Updated: February 13, 2007 11:34:35 AM
Type: Adware
Risk Impact: High
File Names: Linmeimei.exe, Wupdate.exe
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
When Adware.Wengs is executed, it performs the following actions:
- Copies itself to %System%\Wupdate.exe.
Note: %System% is a variable. The adware locates the folder (by default, this is C:\Windows\System or C:\Winnt\System32) and copies itself to that location.
- Adds the value:
"Windows Update" = %System%\Wupdate.exe
to the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the adware runs when you start Windows.
- Changes the Internet Explorer home page to we.cn.gs.
- Opens a browser window and displays a flash animation downloaded from the Internet.
- Attempts to access the following URL at 3721.com, which redirects users to Yahoo China (http://cn.yahoo.com):
http://cns.3721.com/cns.dll?fw=cm2&name=%D1%C5%BB%A2&pid=U_angelye_19721
- May download itself, or its updated version, from we.cn.gs.
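
The registry changes listed above can be checked offline against a registry export. The following is an added example, not part of the original write-up: it parses the text of a .reg export and flags the "Windows Update" Run value pointing at Wupdate.exe and an Internet Explorer home page set to we.cn.gs. The function names are hypothetical, the sample export is constructed, and the "Start Page" value under Internet Explorer\Main is an assumption about where the home page is stored, since the write-up does not name that key.

```python
import re

RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
# Assumption: IE keeps its home page in "Start Page" under this key.
IE_MAIN_KEY = r"hkey_current_user\software\microsoft\internet explorer\main"

# Matches "name"="data" string values; both sides may contain \\ and \" escapes.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')


def _unescape(s):
    """Turn .reg escapes (\\\\ and \\") back into the literal characters."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Yield (key, value_name, data) for each string value in .reg export text."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()  # registry key names are case-insensitive
        elif key:
            m = VALUE_RE.match(line)
            if m:
                yield key, _unescape(m.group(1)), _unescape(m.group(2))


def find_wengs_indicators(text):
    """Return a list of (indicator, data) pairs matching the write-up."""
    findings = []
    for key, name, data in parse_reg(text):
        d = data.lower()
        # %System% varies by Windows version, so match on the file name only.
        if key == RUN_KEY and name.lower() == "windows update" and d.endswith("\\wupdate.exe"):
            findings.append(("run_key", data))
        if key == IE_MAIN_KEY and name.lower() == "start page" and "we.cn.gs" in d:
            findings.append(("ie_home_page", data))
    return findings


# Constructed sample export, for illustration only.
SAMPLE_INFECTED = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Update"="C:\\WINNT\\System32\\Wupdate.exe"
"ctfmon"="C:\\WINNT\\System32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://we.cn.gs/"
'''

if __name__ == "__main__":
    print(find_wengs_indicators(SAMPLE_INFECTED))
```

Exports written by regedit in the "Version 5.00" format are UTF-16 encoded, so decode the file with that encoding before passing its text to `find_wengs_indicators`.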