Adware.PurityScan

Updated: June 21, 2007 12:14:08 PM
Type: Adware
Publisher: Outerinfo; outerinfo.com
Risk Impact: Medium
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

Due to the self-updating nature of Adware.PurityScan, this information is liable to change as new versions of the Adware are published.

When Adware.PurityScan is executed, it adds itself to the following location:
%UserProfile%\Start Menu\Programs\Purity Scan

Next, the program may create the following files (possibly with the first and/or second letters replaced with a question mark):


Next, the program may create one or more of the following registry entries so that it executes whenever Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Content Service" = %System%\winserv[LETTER].exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"twhe" = %Windir%\Application Data\wbta.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Ussi" = %Windir%\Application Data\rwsa.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Ussi" = "%System%\wnscpit.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Oesi" = "%SystemDrive%\Documents and Settings\[USER NAME]\Application Data\srts.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Eech" = "%SystemDrive%\Documents and Settings\[USER NAME]\Application Data\hoor.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"WNSI" = "%SystemDrive%\Documents and Settings\[USER NAME]\Application Data\rwsa.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Esph" = "%SystemDrive%\Documents and Settings\[USER NAME]\Application Data\ortu.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Content Service" = %System%\winserv[LETTER].exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"twhe" = %Windir%\Application Data\wbta.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Ussi" = %Windir%\Application Data\rwsa.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Ussi" = "%System%\wnscpit.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Oesi" = "%SystemDrive%\Documents and Settings\[USER NAME]\Application Data\srts.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Eech" = "%SystemDrive%\Documents and Settings\[USER NAME]\Application Data\hoor.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"WNSI" = "%SystemDrive%\Documents and Settings\[USER NAME]\Application Data\rwsa.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Esph" = "%SystemDrive%\Documents and Settings\[USER NAME]\Application Data\ortu.exe"

In the above registry entries, [LETTER] is a variable letter that will change for different versions of PuritySCAN. Samples we have seen will generally delete the old version before installing the updated one.
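The Run entries above can be checked against a saved `reg query` export of the two Run keys. The following is an added example, not part of the original write-up or any vendor tool; `scan_run_export`, the sample text and the user name in it are constructed for illustration. It matches on value name and on image file name separately, so a renamed value or an expanded path is still reported.

```python
import re

# Value names and image file names from the Run entries listed on this page.
VALUE_NAMES = {"content service", "twhe", "ussi", "oesi", "eech", "wnsi", "esph"}
IMAGE_NAMES = {"wbta.exe", "rwsa.exe", "wnscpit.exe", "srts.exe", "hoor.exe", "ortu.exe"}
WINSERV = re.compile(r"winserv[a-z]\.exe")  # winserv[LETTER].exe

# A value line in `reg query` output: name, type, data split by a tab or 2+ spaces.
VALUE_LINE = re.compile(r"^\s+(.+?)(?:\t|  )\s*(REG_[A-Z_]+)(?:\t|  )\s*(.*)$")
# Base name of the first .exe in the data, ignoring quotes, directories, arguments.
EXE_NAME = re.compile(r'([^\\/"]+?\.exe)\b', re.IGNORECASE)

def scan_run_export(text):
    """Return (key, value name, data, reasons) for each Run value matching the page."""
    hits, key = [], None
    for line in text.splitlines():
        if line.upper().startswith("HKEY_"):
            key = line.strip()  # remember which Run key the following values belong to
            continue
        m = VALUE_LINE.match(line)
        if not m:
            continue
        name, _type, data = m.groups()
        reasons = []
        if name.lower() in VALUE_NAMES:
            reasons.append("value name")
        exe = EXE_NAME.search(data)
        image = exe.group(1).lower() if exe else ""
        if image in IMAGE_NAMES or WINSERV.fullmatch(image):
            reasons.append("image name")
        if reasons:
            hits.append((key, name, data.strip(), reasons))
    return hits

# Constructed sample export (not taken from a real host).
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    Content Service    REG_SZ    C:\WINDOWS\system32\winservs.exe
    Updater    REG_SZ    "C:\Documents and Settings\alice\Application Data\SRTS.EXE" /s
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Ussi    REG_SZ    "C:\WINDOWS\system32\wnscpit.exe"
    winservices    REG_SZ    C:\WINDOWS\system32\winservices.exe
"""

if __name__ == "__main__":
    for key, name, data, reasons in scan_run_export(SAMPLE):
        print(f"{key}\\{name} -> {data} [{', '.join(reasons)}]")
```

A hit on value name alone is a weaker signal than a hit on both; the `winservices.exe` line in the sample shows that only a single letter after `winserv` is treated as a match.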

The program then creates the following registry subkeys:
HKEY_CURRENT_USER\software\purityscan
HKEY_LOCAL_MACHINE\SOFTWARE\ClickSpring
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared\ClickFlag
HKEY_USERS\.DEFAULT\Software\Ttee
HKEY_CURRENT_USER\Software\Toos
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PuritySCAn
HKEY_CURRENT_USER\Software\Aubt

It may then create some or all of the following files:
  • %ProgramFiles%\PurityScan\PuritySCAN.exe
  • %ProgramFiles%\PurityScan\PuritySCANUninstall.exe
  • %System%\Winserv[LETTER].exe
  • %System%\Winservn.exeps_uninstaller.exe
  • %CurrentFolder%\Rs.exe
  • %Windir%\Application\Data\Wbta.exe
  • %SystemDrive%\Documents and Settings\[USER NAME]\Application Data\srts.exe
  • %SystemDrive%\Documents and Settings\[USER NAME]\Application Data\hoor.exe
  • %SystemDrive%\Documents and Settings\[USER NAME]\Application Data\rbap.exe
  • %SystemDrive%\Documents and Settings\[USER NAME]\Application Data\rwsa.exe


The program may create the following folder:
%UserProfile%\Application Data\ilas

It then creates a shortcut to the risk on the desktop.

Next, the program contacts a remote server on the clickspring.net domain. The adware then registers system information and the status of the installation with the server and checks for software updates to install.

It also scans Internet Explorer files, including browser files, cache, history, and cookies for adult-related keywords. It then displays advertisements.

The program downloads and displays advertisements from Web sites on the following domains:

  • fp.clickspring.net
  • www.clickspring.net
  • legend.psdtools.com
  • pisces.clickspring.com
  • app.whenu.com