ThreatExpert Report

Submission Summary:

Submission details:

Submission received: 29 July 2009, 05:26:19
Processing time: 7 min 10 sec
Submitted sample:

File MD5: 0x84F4BD1A0936BCA16329A812221CAB12
File SHA-1: 0x03FCB13F93DEE499B495793143D90358EE742881
Filesize: 644,992 bytes

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.
Registers a Browser Helper Object (Microsoft's Internet Explorer plugin module).

Technical Details:

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash
1	%ProgramFiles%\Fast Browser Search\IE\basis.xml %ProgramFiles%\Fast Browser Search\IE\fbsSearchProvider.xml %ProgramFiles%\Search Guard Plus\fbsSearchProvider.xml	0 bytes	MD5: 0xD41D8CD98F00B204E9800998ECF8427E SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709
2	c:\users\public\MyWebTattoo.exe	734,080 bytes	MD5: 0x74221C9CB98A6D7C2ECFF81DAA8F40B0 SHA-1: 0xF9DD8EC3C04C19BFF071E8D71AFD24A340E9BD97
3	[file and pathname of the sample #1]	644,992 bytes	MD5: 0x84F4BD1A0936BCA16329A812221CAB12 SHA-1: 0x03FCB13F93DEE499B495793143D90358EE742881

Note:

%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

The following directories were created:

%ProgramFiles%\Search Guard Plus
%ProgramFiles%\Search Guard PlusU
%ProgramFiles%\Fast Browser Search
%ProgramFiles%\Fast Browser Search\IE
%ProgramFiles%\Search Guard PlusU\Tmp
%ProgramFiles%\SGPSA
c:\users
c:\users\public

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
MyWebTattoo.exe	C:\users\public\MyWebTattoo.exe	757,760 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	700,416 bytes
[generic host process]	[generic host process filename]	20,480 bytes

Notes:

[generic host process filename] is a full path filename of [generic host process].

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1BB22D38-A411-4B13-A746-C2A4F4EC7344}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FCBCCB87-9224-4B8D-B117-F56D924BEB18}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F0626A63-410B-45E2-99A1-3F2475B2D695}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Search Guard Plus
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Search Guard Plus Updater
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TBSB07183.TBSB07183Toolbar
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{19F2B849-4ADE-4d4b-85F9-C31C643DBDE9}
HKEY_CURRENT_USER\Software\FBSearch
HKEY_CURRENT_USER\Software\SGPUpdater

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1BB22D38-A411-4B13-A746-C2A4F4EC7344}]

(Default) = "Fast Browser Search Toolbar"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FCBCCB87-9224-4B8D-B117-F56D924BEB18}]

(Default) = "Fast Browser Search Toolbar Helper"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs]

Tabs = "http://www.fastbrowsersearch.com/new-tab/?v=4&tid=0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F0626A63-410B-45E2-99A1-3F2475B2D695}]

tid = "0"
v = "4"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

SGPUpdater = "%ProgramFiles%\Search Guard PlusU\sgpUpdaters.exe"
FBSearch = "%ProgramFiles%\Search Guard Plus\SearchGuardPlus.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Search Guard Plus]

DisplayName = "Search Guard Plus (My Web Tattoo)"
UninstallString = "%ProgramFiles%\Search Guard Plus\uninstalSGP.exe"
DisplayIcon = "%ProgramFiles%\Search Guard Plus\SearchGuardPlus.ico"
Publisher = "Make The Web Better, LLC"
DisplayVersion = "2.0"
HelpLink = "http://www.searchguardplus.com/Uninstall.aspx"
URLInfoAbout = "http://www.Make-the-web-better.com"
HelpTelephone = "1-800-831-8940"
Contact = "info@make-the-web-better.com"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Search Guard Plus Updater]

DisplayName = "Search Guard Plus Updater (My Web Tattoo)"
UninstallString = "%ProgramFiles%\Search Guard PlusU\uninstalSGPU.exe"
DisplayIcon = "%ProgramFiles%\Search Guard PlusU\SGPU.ico"
Publisher = "Make The Web Better, LLC"
DisplayVersion = "2.0"
HelpLink = "http://www.searchguardplus.com/Uninstall.aspx"
URLInfoAbout = "http://www.Make-the-web-better.com"
HelpTelephone = "1-800-831-8940"
Contact = "info@make-the-web-better.com"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TBSB07183.TBSB07183Toolbar]

