Adware/MyWebSearch
Analysis
The details for the MyWebSearch Installer are:
File Name: MyWebSearchSetup2.0.4.0.exe
File Size: 2,541,560 bytes
Digital Signature: ASK JEEVES INC.
The details for the MyWebSearch executables are:
File Name: F3SCHMON.EXE
File Size: 65,536 bytes
Description: Fun Web Products History Swatter
Company Name: FunWebProducts.com
Internal Name: f3schmon
Product Name: History Swatter
File Version: 1.0.0.47
Product Version: 2,0,0,0
File Name: M3SKPLAY.EXE
File Size: 24,576 bytes
Description: MyWebSearch Skin Player
Company Name: MyWebSearch.com
Internal Name: m3SkPlay
Product Name: My Web Search Skin Tools
File Version: 1.0.3.2
Product Version: 1,0,3,2
File Name: MWSOEMON.EXE
File Size: 28,672 bytes
Description: My Web Search Email Plugin
Company Name: MyWebSearch.com
Internal Name: msoemon
Product Name: My Web Search Bar for Internet Explorer, email clients, and messenger clients
File Version: 1.2.2.2
Product Version: 2,0,1,0
Description of Adware
Adware/MyWebSearch and FunWeb are programs authored by Ask Jeeves, a wholly owned subsidiary of IAC/InterActiveCorp. MyWebSearch takes the form of a full system integration; that is, MyWebSearch components interact with many existing programs on a host. These include Internet browsing software, Microsoft Outlook Express, Microsoft Office, and MSN Messenger, among others. When the Internet browsing software is executed, the MyWebSearch network is notified that the browser has been opened. The program then connects to cfg.mywebsearch.com to perform any necessary updates to MyWebSearch components. Should an update be found, it is performed silently. The toolbar is built using data from imgfarm.com. All interaction with toolbar components, including searches performed, is reported to the MyWebSearch network. The MyWebSearch network then produces in-line advertisements. The EULA and Privacy Policies at the time of writing state that MyWebSearch will "evaluate only on an aggregate basis" any data received.
System alterations upon installation:
Executing the installer makes many system changes. MyWebSearch does not, however, produce a standard, user-visible installer: all MyWebSearch applications and components are installed silently. A very lengthy EULA and privacy agreement can be viewed by accessing MyWebSearch.com.
Many files are added to the system during the install of MyWebSearch. These include:
[Documents and Settings Directory]\Administrator\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
[Documents and Settings Directory]\All Users\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
[Program Files Directory]\MyWebSearch\bar\1.bin\F3BKGERR.JPG
[Program Files Directory]\MyWebSearch\bar\1.bin\F3CJPEG.DLL
[Program Files Directory]\MyWebSearch\bar\1.bin\F3DTACTL.DLL
[Program Files Directory]\MyWebSearch\bar\1.bin\F3HISTSW.DLL
[Program Files Directory]\MyWebSearch\bar\1.bin\F3HTMLMU.DLL
[Program Files Directory]\MyWebSearch\bar\1.bin\F3HTTPCT.DLL
[Program Files Directory]\MyWebSearch\bar\1.bin\F3POPSWT.DLL
[Program Files Directory]\MyWebSearch\bar\1.bin\F3PSSAVR.SCR
[Program Files Directory]\MyWebSearch\bar\1.bin\F3REPROX.DLL
[Program Files Directory]\MyWebSearch\bar\1.bin\F3RESTUB.DLL
[Program Files Directory]\MyWebSearch\bar\1.bin\F3SCHMON.EXE
[Program Files Directory]\MyWebSearch\bar\1.bin\F3SCRCTR.DLL
[Program Files Directory]\MyWebSearch\bar\1.bin\F3SPACER.WMV
[Program Files Directory]\MyWebSearch\bar\1.bin\F3WALLPP.DAT
[Program Files Directory]\MyWebSearch\bar\1.bin\F3WPHOOK.DLL
[Program Files Directory]\MyWebSearch\bar\1.bin\M3FFXTBR.JAR
[Program Files Directory]\MyWebSearch\bar\1.bin\M3HTML.DLL
[Program Files Directory]\MyWebSearch\bar\1.bin\M3IDLE.DLL
[Program Files Directory]\MyWebSearch\bar\1.bin\M3NTSTBR.JAR
[Program Files Directory]\MyWebSearch\bar\1.bin\M3OUTLCN.DLL
[Program Files Directory]\MyWebSearch\bar\1.bin\M3PLUGIN.DLL
[Program Files Directory]\MyWebSearch\bar\1.bin\M3SKIN.DLL
[Program Files Directory]\MyWebSearch\bar\1.bin\M3SKPLAY.EXE
[Program Files Directory]\MyWebSearch\bar\1.bin\MWSBAR.DLL
[Program Files Directory]\MyWebSearch\bar\1.bin\MWSOEMON.EXE
[Program Files Directory]\MyWebSearch\bar\1.bin\MWSOEPLG.DLL
[Program Files Directory]\MyWebSearch\bar\1.bin\MWSOESTB.DLL
[Program Files Directory]\MyWebSearch\bar\1.bin\NPMYWEBS.DLL
[Program Files Directory]\MyWebSearch\bar\Game\CHECKERS.F3S
[Program Files Directory]\MyWebSearch\bar\Game\CHESS.F3S
[Program Files Directory]\MyWebSearch\bar\Game\REVERSI.F3S
[Program Files Directory]\MyWebSearch\bar\Settings\s_pid.dat
[Program Files Directory]\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
[Windows System Directory]\f3PSSavr.scr
Many registry keys are added, including:
HKEY_CLASSES_ROOT\FunWebProducts.HistoryKillerScheduler
HKEY_CLASSES_ROOT\FunWebProducts.HistorySwatterControlBar
HKEY_CLASSES_ROOT\FunWebProducts.HTMLMenu
HKEY_CLASSES_ROOT\FunWebProducts.IECookiesManager
HKEY_CLASSES_ROOT\FunWebProducts.KillerObjManager
HKEY_CLASSES_ROOT\FunWebProducts.PopSwatterBarButton
HKEY_CLASSES_ROOT\MyWebSearch.HTMLPanel
HKEY_CLASSES_ROOT\MyWebSearch.HTMLPanel\CLSID
HKEY_CLASSES_ROOT\MyWebSearch.HTMLPanel\CurVer
HKEY_CLASSES_ROOT\MyWebSearch.HTMLPanel.1
HKEY_CLASSES_ROOT\MyWebSearch.HTMLPanel.1\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Extensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Extensions\.dat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Outlook
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Outlook\Addins
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Outlook\Addins\MyWebSearch.OutlookAddin
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Word
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Word\Addins
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Word\Addins\MyWebSearch.OutlookAddin
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00A6FAF1-072E-44cf-8957-5838F569A31D}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{07B18EA1-A523-4961-B6BB-170DE4475CCA}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyWebSearch bar Uninstall
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media\WMSDK
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media\WMSDK\sources
HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch
There are also hundreds of registry values added. Among these are values in registry keys that will cause MyWebSearch components to automatically execute upon boot.
A MyWebSearch component responsible for interaction with the Internet browsing software, e-mail client, and messaging software remains resident in memory after the installation process. The process is named MWSOEMON.EXE.
Cookies are added to facilitate Internet browser tracking.
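A triage sketch for the artifacts listed above, added here as an example and not part of the original analysis: it matches a host inventory (file paths, registry keys and process names collected by whatever tooling is in use) against a subset of the MyWebSearch-specific entries on this page. The function names, category labels, inventory format and sample inventory are assumptions; generic parent keys such as `...\Microsoft\Office` are left out because they can exist on hosts without the adware.

```python
import re

HIVES = {"hklm": "hkey_local_machine", "hkcr": "hkey_classes_root"}
BHO = re.escape(r"software\microsoft\windows\currentversion\explorer\browser helper objects")
GUIDS = "00a6faf1-072e-44cf-8957-5838f569a31d|07b18ea1-a523-4961-b6bb-170de4475cca"

# (category, regex) pairs derived from the file, registry and process entries
# on this page. Category labels are illustrative; input is lowercased first.
RULES = [
    ("autostart", r"\\startup\\mywebsearch email plugin\.lnk$"),
    ("file", r"\\mywebsearch\\(bar|srchastt)\\"),
    ("file", r"\\f3pssavr\.scr$"),
    ("bho", r"^hkey_local_machine\\" + BHO + r"\\\{(" + GUIDS + r")\}"),
    ("office-addin", r"^hkey_local_machine\\software\\microsoft\\office"
                     r"\\(outlook|word)\\addins\\mywebsearch\.outlookaddin"),
    ("progid", r"^hkey_classes_root\\(funwebproducts|mywebsearch)\."),
    ("vendor-key", r"^hkey_local_machine\\software\\mywebsearch(\\|$)"),
    ("process", r"^mwsoemon\.exe$"),
]

def normalize(item):
    """Lowercase, unify separators and expand HKLM/HKCR abbreviations."""
    s = item.strip().strip('"').replace("/", "\\").lower()
    hive, sep, rest = s.partition("\\")
    return HIVES.get(hive, hive) + sep + rest

def triage(inventory):
    """Return {category: [matching inventory items]}; first matching rule wins."""
    findings = {}
    for item in inventory:
        norm = normalize(item)
        for category, pattern in RULES:
            if re.search(pattern, norm):
                findings.setdefault(category, []).append(item)
                break
    return findings

SAMPLE = [  # constructed inventory, not taken from a real host
    r"C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL",
    r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00A6FAF1-072E-44CF-8957-5838F569A31D}",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Outlook\Addins",  # generic parent key: no hit
    r"HKCR\FunWebProducts.HTMLMenu\CLSID",
    "mwsoemon.exe",
    r"C:\WINDOWS\system32\notepad.exe",
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Matching is case-insensitive because the page itself mixes case (for example `F3PSSAVR.SCR` and `f3PSSavr.scr`), and the Program Files rule matches on the path tail so that a different drive letter or localized directory name does not hide a hit.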
Adware Behavior
The MyWebSearch toolbar will relay any interaction with it to the MyWebSearch network. This includes the results of any and all searches performed, or any use of the MyWebSearch toolbar.
MyWebSearch will add components, including a toolbar, to the Internet browsing software, Microsoft mail clients, and MSN Messenger.
The software will also create inline ads while the user browses the web.