ThreatExpert Report

Submission Summary:

Submission details:

Submission received: 20 March 2009, 07:04:23
Processing time: 7 min 9 sec
Submitted sample:

File MD5: 0x929B3F6B83145DF1DE07E97375A82C48
File SHA-1: 0x728E9F94DFF6976C0E4833C22F9387A98FA80B73
Filesize: 597,888 bytes

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.

Technical Details:

The new window was created, as shown below:

NOTICE: The content shown in the above window is captured automatically and is not controlled or endorsed by ThreatExpert.
Please contact us on this link should any material be offensive or inappropriate and we will ensure any such content is blocked from future viewers of the report.

File System Modifications

The following file was created in the system:

#	Filename(s)	File Size	File Hash
1	[file and pathname of the sample #1]	597,888 bytes	MD5: 0x929B3F6B83145DF1DE07E97375A82C48 SHA-1: 0x728E9F94DFF6976C0E4833C22F9387A98FA80B73

The following directories were created:

%ProgramFiles%\Fast Browser Search
%ProgramFiles%\Fast Browser Search\IE

Note:

%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
[generic host process]	[generic host process filename]	20,480 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	618,496 bytes

Notes:

[generic host process filename] is a full path filename of [generic host process].

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TBSB07183.TBSB07183Toolbar
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{19F2B849-4ADE-4d4b-85F9-C31C643DBDE9}

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TBSB07183.TBSB07183Toolbar]

DisplayName = "Fast Browser Search (My Web Tattoo)"
DisplayIcon = "%ProgramFiles%\Fast Browser Search\IE\uninstall.exe"
Publisher = "Make The Web Better, LLC"
DisplayVersion = "2.0"
HelpLink = "http://www.Make-the-web-better.com"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{19F2B849-4ADE-4d4b-85F9-C31C643DBDE9}]

DisplayName = "Fast Browser Search"
URL = "http://www.fastbrowsersearch.com/results/results.aspx?q={searchTerms}&c=web&s=DSP&v=4"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]

DefaultScope = "{19F2B849-4ADE-4d4b-85F9-C31C643DBDE9}"

Other details

To mark the presence in the system, the following Mutex object was created:

_!SHMSFTHISTORY!_

The following Internet Connections were established:

Server Name	Server Port	Connect as User	Connection Password
www.mywebtattoo.com	80	(null)	(null)
www.fastbrowsersearch.com	80	www.fastbrowsersearch.com	www.fastbrowsersearch.com

The following GET requests were made:

_utilities/toolbar-confirm-installation.aspx
_utilities/index.jpg

The data identified by the following URL was then requested from the remote web server:

http://www.mywebtattoo.com/_downloads/cab/v2a/FBStoolbar.cab

Downloaded File Summary:

Download details:

Download retrieved: 20 March 2009 07:11:35
Processing time: 7 min 41 sec
Downloaded sample:

File MD5: 0xA9C1842FBABB7886A673E00BAD82CAEB
File SHA-1: 0xA59283F3C72F8200141F9F85B99F3FA50D28067D
Filesize: 2,244,608 bytes

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.
Creates a startup registry entry.

Technical Details:

