Threat behavior
BrowserModifier:Win32/CNNIC enables Chinese keyword searching in Internet Explorer and adds support for other applications to use Chinese domain names that are registered with CNNIC (China Internet Network Information Center). This program is often installed as part of a shareware or freeware program, with or without user consent. BrowserModifier:Win32/CNNIC also contains a kernel driver that protects its files and registry settings from being modified or deleted. The program also includes automatic self-update functionality.
Installation
BrowserModifier:Win32/CNNIC may create the following files during installation:
%USERPROFILE%\local settings\temp\setup.exe
%USERPROFILE%\local settings\temp\setup\cdn.dll
%USERPROFILE%\local settings\temp\setup\cdndet.dll
%USERPROFILE%\local settings\temp\setup\cdnglo.dll
%USERPROFILE%\local settings\temp\setup\cdnins.dll
%USERPROFILE%\local settings\temp\setup\cdnprh.dll
%USERPROFILE%\local settings\temp\setup\cdnprot.sys
%USERPROFILE%\local settings\temp\setup\cdnspie.dll
%ProgramFiles%\cnnic\cdn\cdn.dll
%ProgramFiles%\cnnic\cdn\cdnaux.dll
%ProgramFiles%\cnnic\cdn\cdncmd.dll
%ProgramFiles%\cnnic\cdn\cdncol.dll
%ProgramFiles%\cnnic\cdn\cdnctr.exe
%ProgramFiles%\cnnic\cdn\cdndet.dll
%ProgramFiles%\cnnic\cdn\cdndrag.dll
%ProgramFiles%\cnnic\cdn\cdnforie.dll
%ProgramFiles%\cnnic\cdn\cdnglo.dll
%ProgramFiles%\cnnic\cdn\cdnins.dll
%ProgramFiles%\cnnic\cdn\cdnns.dll
%ProgramFiles%\cnnic\cdn\cdnprh.dll
%ProgramFiles%\cnnic\cdn\cdnprot.sys
%ProgramFiles%\cnnic\cdn\cdnrenew.exe
%ProgramFiles%\cnnic\cdn\cdnsign.dll
%ProgramFiles%\cnnic\cdn\cdnspie.dll
%ProgramFiles%\cnnic\cdn\cdnswp.exe
%ProgramFiles%\cnnic\cdn\cdntdns.dll
%ProgramFiles%\cnnic\cdn\cdnuc.exe
%ProgramFiles%\cnnic\cdn\cdnunins.exe
%ProgramFiles%\cnnic\cdn\cdnup.exe
%ProgramFiles%\cnnic\cdn\cdnuplib.dll
%ProgramFiles%\cnnic\cdn\client.dll
%ProgramFiles%\cnnic\cdn\idnconv.dll
%ProgramFiles%\cnnic\cdn\idnconvs.dll
%ProgramFiles%\cnnic\cdn\iesrch.dll
%ProgramFiles%\cnnic\cdn\imaconv.dll
%ProgramFiles%\cnnic\cdn\imaoe.dll
%ProgramFiles%\cnnic\cdn\imaol.dll
%ProgramFiles%\cnnic\cdn\rbtnhtm.cab
%ProgramFiles%\cnnic\cdn\update\cdndet.dll
%ProgramFiles%\cnnic\cdn\update\cdnforie.dll
%ProgramFiles%\cnnic\cdn\update\cdnglo.dll
%ProgramFiles%\cnnic\cdn\update\cdnprh.dll
%ProgramFiles%\cnnic\cdn\update\cdnprot.sys
%ProgramFiles%\cnnic\cdn\update\cdnrenew.exe
%ProgramFiles%\cnnic\cdn\update\cdnspie.dll
%ProgramFiles%\cnnic\cdn\update\cdntdns.dll
%ProgramFiles%\cnnic\cdn\update\cdntran.sys
%ProgramFiles%\cnnic\cdn\update\cdnup.exe
%ProgramFiles%\cnnic\cdn\update\cdnuplib.dll
%ProgramFiles%\cnnic\cdn\update\imaoe.dll
%ProgramFiles%\cnnic\cdn\update\wmhlpr.dll
%ProgramFiles%\cnnic\cdncdnctr.exe
The following files may also be dropped to the Windows system folder:
<system folder>\cdn.dll
<system folder>\cdnns.dll
<system folder>\drivers\cdnprot.sys
<system folder>\drivers\cdntran.sys
BrowserModifier:Win32/CNNIC may create the following registry entries:
HKEY_LOCAL_MACHINE\Software\Classes\Cdn.CdnObj
HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{9A578C98-3C2F-4630-890B-FC04196EF420}
HKEY_LOCAL_MACHINE\Software\Classes\MailParserSvr.MailParser.1
HKEY_LOCAL_MACHINE\Software\Classes\clsid\{461A86F7-A29D-460A-80D5-52979AA6C46D}
HKEY_LOCAL_MACHINE\Software\Classes\clsid\{8CDCBBA0-4BE1-4199-8389-1B19ED41D3E8}
HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F5824EFB-728A-4726-A5A5-85A68B20EDC3}
HKEY_CURRENT_USER\Software\CNNIC
HKEY_LOCAL_MACHINE\Software\Classes\WMHlpr.WMEvtSink.1
HKEY_LOCAL_MACHINE\Software\Classes\clsid\{35980F6E-A137-4E50-953D-813BB8556899}
HKEY_LOCAL_MACHINE\Software\Classes\CndnIEHelper.Alive
HKEY_LOCAL_MACHINE\Software\Classes\CndnIEHelper.CndnIEHlprObj.1
HKEY_LOCAL_MACHINE\Classes\clsid\{F411F2F2-8D8F-41B1-B9D3-4D849ADFE38A}
HKEY_LOCAL_MACHINE\Software\microsoft\windows\currentversion\uninstall\CdnClient
HKEY_LOCAL_MACHINE\Software\Classes\WMHlpr.WMHlprObj
HKEY_LOCAL_MACHINE\Software\Classes\clsid\{9A578C98-3C2F-4630-890B-FC04196EF420}
HKEY_LOCAL_MACHINE\Software\Classes\MailParserSvr.InspectorHandler.1
HKEY_LOCAL_MACHINE\Software\Classes\CndnIEHelper.CndnIEHlprObj
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping {35980F6E-A137-4E50-953D-813BB8556899}
HKEY_LOCAL_MACHINE\Software\Classes\WMHlpr.WMHlprObj.1
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{35980F6E-A137-4E50-953D-813BB8556899}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run CdnCtr
HKEY_LOCAL_MACHINE\Software\Classes\WMHlpr.WMEvtSink
HKEY_LOCAL_MACHINE\Software\Classes\CdnForIE.IEHlprObj.1
HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}
HKEY_LOCAL_MACHINE\Software\Classes\ieupbho.bho
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run SearchNet_Up
HKEY_LOCAL_MACHINE\Software\Classes\CndnIEHelper.Alive.1
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{35980F6E-A137-4E50-953D-813BB8556899}
HKEY_LOCAL_MACHINE\Software\Classes\MailParserSvr.MailParser
HKEY_LOCAL_MACHINE\Software\Classes\MailParserSvr.InspectorHandler
HKEY_LOCAL_MACHINE\Software\Classes\Cdn.CdnObj.1
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run renewup
HKEY_LOCAL_MACHINE\Software\CNNIC
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\cdnprot
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\cdntran
HKEY_LOCAL_MACHINE\System\controlset001\services\cdnprot
HKEY_LOCAL_MACHINE\Software\Classes\clsid\{352E3B3A-CAB5-4DBC-B940-C7F84D0447D8}
HKEY_LOCAL_MACHINE\Software\Classes\ieupbho.bho.1
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}
HKEY_LOCAL_MACHINE\Software\Classes\CdnForIE.IEHlprObj
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{352E3B3A-CAB5-4DBC-B940-C7F84D0447D8}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F5824EFB-728A-4726-A5A5-85A68B20EDC3}
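The persistence points listed above (Run values, the two driver services, the Browser Helper Object CLSIDs and the install directory) can be checked on a host with the read-only audit below. It is an added example, not part of the encyclopedia entry; the paths and key names are taken from the entry, and the system folder is assumed to be %SystemRoot%\System32.

```powershell
# Added example: audit a host for the BrowserModifier:Win32/CNNIC artifacts
# listed in the entry. Read-only: it reports findings and removes nothing.
# Assumption: the "<system folder>" in the entry is $env:SystemRoot\System32.

$runEntries  = @('CdnCtr', 'SearchNet_Up', 'renewup')           # Run values
$services    = @('cdnprot', 'cdntran')                          # driver services
$bhoClsids   = @(                                               # BHO registrations
    '{35980F6E-A137-4E50-953D-813BB8556899}',
    '{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}',
    '{352E3B3A-CAB5-4DBC-B940-C7F84D0447D8}',
    '{F5824EFB-728A-4726-A5A5-85A68B20EDC3}'
)
$driverFiles = @(
    "$env:SystemRoot\System32\drivers\cdnprot.sys",
    "$env:SystemRoot\System32\drivers\cdntran.sys"
)
$installDir  = Join-Path $env:ProgramFiles 'cnnic\cdn'

$findings = New-Object System.Collections.Generic.List[string]

# 1. Autostart entries under HKLM\...\CurrentVersion\Run
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($name in $runEntries) {
    $v = Get-ItemProperty -Path $runKey -Name $name -ErrorAction SilentlyContinue
    if ($v) { $findings.Add("Run value '$name' -> $($v.$name)") }
}

# 2. Kernel-driver services (the self-protection component) and driver files
foreach ($svc in $services) {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($s) { $findings.Add("Service '$svc' present, state: $($s.Status)") }
}
foreach ($f in $driverFiles) {
    if (Test-Path -LiteralPath $f) { $findings.Add("Driver file on disk: $f") }
}

# 3. Browser Helper Objects registered for Internet Explorer
$bhoKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
foreach ($clsid in $bhoClsids) {
    if (Test-Path -LiteralPath (Join-Path $bhoKey $clsid)) {
        $findings.Add("BHO registered: $clsid")
    }
}

# 4. Install directory
if (Test-Path -LiteralPath $installDir) { $findings.Add("Install directory present: $installDir") }

if ($findings.Count -eq 0) { 'No CNNIC persistence points found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

A finding that shows the cdnprot service running means the kernel driver that guards the program's files and registry keys is loaded, so removal attempted from that session may fail; stop or disable the driver services first, or clean from an environment in which they are not loaded.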
Prevention