Win32/Zwangi is the detection for a program that runs as a service in the background and modifies Web browser settings to visit a particular Web site.
Installation
Win32/Zwangi creates one of the following groups of folders and accompanying files:
- %AppData%\Zwangisearch\zwangi<3 digit number>.exe
- %ProgramFiles%\ZwangiSearch\zwangi.dll
- %ProgramFiles%\ZwangiSearch\uninstall.exe
- %ProgramFiles%\ZwangiSearch\zwangi.exe
- %AppData%\Findbasic\findbasic<3 digit number>.exe
- %ProgramFiles%\Findbasic\Findbasic.dll
- %ProgramFiles%\Findbasic\uninstall.exe
- %ProgramFiles%\Findbasic\Findbasic.exe
- %AppData%\SeekService\seekservice<3 digit number>.exe
- %ProgramFiles%\SeekService\SeekService.dll
- %ProgramFiles%\SeekService\uninstall.exe
- %ProgramFiles%\SeekService\SeekService.exe
- %AppData%\BrowserQuest\BrowserQuest<3 digit number>.exe
- %ProgramFiles%\BrowserQuest\BrowserQuest.dll
- %ProgramFiles%\BrowserQuest\uninstall.exe
- %ProgramFiles%\BrowserQuest\BrowserQuest.exe
- %AppData%\BarDiscover\BarDiscover<3 digit number>.exe
- %ProgramFiles%\BarDiscover\BarDiscover.dll
- %ProgramFiles%\BarDiscover\uninstall.exe
- %ProgramFiles%\BarDiscover\BarDiscover.exe
- %AppData%\Seekdns\Seekdns<3 digit number>.exe
- %ProgramFiles%\Seekdns\Seekdns.dll
- %ProgramFiles%\Seekdns\uninstall.exe
- %ProgramFiles%\Seekdns\Seekdns.exe
- %AppData%\SpaceQuery\SpaceQuery<3 digit number>.exe
- %ProgramFiles%\SpaceQuery\SpaceQuery.dll
- %ProgramFiles%\SpaceQuery\uninstall.exe
- %ProgramFiles%\SpaceQuery\SpaceQuery.exe
- %AppData%\TabQuery\TabQuery<3 digit number>.exe
- %ProgramFiles%\TabQuery\TabQuery.dll
- %ProgramFiles%\TabQuery\uninstall.exe
- %ProgramFiles%\TabQuery\TabQuery.exe
The registry is modified to run the installed components as a Web Browser Helper Object. In the example registry modifications below, "<Zwangi name>" references names such as "ZwangiSearch", "Findbasic", "SeekService", "BrowserQuest", "BarDiscover", "SpaceQuery" or "TabQuery":
Adds value: "Cid"
With data: "<Unique class ID>"
Adds value: "DllPath"
With data: "%ProgramFiles%\<Zwangi name>\<Zwangi file name>"
Adds value: "Partner"
With data: "<Zwangi file name>"
Adds value: "Primary"
With data: "<value>"
Adds value: "ShowBarSign"
With data: "00, 00, 00, 00"
Adds value: "ShowToolbarButton"
With data: "00, 00, 00, 00"
Adds value: "Src"
With data: "<Zwangi name>"
Adds value: "Version"
With data: "<hexadecimal value>"
To subkey: HKLM\Software\<Zwangi name>
Adds value: "DisplayName"
With data: "<Zwangi name><version>"
To subkey: HKLM\Software\Microsoft\Windows\Currentversion\Uninstall\<Zwangi name>
The registry is modified to run Win32/Zwangi as a service by creating values and data within the following subkeys:
HKLM\SYSTEM\CurrentControlSet\Services\<Zwangi name> Service\
HKLM\SYSTEM\ControlSet001\Services\<Zwangi name> Service\
Additional Information
When you enter keywords in your web browser address bar, Win32/Zwangi uses the values and performs a search by opening a search results page in "<domain>", where "<domain>" was observed to be one of the following domain names:
- www.zwangi.com
- www.findbasic.com
- www.seekservice.net
- www.bardiscover.com
- www.seekdns.com
- www.spacequery.com
- www.tabquery.com
The address bar is the usual location in which the URL is typed. Win32/Zwangi may also replace or override the error page that is normally displayed when the browser accesses a Web address that cannot be resolved (HTTP error 404).
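As an added, defender-side example (not part of the original description), the following Python matches an inventory of file paths, registry keys, service names and DNS query log lines against the indicators listed in this entry: the %AppData% dropper copy with its three-digit suffix, the %ProgramFiles% components, the HKLM\Software and Uninstall subkeys, the "<Zwangi name> Service" service entries, and the search domains. The component names, path shapes, registry subkeys and domains come from the description; the sample inventory, the DNS log line format and the decision to treat the bare apex domain (e.g. spacequery.com) as equivalent to its www host are constructed assumptions for the demo.

```python
"""Offline indicator matcher for the Win32/Zwangi indicators in this entry."""
import re
from typing import List, Optional, Tuple

# Component names the description says Win32/Zwangi installs under.
ZWANGI_NAMES = [
    "ZwangiSearch", "Findbasic", "SeekService", "BrowserQuest",
    "BarDiscover", "Seekdns", "SpaceQuery", "TabQuery",
]

# Search domains the description lists for the hijacked address-bar searches.
ZWANGI_DOMAINS = {
    "www.zwangi.com", "www.findbasic.com", "www.seekservice.net",
    "www.bardiscover.com", "www.seekdns.com", "www.spacequery.com",
    "www.tabquery.com",
}

_NAMES = "|".join(re.escape(n) for n in ZWANGI_NAMES)

# %AppData%\<name>\<prefix><3 digit number>.exe, e.g. ...\Zwangisearch\zwangi317.exe
DROPPER_RE = re.compile(r"\\(?:" + _NAMES + r")\\[a-z]+\d{3}\.exe$", re.IGNORECASE)
# %ProgramFiles%\<name>\{<name>.dll, <name>.exe, uninstall.exe}
COMPONENT_RE = re.compile(r"\\(?:" + _NAMES + r")\\[a-z]+\.(?:exe|dll)$", re.IGNORECASE)

# Registry locations from the description (registry paths are case-insensitive).
_HKLM = r"^(?:HKLM|HKEY_LOCAL_MACHINE)\\"
REGISTRY_RES = {
    "config": re.compile(_HKLM + r"Software\\(?:" + _NAMES + r")\\?$", re.IGNORECASE),
    "uninstall": re.compile(
        _HKLM + r"Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\(?:"
        + _NAMES + r")\\?$", re.IGNORECASE),
    "service": re.compile(
        _HKLM + r"SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})\\Services\\(?:"
        + _NAMES + r") Service\\?$", re.IGNORECASE),
}
SERVICE_RE = re.compile(r"^(?:" + _NAMES + r") Service$", re.IGNORECASE)

# Constructed log format for the demo: "<ts> client=<ip> query=<name> type=<rr>"
DNS_LINE_RE = re.compile(r"client=(\S+)\s+query=(\S+)\s+type=")


def classify_path(path: str) -> Optional[str]:
    """Return 'dropper', 'component' or None for one file path."""
    if DROPPER_RE.search(path):
        return "dropper"
    if COMPONENT_RE.search(path):
        return "component"
    return None


def classify_registry_key(key: str) -> Optional[str]:
    """Return 'config', 'uninstall', 'service' or None for one registry key path."""
    for kind, rx in REGISTRY_RES.items():
        if rx.search(key):
            return kind
    return None


def is_zwangi_service(name: str) -> bool:
    """True for the '<Zwangi name> Service' service names from the description."""
    return bool(SERVICE_RE.match(name))


def is_zwangi_domain(name: str) -> bool:
    """Exact match on the listed hosts; the bare apex is treated as equivalent
    to its www host (an assumption made for this demo, not stated in the entry)."""
    name = name.rstrip(".").lower()
    return name in ZWANGI_DOMAINS or ("www." + name) in ZWANGI_DOMAINS


def scan_dns_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client, queried-name) pairs whose query hits a listed domain."""
    hits = []
    for line in lines:
        m = DNS_LINE_RE.search(line)
        if m and is_zwangi_domain(m.group(2)):
            hits.append((m.group(1), m.group(2).rstrip(".").lower()))
    return hits


def triage(paths, keys, services, dns_lines) -> dict:
    """Run every matcher over one host's inventory and collect the hits."""
    return {
        "files": [(p, classify_path(p)) for p in paths if classify_path(p)],
        "registry": [(k, classify_registry_key(k)) for k in keys if classify_registry_key(k)],
        "services": [s for s in services if is_zwangi_service(s)],
        "dns": scan_dns_log(dns_lines),
    }


# Constructed sample inventory; the last entry in each list is benign.
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Roaming\Zwangisearch\zwangi317.exe",
    r"C:\Program Files\Findbasic\Findbasic.dll",
    r"C:\Program Files\TabQuery\uninstall.exe",
    r"C:\Program Files\Common Files\System\wab32.dll",
]
SAMPLE_KEYS = [
    r"HKLM\Software\SeekService",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\BarDiscover",
    "HKLM\\SYSTEM\\ControlSet001\\Services\\SpaceQuery Service\\",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
]
SAMPLE_SERVICES = ["Seekdns Service", "BrowserQuest Service", "Spooler"]
SAMPLE_DNS = [
    "2011-03-02T09:14:05Z client=10.0.0.21 query=www.zwangi.com. type=A",
    "2011-03-02T09:15:11Z client=10.0.0.34 query=spacequery.com. type=A",
    "2011-03-02T09:14:07Z client=10.0.0.21 query=www.microsoft.com. type=A",
]

if __name__ == "__main__":
    for section, hits in triage(SAMPLE_PATHS, SAMPLE_KEYS, SAMPLE_SERVICES, SAMPLE_DNS).items():
        print(section, hits)
```

The file and registry matchers key on the component folder or subkey name rather than on full paths, so they work on inventories where %AppData% and %ProgramFiles% have already been expanded; the service matcher covers both the CurrentControlSet and the ControlSet00N copies named in the entry.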
Analysis by Wei Li