Adware.IGetNet


Updated: February 13, 2007 11:33:07 AM
Type: Adware
Version: 4.0
Publisher: IGetNet
Risk Impact: High
File Names: Bho001.dll, Rsp001.dll, Winstart001.exe
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP


Adware.IGetNet is an adware program that has two components: one executable file and one Browser Helper Object. When this adware is executed, it does the following:
  1. Inserts the following files:

    • %System%\BHO001.dll
    • %System%\RSP001.dll
    • %System%\Winstart001.exe
    • %System%\Update_Com.DLL
    • %System%\NLNP13.exe
    • %Temp%\etherXXXXa01400

      Notes:
    • %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
    • %Temp% is a variable that refers to the Windows temporary folder. By default, this is C:\Windows\TEMP (Windows 95/98/Me/XP) or C:\WINNT\Temp (Windows NT/2000).

  2. Creates the following registry keys:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{730F2451-A3FE-4A72-938C-FC8A74F15978}
    HKEY_LOCAL_MACHINE\software\Classes\CLSID\{D5DE8D20-5BB8-11D1-A1E3-00A0C90F2731}
    HKEY_LOCAL_MACHINE\software\Classes\CLSID\{730F2451-A3FE-4A72-938C-FC8A74F15978}
    HKEY_LOCAL_MACHINE\software\Classes\CLSID\{676058E4-89BD-11D6-8A8C-0050BA8452C0}
    HKEY_LOCAL_MACHINE\software\Classes\BHO.clsUrlSearch
    HKEY_LOCAL_MACHINE\software\Classes\BHO.clsDockWindow
    HKEY_LOCAL_MACHINE\software\Classes\BHO.clslnetSpeak
    HKEY_LOCAL_MACHINE\software\Classes\Rsp.BizLgk

  3. Adds the value:

    "Winstart001.exe" = "%system%\Winstart001.exe –boot"

    to the registry key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    so that the adware runs when you start Windows.

  4. May create some of the following registry subkeys:

    HKEY_CLASSES_ROOT\CLSID\{60E78CAC-E9A7-4302-B9EE-8582EDE22FBF}
    HKEY_CLASSES_ROOT\Interface\{18333387-5082-4710-94DF-9600CF6B2D5B}
    HKEY_CLASSES_ROOT\Interface\{676058E3-89BD-11D6-8A8C-0050BA8452C0}
    HKEY_CLASSES_ROOT\Interface\{F94C0089-9394-4E44-B4EA-58DBA1F7B84E}
    HKEY_CLASSES_ROOT\Interface\{3c8cde30-d013-4093-b00e-adbc74f33315}
    HKEY_CLASSES_ROOT\TypeLib\{676058DB-89BD-11D6-8A8C-0050BA8452C0}
    HKEY_CLASSES_ROOT\TypeLib\{974CC25E-D62C-4278-84E6-A806726E37BC}
    HKEY_CLASSES_ROOT\TypeLib\{ACBA087F-1547-41DE-8E9E-3F0963CE4BEF}

  5. Modifies the Hosts file with the following text:

    216.177.73.139 auto.search.msn.com
    216.177.73.139 search.netscape.com
    216.177.73.139 Ieautosearch

  6. Causes the browser to go to the IP address, 216.177.73.139, when any of the following domain names are entered:

    • auto.search.msn.com
    • search.netscape.com
    • Ieautosearch

      Note: The IP address, 216.177.73.139, belongs to the server for www.igetnet.com.

  7. Checks IGetNet.com when a search is entered in the Web browser to see if the keyword has been paid for by an advertiser.

  8. Redirects the browser to the advertiser that paid for the keyword. If the keyword entered is not a paid-for keyword, the browser is redirected to the search page to which it initially tried to go.
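
A check for the Hosts file changes in steps 5 and 6, as an added example that is not part of the original write-up: it parses hosts-file text and flags any name mapped to 216.177.73.139 and, as a generalization beyond the page, any of the three listed names mapped to another non-loopback address. The function names and the sample file are constructed for illustration.

```python
import ipaddress

# Indicators taken from the write-up above.
IGETNET_IP = "216.177.73.139"
HIJACKED_NAMES = {"auto.search.msn.com", "search.netscape.com", "ieautosearch"}

# Constructed sample input, not taken from a real machine.
SAMPLE_HOSTS = """\
# Constructed sample hosts file
127.0.0.1       localhost
216.177.73.139  auto.search.msn.com
216.177.73.139 search.netscape.com   # trailing comment
216.177.73.139 Ieautosearch
0.0.0.0         search.netscape.com
203.0.113.7     AUTO.SEARCH.MSN.COM
"""

def parse_hosts(text):
    """Yield (line_no, ip_object, [lowercased hostnames]) per mapping line."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # strip comments, split on whitespace
        if len(fields) < 2:
            continue  # blank, comment-only, or address without a name
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not a valid address
        yield line_no, ip, [h.lower().rstrip(".") for h in fields[1:]]

def find_igetnet_entries(text):
    """Return (line_no, ip, hostname, reason) for each suspicious mapping."""
    findings = []
    for line_no, ip, names in parse_hosts(text):
        blocked = ip.is_loopback or ip.is_unspecified  # 127.x / 0.0.0.0 blocklist style
        for name in names:
            if str(ip) == IGETNET_IP:
                findings.append((line_no, str(ip), name, "maps to IGetNet server"))
            elif name in HIJACKED_NAMES and not blocked:
                # Generalization: same names redirected to a different address.
                findings.append((line_no, str(ip), name, "search host overridden"))
    return findings

if __name__ == "__main__":
    for finding in find_igetnet_entries(SAMPLE_HOSTS):
        print("line %d: %s %s (%s)" % finding)
```

Run it against a copy of the Hosts file collected from the machine under examination by passing the file's text to `find_igetnet_entries`.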

