Updated: February 13, 2007 11:32:59 AM
Type: Adware
Version: 4.0
Publisher: CommonName
Risk Impact: Medium
File Names:
Winnet.exe
Comwiz.exe
Cnbabe.dll
Winik.sys
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
When Adware.CommonName is installed, it performs the following actions:
- Creates the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{046D6EA4-15E3-4b27-8010-45BD78A9219E}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5A5F9339-F6A5-4464-95E3-A00BCA6206E3}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{746CEE9E-7A1D-417f-9A35-804A0217268B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{3C7624D1-C414-4D1B-8FE9-52FA0558FB62}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C8FFABC6-B706-4278-9399-169DF9FBF37E}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{127ACE33-7EA8-45F0-8B55-EFE8B8068BEF}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\INetKW.Browser
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\INetKW.Browser.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\INetKW.Handler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\INetKW.Handler.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\INetKW.Helper
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\INetKW.Helper.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{046D6EA4-15E3-4b27-8010-45BD78A9219E}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\inetmgr
HKEY_LOCAL_MACHINE\SOFTWARE\Internet Keyword
HKEY_LOCAL_MACHINE\SOFTWARE\[RANDOM NAME]\User
HKEY_LOCAL_MACHINE\SOFTWARE\[RANDOM NAME]\App
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\[NAME SERVICE IS REGISTERED AS]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[NAME SERVICE IS REGISTERED AS]
HKEY_USERS\S-1-5-21-1960408961-507921405-725345543-500\Software\Internet Keyword
HKEY_USERS\S-1-5-21-1960408961-507921405-725345543-500\Software\[RANDOM NAME]\User
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Note: The [RANDOM NAME] variable in this and subsequent steps refers to different random names, not the same randomly chosen name every time.
- Adds the values:
"DisplayName" = "Internet Keyword"
"UninstallString" = "C:\Program Files\Internet Keyword\unins.exe"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Keyword
- Creates some of the following files and folders:
- C:\Program Files\CommonName
- C:\Program Files\Internet Keyword
- C:\Program Files\[RANDOM NAME]\babe.dat
- C:\Program Files\[RANDOM NAME]\cnml.exe
- C:\Program Files\[RANDOM NAME]\dfs.dat
- C:\Program Files\[RANDOM NAME]\exit.dat
- C:\Program Files\[RANDOM NAME]\[RANDOM NAME].dll
- C:\Program Files\[RANDOM NAME]\[RANDOM NAME].exe
- C:\Program Files\[RANDOM NAME]\[RANDOM NAME].exe
- C:\Program Files\[RANDOM NAME]\[RANDOM NAME].exe
- C:\Program Files\[RANDOM NAME]\obj.dat
- C:\Program Files\[RANDOM NAME]\profile.dat
- C:\Program Files\[RANDOM NAME]\url1.dat
- C:\Program Files\[RANDOM NAME]\url2.dat
- C:\Program Files\[RANDOM NAME]\url8.dat
- C:\Program Files\[RANDOM NAME]\url9.dat
- C:\Program Files\[RANDOM NAME]\urlx.dat
- C:\Program Files\[RANDOM NAME]\WINIK.SYS
- C:\Program Files\[RANDOM NAME]\[RANDOM NAME].dll
- C:\Program Files\[RANDOM NAME]\[RANDOM NAME].exe
- C:\WINDOWS\system32\[RANDOM NAME].ini
- C:\WINDOWS\system32\[RANDOM NAME].ini
- C:\WINDOWS\system32\[RANDOM NAME].ini
- May drop the following file, which is a rootkit component that hides the processes, registry subkeys, and files associated with this risk from the running system:
%System%\drivers\winik.sys
Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
- Displays advertisements when certain keywords are typed into a search engine. The advertised function of the component is that the user can type keywords instead of URLs to reach Web sites.
- Contacts the server www.commonname.com on TCP port 80, as well as other related Web sites, which are typically online gambling sites.
- Runs as a Browser Helper Object, so the adware component is loaded into Internet Explorer and is notified of the browser's activity, including the pages the user visits.
- May log Internet usage data without tying it to a unique identification number. In other words, this risk does not appear to log personally identifiable information.
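The registry subkeys, dropped files and persistence points listed above are enough to triage a host offline. The following Python script is an added example, not code from the original writeup or its publisher: it parses a registry export (the text produced by `reg export`) and a plain file listing captured from the suspect machine, and reports which of the writeup's indicators are present. The sample export and file list embedded in it are constructed for the demonstration; the InprocServer32 path for the CLSID and the random folder name xk3q9 are assumptions, not facts from the writeup.

```python
"""Offline triage for the Adware.CommonName indicators listed above.

Added example, not code from the original writeup or its publisher. Input is
a registry export (reg export HKLM hklm.reg; read it with encoding utf-16) and
a file listing (dir /s /b) captured from the suspect host; output is which of
the writeup's indicators appear. The sample export and file list at the bottom
are constructed; the InprocServer32 path and folder name xk3q9 are assumptions.
"""
import re

# Indicators taken from the writeup; GUIDs are compared case-insensitively.
GUIDS = {
    "{046D6EA4-15E3-4B27-8010-45BD78A9219E}", "{5A5F9339-F6A5-4464-95E3-A00BCA6206E3}",
    "{746CEE9E-7A1D-417F-9A35-804A0217268B}",  # CLSIDs (the first is also the BHO)
    "{3C7624D1-C414-4D1B-8FE9-52FA0558FB62}", "{C8FFABC6-B706-4278-9399-169DF9FBF37E}",  # Interfaces
    "{127ACE33-7EA8-45F0-8B55-EFE8B8068BEF}",  # TypeLib
}
PROGIDS = {"INETKW.BROWSER", "INETKW.HANDLER", "INETKW.HELPER"}  # ".1" variants handled below
RUN_VALUE = "INETMGR"
FILE_NAMES = {"winnet.exe", "comwiz.exe", "cnbabe.dll", "winik.sys", "cnml.exe", "babe.dat",
              "dfs.dat", "exit.dat", "obj.dat", "profile.dat", "url1.dat", "url2.dat",
              "url8.dat", "url9.dat", "urlx.dat"}
FOLDERS = ("\\program files\\commonname\\", "\\program files\\internet keyword\\")
GUID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)


def parse_reg_export(text):
    """Parse .reg text into {key_path: {value_name: data}} (single-line values only)."""
    keys, current = {}, None
    for line in (s.strip() for s in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = None if line.startswith("[-") else line[1:-1]  # [-key] is a deletion
            if current is not None:
                keys[current] = {}
        elif current is not None and line[:1] in ('"', "@"):
            name, _, data = line.partition("=")
            keys[current][name.strip('"')] = data.strip().strip('"').replace("\\\\", "\\")
    return keys


def scan_registry(reg_text):
    """Return (indicator, evidence) pairs for keys and values that match the writeup."""
    hits = []
    for key, values in parse_reg_export(reg_text).items():
        up = key.upper()
        leaf = up.rsplit("\\", 1)[-1]
        if any(g.upper() in GUIDS for g in GUID_RE.findall(key)):
            kind = "BHO registration" if "\\BROWSER HELPER OBJECTS\\" in up else "COM registration"
            hits.append((kind, f"{key} {values.get('@', '')}".rstrip()))
        if (leaf[:-2] if leaf.endswith(".1") else leaf) in PROGIDS:
            hits.append(("ProgID", key))
        if up.endswith("\\CURRENTVERSION\\RUN\\" + RUN_VALUE):  # listed as a subkey in the writeup
            hits.append(("Run persistence", key))
        for name, data in values.items():  # the usual form: a value under ...\Run
            if up.endswith("\\CURRENTVERSION\\RUN") and name.upper() == RUN_VALUE:
                hits.append(("Run persistence", f"{key}\\{name} = {data}"))
        if up.endswith("\\SOFTWARE\\INTERNET KEYWORD"):  # HKLM or any HKEY_USERS\<SID> hive
            hits.append(("Internet Keyword settings", key))
        if up.endswith("\\UNINSTALL\\INTERNET KEYWORD") or values.get("DisplayName", "").upper() == "INTERNET KEYWORD":
            hits.append(("Uninstall entry", f"{key} UninstallString={values.get('UninstallString', '?')}"))
    return hits


def scan_files(paths):
    """Return (indicator, path) pairs for listed paths that match the writeup."""
    hits = []
    for path in (p.strip() for p in paths):
        low = path.lower()
        name = low.rsplit("\\", 1)[-1]
        if name == "winik.sys":
            hits.append(("rootkit driver (hides files, keys, processes)", path))
        elif name in FILE_NAMES:
            hits.append(("dropped file", path))
        elif any(f in low + "\\" for f in FOLDERS):
            hits.append(("file in adware folder", path))
    return hits


def triage(reg_text, paths):
    """Run both scans; empty lists for both mean none of the indicators were seen."""
    return {"registry": scan_registry(reg_text), "files": scan_files(paths)}


# Constructed sample artefacts, not captured from a real host.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{046D6EA4-15E3-4b27-8010-45BD78A9219E}\InprocServer32]
@="C:\\Program Files\\Internet Keyword\\cnbabe.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\INetKW.Helper]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\INetKW.Helper.1]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{046D6EA4-15E3-4b27-8010-45BD78A9219E}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"inetmgr"="C:\\Program Files\\Internet Keyword\\winnet.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Keyword]
"DisplayName"="Internet Keyword"
"UninstallString"="C:\\Program Files\\Internet Keyword\\unins.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Example App]
"DisplayName"="Example App"
[HKEY_LOCAL_MACHINE\SOFTWARE\Internet Keyword]
"""
SAMPLE_FILES = [r"C:\Program Files\Internet Keyword\unins.exe", r"C:\Program Files\Internet Keyword\cnbabe.dll",
                r"C:\Program Files\xk3q9\babe.dat", r"C:\Program Files\xk3q9\cnml.exe",
                r"C:\Program Files\xk3q9\url1.dat", r"C:\WINDOWS\system32\drivers\winik.sys",
                r"C:\WINDOWS\system32\notepad.exe", r"C:\Program Files\Example App\app.exe"]

if __name__ == "__main__":
    for section, found in triage(SAMPLE_REG, SAMPLE_FILES).items():
        for kind, evidence in found:
            print(f"[{section}] {kind}: {evidence}")
```

Two caveats when using this against a real host. Because winik.sys hides the adware's files, registry subkeys and processes from the running system, an export and file listing taken on the live machine may omit exactly the artefacts being searched for; take them with the disk mounted offline, or compare the live view with one from a second tool, and treat a mismatch as evidence in itself. The HKEY_USERS SID in the writeup is the one from the analysis machine, so the script matches `\Software\Internet Keyword` under any hive rather than that specific SID.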