ADW_NIEGUIDE

This adware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It may be manually installed by a user.

It connects to certain URLs. It may do this to remotely inform a malicious user of its installation. It may also do this to download possibly malicious files onto the computer, which puts the computer at a greater risk of infection by other threats. It executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.

Arrival Details

This adware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It may be manually installed by a user.

Installation

This adware adds the following mutexes to ensure that only one of its copies runs at any one time:

• UPDATEVER6
• UPDATEVER6_A

Download Routine

This adware connects to the following malicious URLs:

• http://app.voneclick.com/installinfo/windowwizard/windowwizard_2010_v2.php
• http://log.adsence.co.kr/logsid.php?
• http://log.adsence.co.kr/logexp.php?aid=windowwizard

It accesses the following websites to download files:

• http://down.{BLOCKED}ick.com/2010_update/windowwizard_20120301_update.exe

It saves the files it downloads using the following names:

• %User Temp%\windowwizard_20120301_update.exe - detected as ADW_WINWIZ

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)

It then executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.

NOTES:

This adware has the following icon: