ADW_ELEX.A
Windows 2000, XP, Server 2003
Threat Type: Adware
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This adware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
File Size: Varies
File Type: EXE
Memory Resident: No
Initial Samples Received Date: 07 Sep 2013
Arrival Details
This adware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This adware drops the following non-malicious files:
- %User Profile%\Application Data\{name}\msvcr100.dll
- %User Profile%\Application Data\{name}\System.dll
- %Program Files%\{name}\{config name}.ini
(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7. %Program Files% is the Program Files folder, which is usually C:\Program Files on all Windows operating system versions, or C:\Program Files (x86) for 32-bit applications running on 64-bit Windows operating systems.)
It drops the following copies of itself into the affected system:
- %User Profile%\Application Data\{name}\{file name}.exe
- %Program Files%\{name}\{file name}.exe
(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7. %Program Files% is the Program Files folder, which is usually C:\Program Files on all Windows operating system versions, or C:\Program Files (x86) for 32-bit applications running on 64-bit Windows operating systems.)
It creates the following folders:
- %User Profile%\Application Data\{name}
- %User Profile%\{name}
- %User Temp%\{random values}.tmp
- %Program Files%\{name}
(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7. %User Temp% is the user's temporary folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012. %Program Files% is the Program Files folder, which is usually C:\Program Files on all Windows operating system versions, or C:\Program Files (x86) for 32-bit applications running on 64-bit Windows operating systems.)
Autostart Technique
This adware adds and runs the following services:
- Service Name: {name}
- Display Name: {name}
- Start Type: SERVICE_AUTO_START
- Binary Pathname: "%User Profile%\Application Data\{name}\{file name}.exe" or "%Program Files%\{name}\{file name}.exe"
(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7. %Program Files% is the Program Files folder, which is usually C:\Program Files on all Windows operating system versions, or C:\Program Files (x86) for 32-bit applications running on 64-bit Windows operating systems.)
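The autostart technique above is a service with SERVICE_AUTO_START whose binary sits in the user's profile (Application Data) rather than in a system directory. A quick triage check for that pattern on a host is to list auto-start services and flag any whose executable resolves under a user-writable root. The script below is an added example for that check; it is not part of the Trend Micro entry and not tied to this adware's {name} placeholder. The helper names (Get-ServiceBinaryPath, Test-UserWritableRoot), the list of roots treated as user-writable, and the output columns are this example's own assumptions.

```powershell
# Added example (not from the Trend Micro entry): list auto-start services
# whose executable lives under a user-writable profile or temp directory.
# Helper names, roots and output format are assumptions of this example.

function Get-ServiceBinaryPath {
    # Extract just the executable from a Win32_Service.PathName value,
    # which may be quoted and may carry arguments.
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = $PathName.Trim()
    if ($p.StartsWith('"')) {
        # Quoted form: "C:\path\to\svc.exe" -args
        $end = $p.IndexOf('"', 1)
        if ($end -gt 0) { return $p.Substring(1, $end - 1) }
        return $p.Trim('"')
    }
    # Unquoted form: take everything up to and including the first ".exe"
    $m = [regex]::Match($p, '^(.*?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($p -split '\s+')[0]
}

function Test-UserWritableRoot {
    # True when the path is under a location a standard user can write to.
    # Roots chosen here are an assumption; adjust for your environment.
    param([string]$Path)
    $roots = @(
        $env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:USERPROFILE,
        'C:\Users\', 'C:\Documents and Settings\'
    ) | Where-Object { $_ }
    foreach ($r in $roots) {
        if ($Path.StartsWith($r.TrimEnd('\'), [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

# Win32_Service.StartMode is 'Auto' for SERVICE_AUTO_START services.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartMode -eq 'Auto' } |
    ForEach-Object {
        $bin = Get-ServiceBinaryPath -PathName $_.PathName
        if ($bin -and (Test-UserWritableRoot -Path $bin)) {
            $exists = Test-Path -LiteralPath $bin
            [pscustomobject]@{
                Name        = $_.Name
                DisplayName = $_.DisplayName
                StartMode   = $_.StartMode
                BinaryPath  = $bin
                Exists      = $exists
                Signature   = $(if ($exists) { (Get-AuthenticodeSignature -LiteralPath $bin).Status } else { 'n/a' })
            }
        }
    } | Format-Table -AutoSize
```

Get-CimInstance needs PowerShell 3.0 or later; on the Windows 2000/XP/Server 2003 systems this entry lists, substitute Get-WmiObject -Class Win32_Service, which exposes the same Name, DisplayName, StartMode and PathName properties. Treat the output as a triage list rather than a verdict: some legitimate per-user updaters also install services under a profile, so confirm each hit against the dropped-file paths and service name pattern described above before removing anything.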
Other Details
This adware connects to the following possibly malicious URLs:
- http://www.{BLOCKED}ch123.com/logic/z.php
- http://{BLOCKED}.{BLOCKED}oud.com/v4/sof-everything/{url path}
- http://www.{BLOCKED}3.com/inf/eve/SSFK?ver={version}
- http://{BLOCKED}.{BLOCKED}5.com/everything/up?{url path}
- http://www.{BLOCKED}lage.com/searchprotect/up?{url path}