DisplayName = "Fast Browser Search (My Web Tattoo)"
DisplayIcon = "%ProgramFiles%\Fast Browser Search\IE\uninstall.exe"
Publisher = "Make The Web Better, LLC"
DisplayVersion = "2.0"
HelpLink = "http://www.fastbrowsersearch.com/fbsuninstall.aspx"
URLInfoAbout = "http://www.Make-the-web-better.com"
HelpTelephone = "1-800-831-8940"
Contact = "info@make-the-web-better.com"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{19F2B849-4ADE-4d4b-85F9-C31C643DBDE9}]

DisplayName = "Fast Browser Search"
URL = "http://www.fastbrowsersearch.com/results/results.aspx?q={searchTerms}&c=web&s=DSP&v=4"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]

DefaultScope = "{19F2B849-4ADE-4d4b-85F9-C31C643DBDE9}"

[HKEY_CURRENT_USER\Software\FBSearch]

v = "4"
toolbar_id = "{00000000-0000-0000-0000-000000000000}"
Version = "2"

[HKEY_CURRENT_USER\Software\SGPUpdater]

tid = "0"

The following Registry Value was modified:

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]

Start Page = "http://www.tattoodle.com?tid=0&v=12"

Other details

To mark the presence in the system, the following Mutex object was created:

_!SHMSFTHISTORY!_

The following Internet Connections were established:

Server Name	Server Port	Connect as User	Connection Password
www.fastbrowsersearch.com	80	www.fastbrowsersearch.com	www.fastbrowsersearch.com
www.tattoodle.com	80	(null)	(null)

The following GET requests were made:

?tid=0&v=12
index.jpg

The data identified by the following URLs was then requested from the remote web server:

http://www.fastbrowsersearch.com/_utilities/get-toolbar-v.aspx?toolbarid={00000000-0000-0000-0000-000000000000}
localhost
http://mwt.secure.miisolutions.net/install/cab/xp/FBStoolbar.cab

Downloaded File Summary:

Download details:

Download retrieved: 29 July 2009 05:33:29
Processing time: 6 min 49 sec
Downloaded sample:

File MD5: 0x38C2C19BFFD73099010BFDBBCB2C5354
File SHA-1: 0x83F22B9F9B05A5B14F50703162182532B8B057A8
Filesize: 2,285,568 bytes

Technical Details:

