FFSearcher.dll

Type: Trojan
SubType: -
Discovery Date: 07/03/2009
Length: 49,152 bytes
Minimum DAT: 5665 (07/03/2009)
Updated DAT: 5665 (07/03/2009)
Minimum Engine: 5.1.00
Description Added: 07/03/2009
Description Modified: 07/03/2009 12:19 AM (PT)
Risk Assessment:
  Corporate User: N/A
  Home User: N/A

Overview

This detection is for DLL components dropped by FFSearcher.

Characteristics

The DLL is dropped to the following location (an NTFS alternate data stream attached to the legitimate netcfgx.dll) and injected into the svchost.exe process:

  • %system%\netcfgx.dll:Zone.Identifier

The following files are also dropped and loaded as system drivers, then deleted:

  • %windows%\win32k.sys:1
  • %windows%\win32k.sys:2

The following registry value is modified so that the DLL is loaded at Windows startup:

  • HKEY_CLASSES_ROOT\CLSID\{5B035261-40F9-11D1-AAEC-00805FC1270E}\InProcServer32  "(Default)"=%system%\netcfgx.dll:Zone.Identifier

The trojan contacts wxtr812.com to retrieve configuration data and saves it to the following file:

  • %Documents and Settings%\All Users\Documents\gifnoc.xtx

It then monitors the web browser and attempts to redirect Google searches to the site named in the configuration file.

Symptoms

  • Presence of the files and registry value listed above.
  • Presence of network connections to wxtr812.com.
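A read-only triage script for the symptoms above, added here as an example and not part of the original description. It assumes PowerShell 3 or later (for Get-Item -Stream), an elevated session, that %system% is $env:SystemRoot\System32, and that the All Users profile is $env:ALLUSERSPROFILE (or $env:PUBLIC on newer Windows); Add-Finding is a helper defined in the script.

```powershell
# Added example (not from the original page): read-only triage of the
# FFSearcher.dll indicators above. Assumes PowerShell 3+ for Get-Item -Stream,
# an elevated session, %system% = $env:SystemRoot\System32, and the XP-era
# %Documents and Settings%\All Users mapped to $env:ALLUSERSPROFILE / $env:PUBLIC.
$system   = Join-Path $env:SystemRoot 'System32'
$findings = @()
function Add-Finding($Indicator, $Location, $Detail, $Severity) {
    $script:findings += [pscustomobject]@{
        Indicator = $Indicator; Location = $Location; Detail = $Detail; Severity = $Severity }
}

# 1. Alternate data streams on the two files the page names as drop targets.
#    A Mark-of-the-Web Zone.Identifier stream is a few dozen bytes; a stream
#    the size of a DLL (the page lists 49,152 bytes) is not.
foreach ($path in @((Join-Path $system 'netcfgx.dll'),
                    (Join-Path $env:SystemRoot 'win32k.sys'))) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    foreach ($s in (Get-Item -LiteralPath $path -Stream * -ErrorAction SilentlyContinue)) {
        if ($s.Stream -eq ':$DATA') { continue }   # main file content, not an ADS
        $sev = if ($s.Length -gt 1024) { 'High' } else { 'Review' }
        Add-Finding 'Alternate data stream on system file' "${path}:$($s.Stream)" "$($s.Length) bytes" $sev
    }
}

# 2. Persistence: the InProcServer32 default value of the CLSID named on the
#    page should be a plain DLL path. Any colon left after removing the drive
#    letter means it points into a "file:stream" alternate data stream.
$key = 'Registry::HKEY_CLASSES_ROOT\CLSID\{5B035261-40F9-11D1-AAEC-00805FC1270E}\InProcServer32'
if (Test-Path -LiteralPath $key) {
    $server = (Get-ItemProperty -LiteralPath $key).'(default)'
    if ($server -and (($server -replace '^[A-Za-z]:', '') -match ':')) {
        Add-Finding 'CLSID InProcServer32 points into an ADS' $key $server 'High'
    }
}

# 3. The dropped configuration file (XP-era path from the page, plus the modern Public profile).
foreach ($cfg in @("$env:ALLUSERSPROFILE\Documents\gifnoc.xtx", "$env:PUBLIC\Documents\gifnoc.xtx")) {
    if (Test-Path -LiteralPath $cfg) { Add-Finding 'Dropped config file' $cfg "$((Get-Item -LiteralPath $cfg).Length) bytes" 'High' }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap } else { 'No FFSearcher.dll indicators found.' }
```

The script only reports; a 'High' finding on the CLSID value or a large stream on netcfgx.dll should be followed by a scan with the engine and DAT versions listed above.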

Method of Infection

The file is dropped by FFSearcher.

Removal

All Users:
Use the specified engine and DAT files for detection. For repair to complete, the system must be rebooted.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the current engine and DAT combination (or higher); older engines may not be able to remove all registry keys created by this threat.

Additional Windows ME/XP removal considerations

Variants

N/A
