
Adware.BetterInternet

Updated:
February 13, 2007 11:50:01 AM
Type:
Adware
Publisher:
stop-popup-ads-now.com
Risk Impact:
High
File Names:
Varies: Bi.dll and Biprep.exe Belt.exe Belt.ini Belt.inf Buddy.exe ceres.dll Susp.exe Sus
Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

Depending on the version of the adware, Adware.BetterInternet performs some of the following actions when it is executed:
  1. Creates some of the following files:

    • %CurrentFolder%\Belt.ini
    • %CurrentFolder%\Belt.inf
    • %CurrentFolder%\Susp.ini
    • %CurrentFolder%\Susp.in
    • %CurrentFolder%\BTGrab.inf
    • %Temp%\bho_prob.exe
    • %Temp%\bik.inf
    • %Temp%\bi.dll
    • %Temp%\bik.cab
    • %Temp%\biprep.exe
    • %Temp%\dummy.htm
    • %Temp%\morphrec.exe
    • %Temp%\thnall1s.exe
    • %Temp%\DrTemp\ceres.cab
    • %Temp%\DrTemp\ceres.dll
    • %Temp%\DrTemp\ceres.inf
    • %Temp%\DrTemp\thnall1b.exe
    • %Temp%\DrTemp\thnall1p.exe
    • %Temp%\DrTemp\thnall2r.exe
    • %Temp%\DrTemp\polall1b.exe
    • %Temp%\THI[????].tmp\adrmimg.cab
    • %Temp%\THI[????].tmp\imGiant.cab
    • %Temp%\THI[????].tmp\adrmimg.inf
    • %Temp%\THI[????].tmp\imgiant.inf
    • %Temp%\THI[????].tmp\IMGUninst.exe
    • %Temp%\THI[????].tmp\imGiant.dll
    • %System%\ezxiiyv.exe
    • %System%\bdle4012.exe
    • %System%\bik.exe
    • %System%\imgiant.dll
    • %System%\ln_reco.exe
    • %System%\laziqn.exe
    • %System%\nnmzoq.exe
    • %System%\randreco.exe
    • %System%\susp_reco.exe
    • %System%\stmtreco.exe
    • %System%\xxvyaj.exe
    • %System%\wbtvsffd.exe
    • %Windir%\banner.dll
    • %Windir%\Bi.dll
    • %Windir%\Biprep.exe
    • %Windir%\BTGrab.dll
    • %Windir%\Buddy.exe
    • %Windir%\ceres.dll
    • %Windir%\dlmax.dll
    • %Windir%\farmmext.exe
    • %Windir%\imgiant.dll
    • %Windir%\morphacl.dll
    • %Windir%\Mxtarget.dll
    • %Windir%\Pynix.dll
    • %Windir%\speer2.dll
    • %Windir%\speeryox.dll
    • %Windir%\VoiceIP.dll
    • %Windir%\zserv.dll
    • %Windir%\BBIIEHPL.ini
    • %Windir%\BIILJLLM.ini
    • %Windir%\BICJNF.ini
    • %Windir%\CCEJHONM.ini
    • %Windir%\FCIJLFMN.ini
    • %Windir%\FFGDEGOJ.ini
    • %Windir%\IDDJHJM.ini
    • %Windir%\morphstb.ini
    • %Windir%\abiuninst.htm
    • %Windir%\IMGUninst.exe
    • %Windir%\DrUninst.exe
    • %Windir%\inf\adrmcer.inf
    • %Windir%\inf\adrmimg.inf
    • %Windir%\inf\bik.inf
    • %Windir%\inf\ceres.inf
    • %Windir%\inf\farmmext.inf
    • %Windir%\farmmext.ini
    • %Windir%\inf\imgiant.inf
    • %Windir%\inf\morphstb.inf
    • %Windir%\inf\payload.inf
    • %Windir%\inf\payload2.inf
    • %Windir%\inf\Pynix.inf
    • %Windir%\inf\Pynix.pnf
    • %Windir%\inf\sprnopol.inf
    • %Windir%\inf\topmins2.inf
    • %Windir%\Wininit.ini
    • %Windir%\inf\zserv.inf
    • %Windir%\LastGood\BICJNF.ini
    • %Windir%\LastGood\INF\adrmimg.inf
    • %Windir%\LastGood\INF\adrmimg.PNF
    • %Windir%\LastGood\INF\bik.inf
    • %Windir%\LastGood\INF\bik.pnf
    • %Windir%\LastGood\INF\ceres.inf
    • %Windir%\LastGood\INF\ceres.pnf
    • %Windir%\LastGood\farmmext.ini
    • %Windir%\LastGood\INF\farmmext.inf
    • %Windir%\LastGood\INF\farmmext.pnf
    • %Windir%\LastGood\INF\imgiant.inf
    • %Windir%\LastGood\INF\imgiant.PNF
    • %Windir%\LastGood\INF\morphstb.PNF
    • %Windir%\LastGood\INF\morphstb.inf
    • %Windir%\LastGood\INF\payload.PNF
    • %Windir%\LastGood\INF\payload.inf
    • %Windir%\LastGood\INF\Pynix.inf
    • %Windir%\LastGood\INF\Pynix.PNF
    • %Windir%\LastGood\INF\zserv.inf
    • %Windir%\LastGood\INF\zserv.pnf
    • %Windir%\LastGood\DrUninst.exe
    • %Windir%\Downloaded Program Files\thin.inf
    • %Windir%\LastGood\Downloaded Program Files\thin.inf
    • XXVYAJ.exe

      Notes:
    • %CommonProgramFiles% is a variable that refers to the Common Files folder. By default, this is C:\Program Files\Common Files.
    • %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
    • %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\Winnt (Windows NT/2000).
    • %Temp% is a variable that refers to the Windows temporary folder. By default, this is C:\Windows\TEMP (Windows 95/98/Me/XP) or C:\WINNT\Temp (Windows NT/2000).
    • [????] is a variable that refers to a random sequence of characters which make up part of the folder name.

  2. Attempts to create some of the following registry keys:

    HKEY_CLASSES_ROOT\CLSID\{00000000-59D4-4008-9058-080011001200}
    HKEY_CLASSES_ROOT\CLSID\{00000000-C1EC-0345-6EC2-4D0300000000}
    HKEY_CLASSES_ROOT\CLSID\{00000000-DD60-0064-6EC2-6E0100000000}
    HKEY_CLASSES_ROOT\CLSID\{00000000-F09C-02B4-6EC2-AD0300000000}
    HKEY_CLASSES_ROOT\CLSID\{00000026-8735-428D-B81F-DD098223B25F}
    HKEY_CLASSES_ROOT\CLSID\{00000035-92F8-407F-98A5-7D8ADA59B6BB}
    HKEY_CLASSES_ROOT\CLSID\{00000049-8F91-4D9C-9573-F016E7626484}
    HKEY_CLASSES_ROOT\CLSID\{0000005D-C175-4405-BAC5-1F3B2BAF67C6}
    HKEY_CLASSES_ROOT\CLSID\{00000062-2E5F-4AF7-986E-5B64E0951A96}
    HKEY_CLASSES_ROOT\CLSID\{00000097-7C67-4BA6-8B42-05128941688A}
    HKEY_CLASSES_ROOT\CLSID\{00000250-0320-4DD4-BE4F-7566D2314352}
    HKEY_CLASSES_ROOT\CLSID\{000006B1-19B5-414A-849F-2A3C64AE6939}
    HKEY_CLASSES_ROOT\CLSID\{000020DD-C72E-4113-AF77-DD56626C6C42}
    HKEY_CLASSES_ROOT\CLSID\{0000607D-D204-42C7-8E46-216055BF9918}
    HKEY_CLASSES_ROOT\CLSID\{002EB272-2590-4693-B166-FBD5D9B6FEA6}
    HKEY_CLASSES_ROOT\CLSID\{00320615-B6C2-40A6-8F99-F1C52D674FAD}
    HKEY_CLASSES_ROOT\CLSID\{36A59337-6EEF-40AE-94B1-ED443A0C4740}
    HKEY_CLASSES_ROOT\CLSID\{D5E06663-DE78-4A48-BB81-7C9AFF2E49E4}

    HKEY_CLASSES_ROOT\Interface\{237CB7A2-E26E-443B-B16E-5DA66584B05B}
    HKEY_CLASSES_ROOT\Interface\{C45C774D-5ECC-4D9E-94E1-AC57189C4435}
    HKEY_CLASSES_ROOT\Interface\{BB0D5ADC-028D-4185-9288-722DDCE2C757}
    HKEY_CLASSES_ROOT\Interface\{C08175C6-B2B2-47FC-AF1A-32F77A6CB673}
    HKEY_CLASSES_ROOT\Interface\{59EBB576-CEB0-42FA-9917-DA6254A275AD}
    HKEY_CLASSES_ROOT\Interface\{4534CD6B-59D6-43FD-864B-06A0D843444A}
    HKEY_CLASSES_ROOT\Interface\{94984402-B480-45C7-AD2D-84E5EB52CFCD}
    HKEY_CLASSES_ROOT\Interface\{72322CE2-D1C1-423E-9748-FF7E7F1E47C3}
    HKEY_CLASSES_ROOT\Interface\{19C8E563-D989-47CE-BED8-EA72B5EB62D6}
    HKEY_CLASSES_ROOT\Interface\{A93B84C6-5278-473A-8027-F6304A291A7A}
    HKEY_CLASSES_ROOT\Interface\{50F646B1-1C3E-4B01-B818-437E1276E5BE}
    HKEY_CLASSES_ROOT\TypeLib\{09049E4F-8D9E-4C8A-A952-5BAF1A115C59}
    HKEY_CLASSES_ROOT\TypeLib\{230C3786-1C2C-45BD-9D2D-9D277FCE6289}
    HKEY_CLASSES_ROOT\TypeLib\{2390AAA5-E65C-4404-BD3B-3A9EAC22C0A5}
    HKEY_CLASSES_ROOT\TypeLib\{53F066F0-A4C0-4F46-83EB-2DFD03F938CF}
    HKEY_CLASSES_ROOT\TypeLib\{690BCCB4-6B83-4203-AE77-038C116594EC}
    HKEY_CLASSES_ROOT\TypeLib\{7EFE1256-AB56-44B3-A63A-EB1A2208A490}
    HKEY_CLASSES_ROOT\TypeLib\{8E0D8965-B97B-468D-8306-A05929E439C1}
    HKEY_CLASSES_ROOT\TypeLib\{92DAF5C1-2135-4E0C-B7A0-259ABFCD3904}
    HKEY_CLASSES_ROOT\TypeLib\{BBE6D461-41FC-4100-A629-B9D2162BEFAA}
    HKEY_CLASSES_ROOT\TypeLib\{C0168E40-6211-4113-9202-B9B852CB12FC}
    HKEY_CLASSES_ROOT\TypeLib\{EE6AE627-8F18-4986-BEAD-52073EDFC776}
    HKEY_CLASSES_ROOT\AppID\{4D980B0A-C3EF-4965-A58F-7F64F3B42E79}
    HKEY_CLASSES_ROOT\AppID\XParam.DLL
    HKEY_CLASSES_ROOT\BiDll.BiDllObj
    HKEY_CLASSES_ROOT\BiDll.BiDllObj.1
    HKEY_CLASSES_ROOT\BTGrabDll.BTGrabDllObj
    HKEY_CLASSES_ROOT\BTGrabDll.BTGrabDllObj.1
    HKEY_CLASSES_ROOT\CeresDll.CeresDllObj
    HKEY_CLASSES_ROOT\CeresDll.CeresDllObj.1
    HKEY_CLASSES_ROOT\DLMaxDll.DLMaxDllObj
    HKEY_CLASSES_ROOT\DLMaxDll.DLMaxDllObj.1
    HKEY_CLASSES_ROOT\imGiantDll.imGiantDllObj
    HKEY_CLASSES_ROOT\imGiantDll.imGiantDllObj.1
    HKEY_CLASSES_ROOT\morphaclDll.morphaclDllObj
    HKEY_CLASSES_ROOT\morphaclDll.morphaclDllObj.1
    HKEY_CLASSES_ROOT\MultiMPPDll.MultiMPPDllObj
    HKEY_CLASSES_ROOT\MultiMPPDll.MultiMPPDllObj.1
    HKEY_CLASSES_ROOT\MxTarget.MxTargetDllObj.1
    HKEY_CLASSES_ROOT\PynixDll.PynixDllObj
    HKEY_CLASSES_ROOT\PynixDll.PynixDllObj.1
    HKEY_CLASSES_ROOT\sPeerDll.sPeerDllObj
    HKEY_CLASSES_ROOT\sPeerDll.sPeerDllObj.1
    HKEY_CLASSES_ROOT\sPeer2Dll.sPeer2DllObj
    HKEY_CLASSES_ROOT\sPeer2Dll.sPeer2DllObj.1
    HKEY_CLASSES_ROOT\TwaintecDll.TwaintecDllObj
    HKEY_CLASSES_ROOT\TwaintecDll.TwaintecDllObj.1
    HKEY_CLASSES_ROOT\VoiceIPDll.VoiceIPDllObj.1
    HKEY_CLASSES_ROOT\VX2.VX20BJ
    HKEY_CLASSES_ROOT\XParam.XParamObj
    HKEY_CLASSES_ROOT\XParam.XParamObj.1
    HKEY_CLASSES_ROOT\ZServDll.ZServDllObj
    HKEY_CLASSES_ROOT\ZServDll.ZServDllObj.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-59D4-4008-9058-080011001200}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-C1EC-0345-6EC2-4D0300000000}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-DD60-0064-6EC2-6E0100000000}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-F09C-02B4-6EC2-AD0300000000}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000026-8735-428D-B81F-DD098223B25F}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000035-92F8-407F-98A5-7D8ADA59B6BB}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000049-8F91-4D9C-9573-F016E7626484}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0000005D-C175-4405-BAC5-1F3B2BAF67C6}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000062-2E5F-4AF7-986E-5B64E0951A96}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000097-7C67-4BA6-8B42-05128941688A}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000250-0320-4DD4-BE4F-7566D2314352}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{000006B1-19B5-414A-849F-2A3C64AE6939}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{000020DD-C72E-4113-AF77-DD56626C6C42}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0000607D-D204-42C7-8E46-216055BF9918}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{002EB272-2590-4693-B166-FBD5D9B6FEA6}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00320615-B6C2-40A6-8F99-F1C52D674FAD}
    HKEY_CURRENT_USER\Software\AHExe
    HKEY_CURRENT_USER\Software\BTGrab
    HKEY_CURRENT_USER\Software\ceres
    HKEY_CURRENT_USER\Software\DLMax
    HKEY_CURRENT_USER\Software\imGiant
    HKEY_CURRENT_USER\Software\morphacl
    HKEY_CURRENT_USER\Software\MultiMPP
    HKEY_CURRENT_USER\Software\MxTarget
    HKEY_CURRENT_USER\Software\sPeer
    HKEY_CURRENT_USER\Software\sPeer2
    HKEY_CURRENT_USER\Software\VoiceIP
    HKEY_CURRENT_USER\Software\pynix
    HKEY_CURRENT_USER\Software\ZServ
    HKEY_LOCAL_MACHINE\SOFTWARE\Vendor\xml
    HKEY_LOCAL_MACHINE\Software\Dbi
    HKEY_LOCAL_MACHINE\Software\twaintec
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ceres
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\speer2
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\speer
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Dbi
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-1
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\IMGiant

  3. Adds the value:

    "BLLid20fslnst" = "{688DE333-FB9A-4E16-B6B7-D81D266E0009}"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\Software\DBi

  4. Adds some of the values:

    "INF/ceres.inf" = "0x00000001"
    "INF/ceres.pnf" = "0x00000001"
    "INF/adrmimg.inf" = "0x00000001"
    "INF/adrmimg.PNF" = "0x00000001"
    "INF/farmmext.inf" = "0x00000001"
    "INF/farmmext.pnf" = "0x00000001"
    "INF/imgiant.inf" = "0x00000001"
    "INF/imgiant.PNF" = "0x00000001"
    "INF/payload.inf" = "0x00000001"
    "INF/payload.pnf" = "0x00000001"
    "INF/Pynix.PNF" = "0x00000001"
    "INF/Pynix.inf" = "0x00000001"
    "INF/morphstb.PNF" = "0x00000001"
    "INF/morphstb.inf" = "0x00000001"
    "INF/zserv.inf" = "0x00000001"
    "INF/zserv.pnf" = "0x00000001"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SYSTEM\LastKnownGoodRecovery\LastGood

  5. Adds the value:

    "[File name of adware]" = "[File path to adware]"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the risk runs every time Windows starts.

  6. Attempts to connect to one of the following domains to check for updated versions of the adware:

    • abetterinternet.com
    • stop-popup-ads-now.com

  7. Attempts to perform some of the following actions:

    • Display advertisements.
    • Display links to related Web sites, and advertisements for related Web sites, based on the Web sites visited on the infected computer.
    • Log the Web sites visited by the infected computer.
    • Redirect certain URLs, including the Web browser default 404-error page, to or through the Web page used by the threat.
    • Automatically update the adware and install added features or functionality. This action is performed without input from, or interaction with the user.
    • Install desktop icons, installation files, and other publisher's software.
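The following is an added example and not part of the Symantec write-up: a read-only PowerShell triage script that audits the Browser Helper Object registrations (step 2) and the HKLM Run entries (step 5), resolving each BHO CLSID to the DLL it loads and flagging matches against the CLSIDs and file names listed above. The $knownClsids list is a subset taken from step 2, and the $suspectNames list is an assumption drawn from the file names in step 1.

```powershell
# Added example: read-only audit of BHO and Run-key registrations against the
# indicators in this write-up. Run from an elevated PowerShell prompt.

# CLSIDs copied from step 2 (subset; extend from the full list as needed).
$knownClsids = @(
    '{00000000-59D4-4008-9058-080011001200}',
    '{00000000-C1EC-0345-6EC2-4D0300000000}',
    '{00000026-8735-428D-B81F-DD098223B25F}',
    '{00320615-B6C2-40A6-8F99-F1C52D674FAD}'
)
# Assumption: file names taken from step 1, lower-cased for comparison.
$suspectNames = @('bi.dll','biprep.exe','ceres.dll','btgrab.dll','imgiant.dll',
                  'pynix.dll','zserv.dll','speer2.dll','voiceip.dll','mxtarget.dll',
                  'belt.exe','buddy.exe','farmmext.exe','morphacl.dll','dlmax.dll')

# Strip any directory prefix so "C:\Windows\Bi.dll" compares as "bi.dll".
function Get-Leaf([string]$Path) { ($Path.Trim('"') -replace '^.*[\\/]', '').ToLower() }

$findings = @()

# 1. Every registered BHO, resolved through HKCR\CLSID\<clsid>\InprocServer32 to its DLL.
$bhoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
foreach ($bho in (Get-ChildItem -Path $bhoRoot -ErrorAction SilentlyContinue)) {
    $clsid  = $bho.PSChildName
    $server = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" `
                               -ErrorAction SilentlyContinue
    $dll    = if ($server) { [string]$server.'(default)' } else { '<no InprocServer32>' }
    $hit    = ($knownClsids -contains $clsid) -or ($suspectNames -contains (Get-Leaf $dll))
    $findings += [pscustomobject]@{ Source='BHO'; Key=$clsid; Target=$dll; Suspicious=$hit }
}

# 2. HKLM Run entries: step 5 registers the adware under its own file name.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    # PS* properties are provider metadata, not registry values.
    foreach ($p in ($run.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' })) {
        $target = [string]$p.Value
        $hit    = ($suspectNames -contains (Get-Leaf $target)) -or
                  ($suspectNames -contains $p.Name.ToLower())
        $findings += [pscustomobject]@{ Source='Run'; Key=$p.Name; Target=$target; Suspicious=$hit }
    }
}

$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

On 64-bit Windows the 32-bit Internet Explorer registrations live under HKLM:\SOFTWARE\Wow6432Node\... as well, so run the same checks against that path too.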

Some samples that Security Response has received of Belt.exe will not install successfully, as the CAB package it attempts to download is no longer available. In these instances, as well as those when an Internet connection is not available, the adware will add the registry key specified in step 4, and then exit cleanly.

Note: Virus definitions dated prior to November 19, 2003 may detect this as Adware.Ipinsight or Download.Trojan.