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%ProgramFiles%\Fast Browser Search\IE\about.html	0 bytes	MD5: 0xD41D8CD98F00B204E9800998ECF8427E SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709	(not available)
2	%ProgramFiles%\Fast Browser Search\IE\affid.dat	3 bytes	MD5: 0x1ED5D897530AE02C71C7B6E1B350FFF1 SHA-1: 0x9DA7206A00D30CAC507FFD71359706D42C5222BD	(not available)
3	%ProgramFiles%\Fast Browser Search\IE\basis.xml	18,187 bytes	MD5: 0x4FD568CAE7A5F3D5F130AE1ABA5B0665 SHA-1: 0xD64DDFC654AAAC9B95D5740F5271FDD76938F334	(not available)
4	%ProgramFiles%\Fast Browser Search\IE\ClearRecycleBin.exe	9,088 bytes	MD5: 0x308FF3E3EA9796ABA2EF7141CCD0C16F SHA-1: 0x8710CBFC9F8D26671504EC9E7326E52F511571D8	(not available)
5	%ProgramFiles%\Fast Browser Search\IE\error.html	519 bytes	MD5: 0x62360BDDA99A8FBFC53AD1ED4F8A58DA SHA-1: 0x0C26C863088ADA7DC1D8A142F0B8E03263787AC4	(not available)
6	%ProgramFiles%\Fast Browser Search\IE\FastBrowserSearchProtection.exe %ProgramFiles%\Fast Browser SearchP\FastBrowserSearchProtection.exe	325,504 bytes	MD5: 0x5CB5C2DC1D9D9934D2943C4B0C6F06B5 SHA-1: 0xB1B17E440C45DC195407700F6947EB9E68F99758	(not available)
7	%ProgramFiles%\Fast Browser Search\IE\FBSPlugin.dll %ProgramFiles%\Fast Browser SearchP\FBSPlugin.dll	188,416 bytes	MD5: 0x8CBF8F46E4462C6DC78001EF94121A08 SHA-1: 0x8F3B488AD4AF5706A816D338C42844D391EE3645	(not available)
8	%ProgramFiles%\Fast Browser Search\IE\FbsSearchProtectionInstall.exe	72,064 bytes	MD5: 0xA2EB5A5989AADB67DFDF5898E60DF34A SHA-1: 0x8D7CF25F766DA0FBEFFDB455B81FF8341905B919	(not available)
9	%ProgramFiles%\Fast Browser Search\IE\FbsSearchProtectionInstallVista.exe	53,632 bytes	MD5: 0xBE03A2437456B8709A9B9EB1E7236AF8 SHA-1: 0x38C50EFF7207F55E365C408AB26B551960298C02	(not available)
10	%ProgramFiles%\Fast Browser Search\IE\FbsSearchProtectionUnInstall.exe %ProgramFiles%\Fast Browser SearchP\FbsSearchProtectionUnInstall.exe	72,064 bytes	MD5: 0xB5093172EE26399120FB788E5DF1ECF4 SHA-1: 0xB2BCEB794207167351F74EBD92FC27E9E1BC6A2F	packed with Obsidium [Kaspersky Lab]
11	%ProgramFiles%\Fast Browser Search\IE\FBStoolbar.crc	379 bytes	MD5: 0xD86D276BAC6E86C50244081D0EC78DC9 SHA-1: 0xE6DEEB6B92FEFF5DE86AD6E80998648155459817	(not available)
12	%ProgramFiles%\Fast Browser Search\IE\FBStoolbar.dll	2,436,096 bytes	MD5: 0x714E6CA49846FD098823C741ABB60855 SHA-1: 0x2E2A9603B43187CB29E4B382C3ADB5FC5102E45B	(not available)
13	%ProgramFiles%\Fast Browser Search\IE\FBStoolbar.inf	3,743 bytes	MD5: 0x1D8A18341FB3AC2FD64DDDA11E085823 SHA-1: 0x5D9C2DC1CF568873EA3AE1A896CC10A2AE61B88A	(not available)
14	%ProgramFiles%\Fast Browser Search\IE\icons.bmp	966,810 bytes	MD5: 0x8A5B983A386D688427A6DEF421B36D72 SHA-1: 0x3E7361F2E4925DE2419887AFA8B1F669F6B8FEA1	(not available)
15	%ProgramFiles%\Fast Browser Search\IE\info.txt	79 bytes	MD5: 0x735D1E38B6C4D96E9EB14899A94604E5 SHA-1: 0x37981303188A02B8BC1EE6E2D821CCDC55F9D97A	(not available)
16	%ProgramFiles%\Fast Browser Search\IE\local.xml	53 bytes	MD5: 0xD6AF5B585E266CC8DD08210C9A1FEEB7 SHA-1: 0x68A2D635ECBE8FDD4D11BFB3634256A770ECCA02	(not available)
17	%ProgramFiles%\Fast Browser Search\IE\MTWBtoolbar.html	2,036 bytes	MD5: 0x0DCAF5F6E72217B8B956C6A2828AE56C SHA-1: 0xD6BFA1116C3ACABE2E2FBBDC191CAFB71141F5A8	(not available)
18	%ProgramFiles%\Fast Browser Search\IE\options.html	13,938 bytes	MD5: 0x0BA53BA17D2EED65803A041596595A4B SHA-1: 0x6C7C4401E915F9A99464F914C2F12D39B8A82931	(not available)
19	%ProgramFiles%\Fast Browser Search\IE\searchbutton1.gif	954 bytes	MD5: 0x939B353D77D82F929B434BF00DE6A827 SHA-1: 0x814B0C275FBE42B2ADF38B43F487E59FF022A70F	(not available)
20	%ProgramFiles%\Fast Browser Search\IE\searchbutton2.gif	954 bytes	MD5: 0x87649DBABA9FCDA5E69F1D7A4B8472B8 SHA-1: 0x5B789C648086D4D0C5A27F9BD6C8D41DC6F2EA82	(not available)
21	%ProgramFiles%\Fast Browser Search\IE\tbhelper.dll	357,888 bytes	MD5: 0xD568FA4C3E6A9DFA16602729EAB86178 SHA-1: 0xF0D81E55DEF89BBC069A3067938796E6F5373D7C	(not available)
22	%ProgramFiles%\Fast Browser Search\IE\tbs_include_script_003175.js	2,029 bytes	MD5: 0xA9B1DDBFDE348D37E7C39BA94B988E61 SHA-1: 0xF411A645E14B6C6EAEA1CC6BDA1CC4125BAEF183	(not available)
23	%ProgramFiles%\Fast Browser Search\IE\tbs_include_script_005064.js	2,465 bytes	MD5: 0x0B353778BDBF0DC15048989778D015F0 SHA-1: 0x8C949347D6D84EB8F54E540EFE711CBF400468AC	(not available)
24	%ProgramFiles%\Fast Browser Search\IE\tbs_include_script_012817.js	2,115 bytes	MD5: 0x4C002EED7F65F404C4A8F851DFA4DF61 SHA-1: 0xA968E400537486E85669D8A763DF2B11C03AEEF4	(not available)
25	%ProgramFiles%\Fast Browser Search\IE\Toolbar Help.htm	304 bytes	MD5: 0xB34B78CBD11B6429AC4B67297DE39A94 SHA-1: 0x3642CE13829CC79BBB943C47E1E1641C58A8A879	(not available)
26	%ProgramFiles%\Fast Browser Search\IE\uninstall.exe	70,528 bytes	MD5: 0x3D49B83572C660F58E9C27DAD0AA6D06 SHA-1: 0x9C5C9EB0F2F4E98A9F63010EFCF1744F55A73D4F	(not available)
27	%ProgramFiles%\Fast Browser Search\IE\Unreg.dll	147,456 bytes	MD5: 0xFFE14CF72901BA21A87EB22AA50AB640 SHA-1: 0x57D55316DCAD3948EE2D1D12143DACAB2F7B8527	(not available)
28	%ProgramFiles%\Fast Browser Search\IE\update.exe	62,336 bytes	MD5: 0x41D98A762106C2EB10D31B68EB3AD0FF SHA-1: 0x660046E0C6ABBD46BD2B2F47AB158F8D71AE46AF	(not available)
29	%ProgramFiles%\Fast Browser Search\IE\version.txt	69 bytes	MD5: 0xEA684DDF8F162EC5E35C2F80623331DB SHA-1: 0xF117355431937A0BC7E73C33911A6BA650ED1F9F	(not available)
30	[file and pathname of the sample #1]	2,244,608 bytes	MD5: 0xA9C1842FBABB7886A673E00BAD82CAEB SHA-1: 0xA59283F3C72F8200141F9F85B99F3FA50D28067D	(not available)

