Threat behavior
CnsMin installs a browser helper object (BHO) that redirects Internet Explorer searches to a Chinese search portal. CnsMin may be installed without adequate user consent. It may prevent its files from being removed or restore files that have been removed. When installed, CnsMin may do any or all of the following:
- Create a folder containing a shortcut in the All Users program folder:
C:\Documents and Settings\All Users\Start Menu\Programs\chinese keyword
- Create a folder named '3721' in the Program Files folder and install the following files:
notifier.dll
%ProgramFiles%\3721\patch03.dll
%ProgramFiles%\3721\scrblock.dll
%ProgramFiles%\3721\3721\alrex.dll
%ProgramFiles%\3721\3721\cns1.exe
%ProgramFiles%\3721\3721\repair.dll
- Add the following registry subkey in order to run as a service:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CnsMinKP
- Modify the following registry subkeys in order to run automatically each time Windows starts:
Subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Value: CnsMinKP
Subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value: CnsMin
Value: assistse
Value: helper.dll
- Add the subkey {D157330A-9EF3-49F8-9A67-4141AC41ADD4} to each of the following:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
- Add the following subkeys:
{00000000-0000-0001-0001-596BAEDD1289}
{507F9113-CD77-4866-BA92-0E86DA3D0B97}
{59BC54A2-56B3-44a0-93E5-432D58746E26}
{5D73EE86-05F1-49ed-B850-E423120EC338}
{ECF2E268-F28C-48d2-9AB7-8F69C11CCB71}
{FD00D911-7529-4084-9946-A29F1BDF4FE5}
{BB936323-19FA-4521-BA29-ECA6A121BC78}
to HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping
- Create or modify the following registry entries:
HKEY_CLASSES_ROOT\ADKiller.ADKillerObj.1
HKEY_CLASSES_ROOT\clsid\{118CE65F-5D86-4AEA-A9BD-94F92B89119F}
HKEY_CLASSES_ROOT\clsid\{178DA2CB-5660-42F4-B2E1-2815401C5910}
HKEY_CLASSES_ROOT\clsid\{1b0e7716-898e-48cc-9690-4e338e8de1d3}
HKEY_CLASSES_ROOT\clsid\{47387079-DA8D-48AB-98C7-0017812D51EA}
HKEY_CLASSES_ROOT\clsid\{6231d512-e4a4-4df2-be62-5b8f0ee348ef}
HKEY_CLASSES_ROOT\clsid\{6d8f256b-6ab8-4398-8f86-1e56207db77a}
HKEY_CLASSES_ROOT\clsid\{ca92b524-bc8a-4610-bd2c-6bd3e28155d0}
HKEY_CLASSES_ROOT\clsid\{d157330a-9ef3-49f8-9a67-4141ac41add4}
HKEY_CLASSES_ROOT\clsid\{DDDE2452-AF9E-4577-AE6C-465DBCB54D49}
HKEY_CLASSES_ROOT\clsid\{e5e4e352-6947-44ee-a420-db84efd3fe93}
HKEY_CLASSES_ROOT\FFlash.FlashObjectInterface
HKEY_CLASSES_ROOT\FFlash.FlashObjectInterface.1
HKEY_CLASSES_ROOT\InsIII.brins
HKEY_CLASSES_ROOT\InsIII.brins.1
HKEY_CLASSES_ROOT\Installer.brins
HKEY_CLASSES_ROOT\interface\{df692509-d9ef-48a0-9cd0-3aa5b81f6f68}
HKEY_CLASSES_ROOT\Software\Microsoft\Windows\currentversion\explorer\browser helper objects\{6231d512-e4a4-4df2-be62-5b8f0ee348ef}
HKEY_CLASSES_ROOT\Software\Microsoft\Windows\currentversion\explorer\browser helper objects\{ca92b524-bc8a-4610-bd2c-6bd3e28155d0}
HKEY_CLASSES_ROOT\Software\Microsoft\Windows\currentversion\explorer\browser helper objects\{d157330a-9ef3-49f8-9a67-4141ac41add4}
HKEY_CLASSES_ROOT\Software\Microsoft\Windows\currentversion\explorer\browser helper objects\{e5e4e352-6947-44ee-a420-db84efd3fe93}
HKEY_CLASSES_ROOT\typelib\{a5adeae7-a8b4-4f94-9128-bf8d8db5e927}
HKEY_CLASSES_ROOT\ZsMod.AxObj
HKEY_CLASSES_ROOT\ZsMod.AxObj.1
HKEY_CURRENT_USER\Software\3721
HKEY_CURRENT_USER\Software\3721\CnsMin
HKEY_LOCAL_MACHINE\SOFTWARE\3721
HKEY_LOCAL_MACHINE\SOFTWARE\3721\CnsMin
HKEY_LOCAL_MACHINE\SOFTWARE\3721\CnsMin\CnsMinEx
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ADKiller.ADKillerObj
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ADKiller.ADKillerObj.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Assist.EasyAssist
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Assist.EasyAssist.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AutoLive.Live
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AutoLive.Live.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BhoObj.AxObj
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\clsid\{115F6E46-FCBC-41ed-B3B5-3BDDD4AAB5E5}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\clsid\{141A5E19-BDCB-4E27-A3D7-9E16503BC05B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\clsid\{1b0e7716-898e-48cc-9690-4e338e8de1d3}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\clsid\{6231d512-e4a4-4df2-be62-5b8f0ee348ef}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\clsid\{7CA83CF1-3AEA-42D0-A4E3-1594FC6E48B2}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\clsid\{9EB2B422-C9EE-46C4-A471-1E79C7517B1D}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\clsid\{ABEC6103-F6AC-43A3-834F-FB03FBA339A2}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\clsid\{b835c273-3522-4cc6-92ec-75cc86678da4}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\clsid\{B83FC273-3522-4CC6-92EC-75CC86678DA4}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\clsid\{BB936323-19FA-4521-BA29-ECA6A121BC78}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\clsid\{d157330a-9ef3-49f8-9a67-4141ac41add4}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\clsid\{DB4F72F5-FA97-4424-A8CD-758FEAE6861F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\clsid\{EF1D17A9-089F-40cc-8D64-7324CDEBA0DB}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CnsHelper.CH
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CnsHelper.CH.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CnsMinHK.CnsHook
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CnsMinHK.CnsHook.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CoolBar.CoolBarObj
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CoolBar.CoolBarObj.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FFlash.FlashObjectInterface
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FFlash.FlashObjectInterface.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\typelib\{aab6bce3-1df6-4930-9b14-9ca79dc8c267}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{7CA83CF1-3AEA-42D0-A4E3-1594FC6E48B2}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\!CNS
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{00000000-0000-0001-0001-596BAEDD1289}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{507F9113-CD77-4866-BA92-0E86DA3D0B97}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{59BC54A2-56B3-44a0-93E5-432D58746E26}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{5d73ee86-05f1-49ed-b850-e423120ec338}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{ecf2e268-f28c-48d2-9ab7-8f69c11ccb71}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{fd00d911-7529-4084-9946-a29f1bdf4fe5}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\app management\arpcache\{1b0e7716-898e-48cc-9690-4e338e8de1d3}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\app management\arpcache\cnsmin
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1b0e7716-898e-48cc-9690-4e338e8de1d3}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6231d512-e4a4-4df2-be62-5b8f0ee348ef}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BB936323-19FA-4521-BA29-ECA6A121BC78}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d157330a-9ef3-49f8-9a67-4141ac41add4}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DDDE2452-AF9E-4577-AE6C-465DBCB54D49}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EF1D17A9-089F-40cc-8D64-7324CDEBA0DB}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks\{b83fc273-3522-4cc6-92ec-75cc86678da4}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{115F6E46-FCBC-41ed-B3B5-3BDDD4AAB5E5}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1b0e7716-898e-48cc-9690-4e338e8de1d3}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\cnsmin
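A read-only sweep of the persistence points listed above (BHO CLSIDs, ShellExecuteHooks, Run/RunOnce values, the CnsMinKP service key and the dropped files), written here as an added example rather than taken from the advisory; it only reports what is present and assumes an elevated PowerShell session so HKLM and %ProgramFiles% are fully readable.

```powershell
# Added example: sweep a host for the CnsMin indicators named in the advisory.
# Read-only: nothing is deleted or modified. Run from an elevated prompt.
$bhoClsids = @(
    '{1b0e7716-898e-48cc-9690-4e338e8de1d3}', '{6231d512-e4a4-4df2-be62-5b8f0ee348ef}',
    '{BB936323-19FA-4521-BA29-ECA6A121BC78}', '{d157330a-9ef3-49f8-9a67-4141ac41add4}',
    '{DDDE2452-AF9E-4577-AE6C-465DBCB54D49}', '{EF1D17A9-089F-40cc-8D64-7324CDEBA0DB}'
)
$bhoRoot   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$hookRoots = @(
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
)
$findings = @()

# 1. Browser Helper Object registrations: the component that redirects IE searches.
foreach ($clsid in $bhoClsids) {
    if (Test-Path (Join-Path $bhoRoot $clsid)) { $findings += "BHO registered: $clsid" }
}

# 2. ShellExecuteHooks entries, a second load point outside the browser.
foreach ($root in $hookRoots) {
    if (Test-Path "$root\{D157330A-9EF3-49F8-9A67-4141AC41ADD4}") {
        $findings += "ShellExecuteHook present under $root"
    }
}

# 3. Autostart values and the service key.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path $runKey) {
    $run = Get-ItemProperty -Path $runKey
    foreach ($name in 'CnsMin', 'assistse', 'helper.dll') {
        if ($null -ne $run.$name) { $findings += "Run value '$name' = $($run.$name)" }
    }
}
$runOnce = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce' -ErrorAction SilentlyContinue
if ($null -ne $runOnce.CnsMinKP) { $findings += 'RunOnce value CnsMinKP present' }
if (Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Services\CnsMinKP') { $findings += 'Service key CnsMinKP present' }

# 4. Dropped files under %ProgramFiles%\3721 (paths as listed in the advisory).
foreach ($rel in '3721\patch03.dll', '3721\scrblock.dll', '3721\3721\alrex.dll',
                 '3721\3721\cns1.exe', '3721\3721\repair.dll') {
    $p = Join-Path $env:ProgramFiles $rel
    if (Test-Path $p) { $findings += "File present: $p" }
}

if ($findings.Count -eq 0) { 'No CnsMin indicators found.' } else { $findings }
```

Registry key names are case-insensitive, so the mixed-case CLSIDs copied from the advisory match regardless of how they were written on disk.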
Prevention