Threat behavior
BrowserModifier:Win32/Fotomoto.A may be present as a Web Browser Helper Object (BHO) and may download unwanted software.
Installation
BrowserModifier:Win32/Fotomoto.A is a variant of B2Search (also known as eZula). It uses a Ukrainian music band named "Fotomoto" to lure users into installing unwanted BHO components that download popup advertisements from various sources. BrowserModifier:Win32/Fotomoto.A is a component of BrowserModifier:Win32/Fotomoto and may be installed manually by a user who has been enticed to execute it as a useful or wanted program.
During installation, the installer may drop the following files:
- <system folder>\nsge.dll
- <system folder>\adzgalore-remove.exe
- %APPDATA%\Microsoft\crypto\rsa\s-1-5-21-1659004503-920026266-1343024091-500\18388e03ded8d4b58d6f72e3a67be7ca_b25ca6b5-6a2b-4341-a863-da8dd7afbc1d
The installer may modify the registry to execute the dropped DLL whenever Internet Explorer is launched.
Adds value: (default)
With data: "adzgalore"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{95dea78a-5f23-eebc-ba0d-f6edd5b83120}
Adds value: (default)
With data: "<system folder>\nsge.dll"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{95dea78a-5f23-eebc-ba0d-f6edd5b83120}\InProcServer32
The registry may also be modified to stop the BHO from loading inside the Windows shell (Explorer.exe) process, so that it runs only within Internet Explorer.
Adds value: "NoExplorer"
With data: """"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95dea78a-5f23-eebc-ba0d-f6edd5b83120}
The installer may add an entry to the "Add or remove programs" list in the Control Panel by making the following registry modification:
Adds value: "DisplayName"
With data: "browser optimizer adzgalore"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\adzgalore
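The registry keys listed above are the same ones a defender can audit. The following PowerShell script is an added example, not part of the original Microsoft description: it enumerates every registered Browser Helper Object, resolves each CLSID to its in-process server DLL, and flags entries matching the indicators on this page (the CLSID, the dropped file names, the "adzgalore" name and the uninstall entry). It assumes it is run with rights to read HKLM; the WOW6432Node paths are included as an assumption for 64-bit hosts.

```powershell
# Added example (not Microsoft's code): audit IE BHO registrations for
# the Win32/Fotomoto.A indicators described in this entry.
$FotomotoClsid = '{95dea78a-5f23-eebc-ba0d-f6edd5b83120}'     # CLSID from the entry
$SuspectFiles  = @('nsge.dll', 'adzgalore-remove.exe')         # dropped files from the entry
$BhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'  # assumed, 64-bit
)
$ClsidRoots = @('HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID')

function Get-BhoInventory {
    foreach ($bhoKey in $BhoKeys) {
        if (-not (Test-Path $bhoKey)) { continue }
        foreach ($entry in Get-ChildItem $bhoKey) {
            $clsid = $entry.PSChildName
            # NoExplorer keeps the BHO out of Explorer.exe; it still loads in iexplore.exe
            $noExplorer = (Get-ItemProperty $entry.PSPath -ErrorAction SilentlyContinue).NoExplorer
            $name = $null; $server = $null
            foreach ($root in $ClsidRoots) {                  # resolve CLSID -> COM server DLL
                $clsKey = Join-Path $root $clsid
                if (Test-Path $clsKey) {
                    $name   = (Get-ItemProperty $clsKey -ErrorAction SilentlyContinue).'(default)'
                    $server = (Get-ItemProperty (Join-Path $clsKey 'InProcServer32') -ErrorAction SilentlyContinue).'(default)'
                    break
                }
            }
            $reasons = @()
            if ($clsid -ieq $FotomotoClsid)                  { $reasons += 'CLSID matches Win32/Fotomoto.A' }
            if ($server -and ($SuspectFiles -contains (Split-Path $server -Leaf))) { $reasons += "server DLL $server is a known dropped file" }
            if ($name -match 'adzgalore')                    { $reasons += 'class name references adzgalore' }
            if ($server -and -not (Test-Path $server))       { $reasons += 'server DLL missing on disk (orphaned registration)' }
            [pscustomobject]@{
                CLSID = $clsid; Name = $name; Server = $server; NoExplorer = $noExplorer
                Suspicious = ($reasons.Count -gt 0); Reasons = ($reasons -join '; ')
            }
        }
    }
}

# The "Add or remove programs" entry from this description is a second, independent indicator.
function Test-FotomotoUninstallEntry {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\adzgalore'
    if (-not (Test-Path $key)) { return $false }
    $display = (Get-ItemProperty $key -ErrorAction SilentlyContinue).DisplayName
    return ($display -match 'adzgalore')
}

Get-BhoInventory | Format-Table -AutoSize
"Uninstall entry present: $(Test-FotomotoUninstallEntry)"
```

Any row with Suspicious set to True should be treated as a candidate for the removal guidance that applies to this threat; an orphaned registration (DLL missing on disk) usually indicates a partial cleanup rather than an active infection.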
Additional Information
BrowserModifier:Win32/Fotomoto.A may connect to the web site 'adgalore.biz' to report whether the Win32/Fotomoto installation succeeded or failed.
Analysis by Tim Liu
Prevention