Updated: February 13, 2007 11:35:17 AM
Type: Adware
Publisher: TMKSoft
Risk Impact: Medium
File Names: XPlugin.dll, Tmksrvu.exe
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
When Adware.TMKSoft.XPlugin is executed, it performs the following actions:
- Creates the following files:
  - %System%\tmksrvu.exe
  - %System%\xplugin.dll
  - %System%\nsdb\hosts
Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
- Creates the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\XPlugin.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{AC3F36D4-F905-4FE9-A926-EB937E66F591}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4F7681E5-6CAF-478D-9CB8-4CA593BEE7FB}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{EE79D398-AAAF-47B1-8C9E-11F7D4C9111B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\XPlugin.XFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\XPlugin.XFilter.1
HKEY_LOCAL_MACHINE\SOFTWARE\TMKSoft
- Adds the value:
"CLSID" = "{4F7681E5-6CAF-478D-9CB8-4CA593BEE7FB}"
to the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html
so that the adware is executed every time text content is viewed using Internet Explorer.
- Adds the values:
"hpnt" = "[random value]"
"SetHP" = "[random value]"
to the registry key:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
- Modifies the value:
"DataBasePath" = "%System%\nsdb\hosts"
in the registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
so that IP addresses are resolved from the hosts file created by the adware in %System%\nsdb\hosts, instead of from "%System%\drivers\etc\hosts".
- Displays advertisements by contacting a particular Web site.
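
The registry changes listed above can be checked with a read-only script such as the following. This is an added example, not part of the original write-up or a vendor tool; the key names, value names and CLSID are taken from this page, and the variable names and output strings are illustrative.

```powershell
# Read-only check for the registry changes listed above (added example; names are illustrative).
$hklm = [Microsoft.Win32.Registry]::LocalMachine
$hkcu = [Microsoft.Win32.Registry]::CurrentUser
$findings = @()

# Keys the write-up lists as created under HKEY_LOCAL_MACHINE.
$createdKeys = @(
    'SOFTWARE\Classes\AppID\XPlugin.DLL',
    'SOFTWARE\Classes\AppID\{AC3F36D4-F905-4FE9-A926-EB937E66F591}',
    'SOFTWARE\Classes\CLSID\{4F7681E5-6CAF-478D-9CB8-4CA593BEE7FB}',
    'SOFTWARE\Classes\TypeLib\{EE79D398-AAAF-47B1-8C9E-11F7D4C9111B}',
    'SOFTWARE\Classes\XPlugin.XFilter',
    'SOFTWARE\Classes\XPlugin.XFilter.1',
    'SOFTWARE\TMKSoft'
)
foreach ($path in $createdKeys) {
    $key = $hklm.OpenSubKey($path)
    if ($key) { $findings += "Key present: HKLM\$path"; $key.Close() }
}

# "text/html" contains "/", which the PowerShell registry provider treats as a path
# separator, so the .NET registry API is used here instead of Get-ItemProperty.
$filter = $hklm.OpenSubKey('SOFTWARE\Classes\PROTOCOLS\Filter\text/html')
if ($filter) {
    if ($filter.GetValue('CLSID') -eq '{4F7681E5-6CAF-478D-9CB8-4CA593BEE7FB}') {
        $findings += 'text/html protocol filter CLSID is the XPlugin CLSID'
    }
    $filter.Close()
}

# Values added to the current user's Internet Explorer settings.
$ieMain = $hkcu.OpenSubKey('Software\Microsoft\Internet Explorer\Main')
if ($ieMain) {
    foreach ($name in 'hpnt', 'SetHP') {
        if ($ieMain.GetValueNames() -contains $name) { $findings += "Value present: IE Main\$name" }
    }
    $ieMain.Close()
}

# Hosts-file redirection: read DataBasePath unexpanded and look for the nsdb folder.
$tcpip = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Services\Tcpip\Parameters')
if ($tcpip) {
    $noExpand = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames
    $dbPath = [string]$tcpip.GetValue('DataBasePath', '', $noExpand)
    if ($dbPath -match '\\nsdb(\\|$)') { $findings += "DataBasePath redirected: $dbPath" }
    $tcpip.Close()
}

if ($findings) { $findings } else { 'No XPlugin registry indicators found' }
```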