Threat behavior
BrowserModifier:Win32/CommonName may be installed as an Internet Explorer Browser Helper Object (BHO) and may change the Internet Explorer search page. It is usually bundled with other programs.
Installation
BrowserModifier:Win32/CommonName usually installs the following files under the Program Files folder:
- %Program Files%\CommonName\AddressBar\babe.dat
- %Program Files%\CommonName\AddressBar\cnbabe.dll
- %Program Files%\CommonName\AddressBar\comwiz.exe
- %Program Files%\CommonName\AddressBar\createbookmark.htm
- %Program Files%\CommonName\AddressBar\createnote.htm
- %Program Files%\CommonName\AddressBar\dfs.dat
- %Program Files%\CommonName\AddressBar\emaillink.htm
- %Program Files%\CommonName\AddressBar\navigate.htm
- %Program Files%\CommonName\AddressBar\unins.exe
- %Program Files%\CommonName\AddressBar\winnet.exe
It creates the following registry entry so that winnet.exe runs automatically every time Windows starts:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "winnet"
With data: "%Program Files%\CommonName\AddressBar\winnet.exe"
It may also create an uninstall registry entry:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CommonName
Sets value: "UninstallString"
With data: "%Program Files%\CommonName\AddressBar\unins.exe"
It registers "cnbabe.dll" as a BHO by creating the following registry entries (a ProgID, the BHO enrollment under the Internet Explorer BHO list, and the CLSID's in-process server pointing at the DLL):
Creates subkey: HKCR\BabeIE.AgentIE
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-000000000000}
Sets value: "@"
With data: "BabeIE"
In subkey: HKCR\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32
Sets value: "@"
With data: "%Program Files%\CommonName\AddressBar\cnbabe.dll"
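The file, Run-key, Uninstall-key and BHO registrations listed above can be checked on a live host with the following script. This is an added example for this page, not code from the Microsoft encyclopedia entry or from the adware itself. Because the entry shows the BHO CLSID as all zeros (a placeholder), the script does not look for a specific CLSID; instead it walks every registered BHO, resolves its CLSID to the InprocServer32 DLL, and flags any BHO whose DLL lives under CommonName\AddressBar or whose display name is "BabeIE". The 32-bit views (Wow6432Node, Program Files (x86)) are checked as well, since 32-bit Internet Explorer on 64-bit Windows loads BHOs from there; that handling is an assumption of this example, not something the entry states.

```powershell
# Added example (not from the encyclopedia entry): detect the CommonName
# artifacts described above on a live Windows host.
# Assumption: run from an elevated Windows PowerShell 5.1 (or later) prompt.

$findings = New-Object System.Collections.Generic.List[string]

# Program Files directories to check (64-bit and, if present, 32-bit).
$roots = @($env:ProgramFiles)
if (${env:ProgramFiles(x86)}) { $roots += ${env:ProgramFiles(x86)} }

# 1. Dropped files listed in the entry.
$files = 'babe.dat','cnbabe.dll','comwiz.exe','createbookmark.htm','createnote.htm',
         'dfs.dat','emaillink.htm','navigate.htm','unins.exe','winnet.exe'
foreach ($root in $roots) {
    $dir = Join-Path $root 'CommonName\AddressBar'
    foreach ($f in $files) {
        $p = Join-Path $dir $f
        if (Test-Path -LiteralPath $p) { $findings.Add("File present: $p") }
    }
}

# Registry views: native and the 32-bit redirected view on 64-bit Windows.
$hklmViews = @('HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node')
$hkcrViews = @('Registry::HKEY_CLASSES_ROOT', 'Registry::HKEY_CLASSES_ROOT\Wow6432Node')

foreach ($sw in $hklmViews) {
    # 2. Run key: value "winnet" pointing at winnet.exe.
    $run = Get-ItemProperty -Path "$sw\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['winnet']) {
        $findings.Add("Run value 'winnet' in $sw = $($run.winnet)")
    }

    # 3. Uninstall entry created by the installer.
    $uninst = "$sw\Microsoft\Windows\CurrentVersion\Uninstall\CommonName"
    if (Test-Path -LiteralPath $uninst) {
        $u = Get-ItemProperty -Path $uninst -ErrorAction SilentlyContinue
        $findings.Add("Uninstall entry $uninst, UninstallString = $($u.UninstallString)")
    }

    # 4. Every enrolled BHO, resolved CLSID -> InprocServer32 DLL path.
    $bhoKey = "$sw\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
    Get-ChildItem -Path $bhoKey -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid = $_.PSChildName
        $name  = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).'(default)'
        foreach ($cr in $hkcrViews) {
            $server = "$cr\CLSID\$clsid\InprocServer32"
            $dll = (Get-ItemProperty -Path $server -ErrorAction SilentlyContinue).'(default)'
            if ($dll -and ($dll -like '*\CommonName\AddressBar\*' -or $name -eq 'BabeIE')) {
                $findings.Add("BHO $clsid ('$name') loads $dll (enrolled under $bhoKey)")
            }
        }
    }
}

# 5. ProgID registered for the BHO.
foreach ($cr in $hkcrViews) {
    if (Test-Path -LiteralPath "$cr\BabeIE.AgentIE") { $findings.Add("ProgID $cr\BabeIE.AgentIE present") }
}

if ($findings.Count -eq 0) { 'No CommonName artifacts found.' } else { $findings }
```

BHOs are a legitimate Internet Explorer extension mechanism, so the script reports only BHOs that resolve to the CommonName directory or carry the "BabeIE" name rather than every entry under the Browser Helper Objects key; review anything else it lists before treating it as malicious. The script is read-only and makes no changes to the registry or file system.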
Execution
Displays advertisements
BrowserModifier:Win32/CommonName displays advertisements when the user searches for certain keywords with an online search engine.
Analysis by Francis Allan Tan Seng
Prevention