Threat Descriptions

Adware:W32/Boran

Classification

Category :

Spyware

Type :

Adware

Platform :

W32

Aliases :

-

Summary

This program delivers advertising content to the user. It is usually annoying but harmless, unless it is combined with spyware or trackware.

Removal

Based on the settings of your F-Secure security product, it may block the file from running, move it to the quarantine where it cannot spread or cause harm, or ask you to select an action.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Adware:W32/Boran is an adware program that acts as a Browser Helper Object (BHO). While active, the program displays Chinese-language advertising contents.

Installation

Boran software is usually distributed bundled with other Chinese adware/spyware program, such as& MMSAssist, Webwork or Vision Communicate "Cai Xin Fa Song" (Pinyin).

Once downloaded onto the system, Boran software must be executed manually. Upon execution, it drops executable and configuration files at:

  • C:\Program Files\MMSAssist\mms.ini
  • C:\Program Files\MMSAssist\Mmsass~1.dll

It may also create one or more of the following files:

  • alsmt.exe
  • Albus.SYS
  • Albus.DAT

Some variants may drop multiple component files and configuration files using a different path name and file name, for example:

  • C:\Program Files\winp\actv.ini
  • C:\Program Files\winp\stdi.ini
  • C:\Program Files\winp\stdl.ini
  • C:\Program Files\winp\upilex.ini
  • C:\Program Files\winp\upme.ini
  • C:\Program Files\winp\code.dll
  • C:\Program Files\winp\play.dll
  • C:\Program Files\winp\snet.dll
  • C:\Program Files\winp\vote.dll
  • C:\Program Files\yrpt\cvtx.ini
  • C:\Program Files\yrpt\xqos.ini
  • C:\Program Files\yrpt\gzxb.ini
  • C:\Program Files\yrpt\tmko.ini
  • C:\Program Files\yrpt\ibzd.dll
  • C:\Program Files\yrpt\lecg.dll
  • C:\Program Files\yrpt\ngei.dll
  • C:\Program Files\yrpt\qjhl.dll
  • C:\Program Files\yrpt\exvz.dll

Activity

While active, the adware checks Internet availability by contacting:

  • active.borlander.com.cn.

It then downloads advertising contents from:

  • www.borlander.com.cn
  • www.borlander.cn.

And downloads configuration files and the latest cabinet files (CAB) by using the following URL pattern:

  • https://update.borlander.cn/[..]/mmsas.cab
  • https://update.borlander.cn/[..]/updateex.ini
  • https://update.borlander.cn/[..]/updvsnex.ini
  • https://www.borlander.cn/[..]/mms.ini

Registry

This adware installs as a service by adding the following registry subkey:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Security]
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[random name]] Type= Start= ErrorControl= ImagePath="C:\WINDOWS\System32\rundll32.exe [Path to the component DLL file],Service -s" DisplayName=[random name]

The ImagePath's value C:\WINDOWS\System32\rundll32.exe [Path to the component DLL file],Service -sindicates that the adware will be started automatically as a background process when Windows is started.

It may also create one or more of the following registery subkeys:

  • [HKEY_CLASSES_ROOT\MMSBho.MMSAssist]
  • [HKEY_CLASSES_ROOT\MMSBho.MMSAssist.1]
  • [HKEY_CLASSES_ROOT\MMSBho.MMSAssistMenu]
  • [HKEY_CLASSES_ROOT\MMSBho.MMSAssistMenu.1]
  • [HKEY_CLASSES_ROOT\CLSID\{29875208-C411-4BBC-A537-4928Ba1E784A}]
  • [HKEY_CLASSES_ROOT\CLSID\{41DDECD2-1991-48C2-92C5-3698F3A6C607}]
  • [HKEY_CLASSES_ROOT\CLSID\{6671A431-5C3D-463d-A7CF-5587F9B7E191}]
  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\ >>Cai Xin Fa Song<<
  • [HKEY_LOCAL_MACHINE\Software\Classes\MMSBho.MMSAssist]
  • [HKEY_LOCAL_MACHINE\Software\Classes\MMSBho.MMSAssist.1]
  • [HKEY_LOCAL_MACHINE\Software\Classes\MMSBho.MMSAssistMenu]
  • [HKEY_LOCAL_MACHINE\Software\Classes\MMSBho.MMSAssistMenu.1]
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Albus]
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VxD\Albus]
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VisionService]
  • [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{29875208-C411-4BBC-A537-4928Ba1E784A}]
  • [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{41DDECD2-1991-48C2-92C5-3698F3A6C607}]
  • [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{6671A431-5C3D-463d-A7CF-5587F9B7E191}]
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6671A431-5C3D-463d-A7CF-5587F9B7E191}]
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\MMSAssist]
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Vision Communicate]
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{0C5C8E9A-48BA-4d26-AA01-2E1D4DC14718}]