||||
Symantec.com > Security Response > Threats and Risks > Adware.Savenow
PRINT THIS PAGE

Adware.Savenow

Printer Friendly Page

Updated: February 13, 2007 11:32:37 AM
Type: Adware
Version: 2.1
Publisher: WhenU
Risk Impact: Low
File Names: Save.exe VVSN.exe xplus.exe savenow.exe WUInst.dll
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP


When Adware.Savenow is executed, it does the following:
  1. Creates the following files:

    • %ProgramFiles%\Save\Save.exe
    • %ProgramFiles%\Save\Save.html
    • %ProgramFiles%\Save\Readme.txt
    • %ProgramFiles%\Save\SaveUninst.exe
    • %ProgramFiles%\VVSN\VVSN.exe
    • %ProgramFiles%\SaveNow\Readme.txt
    • %ProgramFiles%\SaveNow\SaveNow.exe
    • %ProgramFiles%\SaveNow\SaveNow.htm
    • %ProgramFiles%\SaveNow\Uninst.exe
    • %ProgramFiles%\Xtractor Plus\hh.html
    • %ProgramFiles%\Xtractor Plus\readme.txt
    • %ProgramFiles%\Xtractor Plus\unins000.dat
    • %ProgramFiles%\Xtractor Plus\unins000.exe
    • %ProgramFiles%\Xtractor Plus\xp.exe
    • %ProgramFiles%\Xtractor Plus\Xplus.CNT
    • %ProgramFiles%\Xtractor Plus\XPLUS.HLP
    • %System%\CCRPFTV6.OCX
    • %System%\SSubTmr.dll
    • %System%\TABCTL32.OCX
    • %System%\UNACE.DLL
    • %System%\UNRAR.dll
    • %System%\Unzip32.dll
    • %Windir%\hh.ico
    • %Windir%\hhs.url
    • %Windir%\Downloaded Program Files\WUInst.dll
    • %UserProfile%\Start Menu\Programs\WhenU\Learn More About Save!.url
    • %UserProfile%\Start Menu\Programs\WhenU\Learn More About SaveNow.url
    • %UserProfile%\Start Menu\Programs\WhenU\WhenU.com Website.url

      Note:
    • %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
    • %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
    • %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

  2. Adds the values:

    "VVSN" = "%ProgramFiles%\VVSN\VVSN.exe"
    "SaveNow" = "%ProgramFiles%\SaveNow\SaveNow.exe    "
    "WhenUSave" = "%ProgramFiles%\Save\Save.exe"

    to one or more of the following registry subkeys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the adware runs every time Windows starts.

  3. Creates the following registry subkeys:

    HKEY_LOCAL_MACHINE\SOFTWARE\WhenUSave
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SaveNow
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\    WhenUSaveMsg
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Xtractor Plus_is1
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Free Software
    HKEY_CLASSES_ROOT\WUSN.1
    HKEY_CLASSES_ROOT\CLSID\{E2F2B9D0-96B9-4B25-B90C-636ECB207D18}
  4. Contacts a server at the whenu.com domain and downloads and displays advertisements.

  5. Tracks Internet browsing habits. However, the collected information is not submitted to the server. It is stored locally on the computer and used to determine which advertisements should be displayed.


Search by name
Example: W32.Beagle.AG@mm
Limited Time Offers! Save up to 50%
Windows Vista Security
©1995 - 2009 Symantec Corporation
Site Map|
Legal Notices|
Privacy Policy|
|
Contact Us|
Global Sites|
License Agreements|
RSS