1. Skip to navigation
  2. Skip to content
  3. Skip to secondary-content

Where You Are

  1. Home
  2. Security
  3. Security Lab
  4. Latest Threats
  5. Spyware Descriptions
  6. Adware:W32/Superjuan

Adware:W32/Superjuan

Name : Adware:W32/Superjuan
Category:Spyware
Type:Adware
Platform:W32

Summary

This program delivers advertising content to the user. It is usually annoying but harmless, unless it is combined with spyware or trackware.

Additional Details

Superjuan is an adware that is installed as a Browser Helper Object (BHO).


Installation

The dll file is usually located in the windows system folder with a random file name and implements the following autorun entries:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
   [random string] = "rundll32.exe [adware filename].dll, run"

Activity

While active, the adware can perform the  following actions:

  • Display advertisement pop up depending on the search made
  • Redirect user to a different website
  • Trick user to install rogue application
  • May track search strings on various search engines
  • Lowers security level on internet zones

The adware also lowers the Security level settings on Microsoft Internet Explorer's Security Zones.


Activity

The adware tracks search queries made on a defined list of strings, then either displays adware or redirects the query. The adware tracks queries made on these websites:

  • websearch.com
  • usseek.com
  • sensis.com.au
  • searchmiracle.com
  • neon.org.uk
  • mirago.co.uk
  • wesearchall.com
  • search.about.com
  • mywebsearch.com
  • mysearch.myway.com
  • netster.com
  • lb1.netster.com
  • vivisimo.com
  • search.netzero.net
  • search.netscape.com
  • search.aol
  • recherche.aol.fr
  • query.nytimes.com
  • mamma.com
  • lycos
  • kanoodle.com
  • jayde.com
  • hotbot.com
  • search.dmoz.org
  • www.excite.co.jp
  • web.ask
  • url.searchuk.com
  • uk.searchengine.com
  • excite.co.jp
  • infoseek.co.jp
  • search.looksmart.com
  • findsearch.net
  • destinationadult.com
  • 7search.com
  • s.teoma.com
  • search.xtramsn.co.nz
  • search.wanadoo.co.uk
  • search.sympatico.msn.ca
  • search.msn
  • search.earthlink.net
  • search.daum.net
  • reference.com
  • instafinder.com
  • goguides.org
  • gigablast.com
  • comcast.net
  • bbc.co.uk
  • ask.com/web
  • altavista.com
  • alltheweb.com
  • alexa.com
  • quizrocket.com
  • microsoft.com
  • facebook.com
  • live.com
  • msn.com
  • myspace
  • youtube
  • adultfriendfinder
  • yahoo
  • google

When the user searches on a defined website, the adware may contact a server to obtain an address or data containing an advertisement. The adware then launches a new web browser instance, which is in this format:

  • http://[Address]/?source=[string value]&affid=[value created by adware]&guid=[value created by adware]&rid=[value created by adware]

Where [Address] is an IP address or domain returned by a contacted server, giving the location of advertisement data.

The searches made by the user may also be redirected to the following address:

  • http://[Address]/go/?cmp=system32&uid=[value created by adware]&lid="user search string"&url=[original search address result]&superjuan...

Where [Address] in this case is dependent on a hard coded variant. Some possible addresses are:

  • http://89.188.16.10/go/
  • http://89.188.16.16/go/
  • http://65.243.103.60/go/
  • http://65.243.103.62/go/
  • http://65.243.103.56/go/

The adware is known to be associated with several rogue applications. The adware may redirect the user to an online scanning website, which may trick the user into installing a rogue application. Some representative screenshots of rogue applications can be seen below:





Several variants of these rogue applications may also contact a website containing a script that downloads and execute a rogue installer program.


Registry

During installation, several registry entries may be temporarily created, in order to facilitate the adware's tracking functionality.

