Adware.Cydoor

Updated: February 13, 2007 11:33:05 AM
Type: Adware
Version: 2.0
Publisher: Cydoor Technologies
Risk Impact: Medium
File Names: cd_clint.dll, cd_load.exe, cd_install_336.exe, cd_htm.dll, cd_Install_2022.exe
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP

Adware.Cydoor is an adware program that displays advertisements. When Adware.Cydoor is executed, it performs the following actions:
  1. May create some of the following files:

    • %System%\Cd_clint.dll
    • %System%\Cd_load.exe
    • %System%\cd_htm.dll

      Note:
      %System% is a variable. The adware component locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

  2. May create some of the following registry keys:
    HKEY_USERS\.DEFAULT\Software\Cydoor
    HKEY_USERS\.DEFAULT\Software\Cydoor Services
    HKEY_CURRENT_USER\Software\Cydoor
    HKEY_CURRENT_USER\Software\Cydoor Services
    HKEY_LOCAL_MACHINE\Software\Cydoor
    HKEY_LOCAL_MACHINE\Software\Cydoor Services
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AdSupport_291
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AdSupport_202
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AdSupport_336


Adware.Cydoor is usually installed by other programs. It does not add a registry value to launch itself at startup. Instead, the program that installed it launches it whenever that program starts, and then uses Adware.Cydoor to download and display advertisements.

The Cd_load.exe file is installed only when the program that installed Adware.Cydoor does not require an Internet connection to function. This file is used only to check for active Internet connections. The Cd_clint.dll file contains all the functionality.

When Adware.Cydoor is launched after installation, it contacts the server www.rgs[?].net (in which [?] is a number between 1 and 4) on port 80. However, it is not limited to this server. The adware can receive a list of other servers from this initial server and connect to them instead. These are advertisement servers, and it is from them that Adware.Cydoor retrieves the advertisements.
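
The following is an added example, not part of the original writeup or any vendor tool: a Python matcher that checks exported inventory records against the files, registry keys, and initial-server pattern listed above. The (kind, value) record format, the function names, and the sample records are assumptions made for illustration, and file matching assumes the default %System% locations given in the note.

```python
import ntpath
import re

# Indicators copied from the writeup above, lower-cased for comparison.
FILE_NAMES = {"cd_clint.dll", "cd_load.exe", "cd_htm.dll"}
SYSTEM_DIRS = {r"c:\windows\system", r"c:\winnt\system32", r"c:\windows\system32"}
ROOTS = (r"hkey_users\.default", "hkey_current_user", "hkey_local_machine")
UNINSTALL = r"hkey_local_machine\software\microsoft\windows\currentversion\uninstall"
REG_KEYS = {"\\".join((root, "software", name))
            for root in ROOTS for name in ("cydoor", "cydoor services")}
REG_KEYS |= {UNINSTALL + "\\adsupport_" + n for n in ("291", "202", "336")}
AD_HOST = re.compile(r"www\.rgs[1-4]\.net", re.IGNORECASE)  # www.rgs[?].net, [?] = 1..4
HIVE_ALIASES = {"hklm": "hkey_local_machine", "hkcu": "hkey_current_user",
                "hku": "hkey_users"}

def match_file(path):
    """True if a listed file name sits in a default %System% folder."""
    folder, name = ntpath.split(path.strip().lower().replace("/", "\\"))
    return name in FILE_NAMES and folder.rstrip("\\") in SYSTEM_DIRS

def match_key(key):
    """True if the key is a listed registry key or a subkey of one."""
    hive, _, rest = key.strip().rstrip("\\").lower().partition("\\")
    full = HIVE_ALIASES.get(hive, hive) + "\\" + rest
    return any(full == k or full.startswith(k + "\\") for k in REG_KEYS)

def match_host(host):
    """True if the host name fits the initial-server pattern from the writeup."""
    return AD_HOST.fullmatch(host.strip().rstrip(".")) is not None

def scan(records):
    """Return the (kind, value) records that match an indicator."""
    checks = {"file": match_file, "reg": match_key, "host": match_host}
    return [(kind, value) for kind, value in records if checks[kind](value)]

# Constructed inventory records (not real telemetry).
SAMPLE = [
    ("file", r"C:\WINNT\System32\Cd_clint.dll"),
    ("file", r"C:\Program Files\App\cd_load.exe"),  # not in %System%: no match
    ("reg", r"HKCU\Software\Cydoor Services"),
    ("reg", r"HKLM\Software\CydoorTools"),          # different key name: no match
    ("reg", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AdSupport_336"),
    ("host", "www.rgs3.net"),
    ("host", "www.rgs7.net"),                       # outside 1..4: no match
]

if __name__ == "__main__":
    for kind, value in scan(SAMPLE):
        print(f"{kind:4}  {value}")
```

Because the adware can be redirected to other advertisement servers by the initial one, a host with no match on the server pattern is not cleared by that alone; the file and registry checks carry more weight.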
