
MaxSearch

Posted: March 28, 2006

MaxSearch is a browser hijacker that changes Internet Explorer's default start and search pages to sites on the maxfind.com and maxifiles.com domains. Once executed, MaxSearch creates a directory, drops files into it, and modifies the Windows registry to register itself as a browser plugin. The MaxSearch toolbar installation also includes a sidebar.

File System Modifications

  • The following files were created in the system:
    # File Name
    1 *.xml
    2 basis.xml
    3 freeprod77.ex_
    4 maxifiles.dll
    5 nav.bmp
    6 toolbar.crc
    7 version.txt

Registry Modifications

  • The following registry keys and values were created:
    HKEY_CLASSES_ROOT\ToolBand.XBTB07618
    HKEY_CLASSES_ROOT\ToolBand.XBTB07618.1
    HKEY_CLASSES_ROOT\XBTB07618.IEToolbar
    HKEY_CLASSES_ROOT\XBTB07618.IEToolbar.1
    HKEY_CLASSES_ROOT\XBTB07618.XBTB07618
    HKEY_CLASSES_ROOT\XBTB07618.XBTB07618.1
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe=0
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page=[siteaddress]
    HKEY_CURRENT_USER\Software\XBTB07618
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search\SearchAssistant=[siteaddress]
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\MaxiFiles
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\MaxiFilesTB
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\XBTB07618.XBTB07618Toolbar
  • The following CLSIDs were detected:
    FFBE337D-CB05-4FF0-B9FA-3C2FCC2F54FB
    3261A9A1-91F5-4A20-BEC7-3F8373C72C1F
    EABBB49A-4D7B-415B-8250-15C3B854E9FF
    0D5CC8AE-0BB0-49C3-BA33-BA4508EA43CC
    BBBE1C1A-89F7-4AF6-ABD1-F8FBCFA47408
    77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F