted by Win32/SideSearch. In other cases, all of the sponsored links are inserted into the results page by Win32/SideSearch.
When the user clicks on any of the sponsored links shown by SideSearch, it sends the information that the user is searching for to a remote location. In the wild, SideSearch has been observed contacting the following domains:
- searchtons.com
- search.epicentersearch.com
- sassysearch.com
The following images display the links inserted by this program into search results.
[Image: example search for the phrase "krispy crème", without Win32/SideSearch]
[Image: example search for the phrase "krispy crème", with Win32/SideSearch installed]
Analysis by Durga Kumar Varanasi