Adware.Hao123.To.172544
種類
Adware
危険度/拡散度
/
発見日
[korea] 2009-12-21 [Foreign] 0000-00-00
Virobot対応
2010-01-06 [Able to detect & repair]
[Symptom of Infection]

[Adware.Hao123.To.172544] is an Adware that modifies a certain registry value for executing the malicious codes.

- Modify Internet Explorer's start page.
- Change Internet Explorer's tools menu language to Chinese and add 
hao123.cn to tools.
- Add itself to registry for auto-execution on system reboot.

[PIC 1] Modified Internet Explorer's start page



[PIC 2] Internet Explorer's Tools



<Related Malicious Codes>


Adware.Xiaoliu

Adware.eMessageServer

<Related URL>

hxxp://d.(...).com/aztj.htm

hxxp://js.users.51.la/2366423.js

hxxp://web.51.(...)/go.asp?(...)http%3A//d.(...).com/aztj.htm

hxxp://d.(...).com/set.htm

hxxp://js.users.51.la/2366427.js

hxxp://web.51.(...)/go.asp?(...)http%3A//d.(...).com/set.htm

hxxp://d.(...).com/setup.exe

hxxp://web.51.(...)/go.asp?(...)http%3A//d.(...).com/set.htm

<File>

[Adware.Hao123.To.172544] creates files like below.

(System Folder)\oemlinkicon.ico

(System Folder)\shdoclcw.dll

(System Folder)\Storm2.exe

(System Folder)\Update.exe

[Adware.Hao123.To.172544] deletes, modifies below files.

(System Folder)\dllcache\shdoclc.dll

<Registry>

[Adware.Hao123.To.172544] creates registries like below.

 

HKLM\SOFTWARE\Classes\CLSID\{2559a1f6-21d7-11d4-bdaf-00c04f60b9f0}\DefaultIcon

Value: oemlinkicon.ico
HKLM\SOFTWARE\Classes\CLSID\{2559a1f6-21d7-11d4-bdaf-00c04f60b9f0}

Value: ?址大全
HKLM\SOFTWARE\Classes\CLSID\{2559a1f6-21d7-11d4-bdaf-00c04f60b9f0}

Name: InfoTip

Value: ?址大全
HKLM\SOFTWARE\Classes\CLSID\{2559a1f6-21d7-11d4-bdaf-00c04f60b9f0}\Instance\InitPropertyBag

Name: Command

Value: ?址大全
HKLM\SOFTWARE\Classes\CLSID\{2559a1f6-21d7-11d4-bdaf-00c04f60b9f0}\Instance\InitPropertyBag

Name: Param1

Value: hxxp://www.123456.cn/?start
HKCU\Software\Microsoft\Internet Explorer\Extensions\CmdMapping

Name: {6096E38F-5AC1-4391-8EC4-75DFA92FB32F}

Value: 0x00002001


HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Name: WBOpen

Value: (System Folder)\Storm2.exe

-      Before       -

HKCU\Software\Microsoft\Internet Explorer\Main

Name: Start Page

Value: about:blank

HKLM\SOFTWARE\Classes\txtfile\shell\open\command

Value: %SystemRoot%\system32\NOTEPAD.EXE %1

 

-      After      -

HKCU\Software\Microsoft\Internet Explorer\Main

Name: Start Page

Value: hxxp://www.123456.cn/?u

HKLM\SOFTWARE\Classes\txtfile\shell\open\command

Value: d:\Browsers.exe %1

<Notation>

- "
(System Folder)" could be different by OS and generally this is "C:WindowsSystem32".

[How to repair]

1. If you are WinXP/ME users, please be inactivate System Recovery Function.
The reason why being inactivate of the system recovery is to clean the virus completely.
You can refer to MS technical documents(Q263455) for more details.


2. Update the engine module for the latest one.
To repair this virus, you need to update the engine for the latest one.


a. ViRobot products users
-Download the latest engine files via our website (www.hauri.net)


b. Non-ViRobot products users
- Use the LiveCall (Free Scan) via the website (http://www.livecall.co.kr)
- Use the trial version of ViRobot products (30days only)


3. How to scan the virus.


a. Run your ViRobot, and choose all files in scan option.
- ViRobot Desktop 5.x : [Tools] -> [Configuration] -> [Spyware/Adware Scan] : Check all files
- LiveCall (Free Scan) : [Advanced Scan] : Check


b. Repair all viruses detected.