Updated: February 13, 2007 11:47:38 AM
Type: Adware
Publisher: http://www.fullcontext.net
Risk Impact: Medium
File Names:
FCHelp.exe
FCHelp.dll
FCMan.exe
FCplugin.dll
setup.exe
patterns.dat
Systems Affected: Windows 2000, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
When Adware.FCHelp is executed, it performs the following actions:
- May create the following files:
- %CurrentFolder%\FCHelp.exe
- %CurrentFolder%\FCHelp.dll
- %CurrentFolder%\patterns.dat (A non-malicious file.)
- %CurrentFolder%\setup.exe
- %ProgramFiles\FCMan\FCMan.exe
- %ProgramFiles\FCMan\FCPlugin.dll
- %ProgramFiles\FCMan\Uninstall.exe (A non-malicious file.)
Note:
- %CurrentFolder% is a variable that refers to the folder where the risk was originally executed.
- %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
- Creates the following registry subkeys and adds a number of values under these subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID
\{994D478A-2BD0-4DB4-288B1E346E99}
HKEY_LOCAL_MACHINE\SOFTWARE\TypeLib
\{1B8B502E-465B-4022-BE4F-FB6D9F808A18}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html
HKEY_CURRENT_USER\Software\FCMan
- Adds the value
"FCMan" = "%ProgramFiles%\FCMan\FCMan.exe"
to the registry subkey:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
so that the risk runs every time Windows starts.
- Displays advertisements and attempts to connect to the following Web site:
[http://]www.fullcontext.net/[REMOVED]
Technorati
Digg
Delicious
Reddit
StumbleUpon
Facebook
Yahoo
Twitter
Faves
Newsvine
