SPYW_BDPLUGIN.A
Overview

In the wild: No

Reported detections: Low

Description:

This spyware program registers itself as a Browser Helper Object (BHO). It adds several links to the Internet Explorer Favorites folder, which direct the user to certain Web pages.

It runs on Windows 95, 98, ME, NT, 2000, and XP.

Solution: 

Minimum scan engine version needed: 6.810


Uninstalling the Spyware

  1. Go to the Control Panel. Click Start>Run>Settings>Control Panel.
  2. Click Add/Remove Programs.
  3. Select the spyware detected earlier then click Remove.

NOTE: If uninstallation fails, proceed to the next instructions.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the spyware from executing at startup.

  1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
  3. In the right panel, locate and delete the entry:
    BIE = "Rundll32.exe <spyware file>,Rundll32"

NOTE: If you were not able to terminate the spyware process as described in the previous procedure, restart your system.

Removing Other Registry Entries

  1. Still in the Registry Editor, delete the following registry keys:
    • HKEY_CLASSES_ROOT>BDHook.BDSrchHook.1
    • HKEY_CLASSES_ROOT>BDHook.BDSrchHook
    • HKEY_CLASSES_ROOT>MimeFilter.AdFilter.1
    • HKEY_CLASSES_ROOT>MimeFilter.AdFilter
    • HKEY_CLASSES_ROOT>TypeLib>{3034F39C-A0B3-4068-9C0C-FC566B0263A3}
    • HKEY_CLASSES_ROOT>CLSID>{BC207F7D-3E63-4ACA-99B5-FB5F8428200C}
    • HKEY_CLASSES_ROOT>CLSID>{E85A87F7-4AB3-4a9f-8187-9AFDD89489AA}
    • HKEY_CLASSES_ROOT>Interface>{576F7E38-833A-4B0B-9A37-3865726D031E}
    • HKEY_CLASSES_ROOT>Interface>{F08555AF-9CC3-11D2-AA8E-000000000000}
    • HKEY_CLASSES_ROOT>PROTOCOLS>Handler>mp3
    • HKEY_CURRENT_USER>Software>Microsoft>Internet Explorer>URLSearchHooks
    • HKEY_CURRENT_USER>Software>Microsoft>Internet Explorer>URLSearchHooks.1
    • HKEY_LOCAL_MACHINE>Software>CNNIC
    • HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Uninstall>BDHelper
    • HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>explorer>ShellExecuteHooks
      {BC207F7D-3E63-4ACA-99B5-FB5F8428200C} = "BIE"
    • HKEY_LOCAL_MACHINE>Software>Microsoft>Internet Explorer>Extensions>{BC207F7D-3E63-4ACA-99B5-FB5F8428200C}
    • HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>explorer>Browser Helper Objects>{BC207F7D-3E63-4ACA-99B5-FB5F8428200C}

Running Trend Micro Antivirus

Download the latest spyware pattern file and scan your system. Then, delete all files detected as SPYW_BDPLUGIN.A.

Details: 

This spyware program is a browser helper object (BHO). On execution, it adds several links to the Internet Explorer Favorites folder.

The links added direct the user to the following Web pages:

  • http://bar.baidu.com/assistant/index.html
  • http://bar.baidu.com/assistant/nr/search.html
  • http://bar.baidu.com/assistant/nr/rehab.html
  • http://bar.baidu.com/assistant/nr/yinsi.html
  • http://bar.baidu.com/assistant/nr/clear.html
  • http://bar.baidu.com/assistant/nr/ad.html
  • http://bar.baidu.com/assistant/nr/js.html
  • http://bar.baidu.com/assistant/faq/index.html

It modifies the registry as follows:

  • HKEY_CLASSES_ROOT\BDHook.BDSrchHook.1
  • HKEY_CLASSES_ROOT\BDHook.BDSrchHook
  • HKEY_CLASSES_ROOT\MimeFilter.AdFilter.1
  • HKEY_CLASSES_ROOT\MimeFilter.AdFilter
  • HKEY_CLASSES_ROOT\CLSID\{BC207F7D-3E63-4ACA-99B5-FB5F8428200C}
  • HKEY_CLASSES_ROOT\CLSID\{E85A87F7-4AB3-4a9f-8187-9AFDD89489AA}
  • HKEY_CLASSES_ROOT\Interface\{576F7E38-833A-4B0B-9A37-3865726D031E}
  • HKEY_CLASSES_ROOT\Interface\{F08555AF-9CC3-11D2-AA8E-000000000000}
  • HKEY_CLASSES_ROOT\TypeLib\{3034F39C-A0B3-4068-9C0C-FC566B0263A3}
  • HKEY_CLASSES_ROOT\PROTOCOLS\Handler\mp3
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks.1
  • HKEY_LOCAL_MACHINE\Software\CNNIC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{BC207F7D-3E63-4ACA-99B5-FB5F8428200C}

To ensure its automatic execution at every system startup, it creates the following autorun registry entry:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
BIE = "Rundll32.exe <spyware file>,Rundll32"

It adds a dog paw icon on the Internet Explorer toolbar.
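The registry keys and values listed under "Removing Other Registry Entries" and "It modifies the registry as follows" are, taken together, a host-level signature for this BHO. The following script is an added example, not code from Trend Micro or from the original write-up: it parses a registry export made with regedit or `reg export` and reports which of the listed keys and values are present, so an analyst can confirm the infection before deleting anything and verify afterwards that the manual cleanup left none of the entries behind. The two sample exports, the `C:\PLACEHOLDER\spyware.dll` path and the all-zero GUID are constructed for the example; the write-up does not name the spyware file.

```python
import re
from typing import Dict, List

# Registry keys the write-up above lists for SPYW_BDPLUGIN.A; any of these
# keys, or a subkey beneath one, appearing in an export is a hit.
KEY_INDICATORS: List[str] = [
    r"HKEY_CLASSES_ROOT\BDHook.BDSrchHook",
    r"HKEY_CLASSES_ROOT\BDHook.BDSrchHook.1",
    r"HKEY_CLASSES_ROOT\MimeFilter.AdFilter",
    r"HKEY_CLASSES_ROOT\MimeFilter.AdFilter.1",
    r"HKEY_CLASSES_ROOT\TypeLib\{3034F39C-A0B3-4068-9C0C-FC566B0263A3}",
    r"HKEY_CLASSES_ROOT\CLSID\{BC207F7D-3E63-4ACA-99B5-FB5F8428200C}",
    r"HKEY_CLASSES_ROOT\CLSID\{E85A87F7-4AB3-4a9f-8187-9AFDD89489AA}",
    r"HKEY_CLASSES_ROOT\Interface\{576F7E38-833A-4B0B-9A37-3865726D031E}",
    r"HKEY_CLASSES_ROOT\Interface\{F08555AF-9CC3-11D2-AA8E-000000000000}",
    r"HKEY_LOCAL_MACHINE\Software\CNNIC",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\BDHelper",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{BC207F7D-3E63-4ACA-99B5-FB5F8428200C}",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{BC207F7D-3E63-4ACA-99B5-FB5F8428200C}",
]
# Value-level indicators: (key, value name, pattern the string data must match).
# The Run value is the autostart; the ShellExecuteHooks value is the second
# load point the write-up names for the same CLSID.
VALUE_INDICATORS = [
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
     "BIE", re.compile(r"^Rundll32\.exe .+,Rundll32$", re.I)),
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks",
     "{BC207F7D-3E63-4ACA-99B5-FB5F8428200C}", re.compile(r"^BIE$", re.I)),
]

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')

def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a regedit export into {key: {value name: data}}. String data is
    unescaped; dword:/hex: data is kept raw and hex continuation lines are
    skipped, which is fine here because every indicator is a string value."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4")):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})  # a key with no values still counts
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "" if m.group("default") else m.group("name")
            data = m.group("data")
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo \\ and \" escapes
            keys[current][name] = data
    return keys

def _norm(path: str) -> str:
    return path.strip("\\").lower()  # registry paths are case-insensitive

def scan_export(text: str) -> Dict[str, List[str]]:
    """Return {indicator: [matching key paths, or the matching value data]};
    an empty dict means none of the write-up's entries are present."""
    keys = parse_reg_export(text)
    hits: Dict[str, List[str]] = {}
    for indicator in KEY_INDICATORS:  # exact key or anything nested under it
        want = _norm(indicator)
        matched = [k for k in keys if _norm(k) == want or _norm(k).startswith(want + "\\")]
        if matched:
            hits[indicator] = matched
    for key, name, pattern in VALUE_INDICATORS:  # value must sit on that exact key
        values = next((v for k, v in keys.items() if _norm(k) == _norm(key)), {})
        for vname, data in values.items():
            if vname.lower() == name.lower() and pattern.match(data):
                hits[key + "\\" + vname] = [data]
    return hits

# Constructed sample exports. The DLL path is a placeholder because the
# write-up does not name the spyware file; the all-zero GUID is made up.
INFECTED_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"BIE"="Rundll32.exe C:\\PLACEHOLDER\\spyware.dll,Rundll32"
"Legit"="\"C:\\Program Files\\Vendor\\app.exe\" /tray"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks]
"{BC207F7D-3E63-4ACA-99B5-FB5F8428200C}"="BIE"
"{00000000-0000-0000-0000-000000000001}"=""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{BC207F7D-3E63-4ACA-99B5-FB5F8428200C}]
[HKEY_CLASSES_ROOT\CLSID\{BC207F7D-3E63-4ACA-99B5-FB5F8428200C}]
[HKEY_CLASSES_ROOT\CLSID\{BC207F7D-3E63-4ACA-99B5-FB5F8428200C}\InprocServer32]
@="C:\\PLACEHOLDER\\spyware.dll"
'''
CLEAN_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Legit"="\"C:\\Program Files\\Vendor\\app.exe\" /tray"
'''

if __name__ == "__main__":
    for label, export in (("infected", INFECTED_EXPORT), ("clean", CLEAN_EXPORT)):
        hits = scan_export(export)
        print(f"{label}: {len(hits)} indicator(s) present")
        for indicator, matches in hits.items():
            print(f"  {indicator} -> {matches}")
```

On a real host, export the hives with `reg export HKLM\Software hklm.reg` (and likewise for HKCR and HKCU), then pass the file text to `scan_export`; regedit version 5 exports are UTF-16 text, so open them with `encoding="utf-16"`. Subkeys are matched as well as the listed keys themselves, so an `InprocServer32` entry left under the CLSID after a partial cleanup is still reported. The URLSearchHooks and PROTOCOLS\Handler\mp3 keys are deliberately left out of `KEY_INDICATORS`: both can exist on uninfected systems, so on their own they do not distinguish this spyware.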




Analysis by: Jameson Ong


Description created: Sep 27, 2004