ZHPDiag – Module O69 (SBI)


Linked to the SBI (Search Browser Infection) module, the O69 module of ZHPDiag aims to search for redirects from internet browsers.

When the module was first created, the search was limited to the Mozilla Firefox browser. Its purpose was to check for the presence of the Yoog search engine in the user's 'plugIn' folder as well as in their 'prefs.js' preferences file.

Subsequently, the module changed its name to perform a broader search, extended to other malicious search engines.

An additional search is made in the key “Internet Explorer\SearchScopes”. SearchScopes allows you to specify Internet search providers. The value data “DefaultScope” contains the CLSID which points to the default search provider.

– The default search provider is identified in the list by the presence of the string [DefaultScope], as in this example for Google:
O69 – SBI: SearchScopes {6A1806CD-94D4-4689-BA73-E35EA1EA9990} [DefaultScope] – (Google) – https://www.google.com

– The search is carried out in the Registry keys:
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\SearchScopes] 
[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes] 
[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes] 
[HKEY_CLASSES_ROOT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]

– It is easy for an attacker to use an ADM program to create a CLSID with a URL value pointing to their own search engine and then modify the “DefaultScope” value. This type of redirection is notably used by well-known engines such as recherche.us, Yoog or Ask.com.
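To make the SearchScopes check concrete, here is an added Python example (not ZHPDiag's own code) that parses a constructed .reg export of the key, rebuilds O69-style report lines and flags a DefaultScope whose URL host lies outside an assumed known-good list; the sample export and the allowlist are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed .reg-style export of one user's SearchScopes key (sample data, not a real capture).
SAMPLE_REG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}]
"DisplayName"="Google"
"URL"="https://www.google.com/search?q={searchTerms}"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
"DisplayName"="Bing"
"URL"="https://findgala.com/?&uid=1002&q={searchTerms}"
"""

# Assumed allowlist of legitimate provider hosts; extend it for your environment.
KNOWN_GOOD_HOSTS = {"www.google.com", "www.bing.com", "search.live.com"}
HIVE_SHORT = {"HKEY_CURRENT_USER": "HKCU", "HKEY_CLASSES_ROOT": "HKCR", "HKEY_USERS": "HKUS"}

def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: data}} (string values only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:
                keys[current][m.group(1)] = m.group(2)
    return keys

def o69_lines(text):
    """Return (O69-style line, hijacked?) per CLSID subkey; hijacked means the default
    scope's URL host is outside KNOWN_GOOD_HOSTS."""
    keys = parse_reg(text)
    findings = []
    for path, values in keys.items():
        if not re.search(r"\\SearchScopes\\\{[0-9A-Fa-f-]{36}\}$", path):
            continue
        base, clsid = path.rsplit("\\", 1)
        default = keys.get(base, {}).get("DefaultScope", "")
        root = path.split("\\", 1)[0]
        host = urlsplit(values.get("URL", "")).hostname or ""
        is_default = clsid.lower() == default.lower()
        tag = " [DefaultScope]" if is_default else ""
        line = f"O69 – SBI: SearchScopes [{HIVE_SHORT.get(root, root)}] {clsid}{tag} – ({values.get('DisplayName', '')}) – https://{host}"
        findings.append((line, is_default and host not in KNOWN_GOOD_HOSTS))
    return findings
```

Note that the display name is attacker-controlled: the sample default scope calls itself "Bing" while its URL points elsewhere, which is why the verdict is taken from the host and not the name.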

ZHPDiag Overview

—\\ Yoog Infection Research (SYI) (O69)
O69 – SYI: C:\Documents and Settings\{userName}\Application Data\Mozilla\Firefox\Profiles\{random}.default\searchplugins\Yoog Search.xml
O69 – SYI: C:\Users\{userName}\AppData\Roaming\Mozilla\Firefox\Profiles\{random}.default\searchplugins\Yoog Search.xml
O69 – SYI: prefs.js [{userName} – {random}.default] user_pref(“browser.search.selectedEngine”, “Yoog Search”);

–\\ Search Infection Browser (SBI) (O69) v1.25.1347
O69 – SBI: C:\Documents and Settings\{userName}\Application Data\Mozilla\Firefox\Profiles\{random}.default\searchplugins\askcom.xml
O69 – SBI: prefs.js [{userName} – {random}.default] user_pref(“browser.search.selectedEngine”, “Ask Search”);

—\\Search Browser Infection (SBI) (O69) v1.26.18
O69 – SBI: SearchScopes {CF739809-1C6C-47C0-85B9-569DBB141420} – (Ask Search) – https://toolbar.ask.com
O69 – SBI: SearchScopes {67A2568C-7A0A-4EED-AECC-B5405DE63B64} [DefaultScope] – (Google) – https://www.google.com

O69 – SBI: SearchScopes {0633EE93-D776-472f-A0FF-E1416B8B2E3A} [DefaultScope] – (@ieframe.dll,-12512) – https://search.live.com

—\\Search Browser Infection (SBI) (O69)
O69 – SBI: SearchScopes [HKCU] {BB74DE59-BC4C-4172-9AC4-73315F71CFFE} – (WebSearch) – https://websearch.mocaflix.com
O69 – SBI: SearchScopes [HKCU] {BB74DE59-BC4C-4172-9AC4-73315F71CFFE} [DefaultScope] – (WebSearch) – https://websearch.searchrocket.info
O69 – SBI: SearchScopes [HKCU] {BB74DE59-BC4C-4172-9AC4-73315F71CFFE} [DefaultScope] – (WebSearch) – https://websearch.wisesearch.info

MBAM equivalence

Infected Registry data item(s):
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL (Hijack.SearchPage) -> Bad: (https://findgala.com/?&uid=1002&q={searchTerms}) Good: (https://www.Google.com/)

Examples of diversion

The “DefaultScope” value data contains the CLSID which points to the default search provider, here 'findgala.com', a site known to be dangerous.
O69 – SBI: SearchScopes {0633EE93-D776-472f-A0FF-E1416B8B2E3A} [DefaultScope] – (Bing) – https://findgala.com

Trojan: Troj/Zbot-JS
HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{19F2B849-4ADE-4d4b-85F9-C31C643DBDE9}\
“URL”=”https://fastbrowsersearch.com/results/results.aspx?q={searchTerms}&c=web&s=DSP&v=9”

BrowserModifier:Win32/MindQuizSearch
Added value: “DisplayName”
With data: “Bing”
Added value: “FaviconURLFallback”
With data: https://www.bing.com/favicon.ico
Added value: “SuggestionsURLFallback”
With data: “https://api.bing.com/qsml.aspx?query={searchTerms}&market={Language}&form=IE8SSC&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}”
“URL”=”https://tmq.bingstart.com/s/?q={searchTerms}&iesrc=IE-SearchBox&site=Bing&cfg=2-168-0-1nUEv”
To subkey: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{E5F5D888-2587-E012-A817-7038F5690F26}

ZHPFix Action (Case No. 1)

O69 – SBI: SearchScopes [{HiveName}] {CLSIDKey} [DefaultScope] – () – {DataKey}

{HiveName}: Name of the hive (HKCU, HKCR, HKUS).
{Key}: Registry Key [HKEY_USERS\…\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{CLSIDKey}]
{CLSIDKey}: Under key {Key}
{DataKey}: Value data “URL” of the key {CLSIDKey}.

1) Replace the data {DataKey} with “https://www.Google.com/”
2) Delete the key {CLSIDKey} if it is malware.

ZHPFix Action (Case No. 2)

O69 – SBI: prefs.js [{userName} – {random}.default] user_pref( {Line} );

{Line}: Line of the preference file.

1) The line {Line} is commented out and becomes inactive when the browser preferences file is reloaded.

ZHPFix Action (Case No. 3)

O69 – SBI: {FileName}

1) Delete the file {FileName}

ZHPFix Report (Example)

Lines entered:
O69 – SBI: SearchScopes [HKCU] {9BB47C17-9C68-4BB3-B188-DD9AF0FD2A59} – (Web Search) – https://search.imesh.com
O69 – SBI: SearchScopes [HKCU] {afdbddaa-5d3f-42ee-b79c-185a7020515b} – (Messenger Plus Live France Customized Web Search) – https://search.conduit.com

Report of ZHPFix v1.12.3143 by Nicolas Coolman, Update of 01/09/2010

========== Registry Data Element(s) ==========
O69 – SBI: SearchScopes [HKCU] {9BB47C17-9C68-4BB3-B188-DD9AF0FD2A59} – (Web Search) – https://search.imesh.com => Data replaced successfully
O69 – SBI: SearchScopes [HKCU] {afdbddaa-5d3f-42ee-b79c-185a7020515b} – (Messenger Plus Live France Customized Web Search) – https://search.conduit.com => Data replaced successfully

========== Summary ==========
2: Registry data element(s)

Links

Microsoft: How to create custom .adm files
Understanding and Working in Protected Mode Internet Explorer (Microsoft)
Adding Entries to the Standard Context Menu
