Potentially Unwanted Thanksgiving-themed Downloads

11.26.2008 - 9:00 AM
As we wish our American colleagues and friends 'Happy Thanksgiving', we could be tempted to get into the spirit and maybe brighten up our desktop with screensavers, wallpapers and the like. Our advice to users is to exercise caution - such activity may lead to adware, BHOs, and other undesirables.

I tuned our ThreatSeeker™ Network to reveal the potential pitfalls on a Thanksgiving-related theme. We found examples of Thanksgiving-themed screensavers leading to Potentially Unwanted Software in the form of browser toolbars (BHO), as well as changes to your home page, and personal data being harvested.

One site offering Thanksgiving-themed downloads (screensavers, eCards and wallpapers), located at hxxp://www.thanksgiving*snip*.com/, hosts scenic-happythanksgiving2-wallpaper.exe, which acts as a dropper for further files. The installation process is as follows:

1.  Upon execution of the above-named file, an end-user license agreement (EULA) is provided to the user, with the option to set their home page to hxxp://www.*snip*search.com/
2.  A popup is then displayed requesting an individual's name, address, zip code, email address, date of birth, and phone number.

3.  Two further files are executed without additional user interaction - this runs 'e-Shopper Setup Wizard'. (We sure weren't hoping for Adware on Thanksgiving.)

4.  Next, further files are run which launch the My Global Search Bar Setup Wizard. Antivirus detection is adequate on mgsb.exe (MD5: 599B8D0088FF83ED67E2CEAB8DE657BC).

5.  Once the user has progressed through the wizard, a browser window is displayed encouraging the user to pass on this nuisance-ware to friends.

6.  The user's home page has now been set to hxxp://*snip*way.com/, the My Global Search Bar has been integrated into Internet Explorer's address bar, and finally the wallpaper and screensaver have been configured as below.

[Image: installed wallpaper]

[Image: installed screensaver]
7.  Search results from the user's browser address bar now utilise hxxp://www.myglobal*snip*.com/
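The changes listed in steps 1 to 7 (home page, Browser Helper Object toolbar, address-bar search provider, wallpaper and screensaver, dropped mgsb.exe) all leave traces an administrator can audit. The following PowerShell script is an added example and not part of the original post; the host watch list uses the post's redacted '*snip*' values as placeholders, and the mgsb.exe path is assumed, since the post does not give one.

```powershell
# Added example (not from the original post): audit the IE/Windows settings the
# installer described above is reported to change. Domains are the post's
# redacted '*snip*' values, so the watch list below is a placeholder to fill in.
$SuspectHosts = @('*snip*search.com', '*snip*way.com', 'myglobal*snip*.com')  # placeholder
$KnownBadMd5  = '599B8D0088FF83ED67E2CEAB8DE657BC'                            # mgsb.exe, from the post

function Test-SuspectUrl([string]$Url) {
    foreach ($h in $SuspectHosts) { if ($Url -like "*$h*") { return $true } }
    return $false
}

# 1. Home page (steps 1 and 6 in the post)
$main = Get-ItemProperty 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
"Start Page : $($main.'Start Page')" + $(if (Test-SuspectUrl $main.'Start Page') { '  <-- matches watch list' })

# 2. Browser Helper Objects (the toolbar from step 6), resolved to the DLL each CLSID loads
$bhoKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
           'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
foreach ($k in $bhoKeys) {
    Get-ChildItem $k -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid = $_.PSChildName
        $dll = (Get-ItemProperty "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        "BHO        : $clsid -> $dll"
    }
}

# 3. Address-bar search providers (step 7); the default scope is what the address bar uses
$scopes  = 'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes'
$default = (Get-ItemProperty $scopes -ErrorAction SilentlyContinue).DefaultScope
Get-ChildItem $scopes -ErrorAction SilentlyContinue | ForEach-Object {
    $p    = Get-ItemProperty $_.PSPath
    $flag = if (Test-SuspectUrl $p.URL) { '  <-- matches watch list' } else { '' }
    $tag  = if ($_.PSChildName -eq $default) { ' (default)' } else { '' }
    "SearchScope: $($p.DisplayName)$tag -> $($p.URL)$flag"
}

# 4. Wallpaper and screensaver (step 6)
$desk = Get-ItemProperty 'HKCU:\Control Panel\Desktop'
"Wallpaper  : $($desk.Wallpaper)"
"Screensaver: $($desk.'SCRNSAVE.EXE')"

# 5. Hash check of the dropped toolbar installer, if present (drop location is an assumption)
$candidate = Join-Path $env:TEMP 'mgsb.exe'
if (Test-Path $candidate) {
    $md5 = (Get-FileHash $candidate -Algorithm MD5).Hash
    "mgsb.exe   : $md5" + $(if ($md5 -eq $KnownBadMd5) { '  <-- matches MD5 in the post' })
}
```

Run it in a user session on the affected machine; any BHO whose DLL sits outside the usual vendor locations, or a default search scope pointing at an unexpected host, is worth a closer look.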


Quite a lot of work and exposure for a screensaver, I think you will agree. Well, people always said there's no such thing as a free lunch, even on Thanksgiving. Over the next few days the WSLabs will be keeping an eye out for other Thanksgiving-themed threats.

Happy Thanksgiving!

Security Researchers: Carl Leonard, Elad Sharf
