Analysis by: Jimelle Monteser

ALIASES:

Adware.Adpopup (Norton), AdWare.MSIL.Agent.bm (Kaspersky), Trojan:MSIL/Spacekito.A (Microsoft)

 PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Adware

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW

Infection Channel: Downloaded from the Internet, Dropped by other malware

This adware may arrive bundled with malware packages as a malware component. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It may be manually installed by a user.

It does not have any propagation routine.

It does not have any backdoor routine.

It does not have any information-stealing capability.

It comes with an uninstall package that completely removes the files it dropped and the registry entries it created. However, as of this writing, the sites it connects to are inaccessible.

  TECHNICAL DETAILS

File Size: 296,192 bytes
File Type: EXE
Memory Resident: Yes
Initial Samples Received Date: 07 Oct 2013
Payload: Connects to URLs/IPs

Arrival Details

This adware may arrive bundled with malware packages as a malware component.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It may be manually installed by a user.

Installation

This adware drops the following file(s)/component(s):

  • %Program Files%\InsideTool\InsideTool.dll - also detected as ADW_ADPOPUP
  • %Program Files%\InsideTool\InsideTool.exe - also detected as ADW_ADPOPUP
  • %Program Files%\InsideTool\Uninstall.exe - also detected as ADW_ADPOPUP

(Note: %Program Files% is the Program Files folder, usually C:\Program Files on all Windows versions, or C:\Program Files (x86) for 32-bit applications running on 64-bit Windows.)

Autostart Technique

This adware registers itself as a system service to ensure its automatic execution at every system startup by adding the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\srvPlgProtect
Type = "10"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\srvPlgProtect
Start = "2"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\srvPlgProtect
ErrorControl = "1"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\srvPlgProtect
ImagePath = "{malware path}\{malware file name}.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\srvPlgProtect
DisplayName = "Protect your browser's extensions"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\srvPlgProtect
ObjectName = "LocalSystem"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\srvPlgProtect
Description = "Protect your browser's extensions"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\srvPlgProtect\Security
Security = "{random values}"

It adds the following registry entry to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
InsideTool = "%Program Files%\InsideTool\InsideTool.exe"

It adds the following registry entries to register its DLL as the in-process COM server for the CLSID below; this is how the Browser Helper Object registration that follows resolves to the dropped DLL. HKEY_CLASSES_ROOT\CLSID is a merged view of HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID, so both entries reflect the same registration:

HKEY_CLASSES_ROOT\CLSID\{0B3B9D03-5E08-4E48-BF77-FC88443F3DC2}\
InprocServer32
Default = "%Program Files%\InsideTool\InsideTool.dll"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{0B3B9D03-5E08-4E48-BF77-FC88443F3DC2}\InprocServer32
Default = "%Program Files%\InsideTool\InsideTool.dll"

It adds the following registry key to install itself as a Browser Helper Object (BHO), so that Internet Explorer loads InsideTool.dll into every browser instance it starts:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Browser Helper Objects\{0B3B9D03-5E08-4E48-BF77-FC88443F3DC2}

It registers as a system service to ensure its automatic execution at every system startup by adding the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\srvPlgProtect

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\srvPlgProtect\Security
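The three autostart hooks described above (the srvPlgProtect service, the Run value and the BHO/CLSID registration) can be audited from an elevated PowerShell prompt. The script below is an added example and is not part of the Trend Micro write-up; the CLSID, service name, Run value and file names are taken from the write-up, while the function names and the Wow6432Node paths (where a 32-bit DLL registers on 64-bit Windows, which the write-up does not list) are this example's own additions. The BHO enumeration is general: it lists every registered BHO, resolves each CLSID to the DLL Internet Explorer will load and checks the DLL's Authenticode signature, so it flags unsigned or missing BHO DLLs beyond this one sample.

```powershell
# Added example (not part of the Trend Micro write-up): audit a host for the autostart
# footprint of ADW_ADPOPUP. Run from an elevated PowerShell prompt on Windows.
# The CLSID, service name, Run value and file names come from the write-up; helper
# names and the Wow6432Node paths are this example's own assumptions.

$KnownBhoClsid = '{0B3B9D03-5E08-4E48-BF77-FC88443F3DC2}'
$KnownService  = 'srvPlgProtect'
$KnownRunValue = 'InsideTool'

# On 64-bit Windows a 32-bit DLL registers in the 32-bit registry view (Wow6432Node).
# The write-up lists only the native-view paths, so both views are checked here.
$BhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$ClsidRoots = @('HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Wow6432Node\Classes\CLSID')

function Get-RegisteredBho {
    # Enumerate every BHO CLSID, resolve it to the DLL Internet Explorer will load,
    # and check that DLL's Authenticode signature. Any BHO whose DLL is unsigned or
    # missing deserves a look, not only the known CLSID.
    foreach ($key in $BhoKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem -Path $key) {
            $clsid = $sub.PSChildName
            $dll = $null
            foreach ($root in $ClsidRoots) {
                $inproc = Join-Path $root "$clsid\InprocServer32"
                if (Test-Path $inproc) {
                    $v = (Get-ItemProperty -Path $inproc).'(default)'
                    if ($v) { $dll = $v.Trim('"') }
                    break
                }
            }
            $status = if ($dll -and (Test-Path $dll)) {
                (Get-AuthenticodeSignature -FilePath $dll).Status.ToString()
            } else { 'DllMissing' }
            [pscustomobject]@{
                CLSID     = $clsid
                Dll       = $dll
                Signature = $status
                KnownBad  = ($clsid -ieq $KnownBhoClsid)
                BhoKey    = $sub.Name
            }
        }
    }
}

function Get-SuspectService {
    # The service key as the write-up lists it: ImagePath is the dropper itself and
    # ObjectName is LocalSystem, so the adware runs with full SYSTEM rights at boot.
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$KnownService"
    if (-not (Test-Path $key)) { return $null }
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        Name       = $KnownService
        ImagePath  = $p.ImagePath
        Start      = $p.Start        # Windows: 2 = SERVICE_AUTO_START
        Type       = $p.Type         # Windows: 0x10 = SERVICE_WIN32_OWN_PROCESS
        ObjectName = $p.ObjectName
        State      = (Get-Service -Name $KnownService -ErrorAction SilentlyContinue).Status
    }
}

function Get-SuspectRunValue {
    $p = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' `
                          -Name $KnownRunValue -ErrorAction SilentlyContinue
    if ($p) { $p.$KnownRunValue }
}

function Get-DroppedFile {
    # Both Program Files folders, matching the %Program Files% note in the write-up.
    foreach ($base in @($env:ProgramFiles, ${env:ProgramFiles(x86)})) {
        if (-not $base) { continue }
        foreach ($name in 'InsideTool.dll', 'InsideTool.exe', 'Uninstall.exe') {
            $path = Join-Path $base "InsideTool\$name"
            if (Test-Path $path) { Get-Item $path | Select-Object FullName, Length, LastWriteTime }
        }
    }
}

$bhos = Get-RegisteredBho
$bhos | Format-Table CLSID, Dll, Signature, KnownBad -AutoSize
$bhos | Where-Object { $_.KnownBad -or $_.Signature -ne 'Valid' } |
    ForEach-Object { Write-Warning "Review BHO $($_.CLSID) -> $($_.Dll) [$($_.Signature)]" }
if ($svc = Get-SuspectService)  { Write-Warning "Service $KnownService is registered"; $svc | Format-List }
if ($run = Get-SuspectRunValue) { Write-Warning "Run value $KnownRunValue -> $run" }
Get-DroppedFile | Format-Table -AutoSize
```

Each function returns objects rather than text, so the same script can be pushed to many hosts with Invoke-Command and the results piped to Export-Csv. The file size in the write-up (296,192 bytes) applies to the sample analysed and should not be used as the only match criterion; the CLSID and service name are the stable indicators here.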

Other System Modifications

This adware adds the following registry keys:

HKEY_CLASSES_ROOT\InsideTool.InsideToolHelper

HKEY_CLASSES_ROOT\InsideTool.InsideToolHelper\CLSID

HKEY_CLASSES_ROOT\InsideTool.InsideToolHelper\CurVer

HKEY_CLASSES_ROOT\InsideTool.InsideToolHelper.1

HKEY_CLASSES_ROOT\InsideTool.InsideToolHelper.1\CLSID

HKEY_CLASSES_ROOT\CLSID\{0B3B9D03-5E08-4E48-BF77-FC88443F3DC2}

HKEY_CLASSES_ROOT\CLSID\{0B3B9D03-5E08-4E48-BF77-FC88443F3DC2}\
InprocServer32

HKEY_CLASSES_ROOT\CLSID\{0B3B9D03-5E08-4E48-BF77-FC88443F3DC2}\
ProgID

HKEY_CLASSES_ROOT\CLSID\{0B3B9D03-5E08-4E48-BF77-FC88443F3DC2}\
Programmable

HKEY_CLASSES_ROOT\CLSID\{0B3B9D03-5E08-4E48-BF77-FC88443F3DC2}\
TypeLib

HKEY_CLASSES_ROOT\CLSID\{0B3B9D03-5E08-4E48-BF77-FC88443F3DC2}\
VersionIndependentProgID

HKEY_CLASSES_ROOT\Interface\{59C24C84-694C-479E-9AB3-BDDA2BA14F41}

HKEY_CLASSES_ROOT\Interface\{59C24C84-694C-479E-9AB3-BDDA2BA14F41}\
ProxyStubClsid

HKEY_CLASSES_ROOT\Interface\{59C24C84-694C-479E-9AB3-BDDA2BA14F41}\
ProxyStubClsid32

HKEY_CLASSES_ROOT\Interface\{59C24C84-694C-479E-9AB3-BDDA2BA14F41}\
TypeLib

HKEY_CLASSES_ROOT\TypeLib\{FC8463FB-3031-4D1A-BEF0-6A139CCD7B83}

HKEY_CLASSES_ROOT\TypeLib\{FC8463FB-3031-4D1A-BEF0-6A139CCD7B83}\
1.0

HKEY_CLASSES_ROOT\TypeLib\{FC8463FB-3031-4D1A-BEF0-6A139CCD7B83}\
1.0\0

HKEY_CLASSES_ROOT\TypeLib\{FC8463FB-3031-4D1A-BEF0-6A139CCD7B83}\
1.0\0\win32

HKEY_CLASSES_ROOT\TypeLib\{FC8463FB-3031-4D1A-BEF0-6A139CCD7B83}\
1.0\FLAGS

HKEY_CLASSES_ROOT\TypeLib\{FC8463FB-3031-4D1A-BEF0-6A139CCD7B83}\
1.0\HELPDIR

HKEY_CURRENT_USER\Software\InsideTool

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
InsideTool.InsideToolHelper

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
InsideTool.InsideToolHelper\CLSID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
InsideTool.InsideToolHelper\CurVer

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
InsideTool.InsideToolHelper.1

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
InsideTool.InsideToolHelper.1\CLSID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{0B3B9D03-5E08-4E48-BF77-FC88443F3DC2}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{0B3B9D03-5E08-4E48-BF77-FC88443F3DC2}\InprocServer32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{0B3B9D03-5E08-4E48-BF77-FC88443F3DC2}\ProgID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{0B3B9D03-5E08-4E48-BF77-FC88443F3DC2}\Programmable

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{0B3B9D03-5E08-4E48-BF77-FC88443F3DC2}\TypeLib

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{0B3B9D03-5E08-4E48-BF77-FC88443F3DC2}\VersionIndependentProgID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{59C24C84-694C-479E-9AB3-BDDA2BA14F41}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{59C24C84-694C-479E-9AB3-BDDA2BA14F41}\ProxyStubClsid

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{59C24C84-694C-479E-9AB3-BDDA2BA14F41}\ProxyStubClsid32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{59C24C84-694C-479E-9AB3-BDDA2BA14F41}\TypeLib

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{FC8463FB-3031-4D1A-BEF0-6A139CCD7B83}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{FC8463FB-3031-4D1A-BEF0-6A139CCD7B83}\1.0

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{FC8463FB-3031-4D1A-BEF0-6A139CCD7B83}\1.0\
0

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{FC8463FB-3031-4D1A-BEF0-6A139CCD7B83}\1.0\
0\win32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{FC8463FB-3031-4D1A-BEF0-6A139CCD7B83}\1.0\
FLAGS

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{FC8463FB-3031-4D1A-BEF0-6A139CCD7B83}\1.0\
HELPDIR

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
InsideTool

Propagation

This adware does not have any propagation routine.

Backdoor Routine

This adware does not have any backdoor routine.

Information Theft

This adware does not have any information-stealing capability.

Other Details

This adware adds the following registry entries to add an uninstall option to the Control Panel:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
InsideTool
DisplayName = "InsideTool"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
InsideTool
UninstallString = "%Program Files%\InsideTool\Uninstall.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
InsideTool
NoModify = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
InsideTool
NoRepair = "1"

It connects to the following possibly malicious URLs:

  • insidetool.{BLOCKED}b.co.kr/update//InsideTool.ini
  • insidetool.{BLOCKED}b.co.kr/update.asp?version=&id&mac={id}&oldversion&iever={version}
  • www.{BLOCKED}b.co.kr/setting.dat

It comes with an uninstall package that completely removes the files it dropped and the registry entries it added. However, as of this writing, the sites listed above are inaccessible.

NOTES:

This adware accesses URLs categorized as the following:

  • Ringtones/mobile phone downloads - Sites that provide content for mobile devices, including ringtones, games, or videos
  • Software downloads - Sites dedicated to providing free, trial, or paid software downloads
  • Web advertisements - Sites dedicated to displaying advertisements, including sites used to display banner or popup ads

It does not have rootkit capabilities.

It does not exploit any vulnerability.

  SOLUTION

Minimum Scan Engine: 9.700
SSAPI PATTERN File: 1.460.05
SSAPI PATTERN Date: 21 Oct 2013

Step 1

Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.

Step 2

Identify and terminate files detected as ADW_ADPOPUP

  1. Windows Task Manager may not display all running processes. In this case, use a third-party process viewer, preferably Process Explorer from Microsoft Sysinternals, to terminate the malware/grayware/spyware file.
  2. If the detected file is displayed in either Windows Task Manager or Process Explorer but you cannot delete it, restart your computer in safe mode and repeat this step.
  3. If the detected file is not displayed in either Windows Task Manager or Process Explorer, continue with the next steps.

Because this adware also installs itself as the service srvPlgProtect, stop that service first (for example with net stop srvPlgProtect from an administrator command prompt) so that the service control manager does not keep the process running while you terminate it.

Step 3

Remove ADW_ADPOPUP by using its own Uninstall option

Open Add or Remove Programs (Programs and Features on Windows Vista and Windows 7) in the Control Panel, select the entry named InsideTool and uninstall it. This runs %Program Files%\InsideTool\Uninstall.exe, the uninstaller registered under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\InsideTool. Since Uninstall.exe is itself detected as ADW_ADPOPUP, your Trend Micro product may already have quarantined it; in that case continue with the next steps and remove the remaining entries manually.

Step 4

Delete this registry key

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how, or ask your system administrator for assistance; otherwise, read Microsoft's documentation on backing up and editing the registry before modifying it. Restart in safe mode before editing the registry so that the service and the BHO DLL are not loaded while their keys are removed; if the preceding step already required a safe-mode restart, stay in safe mode and proceed.

 
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
    • srvPlgProtect
  • In HKEY_CLASSES_ROOT
    • InsideTool.InsideToolHelper
    • InsideTool.InsideToolHelper.1
  • In HKEY_CLASSES_ROOT\CLSID
    • {0B3B9D03-5E08-4E48-BF77-FC88443F3DC2}
  • In HKEY_CLASSES_ROOT\Interface
    • {59C24C84-694C-479E-9AB3-BDDA2BA14F41}
  • In HKEY_CLASSES_ROOT\TypeLib
    • {FC8463FB-3031-4D1A-BEF0-6A139CCD7B83}
  • In HKEY_CURRENT_USER\Software
    • InsideTool
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes
    • InsideTool.InsideToolHelper
    • InsideTool.InsideToolHelper.1
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID
    • {0B3B9D03-5E08-4E48-BF77-FC88443F3DC2}
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface
    • {59C24C84-694C-479E-9AB3-BDDA2BA14F41}
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib
    • {FC8463FB-3031-4D1A-BEF0-6A139CCD7B83}
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
    • {0B3B9D03-5E08-4E48-BF77-FC88443F3DC2}
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
    • InsideTool

Step 5

Delete this registry value


Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • InsideTool = "%Program Files%\InsideTool\InsideTool.exe"

Step 6

Scan your computer with your Trend Micro product to delete files detected as ADW_ADPOPUP. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
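The manual part of the procedure above (Steps 2 to 5 plus the file deletion) as one PowerShell script, an added example that is not part of the Trend Micro write-up. Run it from an elevated prompt; it supports -WhatIf so every change can be previewed first. Service name, CLSIDs, key paths and file locations come from the write-up. The Wow6432Node mirrors and the HKEY_CURRENT_USER\Software\Classes copies are this example's own precautions (a 32-bit DLL registers in the 32-bit view on 64-bit Windows, and HKEY_CLASSES_ROOT is a merged view of the HKLM and HKCU Classes keys); the write-up does not list them. The script deliberately does not run the adware's own Uninstall.exe, which is itself detected as ADW_ADPOPUP, and removes the service through the service control manager rather than by deleting its registry key while it is running.

```powershell
# Added example (not part of the Trend Micro write-up): manual cleanup of ADW_ADPOPUP.
# Run from an elevated PowerShell prompt. Use -WhatIf to preview, -Verbose to trace.
# Names and paths are from the write-up; Wow6432Node and HKCU\Software\Classes paths
# are precautionary additions (assumption: a 32-bit DLL on 64-bit Windows).
[CmdletBinding(SupportsShouldProcess)]
param()

$Service = 'srvPlgProtect'
$Clsid   = '{0B3B9D03-5E08-4E48-BF77-FC88443F3DC2}'
$Iid     = '{59C24C84-694C-479E-9AB3-BDDA2BA14F41}'
$TypeLib = '{FC8463FB-3031-4D1A-BEF0-6A139CCD7B83}'
$Folders = @("$env:ProgramFiles\InsideTool")
if (${env:ProgramFiles(x86)}) { $Folders += "${env:ProgramFiles(x86)}\InsideTool" }

# Step 2: stop the service first so the SCM does not keep the process alive, then
# delete it through the SCM; sc.exe delete removes the Services key cleanly once the
# service has no open handles. Also close Internet Explorer, which hosts the BHO DLL.
if ($PSCmdlet.ShouldProcess($Service, 'Stop and delete service')) {
    Stop-Service -Name $Service -Force -ErrorAction SilentlyContinue
    sc.exe delete $Service | Out-Null
}
if ($PSCmdlet.ShouldProcess('InsideTool.exe, iexplore.exe', 'Terminate processes')) {
    Get-Process -Name InsideTool, iexplore -ErrorAction SilentlyContinue | Stop-Process -Force
}

# Step 4: registry keys. Deleting the HKLM (and HKCU) Classes copies also clears the
# HKEY_CLASSES_ROOT entries, because HKCR is a merged view of those two hives.
$Keys = foreach ($hive in 'HKLM:\SOFTWARE\Classes', 'HKLM:\SOFTWARE\Wow6432Node\Classes', 'HKCU:\SOFTWARE\Classes') {
    "$hive\InsideTool.InsideToolHelper"
    "$hive\InsideTool.InsideToolHelper.1"
    "$hive\CLSID\$Clsid"
    "$hive\Interface\$Iid"
    "$hive\TypeLib\$TypeLib"
}
$Keys += foreach ($sw in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node') {
    "$sw\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$Clsid"
    "$sw\Microsoft\Windows\CurrentVersion\Uninstall\InsideTool"
}
$Keys += 'HKCU:\Software\InsideTool'
$Keys += "HKLM:\SYSTEM\CurrentControlSet\Services\$Service"   # only if sc.exe delete left it behind

foreach ($k in $Keys) {
    if ((Test-Path $k) -and $PSCmdlet.ShouldProcess($k, 'Remove registry key')) {
        Remove-Item -Path $k -Recurse -Force
    }
}

# Step 5: the Run value.
$RunKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $RunKey -Name InsideTool -ErrorAction SilentlyContinue
if ($run -and $PSCmdlet.ShouldProcess("$RunKey\InsideTool", 'Remove registry value')) {
    Remove-ItemProperty -Path $RunKey -Name InsideTool
}

# Dropped files last, once nothing has the DLL loaded any more.
foreach ($f in $Folders) {
    if ((Test-Path $f) -and $PSCmdlet.ShouldProcess($f, 'Delete folder')) {
        Remove-Item -Path $f -Recurse -Force
    }
}
```

Two things the script cannot do for you: the service's ImagePath points at "{malware path}\{malware file name}.exe", the original dropper, whose location the write-up does not resolve, so that file is left to the product scan in Step 6; and Step 1 (disabling System Restore on Windows XP, Vista and 7) is still a manual action before the scan.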

