Adware.WinFavorites


Updated: February 13, 2007 11:36:37 AM
Type: Adware
Risk Impact: Low
File Names: bridge.exe, winfavorites.exe, bridge.dll, bridge.inf, jao.dll, a.exe
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP


Adware.WinFavorites is an adware program that may have two components: an executable file and a Browser Helper Object.

When Adware.WinFavorites is executed, it does the following:
  1. Attempts to create the files:
    • bridge.dll
    • bridge.inf

  2. May drop the file:

    %System%\a.exe

    Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

  3. Creates one or more of the following registry subkeys:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{9C691A33-7DDA-4C2F-BE4C-C176083F35CF}
    HKEY_LOCAL_MACHINE\Software\Classes\Bridge.brdg
    HKEY_LOCAL_MACHINE\Software\Classes\Bridge.brdg.1
    HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{78e25b5d-78e25b5d-78e25b5d-78e25b5d-78e25b5d}
    HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{80BB7465-A638-43B5-9827-8E8FE38DFCC1}
    HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{9C691A33-7DDA-4C2F-BE4C-C176083F35CF}
    HKEY_LOCAL_MACHINE\Software\Classes\Interface\{4FDBDBAD-FEFE-4C4C-9CC1-1181052AFB12}
    HKEY_LOCAL_MACHINE\Software\Classes\Interface\{B88A3AF1-4F1B-4400-8FFB-3FCB108CE115}
    HKEY_LOCAL_MACHINE\Software\Classes\Jao.jao
    HKEY_LOCAL_MACHINE\Software\Classes\Jao.jao.1
    HKEY_LOCAL_MACHINE\Software\Classes\TypeLib\{C094876D-1B0E-46FA-B6A6-7FFc0F970c27}
    HKEY_LOCAL_MACHINE\Software\Classes\TypeLib\{DDAF2479-6F00-4599-998A-3ED75686C6D0}
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\UNinstall\bridge
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\bridge

  4. Adds one of the following values:

    "mswpl" = "[FILE NAME OF ADWARE]"
    "RunDLL" = "rundll32.exe "C:\WINNT\System32\bridge.dll",Load"
    "Systray" = "[PATH TO ADWARE FILE]"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    so that the adware runs when Windows starts.

  5. Attempts to download files from the flingstone.com domain.
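
A defender-side check for the two startup points listed above (the Run values in step 4 and the Browser Helper Object subkey in step 3), given here as an added example that is not part of the original write-up. It scans registry text in .reg export format; the sample export, the function names and the "run-review" label are constructed for illustration.

```python
import re

# Load points from steps 3 and 4 above; registry paths compare case-insensitively.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
BHO_KEY = (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion"
           r"\explorer\Browser Helper Objects\{9C691A33-7DDA-4C2F-BE4C-C176083F35CF}")
RUN_NAMES = {"mswpl", "rundll", "systray"}
# Executable names from the File Names field; the lookarounds keep "a.exe"
# from matching inside longer names such as "java.exe".
FILE_RE = re.compile(
    r"(?<![\w.])(?:bridge\.(?:exe|dll)|winfavorites\.exe|jao\.dll|a\.exe)(?![\w.])",
    re.IGNORECASE)

def parse_reg(text):
    """Yield (key, name, data) from decoded .reg text; name is None for a key header."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            yield key, None, None
        elif key and (m := re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)):
            yield key, m.group(1), m.group(2)

def find_load_points(text):
    """Return (kind, detail) hits: 'bho', 'run' (name and file match) or 'run-review'."""
    hits = []
    for key, name, data in parse_reg(text):
        if name is None:
            if key.lower() == BHO_KEY.lower():
                hits.append(("bho", key))
        elif key.lower() == RUN_KEY.lower() and name.lower() in RUN_NAMES:
            # A value name alone is weak evidence; a listed file name in the data is strong.
            hits.append(("run" if FILE_RE.search(data) else "run-review", name))
    return hits

# Constructed sample export (not taken from a real system).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RunDLL"="rundll32.exe \"C:\\WINNT\\System32\\bridge.dll\",Load"
"Systray"="C:\\Program Files\\Java\\java.exe"
"Updater"="C:\\Tools\\updater.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9C691A33-7DDA-4C2F-BE4C-C176083F35CF}]
'''

if __name__ == "__main__":
    for kind, detail in find_load_points(SAMPLE):
        print(kind, detail)
```

A "run-review" hit means only the value name matched, so the data should be inspected by hand before treating it as this adware.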

