ADW_ELEX.A

This adware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This adware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This adware drops the following non-malicious files:

• %User Profile%\Application Data\{name}\msvcr100.dll
• %User Profile%\Application Data\{name}\System.dll
• %Program Files%\{name}\{config name}.ini

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.. %Program Files% is the Program Files folder, where it usually is C:\Program Files on all Windows operating system versions; C:\Program Files (x86) for 32-bit applications running on Windows 64-bit operating systems.)

It drops the following copies of itself into the affected system:

• %User Profile%\Application Data\{name}\{file name}.exe
• %Program Files%\{name}\{file name}.exe

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.. %Program Files% is the Program Files folder, where it usually is C:\Program Files on all Windows operating system versions; C:\Program Files (x86) for 32-bit applications running on Windows 64-bit operating systems.)

It creates the following folders:

• %User Profile%\Application Data\{name}
• %User Profile%\{name}
• %User Temp%\{random values}.tmp
• %Program Files%\{name}

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.. %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %Program Files% is the Program Files folder, where it usually is C:\Program Files on all Windows operating system versions; C:\Program Files (x86) for 32-bit applications running on Windows 64-bit operating systems.)

Autostart Technique

This adware adds and runs the following services:

• Service Name: {name}
• Display Name: {name}
• Start Type: SERVICE_AUTO_START
• Binary Pathname: "%User Profile%\Application Data\{name}\{file name}.exe" or "%Program Files%\{name}\{file name}.exe"

(Note: %Program Files% is the Program Files folder, where it usually is C:\Program Files on all Windows operating system versions; C:\Program Files (x86) for 32-bit applications running on Windows 64-bit operating systems.)

Other Details

This adware connects to the following possibly malicious URL:

• http://www.{BLOCKED}ch123.com/logic/z.php
• http://{BLOCKED}.{BLOCKED}oud.com/v4/sof-everything/{url path}
• http://www.{BLOCKED}3.com/inf/eve/SSFK?ver={version}
• http://{BLOCKED}.{BLOCKED}5.com/everything/up?{url path}
• http://www.{BLOCKED}lage.com/searchprotect/up?{url path}