PUA.Win32.MyWebSearch.HZ
Win32:UnwantedSig [PUP](AVAST); Win32/Toolbar.MyWebSearch.BA potentially unwanted application(NOD32);
Windows
![](/vinfo/imgFiles/legend.jpg)
Threat Type: Potentially Unwanted Application
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This Potentially Unwanted Application arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It modifies the user's Internet Explorer home page into a certain website. This action allows the malware to point to a website which may contain malware, putting the affected computer at greater risk of malware infection.
TECHNICAL DETAILS
Arrival Details
This Potentially Unwanted Application arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This Potentially Unwanted Application drops the following files:
- %AppDataLocal%\MapsGalaxyTooltab\TooltabExtension.dll
- %User Temp%\nsp{random}.tmp\reporting
- %User Temp%\nsp{random}.tmp\cancel_japanese_{random nubers}.bmp
- %User Temp%\nsp{random}.tmp\installerParams
- %User Temp%\nsp{random}.tmp\Install_JPN_{random nubers}.bmp
- %User Temp%\nsp{random}.tmp\MG_jpn_msi_bg-copy_{random nubers}.bmp
- %User Temp%\nsp{random}.tmp\nsDialogs.dll
- %User Temp%\nsp{random}.tmp\reporting
- %User Temp%\nsp{random}.tmp\System.dll
(Note: %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)
Other System Modifications
This Potentially Unwanted Application adds the following registry entries as part of its installation routine:
HKEY_CURRENT_USER\Software\MapsGalaxy
Start Page = "http://{BLOCKED}p.{BLOCKED}y.com/mapsgalaxy/lmjajp/index.html?n=78584B19&p2=^UX^mni000^LMJAJP&ptb=3AC183E7-0B25-4864-9A49-565D8D71FEA3&coid=b0a3b24d849846deb095975eb0fbbfdc"
HKEY_CURRENT_USER\Software\MapsGalaxy
UnInstallSurveyUrl = "https://@{downloadDomain}.{BLOCKED}l.{BLOCKED}y.com/uninstall.jhtml?c=3AC183E7-0B25-4864-9A49-565D8D71FEA3&ptb=^UX^mni000^LMJAJP"
It modifies the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main
Start Page = "http://{BLOCKED}p.{BLOCKED}y.com/mapsgalaxy/lmjajp/index.html?n=78584B19&p2=^UX^mni000^LMJAJP&ptb=3AC183E7-0B25-4864-9A49-565D8D71FEA3&coid=b0a3b24d849846deb095975eb0fbbfdc"
Web Browser Home Page and Search Page Modification
This Potentially Unwanted Application modifies the user's Internet Explorer home page to the following websites:
- http://{BLOCKED}p.{BLOCKED}y.com/mapsgalaxy/lmjajp/index.html?n=78584B19&p2=^UX^mni000^LMJAJP&ptb=3AC183E7-0B25-4864-9A49-565D8D71FEA3&coid=b0a3b24d849846deb095975eb0fbbfdc
Other Details
This Potentially Unwanted Application connects to the following possibly malicious URL:
- https://{BLOCKED}x.{BLOCKED}ark.com/anx.gif?anxa=CAPDownloadProcess&anxe=InstallerInvoked&platform=vicinio&anxv=2.7.1.3000&anxd=2019-03-04&coid=b0a3b24d849846deb095975eb0fbbfdc&refPartner=^UX^mni000^LMJAJP&refSub=&anxl=en-US&anxr=-2106142550&refCobrand=UX&refCampaign=mni000&refTrack=LMJAJP&refCountry=
- http://{BLOCKED}p.{BLOCKED}y.com/mapsgalaxy/lmjajp/assets/1557860707117/ie8.js