F-Secure
Tools
Adware:W32/Superjuan
Summary
This program delivers advertising content to the user. It is usually annoying but harmless, unless it is combined with spyware or trackware.
Additional Details
Superjuan is an adware that is installed as a Browser Helper Object (BHO).
Installation
The dll file is usually located in the windows system folder with a random file name and implements the following autorun entries:
Activity
While active, the adware can perform the following actions:
The adware also lowers the Security level settings on Microsoft Internet Explorer's Security Zones.
Activity
The adware tracks search queries made on a defined list of strings, then either displays adware or redirects the query. The adware tracks queries made on these websites:
When the user searches on a defined website, the adware may contact a server to obtain an address or data containing an advertisement. The adware then launches a new web browser instance, which is in this format:
Where [Address] is an IP address or domain returned by a contacted server, giving the location of advertisement data.
The searches made by the user may also be redirected to the following address:
Where [Address] in this case is dependent on a hard coded variant. Some possible addresses are:
The adware is known to be associated with several rogue applications. The adware may redirect the user to an online scanning website, which may trick the user into installing a rogue application. Some representative screenshots of rogue applications can be seen below:
.jpg)
Several variants of these rogue applications may also contact a website containing a script that downloads and execute a rogue installer program.
Registry
During installation, several registry entries may be temporarily created, in order to facilitate the adware's tracking functionality.
It adds the DLL file name ton the Appinit startup:
And keys to register the adware as a Browser Helper Object (BHO):
These are the CLSID that the adware may use:
Installation
The dll file is usually located in the windows system folder with a random file name and implements the following autorun entries:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
[random string] = "rundll32.exe
Activity
While active, the adware can perform the following actions:
- Display advertisement pop up depending on the search made
- Redirect user to a different website
- Trick user to install rogue application
- May track search strings on various search engines
- Lowers security level on internet zones
The adware also lowers the Security level settings on Microsoft Internet Explorer's Security Zones.
Activity
The adware tracks search queries made on a defined list of strings, then either displays adware or redirects the query. The adware tracks queries made on these websites:
- websearch.com
- usseek.com
- sensis.com.au
- searchmiracle.com
- neon.org.uk
- mirago.co.uk
- wesearchall.com
- search.about.com
- mywebsearch.com
- mysearch.myway.com
- netster.com
- lb1.netster.com
- vivisimo.com
- search.netzero.net
- search.netscape.com
- search.aol
- recherche.aol.fr
- query.nytimes.com
- mamma.com
- lycos
- kanoodle.com
- jayde.com
- hotbot.com
- search.dmoz.org
- www.excite.co.jp
- web.ask
- url.searchuk.com
- uk.searchengine.com
- excite.co.jp
- infoseek.co.jp
- search.looksmart.com
- findsearch.net
- destinationadult.com
- 7search.com
- s.teoma.com
- search.xtramsn.co.nz
- search.wanadoo.co.uk
- search.sympatico.msn.ca
- search.msn
- search.earthlink.net
- search.daum.net
- reference.com
- instafinder.com
- goguides.org
- gigablast.com
- comcast.net
- bbc.co.uk
- ask.com/web
- altavista.com
- alltheweb.com
- alexa.com
- quizrocket.com
- microsoft.com
- facebook.com
- live.com
- msn.com
- myspace
- youtube
- adultfriendfinder
- yahoo
When the user searches on a defined website, the adware may contact a server to obtain an address or data containing an advertisement. The adware then launches a new web browser instance, which is in this format:
- http://[Address]/?source=[string value]&affid=[value created by adware]&guid=[value created by adware]&rid=[value created by adware]
Where [Address] is an IP address or domain returned by a contacted server, giving the location of advertisement data.
The searches made by the user may also be redirected to the following address:
- http://[Address]/go/?cmp=system32&uid=[value created by adware]&lid="user search string"&url=[original search address result]&superjuan...
Where [Address] in this case is dependent on a hard coded variant. Some possible addresses are:
- http://89.188.16.10/go/
- http://89.188.16.16/go/
- http://65.243.103.60/go/
- http://65.243.103.62/go/
- http://65.243.103.56/go/
The adware is known to be associated with several rogue applications. The adware may redirect the user to an online scanning website, which may trick the user into installing a rogue application. Some representative screenshots of rogue applications can be seen below:
Several variants of these rogue applications may also contact a website containing a script that downloads and execute a rogue installer program.
