BrowserModifier:Win32/E404 is a Browser Helper Object (BHO) that takes advantage of invalid or mistyped web site addresses entered in the browser by redirecting those requests to Web sites containing adware.
Installation
BrowserModifier:Win32/E404 is installed by a dropper (installer). When the Win32/E404 installer is run, it drops a library file as '%ProgramFiles%\helper\helper<digit>.dll'. The dropped library is registered to run as a BHO by invoking regsvr32.exe from a command shell with the following instruction:
regsvr32.exe /s %ProgramFiles%\helper\helper<digit>.dll
The net result of registering the library as a BHO is the creation of numerous registry values, including the following:
Adds value: (default)
With data: e404mgr class
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\E404.e404mgr.1
Adds value: (default)
With data: {f10587e9-0e47-4cbe-84ae-7dd20b8684bb}
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\E404.e404mgr.1\CLSID
Adds value: (default)
With data: e404mgr class
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\E404.e404mgr
Adds value: (default)
With data: {f10587e9-0e47-4cbe-84ae-7dd20b8684bb}
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\E404.e404mgr\CLSID
Adds value: (default)
With data: e404.e404mgr.1
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\E404.e404mgr\CurVer
Adds value: (default)
With data: e404mgr class
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F10587E9-0E47-4CBE-84AE-7DD20B8684BB}
Adds value: (default)
With data: e404.e404mgr.1
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F10587E9-0E47-4CBE-84AE-7DD20B8684BB}\ProgID
Adds value: (default)
With data: e404.e404mgr
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F10587E9-0E47-4CBE-84AE-7DD20B8684BB}\VersionIndependentProgID
Adds value: (default)
With data: %ProgramFiles%\helper\helper<digit>.dll
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F10587E9-0E47-4CBE-84AE-7DD20B8684BB}\InprocServer32
Adds value: (default)
With data: {e63648f7-3933-440e-b4f6-a8584dd7b7eb}
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F10587E9-0E47-4CBE-84AE-7DD20B8684BB}\TypeLib
Adds value: (default)
With data: e404 helper
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F10587E9-0E47-4CBE-84AE-7DD20B8684BB}
Adds value: (default)
With data: e404 1.0 type library
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{E63648F7-3933-440E-B4F6-A8584DD7B7EB}\1.0
Adds value: (default)
With data: 0
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{E63648F7-3933-440E-B4F6-A8584DD7B7EB}\1.0\FLAGS
Adds value: (default)
With data: %ProgramFiles%\helper\helper<digit>.dll
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{E63648F7-3933-440E-B4F6-A8584DD7B7EB}\1.0\0\win32
Adds value: (default)
With data: %ProgramFiles%\helper\
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{E63648F7-3933-440E-B4F6-A8584DD7B7EB}\1.0\HELPDIR
Adds value: (default)
With data: ie404mgr
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F7D09218-46D7-4D3D-9B7F-315204CD0836}
Adds value: (default)
With data: {00020424-0000-0000-c000-000000000046}
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F7D09218-46D7-4D3D-9B7F-315204CD0836}\ProxyStubClsid
Adds value: (default)
With data: {00020424-0000-0000-c000-000000000046}
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F7D09218-46D7-4D3D-9B7F-315204CD0836}\ProxyStubClsid32
Adds value: (default)
With data: {e63648f7-3933-440e-b4f6-a8584dd7b7eb}
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F7D09218-46D7-4D3D-9B7F-315204CD0836}\TypeLib
Next, the installer drops a copy of itself as 'lsass.exe' into the Windows folder and registers the dropped copy to run at each Windows start. Note that a legitimate Windows operating system file also named 'lsass.exe' already exists in the Windows system folder, so the dropped copy can easily be mistaken for it.
Adds value: lsass
With data: %WinDir%\lsass.exe
To subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
The dropped file 'lsass.exe' masquerades as 'AVP - spyware removal module'.
Lastly, the BHO installer drops a batch script as 'c:\temp2.bat' and executes it. The batch script repeatedly attempts to delete the installer program, as a cleanup step.
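The registry values and file locations listed above can be turned into a host check. The following PowerShell script is an added example and is not code from the encyclopedia entry: it enumerates every registered BHO, resolves each CLSID to its InprocServer32 DLL, and flags the CLSID and the helper<digit>.dll path pattern this entry lists; it then inspects the Run key for an 'lsass' value that does not point into the system folder and looks for the 'c:\temp2.bat' residue. The function names, the $HelperPattern regular expression and the additional Wow6432Node lookup are my assumptions; the script assumes a Windows host with read access to HKLM.

```powershell
# Added example (not from the encyclopedia entry): check a host for the
# BHO, Run-key and batch-file indicators described for Win32/E404.
# Assumes Windows PowerShell 5.1 or later and read access to HKLM.

# Indicators taken from the description above.
$KnownClsid    = '{F10587E9-0E47-4CBE-84AE-7DD20B8684BB}'
$HelperPattern = '\\helper\\helper\d\.dll$'   # %ProgramFiles%\helper\helper<digit>.dll (assumed regex)
$BatchResidue  = 'C:\temp2.bat'
$RunKey        = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

# Both the native and the 32-bit (Wow6432Node) registration views are checked;
# the Wow6432Node paths are an assumption for 64-bit hosts, not from the page.
$BhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$ClsidRoots = @('HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Wow6432Node\Classes\CLSID')

function Get-RegisteredBho {
    # Walk every BHO subkey, resolve its CLSID to the InprocServer32 DLL and
    # report whether it matches the indicators for this entry.
    foreach ($bhoKey in $BhoKeys) {
        if (-not (Test-Path $bhoKey)) { continue }
        foreach ($sub in Get-ChildItem -Path $bhoKey) {
            $clsid   = $sub.PSChildName
            $display = (Get-ItemProperty -Path $sub.PSPath -ErrorAction SilentlyContinue).'(default)'
            $dll     = $null
            foreach ($root in $ClsidRoots) {
                $inproc = Join-Path $root "$clsid\InprocServer32"
                if (Test-Path $inproc) {
                    $dll = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
                    break
                }
            }
            # Expand %ProgramFiles% and friends before looking on disk.
            $onDisk = $false
            if ($dll) { $onDisk = Test-Path ([Environment]::ExpandEnvironmentVariables($dll)) }
            [pscustomobject]@{
                Clsid       = $clsid
                DisplayName = $display
                Dll         = $dll
                DllOnDisk   = $onDisk
                Suspicious  = ($clsid -ieq $KnownClsid) -or ($dll -and ($dll -imatch $HelperPattern))
            }
        }
    }
}

function Get-SuspiciousLsassRun {
    # The entry's persistence is a Run value named 'lsass' pointing at
    # %WinDir%\lsass.exe. The legitimate LSASS is never started from the Run
    # key, so any 'lsass' value here is reported, with a flag for paths that
    # do not resolve into the system folder.
    if (-not (Test-Path $RunKey)) { return }
    $props = Get-ItemProperty -Path $RunKey
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }            # provider metadata, not registry values
        $isLsass = ($p.Name -ilike 'lsass*') -or ("$($p.Value)" -imatch 'lsass\.exe')
        if (-not $isLsass) { continue }
        $expanded = [Environment]::ExpandEnvironmentVariables("$($p.Value)")
        [pscustomobject]@{
            ValueName       = $p.Name
            Command         = $p.Value
            OutsideSystem32 = -not ($expanded -imatch '\\System32\\lsass\.exe')
        }
    }
}

function Test-BatchResidue {
    # The installer's self-cleanup script; its presence is a weak but cheap indicator.
    Test-Path $BatchResidue
}

Get-RegisteredBho       | Format-Table -AutoSize
Get-SuspiciousLsassRun  | Format-Table -AutoSize
"temp2.bat present: $(Test-BatchResidue)"
```

Run the script from an elevated prompt so the HKLM views are fully readable. A BHO row with Suspicious set, or an lsass Run value with OutsideSystem32 set, corresponds directly to the registry and file changes listed in this entry; a Dll that is registered but absent on disk is a common leftover after partial removal and is also worth cleaning up.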
The installed BHO takes advantage of invalid or mistyped Internet Web addresses entered in the browser, redirecting those attempts to Web sites containing adware.