  • HKEY_LOCAL_MACHINE\Software\Microsoft\MS Juan
  • HKEY_LOCAL_MACHINE\Software\Microsoft\MS Track System
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Juan
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Con
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\jkwslist
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\jsearchcount
  • HKEY_LOCAL_MACHINE\Software\Microsoft\jn_tr_<8 random character or number>

It adds the DLL file name ton the Appinit startup:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
   AppInit_DLLs = "{existing entries} [adware filename].dll"

And keys to register the adware as a Browser Helper Object (BHO):
  • CLSID registry key
   HKEY_CLASSES_ROOT\CLSID\{[selected CLSID from the list]}
  • CLSID file entry
   HKEY_CLASSES_ROOT\CLSID\{{selected CLSID from the list}}\InprocServer32
   Default = [adware filename].dll
  • Browser Helper Object-added registry key entry
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper\{[selected CLSID from the list]}

These are the CLSID that the adware may use:
  • {B7672BAF-E9A3-49B6-86B2-C81719A18A4C}
  • {849B9523-785F-4014-9CAF-079FB4A74C61}
  • {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA}
  • {F18F04B0-9CF1-4b93-B004-77A288BEE28B}
  • {0676CC61-CDC5-447e-AAFC-9D886EC820EB}
  • {7797F524-B819-42d0-B35A-0DACAF93E977}
  • {013A653B-49A6-4f76-8B68-E4875EA6BA54}
  • {14FD9304-A270-4d8c-B696-6B7DA0C1DF56}
  • {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6}
  • {3FD6B99C-A275-46ea-8FD1-3D63986E51E4}
  • {7DA39570-5FD2-4f18-94B4-20730CB3F727}
  • {68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50}
  • {E03C740E-BB24-4d3c-B92A-6F84DE1DD99C}
  • {337C54C9-80C1-4de2-93CD-AAA510834074}
  • {D38439EC-4A7F-42b4-90C2-D810D7778FDD}
  • {57E218E6-5A80-4f0c-AB25-83598F25D7E9}
  • {67C55A8D-E808-4caa-9EA7-F77102DE0BB6}
  • {1557B435-8242-4686-9AA3-9265BF7525A4}
  • {D651AFF4-9590-424d-BD1E-8E33E090DFB3}
  • {E2EE5C44-C66D-499d-BEAE-A2A79189A63A}
  • {55DB983C-BDBF-426f-86F0-187B02DDA39B}
  • {A24B57F8-505D-4fc5-9960-740E304D1ABA}
  • {4B646AFB-9341-4330-8FD1-C32485AEE619}
  • {CD3447D4-CA39-4377-8084-30E86331D74C}
  • {DEBEB52F-CFA6-4647-971F-3EDB75B63AFA}
  • {8F2183B9-F4DB-4913-8F82-6F9CC42E4CF8}
  • {92A444D2-F945-4dd9-89A1-896A6C2D8D22}
  • {E12BFF69-38A7-406e-A8EF-2738107A7831}
  • {5ADF3862-9E2E-4ad3-86F7-4510E6550CD0}
  • {1F6581D5-AA53-4b73-A6F9-41420C6B61F1}
  • {1126271C-A8C3-438c-B951-7C94B453B16B}
  • {938A8A03-A938-4019-B764-03FF8D167D79}
  • {CF46BFB3-2ACC-441b-B82B-36B9562C7FF1}
  • {C6039E6C-BDE9-4de5-BB40-768CAA584FDC}
  • {44218730-94E0-4b24-BBF0-C3D8B2BCE2C3}
  • {C24751C6-3976-419a-A776-915669E28A4D}
  • {47B83D78-F986-4E96-9769-2C55EF14DA0B}
  • {E64F0381-0053-4842-B3E5-08F6C4A0AEB6}
  • {32A5ED57-EA40-4869-8675-28EA463E6B23}
  • {89AD4D75-2429-462e-BD4E-443F233F6033}
  • {F9546B58-83B5-44bb-93CF-945253E58025}
  • {F864AD64-8376-447d-B5F4-EA4965E3E0EA}
  • {BE3E60A0-8087-4ad2-9386-500966D663B4}