Adware.InstantAccess

Updated: February 13, 2007 11:35:41 AM
Type: Adware
Publisher: e-Group
Risk Impact: Medium
File Names: %Windir%\access.exe %System%\EGDHTML_xxxx.dll %System%\p2esocks_xxxx.dll %Windir%\system\eghtm
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP


When Adware.InstantAccess runs, it performs the following actions:
  1. Creates some of the following files:

    • %Windir%\access.exe
    • %System%\EGDHTML_xxxx.dll
    • %Windir%\system\eghtmldialer.dll
    • %System%\p2esocks_xxxx.dll
    • %Windir%\eg_auth_1041.dll

      Notes:
      • %Windir% is a variable. By default, this is C:\Windows or C:\Winnt.
      • %System% is a variable. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
      • xxxx represents the version number.

  2. Creates the following folders:

    • C:\Program Files\instant access
    • %Windir%\dialpass
    • %Windir%\egroup

  3. Registers its .dll files.

  4. Adds some of the following registry subkeys:

    HKEY_CLASSES_ROOT\egdhtml.egdialhtml
    HKEY_CLASSES_ROOT\egdhtml.egdialhtml.1
    HKEY_CLASSES_ROOT\egdialobject.egdial
    HKEY_CLASSES_ROOT\eghtmldialer.htmldialer
    HKEY_CLASSES_ROOT\eghtmldialer.htmldialer.1
    HKEY_CLASSES_ROOT\P2ECOM.EGP2ECOM
    HKEY_CLASSES_ROOT\P2ECOM.EGP2ECOM.1
    HKEY_CLASSES_ROOT\EGAUTH.EGEGAUTH
    HKEY_CLASSES_ROOT\EGAUTH.EGEGAUTH.1
    HKEY_CLASSES_ROOT\EGCOMSERVICE.EGComSvc.1
    HKEY_CLASSES_ROOT\EGCOMSERVICE.EGComSvc

    HKEY_LOCAL_MACHINE\04
    HKEY_CURRENT_USER\Software\livesvc
    HKEY_CURRENT_USER\Software\EGDHTML
    HKEY_CURRENT_USER\Software\egroup


  5. May add the value:

    "Instant Access" = "rundll32.exe p2esocks_xxxx.dll,InstantAccess"

    to the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the adware runs when you start Windows.

  6. Accesses predetermined Web sites and downloads pop-up ads.
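
The file, folder and Run-value indicators from steps 1, 2 and 5, applied to a triage listing of paths and Run values. This is an added example, not part of the original write-up. Reading xxxx as digits, tolerating a directory prefix in the Run data, and the names VARS, TEMPLATES, scan and the sample data are all assumptions.

```python
import re

# Default expansions from the Notes under step 1.
VARS = {
    "%Windir%": [r"C:\Windows", r"C:\Winnt"],
    "%System%": [r"C:\Windows\System", r"C:\Winnt\System32", r"C:\Windows\System32"],
}
# Files (step 1) and folders (step 2) as named in the write-up.
TEMPLATES = [
    r"%Windir%\access.exe", r"%System%\EGDHTML_xxxx.dll",
    r"%Windir%\system\eghtmldialer.dll", r"%System%\p2esocks_xxxx.dll",
    r"%Windir%\eg_auth_1041.dll", r"C:\Program Files\instant access",
    r"%Windir%\dialpass", r"%Windir%\egroup",
]
# Step 5 Run value data; tolerating a directory prefix is an assumption.
RUN_DATA = re.compile(r"rundll32\.exe\s+(?:\S*\\)?p2esocks_\d+\.dll,InstantAccess", re.I)

def compile_template(template):
    """Turn one template into a case-insensitive regex over absolute paths."""
    pattern = re.escape(template)
    for var, dirs in VARS.items():
        alternatives = "(?:" + "|".join(re.escape(d) for d in dirs) + ")"
        pattern = pattern.replace(re.escape(var), alternatives)
    # Assumption: the version number "xxxx" is one or more digits.
    pattern = pattern.replace("xxxx", r"\d+")
    # Also match anything stored beneath a listed folder.
    return re.compile(pattern + r"(?:\\.*)?$", re.I)

PATTERNS = [(t, compile_template(t)) for t in TEMPLATES]

def scan(paths, run_values):
    """Return (kind, item, matched indicator or data) for every hit."""
    hits = [("path", p, t) for p in paths for t, rx in PATTERNS if rx.match(p)]
    hits += [("run", name, data) for name, data in run_values.items()
             if RUN_DATA.search(data)]
    return hits

# Constructed sample triage data (not from a real host).
SAMPLE_PATHS = [
    r"C:\WINDOWS\system32\p2esocks_1035.dll",
    r"C:\Windows\egroup\settings.dat",
    r"C:\Windows\notaccess.exe",
]
SAMPLE_RUN = {
    "Instant Access": "rundll32.exe p2esocks_1035.dll,InstantAccess",
    "ctfmon": r"C:\Windows\System32\ctfmon.exe",
}

if __name__ == "__main__":
    print(*scan(SAMPLE_PATHS, SAMPLE_RUN), sep="\n")
```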

