ADWARE_BHOT_QUICKLINKS
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Malware type
Adware
Destructive?
No
Encrypted
In the Wild:
Yes
Summary and description
Technical details
Installation
This malware drops the following file(s)/component(s):
- %System%\acwfs4t2.exe
- %System%\f50i.tcp
- %System%\wdc1n.dll
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP and Server 2003.)
Autostart technique
Adds the following registry key so that it is loaded by the browser as a Browser Helper Object (BHO):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0DEADE31-9A37-48B2-921A-7825EA93D32A}
Other system modifications
Adds the following registry keys and entries as part of its installation routine:
HKEY_CLASSES_ROOT\Fseytdc.Ariaqudok
HKEY_CLASSES_ROOT\Fseytdc.Ariaqudok\CLSID
HKEY_CLASSES_ROOT\Fseytdc.Ariaqudok.1
HKEY_CLASSES_ROOT\Fseytdc.Ariaqudok.1\CLSID
HKEY_CLASSES_ROOT\Fseytdc.Yvakt
HKEY_CLASSES_ROOT\Fseytdc.Yvakt\CLSID
HKEY_CLASSES_ROOT\Fseytdc.Yvakt.1
HKEY_CLASSES_ROOT\Fseytdc.Yvakt.1\CLSID
HKEY_CLASSES_ROOT\CLSID\{0DEADE31-9A37-48B2-921A-7825EA93D32A}
HKEY_CLASSES_ROOT\CLSID\{0DEADE31-9A37-48B2-921A-7825EA93D32A}\InprocServer32
HKEY_CLASSES_ROOT\CLSID\{0DEADE31-9A37-48B2-921A-7825EA93D32A}\ProgID
HKEY_CLASSES_ROOT\CLSID\{0DEADE31-9A37-48B2-921A-7825EA93D32A}\VersionIndependentProgID
HKEY_CLASSES_ROOT\CLSID\{BA576CDE-9949-4473-A8F7-6C17C2A7E600}
HKEY_CLASSES_ROOT\CLSID\{BA576CDE-9949-4473-A8F7-6C17C2A7E600}\InprocServer32
HKEY_CLASSES_ROOT\CLSID\{BA576CDE-9949-4473-A8F7-6C17C2A7E600}\ProgID
HKEY_CLASSES_ROOT\CLSID\{BA576CDE-9949-4473-A8F7-6C17C2A7E600}\VersionIndependentProgID
HKEY_CLASSES_ROOT\Interface\{924350BE-EC92-4ACE-97D7-006721346D23}
HKEY_CLASSES_ROOT\Interface\{924350BE-EC92-4ACE-97D7-006721346D23}\ProxyStubClsid
HKEY_CLASSES_ROOT\Interface\{924350BE-EC92-4ACE-97D7-006721346D23}\ProxyStubClsid32
HKEY_CLASSES_ROOT\Interface\{924350BE-EC92-4ACE-97D7-006721346D23}\TypeLib
HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html
HKEY_CLASSES_ROOT\TypeLib\{2383594E-4C4B-46A0-BA6A-817A8CAD2393}
HKEY_CLASSES_ROOT\TypeLib\{2383594E-4C4B-46A0-BA6A-817A8CAD2393}\1.0
HKEY_CLASSES_ROOT\TypeLib\{2383594E-4C4B-46A0-BA6A-817A8CAD2393}\1.0\0
HKEY_CLASSES_ROOT\TypeLib\{2383594E-4C4B-46A0-BA6A-817A8CAD2393}\1.0\0\win32
HKEY_CLASSES_ROOT\TypeLib\{2383594E-4C4B-46A0-BA6A-817A8CAD2393}\1.0\FLAGS
HKEY_CLASSES_ROOT\TypeLib\{2383594E-4C4B-46A0-BA6A-817A8CAD2393}\1.0\HELPDIR
HKEY_LOCAL_MACHINE\SOFTWARE\qI9nJ
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Fseytdc.Ariaqudok
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Fseytdc.Ariaqudok\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Fseytdc.Yvakt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Fseytdc.Yvakt\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Fseytdc.Yvakt.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Fseytdc.Yvakt.1\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0DEADE31-9A37-48B2-921A-7825EA93D32A}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0DEADE31-9A37-48B2-921A-7825EA93D32A}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0DEADE31-9A37-48B2-921A-7825EA93D32A}\ProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0DEADE31-9A37-48B2-921A-7825EA93D32A}\VersionIndependentProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BA576CDE-9949-4473-A8F7-6C17C2A7E600}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BA576CDE-9949-4473-A8F7-6C17C2A7E600}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BA576CDE-9949-4473-A8F7-6C17C2A7E600}\ProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BA576CDE-9949-4473-A8F7-6C17C2A7E600}\VersionIndependentProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{924350BE-EC92-4ACE-97D7-006721346D23}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{924350BE-EC92-4ACE-97D7-006721346D23}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{924350BE-EC92-4ACE-97D7-006721346D23}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{924350BE-EC92-4ACE-97D7-006721346D23}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FFjTq
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NJv7jy = ""%System%\dgfgql.exe""
Adds the following registry entries as part of its installation routine:
HKEY_CLASSES_ROOT\Fseytdc.Ariaqudok
{Default} = "Ariaqudok Class"
HKEY_CLASSES_ROOT\Fseytdc.Ariaqudok\CLSID
{Default} = "{BA576CDE-9949-4473-A8F7-6C17C2A7E600}"
HKEY_CLASSES_ROOT\Fseytdc.Ariaqudok.1
{Default} = "Ariaqudok Class"
HKEY_CLASSES_ROOT\Fseytdc.Ariaqudok.1\CLSID
{Default} = "{BA576CDE-9949-4473-A8F7-6C17C2A7E600}"
HKEY_CLASSES_ROOT\Fseytdc.Yvakt
{Default} = "Yvakt Class"
HKEY_CLASSES_ROOT\Fseytdc.Yvakt\CLSID
{Default} = "{0DEADE31-9A37-48B2-921A-7825EA93D32A}"
HKEY_CLASSES_ROOT\Fseytdc.Yvakt.1
{Default} = "Yvakt Class"
HKEY_CLASSES_ROOT\Fseytdc.Yvakt.1\CLSID
{Default} = "{0DEADE31-9A37-48B2-921A-7825EA93D32A}"
HKEY_CLASSES_ROOT\CLSID\{0DEADE31-9A37-48B2-921A-7825EA93D32A}
{Default} = "Yvakt Class"
HKEY_CLASSES_ROOT\CLSID\{0DEADE31-9A37-48B2-921A-7825EA93D32A}\InprocServer32
{Default} = "%System%\wdc1n.dll"
HKEY_CLASSES_ROOT\CLSID\{0DEADE31-9A37-48B2-921A-7825EA93D32A}\InprocServer32
ThreadingModel = "Apartment"
HKEY_CLASSES_ROOT\CLSID\{0DEADE31-9A37-48B2-921A-7825EA93D32A}\ProgID
{Default} = "Fseytdc.Yvakt.1"
HKEY_CLASSES_ROOT\CLSID\{0DEADE31-9A37-48B2-921A-7825EA93D32A}\VersionIndependentProgID
{Default} = "Fseytdc.Yvakt"
HKEY_CLASSES_ROOT\CLSID\{BA576CDE-9949-4473-A8F7-6C17C2A7E600}
{Default} = "Ariaqudok Class"
HKEY_CLASSES_ROOT\CLSID\{BA576CDE-9949-4473-A8F7-6C17C2A7E600}\InprocServer32
{Default} = "%System%\wdc1n.dll"
HKEY_CLASSES_ROOT\CLSID\{BA576CDE-9949-4473-A8F7-6C17C2A7E600}\InprocServer32
ThreadingModel = "both"
HKEY_CLASSES_ROOT\CLSID\{BA576CDE-9949-4473-A8F7-6C17C2A7E600}\ProgID
{Default} = "Fseytdc.Ariaqudok.1"
HKEY_CLASSES_ROOT\CLSID\{BA576CDE-9949-4473-A8F7-6C17C2A7E600}\VersionIndependentProgID
{Default} = "Fseytdc.Ariaqudok"
HKEY_CLASSES_ROOT\Interface\{924350BE-EC92-4ACE-97D7-006721346D23}
{Default} = "IYvakt"
HKEY_CLASSES_ROOT\Interface\{924350BE-EC92-4ACE-97D7-006721346D23}\ProxyStubClsid
{Default} = "{00020424-0000-0000-C000-000000000046}"
HKEY_CLASSES_ROOT\Interface\{924350BE-EC92-4ACE-97D7-006721346D23}\ProxyStubClsid32
{Default} = "{00020424-0000-0000-C000-000000000046}"
HKEY_CLASSES_ROOT\Interface\{924350BE-EC92-4ACE-97D7-006721346D23}\TypeLib
{Default} = "{2383594E-4C4B-46A0-BA6A-817A8CAD2393}"
HKEY_CLASSES_ROOT\Interface\{924350BE-EC92-4ACE-97D7-006721346D23}\TypeLib
Version = "1.0"
HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html
{Default} = ""
HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html
CLSID = "{BA576CDE-9949-4473-A8F7-6C17C2A7E600}"
HKEY_CLASSES_ROOT\TypeLib\{2383594E-4C4B-46A0-BA6A-817A8CAD2393}\1.0
{Default} = "Fseytdc 1.0 Type Library"
HKEY_CLASSES_ROOT\TypeLib\{2383594E-4C4B-46A0-BA6A-817A8CAD2393}\1.0\0\win32
{Default} = "%System%\wdc1n.dll"
HKEY_CLASSES_ROOT\TypeLib\{2383594E-4C4B-46A0-BA6A-817A8CAD2393}\1.0\FLAGS
{Default} = "0"
HKEY_CLASSES_ROOT\TypeLib\{2383594E-4C4B-46A0-BA6A-817A8CAD2393}\1.0\HELPDIR
{Default} = "%System%\"
HKEY_LOCAL_MACHINE\SOFTWARE\qI9nJ
BN3FLm1rP = "20051"
HKEY_LOCAL_MACHINE\SOFTWARE\qI9nJ
Vsevu3l = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Fseytdc.Ariaqudok
{Default} = "Ariaqudok Class"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Fseytdc.Ariaqudok\CLSID
{Default} = "{BA576CDE-9949-4473-A8F7-6C17C2A7E600}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Fseytdc.Ariaqudok.1
{Default} = "Ariaqudok Class"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Fseytdc.Ariaqudok.1\CLSID
{Default} = "{BA576CDE-9949-4473-A8F7-6C17C2A7E600}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Fseytdc.Yvakt
{Default} = "Yvakt Class"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Fseytdc.Yvakt\CLSID
{Default} = "{0DEADE31-9A37-48B2-921A-7825EA93D32A}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Fseytdc.Yvakt.1
{Default} = "Yvakt Class"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Fseytdc.Yvakt.1\CLSID
{Default} = "{0DEADE31-9A37-48B2-921A-7825EA93D32A}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0DEADE31-9A37-48B2-921A-7825EA93D32A}
{Default} = "Yvakt Class"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0DEADE31-9A37-48B2-921A-7825EA93D32A}\InprocServer32
{Default} = "%System%\wdc1n.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0DEADE31-9A37-48B2-921A-7825EA93D32A}\InprocServer32
ThreadingModel = "Apartment"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0DEADE31-9A37-48B2-921A-7825EA93D32A}\ProgID
{Default} = "Fseytdc.Yvakt.1"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0DEADE31-9A37-48B2-921A-7825EA93D32A}\VersionIndependentProgID
{Default} = "Fseytdc.Yvakt"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BA576CDE-9949-4473-A8F7-6C17C2A7E600}
{Default} = "Ariaqudok Class"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BA576CDE-9949-4473-A8F7-6C17C2A7E600}\InprocServer32
{Default} = "%System%\wdc1n.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BA576CDE-9949-4473-A8F7-6C17C2A7E600}\InprocServer32
ThreadingModel = "both"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BA576CDE-9949-4473-A8F7-6C17C2A7E600}\ProgID
{Default} = "Fseytdc.Ariaqudok.1"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BA576CDE-9949-4473-A8F7-6C17C2A7E600}\VersionIndependentProgID
{Default} = "Fseytdc.Ariaqudok"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{924350BE-EC92-4ACE-97D7-006721346D23}
{Default} = "IYvakt"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{924350BE-EC92-4ACE-97D7-006721346D23}\ProxyStubClsid
{Default} = "{00020424-0000-0000-C000-000000000046}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{924350BE-EC92-4ACE-97D7-006721346D23}\ProxyStubClsid32
{Default} = "{00020424-0000-0000-C000-000000000046}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{924350BE-EC92-4ACE-97D7-006721346D23}\TypeLib
{Default} = "{2383594E-4C4B-46A0-BA6A-817A8CAD2393}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{924350BE-EC92-4ACE-97D7-006721346D23}\TypeLib
Version = "1.0"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html
{Default} = ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html
CLSID = "{BA576CDE-9949-4473-A8F7-6C17C2A7E600}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FFjTq
DisplayName = "Quicklinks"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FFjTq
UninstallString = ""%System%\acwfs4t2.exe" -G8Fq"
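The entry above shows two persistence paths that a defender should check together: the BHO registration under the Explorer key (loaded by the browser at startup) and the pluggable MIME filter on PROTOCOLS\Filter\text/html (every HTML response is routed through the CLSID named there), plus the Run value and the Uninstall entry from the same installation routine. The following read-only audit script is an added example, not code from the Trend Micro entry; it uses only the keys, CLSIDs and file names listed on this page and assumes a 32-bit view of the registry (on 64-bit Windows a 32-bit BHO may instead sit under the WOW6432Node branch).

```powershell
# Added example: audit a host for the ADWARE_BHOT_QUICKLINKS registry and file footprint
# described in this entry. Read-only; it reports findings and changes nothing.
$BhoClsid    = '{0DEADE31-9A37-48B2-921A-7825EA93D32A}'   # "Yvakt Class", registered as a BHO
$FilterClsid = '{BA576CDE-9949-4473-A8F7-6C17C2A7E600}'   # "Ariaqudok Class", text/html MIME filter
$Findings = @()

# 1. BHO registration: Internet Explorer loads every CLSID listed under this key.
$bhoKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$BhoClsid"
if (Test-Path $bhoKey) { $Findings += "BHO registered: $bhoKey" }

# 2. Pluggable MIME filter: the CLSID value here receives every text/html response.
$filterKey = 'Registry::HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html'
if (Test-Path $filterKey) {
    $clsid = (Get-ItemProperty -Path $filterKey -ErrorAction SilentlyContinue).CLSID
    if ($clsid -eq $FilterClsid) { $Findings += "text/html MIME filter points to $clsid" }
}

# 3. Resolve which DLL backs each CLSID (the entry lists %System%\wdc1n.dll for both).
foreach ($c in $BhoClsid, $FilterClsid) {
    $srv = "Registry::HKEY_CLASSES_ROOT\CLSID\$c\InprocServer32"
    if (Test-Path $srv) {
        $dll = (Get-ItemProperty -Path $srv).'(default)'
        $Findings += "CLSID $c is served by $dll"
    }
}

# 4. Run value and Uninstall entry created by the same installation routine.
$run = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['NJv7jy']) { $Findings += "Run value NJv7jy = $($run.NJv7jy)" }
$unins = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FFjTq'
if (Test-Path $unins) { $Findings += "Uninstall entry present: $((Get-ItemProperty $unins).DisplayName)" }

# 5. Dropped files in the system folder (%System% in the entry).
foreach ($f in 'acwfs4t2.exe', 'f50i.tcp', 'wdc1n.dll') {
    $p = Join-Path $env:SystemRoot "System32\$f"
    if (Test-Path $p) { $Findings += "Dropped file present: $p" }
}

if ($Findings) { $Findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'No ADWARE_BHOT_QUICKLINKS indicators found.' }
```

A DLL that both serves a BHO and is wired in as the text/html MIME filter is a strong signal on its own; check the InprocServer32 target of any unfamiliar CLSID under PROTOCOLS\Filter even when the specific GUIDs above are absent.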