Note:

%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

The following directories were created:

%ProgramFiles%\Fast Browser SearchP
%ProgramFiles%\Fast Browser Search
%ProgramFiles%\Fast Browser Search\IE

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
FastBrowserSearchProtection.exe	%ProgramFiles%\fast browser searchp\fastbrowsersearchprotection.exe	319,488 bytes
clearrecyclebin.exe	%ProgramFiles%\fast browser search\ie\clearrecyclebin.exe	24,576 bytes
fbssearchprotectioninstallvista.exe	%ProgramFiles%\fast browser search\ie\fbssearchprotectioninstallvista.exe	65,536 bytes
fbssearchprotectionuninstall.exe	%ProgramFiles%\fast browser search\ie\fbssearchprotectionuninstall.exe	81,920 bytes
[generic host process]	[generic host process filename]	20,480 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	2,265,088 bytes

Notes:

[generic host process filename] is a full path filename of [generic host process].

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fast Browser SearchP
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{19F2B849-4ADE-4d4b-85F9-C31C643DBDE9}
HKEY_CURRENT_USER\Software\FBSearch

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

FBSearch = "%ProgramFiles%\Fast Browser SearchP\FastBrowserSearchProtection.exe"

so that FastBrowserSearchProtection.exe runs every time Windows starts

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

DeleteDir[CD8] Fast Browser SearchP = "cmd.exe /C RD /S /Q C:\PROGRA~1\FASTBR~2"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fast Browser SearchP]

DisplayName = "Fast Browser Search Protection"
UninstallString = "%ProgramFiles%\Fast Browser SearchP\FbsSearchProtectionUnInstall.exe"
DisplayIcon = "%ProgramFiles%\Fast Browser SearchP\FbsSearchProtectionUnInstall.exe"
Publisher = "Make The Web Better, LLC"
DisplayVersion = "2.0"
HelpLink = "http://www.Make-the-web-better.com"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{19F2B849-4ADE-4d4b-85F9-C31C643DBDE9}]

DisplayName = "Fast Browser Search"
URL = "http://fastbrowsersearch.com/results/results.aspx?q={searchTerms}"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]

DefaultScope = "{19F2B849-4ADE-4d4b-85F9-C31C643DBDE9}"

Other details

Analysis of the file resources indicate the following possible country of origin:

Russian Federation

To mark the presence in the system, the following Mutex objects were created:

my_start_mutex
_SHuassist.mtx

The following Internet Connection was established:

Server Name	Server Port	Connect as User	Connection Password
www.fastbrowsersearch.com	80	www.fastbrowsersearch.com	www.fastbrowsersearch.com

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.