Virus

Adware/MyWebSearch

Analysis



The details for the MyWebSearch Installer are:

File Name: MyWebSearchSetup2.0.4.0.exe
File Size: 2,541,560 bytes
Digital Signature: ASK JEEVES INC.


The details for the MyWebSearch executables are:

File Name: F3SCHMON.EXE
File Size: 65,536 bytes
Description: Fun Web Products History Swatter
Company Name: FunWebProducts.com
Internal Name: f3schmon
Product Name: History Swatter
File Version: 1.0.0.47
Product Version: 2,0,0,0

File Name: M3SKPLAY.EXE
File Size: 24,576 bytes
Description: MyWebSearch Skin Player
Company Name: MyWebSearch.com
Internal Name: m3SkPlay
Product Name: My Web Search Skin Tools
File Version: 1.0.3.2
Product Version: 1,0,3,2

File Name: MWSOEMON.EXE
File Size: 28,672 bytes
Description: My Web Search Email Plugin
Company Name: MyWebSearch.com
Internal Name: msoemon
Product Name: My Web Search Bar for Internet Explorer, email clients, and messenger clients
File Version: 1.2.2.2
Product Version: 2,0,1,0


Description of Adware

Adware/MyWebSearch and FunWeb are programs authored by Ask Jeeves, a wholly owned subsidiary of IAC/InterActiveCorp. MyWebSearch takes the form of a full system integration; that is, MyWebSearch components interact with many existing programs on a host. These include Internet browsing software, Microsoft Outlook Express, Microsoft Office, and MSN Messenger, among others. When the Internet browsing software is launched, the MyWebSearch network is notified that the browser has been opened. The program then connects to cfg.mywebsearch.com to perform any necessary updates to MyWebSearch components. Should an update be found, it is performed silently. The toolbar is built using data from imgfarm.com. All interaction with toolbar components, including searches performed, is reported to the MyWebSearch network. The MyWebSearch network then produces in-line advertisements. The EULA and Privacy Policies at the time of writing state that MyWebSearch will "evaluate only on an aggregate basis" any data received.


System alterations upon installation:

  • Upon executing the installer, many system changes occur. MyWebSearch does not, however, produce a standard, user-visible installer. All MyWebSearch applications and components are installed silently. A very lengthy EULA and privacy agreement can be viewed by accessing MyWebSearch.com.

  • Many files are added to the system during the install of MyWebSearch. These include:
    [Documents and Settings Directory]\Administrator\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
    [Documents and Settings Directory]\All Users\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
    [Program Files Directory]\MyWebSearch\bar\1.bin\F3BKGERR.JPG
    [Program Files Directory]\MyWebSearch\bar\1.bin\F3CJPEG.DLL
    [Program Files Directory]\MyWebSearch\bar\1.bin\F3DTACTL.DLL
    [Program Files Directory]\MyWebSearch\bar\1.bin\F3HISTSW.DLL
    [Program Files Directory]\MyWebSearch\bar\1.bin\F3HTMLMU.DLL
    [Program Files Directory]\MyWebSearch\bar\1.bin\F3HTTPCT.DLL
    [Program Files Directory]\MyWebSearch\bar\1.bin\F3POPSWT.DLL
    [Program Files Directory]\MyWebSearch\bar\1.bin\F3PSSAVR.SCR
    [Program Files Directory]\MyWebSearch\bar\1.bin\F3REPROX.DLL
    [Program Files Directory]\MyWebSearch\bar\1.bin\F3RESTUB.DLL
    [Program Files Directory]\MyWebSearch\bar\1.bin\F3SCHMON.EXE
    [Program Files Directory]\MyWebSearch\bar\1.bin\F3SCRCTR.DLL
    [Program Files Directory]\MyWebSearch\bar\1.bin\F3SPACER.WMV
    [Program Files Directory]\MyWebSearch\bar\1.bin\F3WALLPP.DAT
    [Program Files Directory]\MyWebSearch\bar\1.bin\F3WPHOOK.DLL
    [Program Files Directory]\MyWebSearch\bar\1.bin\M3FFXTBR.JAR
    [Program Files Directory]\MyWebSearch\bar\1.bin\M3HTML.DLL
    [Program Files Directory]\MyWebSearch\bar\1.bin\M3IDLE.DLL
    [Program Files Directory]\MyWebSearch\bar\1.bin\M3NTSTBR.JAR
    [Program Files Directory]\MyWebSearch\bar\1.bin\M3OUTLCN.DLL
    [Program Files Directory]\MyWebSearch\bar\1.bin\M3PLUGIN.DLL
    [Program Files Directory]\MyWebSearch\bar\1.bin\M3SKIN.DLL
    [Program Files Directory]\MyWebSearch\bar\1.bin\M3SKPLAY.EXE
    [Program Files Directory]\MyWebSearch\bar\1.bin\MWSBAR.DLL
    [Program Files Directory]\MyWebSearch\bar\1.bin\MWSOEMON.EXE
    [Program Files Directory]\MyWebSearch\bar\1.bin\MWSOEPLG.DLL
    [Program Files Directory]\MyWebSearch\bar\1.bin\MWSOESTB.DLL
    [Program Files Directory]\MyWebSearch\bar\1.bin\NPMYWEBS.DLL
    [Program Files Directory]\MyWebSearch\bar\Game\CHECKERS.F3S
    [Program Files Directory]\MyWebSearch\bar\Game\CHESS.F3S
    [Program Files Directory]\MyWebSearch\bar\Game\REVERSI.F3S
    [Program Files Directory]\MyWebSearch\bar\Settings\s_pid.dat
    [Program Files Directory]\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
    [Windows System Directory]\f3PSSavr.scr

  • Many registry keys are added, including:
    HKEY_CLASSES_ROOT\FunWebProducts.HistoryKillerScheduler
    HKEY_CLASSES_ROOT\FunWebProducts.HistorySwatterControlBar
    HKEY_CLASSES_ROOT\FunWebProducts.HTMLMenu
    HKEY_CLASSES_ROOT\FunWebProducts.IECookiesManager
    HKEY_CLASSES_ROOT\FunWebProducts.KillerObjManager
    HKEY_CLASSES_ROOT\FunWebProducts.PopSwatterBarButton
    HKEY_CLASSES_ROOT\MyWebSearch.HTMLPanel
    HKEY_CLASSES_ROOT\MyWebSearch.HTMLPanel\CLSID
    HKEY_CLASSES_ROOT\MyWebSearch.HTMLPanel\CurVer
    HKEY_CLASSES_ROOT\MyWebSearch.HTMLPanel.1
    HKEY_CLASSES_ROOT\MyWebSearch.HTMLPanel.1\CLSID
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Extensions
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Extensions\.dat
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Outlook
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Outlook\Addins
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Outlook\Addins\MyWebSearch.OutlookAddin
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Word
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Word\Addins
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Word\Addins\MyWebSearch.OutlookAddin
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00A6FAF1-072E-44cf-8957-5838F569A31D}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{07B18EA1-A523-4961-B6BB-170DE4475CCA}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyWebSearch bar Uninstall
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media\WMSDK
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media\WMSDK\sources
    HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch

  • There are also hundreds of registry values added. Among these are values in registry keys that will cause MyWebSearch components to automatically execute upon boot.

  • A MyWebSearch component responsible for interaction with the Internet browsing, e-mail client, and messaging software remains resident in memory after the installation process. The process is named MWSOEMON.EXE.

  • Cookies are added to facilitate Internet browser tracking.

  • A toolbar and BHO are added to Internet Explorer.


Adware Behavior

  • The MyWebSearch toolbar will relay any interaction with it to the MyWebSearch network. This includes the results of any and all searches performed, or any use of the MyWebSearch toolbar.

  • MyWebSearch will add components, including a toolbar, to the Internet browsing software, Microsoft mail clients, and MSN Messenger.

  • The software will also create inline ads while the user is browsing the web.
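
One way to check collected host telemetry against the file, registry, process and network indicators listed on this page, written in Python as an added example (it is not part of the original analysis or of any vendor tooling). The (kind, value) record layout and the SAMPLE events are constructed assumptions. Shared parent keys from the registry list, such as ...\Office\Outlook\Addins or ...\WMPlayer, are deliberately not matched because they also exist on hosts without MyWebSearch, and Wow6432Node is stripped so 32-bit registry views on 64-bit Windows still match.

```python
# Added example: indicators come from this write-up; the (kind, value) record
# layout and the SAMPLE events are constructed for illustration.
HIVES = {"hklm": "hkey_local_machine", "hkcr": "hkey_classes_root"}
BHO = r"hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects"
ADDINS = r"hkey_local_machine\software\microsoft\office"
REG_KEYS = (  # only keys that name the product; shared parent keys are left out
    r"hkey_local_machine\software\mywebsearch",
    ADDINS + r"\outlook\addins\mywebsearch.outlookaddin",
    ADDINS + r"\word\addins\mywebsearch.outlookaddin",
    BHO + r"\{00a6faf1-072e-44cf-8957-5838f569a31d}",
    BHO + r"\{07b18ea1-a523-4961-b6bb-170de4475cca}",
    r"hkey_classes_root\funwebproducts.",
    r"hkey_classes_root\mywebsearch.htmlpanel",
)
FILE_MARKERS = ("\\mywebsearch\\bar\\", "\\mywebsearch\\srchastt\\", "\\mywebsearch email plugin.lnk", "\\f3pssavr.scr")
PROCESSES = {"mwsoemon.exe"}
DOMAINS = (".cfg.mywebsearch.com", ".imgfarm.com")  # leading dot anchors at a label boundary

def norm_key(key):
    """Lower-case, expand hive abbreviations, drop the 32-bit redirection node."""
    hive, _, rest = key.lower().replace("\\wow6432node", "").partition("\\")
    return HIVES.get(hive, hive) + "\\" + rest

MATCHERS = {
    "registry": lambda v: norm_key(v).startswith(REG_KEYS),
    "file": lambda v: any(m in v for m in FILE_MARKERS),
    "process": lambda v: v.rsplit("\\", 1)[-1] in PROCESSES,
    "dns": lambda v: ("." + v.rstrip(".")).endswith(DOMAINS),
}

def triage(events):
    """Return {kind: sorted original values} for events that hit an indicator."""
    hits = {}
    for kind, value in events:
        if kind in MATCHERS and MATCHERS[kind](value.strip().lower()):
            hits.setdefault(kind, set()).add(value)
    return {k: sorted(v) for k, v in hits.items()}

SAMPLE = [  # constructed telemetry
    ("registry", r"HKLM\SOFTWARE\Microsoft\Office\Outlook\Addins"),  # shared parent key
    ("registry", r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer"
                 r"\Browser Helper Objects\{07B18EA1-A523-4961-B6BB-170DE4475CCA}"),
    ("file", r"C:\Program Files (x86)\MyWebSearch\bar\1.bin\MWSBAR.DLL"),
    ("process", r"C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE"),
    ("dns", "cfg.mywebsearch.com."),
    ("dns", "notimgfarm.com"),  # look-alike suffix, must not match
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```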