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash
1	c:\mtwb.dat	8,192 bytes	MD5: 0x2E11A94149A5A8C221DAD86F797E9B70 SHA-1: 0xAECCE927B24B04679D1103D9F99E30211AE8A305
2	%ProgramFiles%\Fast Browser Search\1.bat	130 bytes	MD5: 0x254AB91255B6E8BFF967BE2E799EE7BA SHA-1: 0x596B8D684B246592D8397918334205CF3D5697F0
3	%ProgramFiles%\Fast Browser Search\about.html	0 bytes	MD5: 0xD41D8CD98F00B204E9800998ECF8427E SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709
4	%ProgramFiles%\Fast Browser Search\affid.dat	3 bytes	MD5: 0x1ED5D897530AE02C71C7B6E1B350FFF1 SHA-1: 0x9DA7206A00D30CAC507FFD71359706D42C5222BD
5	%ProgramFiles%\Fast Browser Search\basis.xml	16,776 bytes	MD5: 0x7A4F33E3A4F9DBC218816720C7CC155B SHA-1: 0xE4B585307F6B4ABBE718F7E9CAD60A038F1B1A7A
6	%ProgramFiles%\Fast Browser Search\BHO.dll	732,672 bytes	MD5: 0xAC6C8E14913A6736FF66D8F8DE024408 SHA-1: 0xD8806A1B52FD4F6C5A3BEE54B1BAAE42B56A0E7C
7	%ProgramFiles%\Fast Browser Search\ClearRecycleBin.exe	9,088 bytes	MD5: 0x308FF3E3EA9796ABA2EF7141CCD0C16F SHA-1: 0x8710CBFC9F8D26671504EC9E7326E52F511571D8
8	%ProgramFiles%\Fast Browser Search\error.html	519 bytes	MD5: 0x62360BDDA99A8FBFC53AD1ED4F8A58DA SHA-1: 0x0C26C863088ADA7DC1D8A142F0B8E03263787AC4
9	%ProgramFiles%\Fast Browser Search\FBSPlugin.dll	108,416 bytes	MD5: 0xEFB8BA6C68D332B7555F49DF02EF344D SHA-1: 0x9E4046744E4822930A8A240F7C44B07022C2E559
10	%ProgramFiles%\Fast Browser Search\fbsProtection.xml	3,960 bytes	MD5: 0xA44824FD8FF53C946FF30E38CBDBC56C SHA-1: 0x497CCE661A0721002EB388B6C3BE93D103632139
11	%ProgramFiles%\Fast Browser Search\FbsSearchProvider.xml	474 bytes	MD5: 0xE57AAD1B724A7114E876E1647724E1DB SHA-1: 0xCA7E30A7A25FE2EF297898E70C9F0E123D4DBF3D
12	%ProgramFiles%\Fast Browser Search\FbsSearchProviderIE8.exe	54,144 bytes	MD5: 0xCFC672504647698776FFA58E9BAD66C0 SHA-1: 0x7228DFD3465AD9975EBDDC09E8B2B41AB387F2AB
13	%ProgramFiles%\Fast Browser Search\FBStoolbar.dll	2,602,368 bytes	MD5: 0x1D548D4B91809ABF18D029B76717EA55 SHA-1: 0x9116E078055DC05A10012F105BEDAC37FD1D95C7
14	%ProgramFiles%\Fast Browser Search\fbstoolbar.jar	311,085 bytes	MD5: 0x96C1502C50C87B28111EE654D3044A1F SHA-1: 0x1DDFDA12512E2A0657A2AE539AAE30064CAE90F2
15	%ProgramFiles%\Fast Browser Search\fbstoolbar.manifest	146 bytes	MD5: 0xA8D871F2A6D7C6AF705A7781F65B309D SHA-1: 0xBD0AB839DB21B42F04EDD878D2081C44A1EB772E
16	%ProgramFiles%\Fast Browser Search\icons.bmp	151,830 bytes	MD5: 0x427A7620FCFF3481A1715F724F6C5A2A SHA-1: 0xFABE897F1B79D360C7EAAD8D50A1635C2310EDC8
17	%ProgramFiles%\Fast Browser Search\info.txt	79 bytes	MD5: 0x735D1E38B6C4D96E9EB14899A94604E5 SHA-1: 0x37981303188A02B8BC1EE6E2D821CCDC55F9D97A
18	%ProgramFiles%\Fast Browser Search\local.xml	53 bytes	MD5: 0xD6AF5B585E266CC8DD08210C9A1FEEB7 SHA-1: 0x68A2D635ECBE8FDD4D11BFB3634256A770ECCA02
19	%ProgramFiles%\Fast Browser Search\logobg.bmp	9,776 bytes	MD5: 0xB1FE309441B3C14C7204FE75621F8820 SHA-1: 0x3246EF919A969815B2C9AF2BEB63E3A008ECABDD
20	%ProgramFiles%\Fast Browser Search\MTWBtoolbar.html	2,036 bytes	MD5: 0x0DCAF5F6E72217B8B956C6A2828AE56C SHA-1: 0xD6BFA1116C3ACABE2E2FBBDC191CAFB71141F5A8
21	%ProgramFiles%\Fast Browser Search\search.bmp	4,844 bytes	MD5: 0xE025378FD0225449DB279E1564C794C0 SHA-1: 0xDCB236FB32FAA8E99FFB7A5B1482FDAEE10D5325
22	%ProgramFiles%\Fast Browser Search\SearchGuardPlus.exe	194,432 bytes	MD5: 0xB30283642397451F2F4840DBBFB00E85 SHA-1: 0xB4C8D4A707B25C0E5FA40E67751BECDA4CC1A9A9
23	%ProgramFiles%\Fast Browser Search\SearchGuardPlus.ico	1,150 bytes	MD5: 0xF798CCEF21D6912C05912A9BAF818F78 SHA-1: 0x5837FC7192C222ED7D9C905555A9087A7D9EE4D1
