When Version.exe is executed, it does the following:
- Adds the value:
"version" = "%system%\version.exe"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the adware runs when you start Windows.
- Adds the values:
"version" = "0"
"sys" = "%system"
"lastdate" = "0"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Redirectkey
- Attempts to download and execute files. At the time of writing, the two downloaded files are Keyhost.exe and Setup.exe (saved to disk as %System%\Setup_123.exe).
- Setup.exe installs "Golden Palace Casino PT," an online gambling program, onto your computer.
- Keyhost.exe does the following:
  - Drops an HTML file, %System%\Keyhost.exe, which contains a blank Web page titled, "Enter your search keywords here."
  - Adds the value:
    "WinEssential" = "%system%\keyhost.exe"
    to the registry subkey:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  - Adds the value:
    "Enter:your:search:keywords:here" = "%system%\keyhost.htm"
    to the registry subkey:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs
  - Adds the values:
    "sys" = "%system"
    "lastdate" = "0"
    to the registry subkey:
    HKEY_LOCAL_MACHINE\SOFTWARE\Redirectkey
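
To check a machine for the registry changes listed above, the following added example (not part of the original write-up) parses the text of a registry export and reports entries that match them. It assumes %system% expands to the Windows system folder and that the export has already been decoded to text; the names INDICATORS, parse_reg and find_hits and the sample export are constructed for illustration.

```python
import re

RUN = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
ABOUT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs"
REDIR = r"HKEY_LOCAL_MACHINE\SOFTWARE\Redirectkey"
# (subkey, value name, file name) taken from the write-up. Assumption: %system%
# expands to the system folder, so only the file name ending the data is compared.
# A file name of None means any data matches (the Redirectkey values).
INDICATORS = [
    (RUN, "version", "version.exe"),
    (RUN, "WinEssential", "keyhost.exe"),
    (ABOUT, "Enter:your:search:keywords:here", "keyhost.htm"),
] + [(REDIR, name, None) for name in ("version", "sys", "lastdate")]

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    return re.sub(r"\\(.)", r"\1", s)  # .reg text escapes \ and " with a backslash

def parse_reg(text):
    """Yield (key, value name, data) for every string value in .reg export text."""
    key = None
    for line in map(str.strip, text.splitlines()):
        if m := KEY_RE.match(line):
            key = m.group(1)
        elif key and (m := VAL_RE.match(line)):
            yield key, unescape(m.group(1)), unescape(m.group(2))

def find_hits(text):
    """Return parsed entries matching an indicator; comparison is case-insensitive."""
    return [(k, n, d) for k, n, d in parse_reg(text)
            for ik, iname, ifile in INDICATORS
            if k.lower() == ik.lower() and n.lower() == iname.lower()
            and (ifile is None or d.lower().endswith("\\" + ifile))]

# Constructed sample export, not taken from a real system.
SAMPLE = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleApp"="C:\\Program Files\\Example\\app.exe"
"version"="C:\\WINDOWS\\system32\\version.exe"
"WinEssential"="C:\\WINDOWS\\system32\\keyhost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs]
"Enter:your:search:keywords:here"="C:\\WINDOWS\\system32\\keyhost.htm"
[HKEY_LOCAL_MACHINE\SOFTWARE\Redirectkey]
"version"="0"
"lastdate"="0"
'''
```

Calling find_hits(SAMPLE) returns the five matching entries and skips the unrelated "ExampleApp" value.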