Some time ago we started to receive reports about suspicious internet connections made from corporate and private computers, and some of our clients discovered sets of files that had appeared on their systems without their knowledge.
We believe that the initial file dropped on our clients' systems was MNSVC.EXE. That file is the initial BrowserToolbar downloader component. The file could have been silently dropped by some third-party installation package, but we haven't located the source yet. In any case, that file was activated without the users' knowledge. It installed itself on the system and created a startup key for itself in the Windows Registry so that it always runs with Windows. The file then tried to download another executable file called AUSVC.EXE from the www.wwws1.com website.
The AUSVC.EXE file is also a downloader component of the BrowserToolbar software, and it downloaded the rest of the BrowserToolbar software to users' systems. That component also installed itself on the system and created a startup key for itself in the Windows Registry so that it always runs with Windows. This component downloaded and activated a few more files, including the BVT.EXE and ABSR.EXE files.
The BVT.EXE and ABSR.EXE files are the main components of the BrowserToolbar software. They work as Internet browser add-ons and filter the incoming and outgoing HTTP traffic generated by the browsers. These components also install themselves on the system and create startup keys for themselves in the System Registry.
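The chain described above leaves two things a defender can look for: startup values that launch one of the four named files, and requests to the download host. The following check is an added example, not F-Secure's code. The registry key, value names, file paths, client addresses and URL paths in the sample data are constructed, since the description does not give them.

```python
import re
from pathlib import PureWindowsPath
from urllib.parse import urlsplit

# File names and download host as named in the description above.
COMPONENTS = {"MNSVC.EXE", "AUSVC.EXE", "BVT.EXE", "ABSR.EXE"}
DOWNLOAD_HOST = "www.wwws1.com"

# Constructed sample in `reg query` output format; the Run key is an assumption.
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    ExampleApp    REG_SZ    "C:\Program Files\ExampleApp\tray.exe"
    mnsvc    REG_SZ    C:\WINDOWS\System32\mnsvc.exe
    Updater    REG_SZ    "C:\Program Files\Common Files\ausvc.exe" /s
"""

# Constructed proxy log lines: "<client> <method> <url>"
SAMPLE_PROXY = """\
10.0.0.5 GET http://www.example.org/index.html
10.0.0.7 GET http://www.wwws1.com/ausvc.exe
10.0.0.9 GET http://notwww.wwws1.com.example.net/x
"""

VALUE_RE = re.compile(r"^\s+(?P<name>.+?)\s+REG_(?:EXPAND_)?SZ\s+(?P<data>\S.*)$")

def image_name(command):
    """Upper-cased executable name from a Run-key command line."""
    command = command.strip()
    if command.startswith('"'):
        path = command[1:].split('"', 1)[0]
    else:  # unquoted: cut at the first ".exe" so paths with spaces survive
        m = re.match(r"(.+?\.exe)\b", command, re.I)
        path = m.group(1) if m else command.split()[0]
    return PureWindowsPath(path).name.upper()

def flag_autoruns(reg_text):
    """Return (value name, file name) for Run values that start a named component."""
    hits = []
    for line in reg_text.splitlines():
        m = VALUE_RE.match(line)
        if m and image_name(m["data"]) in COMPONENTS:
            hits.append((m["name"], image_name(m["data"])))
    return hits

def flag_proxy(log_text):
    """Return clients that requested a URL on the download host (exact host match)."""
    rows = (line.split(None, 2) for line in log_text.splitlines())
    return [r[0] for r in rows if len(r) == 3 and urlsplit(r[2]).hostname == DOWNLOAD_HOST]
```

Matching on the file name alone ignores the install directory, so a hit is a lead to verify, not a verdict.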
We are detecting the BrowserToolbar software for the following reasons:
1. The software is installed on a system without notification or the user's approval
2. The software silently downloads and activates executable files on a user's system
3. The software uses the user's Internet connection without authorisation and sends out generic data about the user's system configuration to a website
Unless the developers of BrowserToolbar fix the security and privacy issues with their software, F-Secure Anti-Virus will detect it as a backdoor. We had not been contacted by the developers of BrowserToolbar at the time this description was written.
[F-Secure Anti-Virus Research Team; May 23rd, 2002]