24	%ProgramFiles%\Fast Browser Search\SGPU.ico	1,150 bytes	MD5: 0xA77D980E310B90E1285FB4932CEDDB73 SHA-1: 0xC3FF0BA39591BC6C936ACFBFB17A39D6D4A33C0D
25	%ProgramFiles%\Fast Browser Search\sgpUpdater.exe	307,584 bytes	MD5: 0x51C81E3C5CFC8EF2226A258F08B0B58A SHA-1: 0x45E12C78FB502B0848130823A7A8A28B2522AD8F
26	%ProgramFiles%\Fast Browser Search\sgpUpdater.xml	3,710 bytes	MD5: 0x6E826DFD837401122B2124052668FF47 SHA-1: 0x2EE3EF62B1F52D97BDA9016A0029E7CEEFCD327A
27	%ProgramFiles%\Fast Browser Search\SGPUpdaterS.exe	67,456 bytes	MD5: 0x775BF57ECA4912AB05CA0424F2D958A1 SHA-1: 0x81C0430B13E7060131F80664805F711E620A1779
28	%ProgramFiles%\Fast Browser Search\tbhelper.dll	368,000 bytes	MD5: 0xA8614DC48236B927E22B01EE44A86C44 SHA-1: 0xE563CB34EA5B176F52A5F9D66135EB8CDCD87D1D
29	%ProgramFiles%\Fast Browser Search\tbs_include_script_003175.js	2,029 bytes	MD5: 0xA9B1DDBFDE348D37E7C39BA94B988E61 SHA-1: 0xF411A645E14B6C6EAEA1CC6BDA1CC4125BAEF183
30	%ProgramFiles%\Fast Browser Search\tbs_include_script_005064.js	2,465 bytes	MD5: 0x0B353778BDBF0DC15048989778D015F0 SHA-1: 0x8C949347D6D84EB8F54E540EFE711CBF400468AC
31	%ProgramFiles%\Fast Browser Search\tbs_include_script_012817.js	2,059 bytes	MD5: 0xC8BCB83929949828FA0F52FFD30C51CB SHA-1: 0xF8E3DFFEDC9F52AEABD85601108A224F5CCC29E1
32	%ProgramFiles%\Fast Browser Search\Toolbar Help.htm	304 bytes	MD5: 0xB34B78CBD11B6429AC4B67297DE39A94 SHA-1: 0x3642CE13829CC79BBB943C47E1E1641C58A8A879
33	%ProgramFiles%\Fast Browser Search\uninstall.exe	165,760 bytes	MD5: 0xEE210E283C2888A91E431DC17CF3F665 SHA-1: 0x7284E874AAE21EB94847A6BEC4FFEB332D3B8D8F
34	%ProgramFiles%\Fast Browser Search\uninstalSGP.exe	554,368 bytes	MD5: 0x5037BE9E910B002D1E6DD5FEA28E143C SHA-1: 0x6F2643FD4083ADA89203302D2A44F6E8FC44BDF2
35	%ProgramFiles%\Fast Browser Search\uninstalSGPU.exe	553,856 bytes	MD5: 0xC02A8969F0CD1AD23B9B4988213D3B6D SHA-1: 0x74BBD774052A03F900CC85124E2563B1B993901A
36	%ProgramFiles%\Fast Browser Search\update.exe	62,336 bytes	MD5: 0x41D98A762106C2EB10D31B68EB3AD0FF SHA-1: 0x660046E0C6ABBD46BD2B2F47AB158F8D71AE46AF
37	%ProgramFiles%\Fast Browser Search\version.txt	69 bytes	MD5: 0x424373003194364AD278A0ED69D9E0A4 SHA-1: 0x8F805F939E238FEF205F64417CB537BD60D182A8
38	[file and pathname of the sample #1]	2,285,568 bytes	MD5: 0x38C2C19BFFD73099010BFDBBCB2C5354 SHA-1: 0x83F22B9F9B05A5B14F50703162182532B8B057A8

Note:

%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

The following directory was created:

%ProgramFiles%\Fast Browser Search

Memory Modifications

There was a new process created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	2,347,008 bytes

Registry Modifications

The following Registry Keys were created:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{19F2B849-4ADE-4d4b-85F9-C31C643DBDE9}
HKEY_CURRENT_USER\Software\FBSearch

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs]

Tabs = "http://www.fastbrowsersearch.com/new-tab/?v=9&tid=0"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{19F2B849-4ADE-4d4b-85F9-C31C643DBDE9}]

DisplayName = "Fast Browser Search"
URL = "http://fastbrowsersearch.com/results/results.aspx?q={searchTerms}&c=web&s=DSP&v=9"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]

DefaultScope = "{19F2B849-4ADE-4d4b-85F9-C31C643DBDE9}"

[HKEY_CURRENT_USER\Software\FBSearch]

ProgramPath = "%ProgramFiles%\fast browser search\"
Disable = 0x00000000

Other details

Analysis of the file resources indicate the following possible country of origin:

Russian Federation

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.