When Adware.Wurldmedia is installed, it performs the following actions:
- Creates some of the following registry subkeys:
HKEY_CLASSES_ROOT\CLSID\{2737A6C0-7E24-11D7-B299-00E0297E0844}
HKEY_CLASSES_ROOT\CLSID\{3A279869-C6B6-4410-A041-0435DE6AD916}
HKEY_CLASSES_ROOT\CLSID\{40AC4D2D-491D-11D4-AAF2-0008C75DCD2B}
HKEY_CLASSES_ROOT\CLSID\{525BBD23-1863-46C6-86D6-5F9A3715D44E}
HKEY_CLASSES_ROOT\CLSID\{8E9C4F32-BD3F-4C49-9AF5-3F4C5D32EBD7}
HKEY_CLASSES_ROOT\CLSID\{CDBCFEAE-10BA-482C-9F6E-FC67207082D8}
HKEY_CLASSES_ROOT\CLSID\{91F3FA55-75D6-402A-B230-5C8DF44B129A}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AEB3079E-DAA6-4630-BA90-C0C2D577B8F9}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1E66FF91-F081-49BF-ACCA-8940B9153B2C}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{9B33CD1D-69DC-4853-B830-83CAA8A1F1AF}
HKEY_CLASSES_ROOT\Interface\{EBFE289D-D490-40A1-A5B7-201149EF06D3}
HKEY_CLASSES_ROOT\TypeLib\{C691047B-6C40-4A4E-8313-600C2A1EBB57}
HKEY_CLASSES_ROOT\Tchk.TChkBHO
HKEY_CLASSES_ROOT\Tchk.TChkBHO.1
HKEY_LOCAL_MACHINE\SOFTWARE\FENX
HKEY_ALL_USERS\software\Wurld Media
HKEY_LOCAL_MACHINE\Software\mircosoft\windows\currentversion\explorer\browser helper objects\{91F3FA55-75D6-402A-B230-5C8DF44B129A}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AEB3079E-DAA6-4630-BA90-C0C2D577B8F9}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{91F3FA55-75D6-402A-B230-5C8DF44B129A}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AEB3079E-DAA6-4630-BA90-C0C2D577B8F9}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{65AEB02A-946C-40DE-AA5E-281AA9ADCE0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A83E42B1-1AE7-4CE6-B128-AB0F4A126B2C}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{48F35889-7F47-4A93-8876-7AB20324E5D7}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Mobho.IEHlprObj
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Mobho.IEHlprObj.1
HKEY_LOCAL_MACHINE\SOFTWARE\morp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{65AEB02A-946C-40DE-AA5E-281AA9ADCE0E}
- May add some of the following files:
%System%\mo[RANDOM CHARACTERS].dat
%System%\mo[RANDOM CHARACTERS].de
Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
- Tracks websites visited and sends details to a remote server.
Note: This security risk can track your visits to those Web sites that are listed in the encoded file msc[RANDOM NUMBER].de. It will then append a unique ID and resend the information to a controlling server. It can also connect to a server to download and execute arbitrary code.
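The subkey list above can be checked offline against a registry export taken from a suspect machine. The following is an added example, not part of the original write-up: the function names and the sample export are constructed for illustration, the input is assumed to be text in `reg export` format, and HKEY_CLASSES_ROOT is treated as HKEY_LOCAL_MACHINE\SOFTWARE\Classes only (a simplification that ignores per-user class registrations).

```python
import re

# Subset of the subkeys listed above, copied as published.
INDICATORS = [
    r"HKEY_CLASSES_ROOT\CLSID\{91F3FA55-75D6-402A-B230-5C8DF44B129A}",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AEB3079E-DAA6-4630-BA90-C0C2D577B8F9}",
    r"HKEY_CLASSES_ROOT\Tchk.TChkBHO",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\morp",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer"
    r"\Browser Helper Objects\{65AEB02A-946C-40DE-AA5E-281AA9ADCE0E}",
]
ALIASES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCR": "HKEY_CLASSES_ROOT"}

def normalize(key):
    """Full hive name, HKCR folded into HKLM\\SOFTWARE\\Classes, lower case."""
    hive, _, rest = key.strip().partition("\\")
    hive = ALIASES.get(hive.upper(), hive.upper())
    if hive == "HKEY_CLASSES_ROOT":
        # Assumption: treat HKCR as the machine-wide class store only.
        hive, rest = "HKEY_LOCAL_MACHINE", "SOFTWARE\\Classes\\" + rest
    return (hive + "\\" + rest).lower().rstrip("\\")

def scan_export(reg_text, indicators=INDICATORS):
    """Return exported keys that equal, or sit beneath, a listed subkey."""
    wanted = [normalize(i) for i in indicators]
    hits = []
    for match in re.finditer(r"^\[(.+)\]\s*$", reg_text, re.MULTILINE):
        key = normalize(match.group(1))
        # Compare whole path components so SOFTWARE\Morpheus != SOFTWARE\morp.
        if any(key == w or key.startswith(w + "\\") for w in wanted):
            hits.append(match.group(1))
    return hits

# Constructed sample in `reg export` format; example.dll is a placeholder.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{91f3fa55-75d6-402a-b230-5c8df44b129a}\InprocServer32]
@="C:\\WINDOWS\\system32\\example.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Morpheus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{65AEB02A-946C-40DE-AA5E-281AA9ADCE0E}]

[HKEY_CLASSES_ROOT\Tchk.TChkBHO\CLSID]
"""

if __name__ == "__main__":
    for hit in scan_export(SAMPLE_EXPORT):
        print("match:", hit)
```

Matching on whole path components keeps an unrelated key such as the constructed SOFTWARE\Morpheus entry from being reported against the listed SOFTWARE\morp subkey.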