Registry
During installation, several registry entries may be temporarily created, in order to facilitate the adware's tracking functionality.
-
HKEY_LOCAL_MACHINE\Software\Microsoft\MS Juan -
HKEY_LOCAL_MACHINE\Software\Microsoft\MS Track System -
HKEY_LOCAL_MACHINE\Software\Microsoft\Juan -
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Con -
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\jkwslist -
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\jsearchcount -
HKEY_LOCAL_MACHINE\Software\Microsoft\jn_tr_<8 random character or number>
-
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs = "{existing entries} [adware filename].dll"
And keys to register the adware as a Browser Helper Object (BHO):
-
CLSID registry key
HKEY_CLASSES_ROOT\CLSID\{[selected CLSID from the list]} - CLSID file entry
HKEY_CLASSES_ROOT\CLSID\{{selected CLSID from the list}}\InprocServer32
Default = - Browser Helper Object-added registry key entry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper\{[selected CLSID from the list]}
These are the CLSID that the adware may use:
-
{B7672BAF-E9A3-49B6-86B2-C81719A18A4C} -
{849B9523-785F-4014-9CAF-079FB4A74C61} -
{1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} -
{F18F04B0-9CF1-4b93-B004-77A288BEE28B} -
{0676CC61-CDC5-447e-AAFC-9D886EC820EB} -
{7797F524-B819-42d0-B35A-0DACAF93E977} -
{013A653B-49A6-4f76-8B68-E4875EA6BA54} -
{14FD9304-A270-4d8c-B696-6B7DA0C1DF56} -
{35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} -
{3FD6B99C-A275-46ea-8FD1-3D63986E51E4} -
{7DA39570-5FD2-4f18-94B4-20730CB3F727} -
{68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50} -
{E03C740E-BB24-4d3c-B92A-6F84DE1DD99C} -
{337C54C9-80C1-4de2-93CD-AAA510834074} -
{D38439EC-4A7F-42b4-90C2-D810D7778FDD} -
{57E218E6-5A80-4f0c-AB25-83598F25D7E9} -
{67C55A8D-E808-4caa-9EA7-F77102DE0BB6} -
{1557B435-8242-4686-9AA3-9265BF7525A4} -
{D651AFF4-9590-424d-BD1E-8E33E090DFB3} -
{E2EE5C44-C66D-499d-BEAE-A2A79189A63A} -
{55DB983C-BDBF-426f-86F0-187B02DDA39B} -
{A24B57F8-505D-4fc5-9960-740E304D1ABA} -
{4B646AFB-9341-4330-8FD1-C32485AEE619} -
{CD3447D4-CA39-4377-8084-30E86331D74C} -
{DEBEB52F-CFA6-4647-971F-3EDB75B63AFA} -
{8F2183B9-F4DB-4913-8F82-6F9CC42E4CF8} -
{92A444D2-F945-4dd9-89A1-896A6C2D8D22} -
{E12BFF69-38A7-406e-A8EF-2738107A7831} -
{5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} -
{1F6581D5-AA53-4b73-A6F9-41420C6B61F1} -
{1126271C-A8C3-438c-B951-7C94B453B16B} -
{938A8A03-A938-4019-B764-03FF8D167D79} -
{CF46BFB3-2ACC-441b-B82B-36B9562C7FF1} -
{C6039E6C-BDE9-4de5-BB40-768CAA584FDC} -
{44218730-94E0-4b24-BBF0-C3D8B2BCE2C3} -
{C24751C6-3976-419a-A776-915669E28A4D} -
{47B83D78-F986-4E96-9769-2C55EF14DA0B} -
{E64F0381-0053-4842-B3E5-08F6C4A0AEB6} -
{32A5ED57-EA40-4869-8675-28EA463E6B23} -
{89AD4D75-2429-462e-BD4E-443F233F6033} -
{F9546B58-83B5-44bb-93CF-945253E58025} -
{F864AD64-8376-447d-B5F4-EA4965E3E0EA} -
{BE3E60A0-8087-4ad2-9386-500966D663B4}