Virus

Adware/SEP

Analysis

When executed, the installer creates a folder named SEP in C:\Program Files. It then extracts the following files:

sep.dll
uninst.exe

The registry is updated with two new keys, SEP.Band and SEP.Searchy, under each of the following paths:

HKEY_CLASSES_ROOT
HKEY_LOCAL_MACHINE\SOFTWARE\Classes

A Browser Helper Object (BHO) is also registered, which causes the component to be loaded by Internet Explorer:
</gre_replace>
<gr_replace lines="21" cat="clarify" orig="Also, a Browser">
The same CLSID is also registered as an Internet Explorer toolbar:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C5183ABC-EB6E-4E05-B8C9-500A16B6CF94}

Also, a Browser Helper Object is inserted to the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{C5183ABC-EB6E-4E05-B8C9-500A16B6CF94}

After installation, the adware sends an HTTP GET request to queue.searchreslt.com. This notifies that server that another machine has installed the adware.
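The artifacts listed above (dropped files, ProgIDs, BHO and toolbar registrations, and the beacon host) can be checked on a suspect host with the following PowerShell script. It is an added example, not part of the original Fortinet entry. Beyond what the entry states, it also checks the Wow6432Node hives on 64-bit Windows and the CLSID's own entry under HKCR\CLSID (where a COM in-process server is normally registered), and it looks for the beacon domain in the DNS client cache; those three checks are assumptions about where the artifacts would also appear, not facts from the entry. Run it from an elevated prompt.

```powershell
# Added host check for Adware/SEP artifacts (example code, not from the original entry).
# Returns a list of findings; an empty list means none of the known artifacts were found.
function Find-SepAdwareArtifacts {
    $clsid    = '{C5183ABC-EB6E-4E05-B8C9-500A16B6CF94}'
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Dropped folder and files under C:\Program Files\SEP
    $sepDir = Join-Path $env:ProgramFiles 'SEP'
    foreach ($file in 'sep.dll', 'uninst.exe') {
        $path = Join-Path $sepDir $file
        if (Test-Path -LiteralPath $path) { $findings.Add("File present: $path") }
    }

    # 2. ProgIDs SEP.Band / SEP.Searchy under HKCR and HKLM\SOFTWARE\Classes.
    #    Wow6432Node is an assumption for 32-bit components on 64-bit Windows.
    $classRoots = 'Registry::HKEY_CLASSES_ROOT',
                  'HKLM:\SOFTWARE\Classes',
                  'HKLM:\SOFTWARE\Wow6432Node\Classes'
    foreach ($root in $classRoots) {
        foreach ($progId in 'SEP.Band', 'SEP.Searchy') {
            $key = "$root\$progId"
            if (Test-Path -LiteralPath $key) { $findings.Add("ProgID registered: $key") }
        }
        # Assumption: the CLSID's COM server entry lives under <root>\CLSID\{...}
        $clsidKey = "$root\CLSID\$clsid"
        if (Test-Path -LiteralPath $clsidKey) {
            $server = (Get-ItemProperty -LiteralPath "$clsidKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
            $findings.Add("CLSID registered: $clsidKey (InprocServer32 = $server)")
        }
    }

    # 3. BHO and IE toolbar registrations for the CLSID.
    #    Toolbars are usually a value named after the CLSID under ...\Toolbar,
    #    so both a subkey and a value are checked.
    foreach ($sw in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node') {
        $bho = "$sw\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$clsid"
        if (Test-Path -LiteralPath $bho) { $findings.Add("BHO registered: $bho") }

        $toolbar = "$sw\Microsoft\Internet Explorer\Toolbar"
        if (Test-Path -LiteralPath "$toolbar\$clsid") {
            $findings.Add("Toolbar subkey registered: $toolbar\$clsid")
        }
        $tbKey = Get-Item -LiteralPath $toolbar -ErrorAction SilentlyContinue
        if ($tbKey -and $null -ne $tbKey.GetValue($clsid)) {
            $findings.Add("Toolbar value registered: $toolbar -> $clsid")
        }
    }

    # 4. Beacon: look for the install-notification host in the DNS client cache
    #    (Get-DnsClientCache exists on Windows 8 / Server 2012 and later).
    $dns = Get-DnsClientCache -ErrorAction SilentlyContinue |
           Where-Object { $_.Entry -like '*searchreslt.com' }
    foreach ($entry in $dns) { $findings.Add("DNS cache entry: $($entry.Entry)") }

    return $findings
}

$results = Find-SepAdwareArtifacts
if ($results.Count -eq 0) {
    Write-Host 'No Adware/SEP artifacts found.'
} else {
    Write-Host "Adware/SEP artifacts found ($($results.Count)):"
    $results | ForEach-Object { Write-Host "  $_" }
}
```

A DNS-cache hit only shows that the host resolved the domain since the cache was last flushed, so treat it as corroborating evidence for the registry and file findings rather than a standalone indicator.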

Recommended Action

  • Check the main screen of the FortiGate unit's web interface to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option.