Application.MWS
SYMPTOMS:
A toolbar for Internet Explorer and Outlook Express named MyWebSearch.
A process with the name "mwsoemon.exe" listed under Task Manager's "Processes" list.

TECHNICAL DESCRIPTION:
MyWebSearch Toolbar is a customizable Internet Explorer search toolbar that comes with other tools such as screen savers, a pop-up blocker and cursors. It comes bundled with these applications in an installer that has no interaction with the user: when you run the installer it asks you nothing, so you don't actually have a choice in installing it.

When this adware is installed, it performs the following actions:

a) Creates its default installation directory:
   %PROGRAMFILES%\MyWebSearch

b) Creates the following files:
   %PROGRAM FILES%\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
   %PROGRAM FILES%\MyWebSearch\bar\1.bin\F3BKGERR.JPG
   %PROGRAM FILES%\MyWebSearch\bar\1.bin\F3CJPEG.DLL
   %PROGRAM FILES%\MyWebSearch\bar\1.bin\F3DTACTL.DLL
   %PROGRAM FILES%\MyWebSearch\bar\1.bin\F3HISTSW.DLL
   %PROGRAM FILES%\MyWebSearch\bar\1.bin\F3HTMLMU.DLL
   %PROGRAM FILES%\MyWebSearch\bar\1.bin\F3HTTPCT.DLL
   %PROGRAM FILES%\MyWebSearch\bar\1.bin\F3IMSTUB.DLL
   %PROGRAM FILES%\MyWebSearch\bar\1.bin\F3POPSWT.DLL
   %PROGRAM FILES%\MyWebSearch\bar\1.bin\F3PSSAVR.SCR
   %PROGRAM FILES%\MyWebSearch\bar\1.bin\F3REPROX.DLL
   %PROGRAM FILES%\MyWebSearch\bar\1.bin\F3RESTUB.DLL
   %PROGRAM FILES%\MyWebSearch\bar\1.bin\F3SCHMON.EXE
   %PROGRAM FILES%\MyWebSearch\bar\1.bin\F3SCRCTR.DLL
   %PROGRAM FILES%\MyWebSearch\bar\1.bin\F3SHLLVW.DLL
   %PROGRAM FILES%\MyWebSearch\bar\1.bin\F3SPACER.WMV
   %PROGRAM FILES%\MyWebSearch\bar\1.bin\F3WALLPP.DAT
   %PROGRAM FILES%\MyWebSearch\bar\1.bin\F3WPHOOK.DLL
   %PROGRAM FILES%\MyWebSearch\bar\1.bin\M3FFXTBR.JAR
   %PROGRAM FILES%\MyWebSearch\bar\1.bin\M3FFXTBR.MANIFEST
   %PROGRAM FILES%\MyWebSearch\bar\1.bin\M3HTML.DLL
   %PROGRAM FILES%\MyWebSearch\bar\1.bin\M3IDLE.DLL
   %PROGRAM FILES%\MyWebSearch\bar\1.bin\M3NTSTBR.JAR
   %PROGRAM FILES%\MyWebSearch\bar\1.bin\M3NTSTBR.MANIFEST
   %PROGRAM FILES%\MyWebSearch\bar\1.bin\M3OUTLCN.DLL
   %PROGRAM FILES%\MyWebSearch\bar\1.bin\M3PLUGIN.DLL
   %PROGRAM FILES%\MyWebSearch\bar\1.bin\M3SKIN.DLL
   %PROGRAM FILES%\MyWebSearch\bar\1.bin\M3SKPLAY.EXE
   %PROGRAM FILES%\MyWebSearch\bar\1.bin\MWSBAR.DLL
   %PROGRAM FILES%\MyWebSearch\bar\1.bin\MWSOEMON.EXE
   %PROGRAM FILES%\MyWebSearch\bar\1.bin\MWSOEPLG.DLL
   %PROGRAM FILES%\MyWebSearch\bar\1.bin\MWSOESTB.DLL
   %PROGRAM FILES%\MyWebSearch\bar\1.bin\NPMYWEBS.DLL

c) Creates the following registry keys:
   HKEY_LOCAL_MACHINE\SOFTWARE\FocusInteractive
   HKEY_LOCAL_MACHINE\SOFTWARE\FocusInteractive\Outlook
   HKEY_LOCAL_MACHINE\SOFTWARE\FocusInteractive\bar\Switches
   HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products
   HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products\ScreenSaver
   HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products\Settings\Promos
   HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products\Settings\SmileyCentralBtn
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Outlook\Addins\MyWebSearch.OutlookAddin
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Word\Addins\MyWebSearch.OutlookAddin
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00A6FAF1-072E-44cf-8957-5838F569A31D}
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{07B18EA1-A523-4961-B6BB-170DE4475CCA}
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\My Web Search Bar
      with value [rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S]
   [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\My Web Search Bar\MyWebSearch Email Plugin]
      with value [%PROGRAM FILES%\MYWEBS~1\bar\1.bin\mwsoemon.exe]

d) Adds a toolbar named "MyWebSearch" to Internet Explorer.

e) Runs one or more of the following:
   C:\Program Files\MyWebSearch\bar\1.bin\mwsoemon.exe

Removal instructions: Please let BitDefender disinfect your computer.

ANALYZED BY: Mihai Cimpoesu, Virus Researcher
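
A triage check built from the registry indicators listed above, as an added example that is not BitDefender's own tooling: it scans saved `reg query /s` output for the listed keys and for any value whose data points at MWSBAR.DLL or MWSOEMON.EXE, under either the long directory name or its 8.3 short form. Assumptions: the `MYWEBS~<digit>` short-name pattern, the `WOW6432Node` handling for 64-bit Windows, and the sample listing, which is constructed.

```python
import re

# Registry keys copied from the description above, lower-cased for comparison.
KEYS = [k.lower() for k in (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\FocusInteractive",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Outlook\Addins\MyWebSearch.OutlookAddin",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Word\Addins\MyWebSearch.OutlookAddin",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer"
    r"\Browser Helper Objects\{00A6FAF1-072E-44cf-8957-5838F569A31D}",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer"
    r"\Browser Helper Objects\{07B18EA1-A523-4961-B6BB-170DE4475CCA}",
)]

# Autostart payloads; assumption: the directory may appear as 8.3 name MYWEBS~<digit>.
PAYLOAD = re.compile(
    r"\\(?:MyWebSearch|MYWEBS~\d)\\bar\\1\.bin\\(?:MWSBAR\.DLL|MWSOEMON\.EXE)", re.I)
# `reg query` value line: indent, name, type, data, separated by four spaces.
VALUE_LINE = re.compile(r"^\s+(.+?)\s{4}(REG_\w+)\s{4}(.*)$")

def scan_reg_query(text):
    """Return sorted (kind, key, value_name) findings from `reg query /s` output."""
    findings, key = set(), None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            # Assumption: on 64-bit Windows a 32-bit installer's keys sit under WOW6432Node.
            norm = key.lower().replace("\\wow6432node", "")
            if any(norm == k or norm.startswith(k + "\\") for k in KEYS):
                findings.add(("key", key, ""))
            continue
        m = VALUE_LINE.match(line)
        if m and key and PAYLOAD.search(m.group(3)):
            findings.add(("value", key, m.group(1)))
    return sorted(findings)

# Constructed sample listing (not captured from a real host).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    My Web Search Bar    REG_SZ    rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S
    MyWebSearch Email Plugin    REG_SZ    C:\Program Files\MyWebSearch\bar\1.bin\mwsoemon.exe
    ExampleUpdater    REG_SZ    C:\Program Files\Example\updater.exe
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Fun Web Products\Settings\Promos
HKEY_LOCAL_MACHINE\SOFTWARE\FocusInteractiveTools
"""

if __name__ == "__main__":
    for kind, key, name in scan_reg_query(SAMPLE):
        print(kind, key, name)
```

Key matches are exact or on a full path component, so an unrelated key such as the constructed `FocusInteractiveTools` is not reported.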