Updated: February 13, 2007 11:33:52 AM
Type: Adware
Publisher: Avenue Media
Risk Impact: Medium
File Names:
ioptiXXX.dll
nemXXX.dll
wsemXXX.dll
optimize.exe
optimizeXXX.exe
actalert.exe
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
When Adware.NetOptimizer is executed, it performs the following actions:
- Creates some of the following files:
- %ProgramFiles%\Internet Optimizer\actalert.exe
- %ProgramFiles%\Internet Optimizer\optimize.exe
- %ProgramFiles%\Internet Optimizer\update\actalert.exe
- C:\Internet Optimizer\optimize.exe
- %UserProfile%\Internet Optimizer\optimize.exe
- %Windir%\nem[XXX].dll
- %Windir%\optimize.exe
- %Windir%\wsem[XXX].dll
- C:\Documents and Settings\Administrator\Local Settings\Temp\cfin
- C:\Documents and Settings\Administrator\Local Settings\Temp\cfout.txt
Notes:
- [XXX] is a 3-digit number referring to the version of the software.
- %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
- %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\Winnt (Windows NT/2000).
- %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).
- Adds the value:
"Internet Optimizer" = "%ProgramFiles%\Internet Optimizer\optimize.exe"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the risk runs every time Windows starts.
- May create an entry referencing the value DyFuca, under the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Creates the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000010-6F7D-442C-93E3-4A4827C2E4C8}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8F4E5661-F99E-4B3E-8D85-0EA71C0748E4}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CEA206E8-8057-4A04-ACE9-FF0D69A92297}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1C01D150-91A4-4DE0-9BF8-A35D1BDF1001}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AA4939C3-DECA-4A48-A454-97CD587C0EF5}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EEE4A2E5-9F56-432F-A6ED-F6F625B551E0}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{0BE10B0D-B4DB-4693-9B1F-9AEAD54D17DC}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{40B1D454-9CA4-43CC-86AA-CB175EAC52FB}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DyFuCA_BH.BHObj
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DyFuCA_BH.BHObj.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DyFuCA_BH.SinkObj
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DyFuCA_BH.SinkObj.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DyFuCA
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Optimizer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Optimizer Active Alert
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WSEM Update
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kapabout
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000010-6F7D-442C-93E3-4A4827C2E4C8}
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Avenue Media
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\AMeOpt
HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\AMeOpt
HKEY_CURRENT_USER\Software\Policies\Avenue Media
HKEY_CURRENT_USER\Software\Avenue Media
- May also create the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\FCI
- Deletes the value:
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" = ""
from the registry subkey:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks
- Adds the value:
"_{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" = ""
to the registry subkey:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks
- Periodically displays advertisements.
- Dynamically updates itself.
- The program's End User License Agreement (EULA) states that the software may collate data relating to Web browsing habits and send it back to its controllers.
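Added example, not part of this writeup: a read-only PowerShell triage function that checks a live host for the registry and file artifacts listed above (run it from an elevated prompt). It assumes that {CFBFAE00-17A6-11D0-99CB-00C04FD64497} is Internet Explorer's default URL search hook, so both its absence and its underscored copy are reported as findings.

```powershell
# Added example, not from the writeup: read-only check for Adware.NetOptimizer artifacts.
function Test-NetOptimizerArtifacts {
    $findings = @()
    $msHook = '{CFBFAE00-17A6-11D0-99CB-00C04FD64497}'   # assumed: IE's default URL search hook

    # 1. Startup persistence via HKLM\...\Run (value names as given in the writeup)
    $run = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
    foreach ($name in 'Internet Optimizer', 'DyFuca') {
        if ($run -and $run.PSObject.Properties[$name]) {
            $findings += "Run value '$name' = '$($run.$name)'"
        }
    }

    # 2. Browser Helper Object registration for the adware's CLSID
    $bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000010-6F7D-442C-93E3-4A4827C2E4C8}'
    if (Test-Path -Path $bho) { $findings += "BHO registered: $bho" }

    # 3. URLSearchHooks tampering: default hook deleted and re-added under an underscored name
    $hooks = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\URLSearchHooks' -ErrorAction SilentlyContinue
    if ($hooks) {
        if ($hooks.PSObject.Properties["_$msHook"]) { $findings += "URLSearchHooks has renamed hook _$msHook" }
        if (-not $hooks.PSObject.Properties[$msHook]) { $findings += "URLSearchHooks is missing default hook $msHook" }
    }

    # 4. Vendor, COM and uninstall keys that exist only after the adware has installed
    $keys = 'HKLM:\SOFTWARE\Avenue Media', 'HKCU:\Software\Avenue Media',
            'HKLM:\SOFTWARE\Classes\DyFuCA_BH.BHObj', 'HKLM:\SOFTWARE\Classes\DyFuCA_BH.SinkObj',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Optimizer',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DyFuCA',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WSEM Update'
    foreach ($k in $keys) { if (Test-Path -Path $k) { $findings += "Registry key present: $k" } }

    # 5. Dropped files, including the versioned nemXXX.dll / wsemXXX.dll names in %Windir%
    $paths = "$env:ProgramFiles\Internet Optimizer\optimize.exe",
             "$env:ProgramFiles\Internet Optimizer\actalert.exe",
             "$env:windir\optimize.exe", 'C:\Internet Optimizer\optimize.exe'
    foreach ($p in $paths) { if (Test-Path -Path $p -PathType Leaf) { $findings += "File present: $p" } }
    foreach ($pattern in 'nem???.dll', 'wsem???.dll') {
        foreach ($f in (Get-ChildItem -Path $env:windir -Filter $pattern -ErrorAction SilentlyContinue)) {
            $findings += "File present: $($f.FullName)"
        }
    }
    return $findings
}

$result = Test-NetOptimizerArtifacts
if ($result) { foreach ($r in $result) { Write-Warning $r } } else { 'No Adware.NetOptimizer artifacts found.' }
```

The function only reads the registry and file system; removal of a confirmed infection is a separate step so that findings can be recorded first.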