Adware.Conspy

Updated: February 13, 2007 11:36:41 AM
Type: Adware
Risk Impact: Medium
File Names: waol.exe; editpad.exe
Systems Affected: Windows 2000, Windows NT, Windows Server 2003, Windows XP

When Adware.Conspy is executed, it performs the following actions:
  1. Copies itself to %Windir%.


    Note: %Windir% is a variable. The adware locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.

  2. Attempts to add the values:
    • "Quicken"="%Windir%\Waol.exe"
    • "Editpad"="%Windir%\Editpad.exe"

      to the registry key:

      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

  3. Attempts to contact the server conf.conspy.com to download updates and configuration files.
    The URLs it accesses include:
    • http:/ /conf.conspy.com/quicken_update.php
    • http:/ /conf.conspy.com/winrar_update.php
    • http:/ /conf.conspy.com/popset.php
    • http:/ /conf.conspy.com/waol.exe
    • http:/ /conf.conspy.com/editpad.exe
    • http:/ /conf.conspy.com/editpad.rsf.php
    • http:/ /conf.conspy.com/resource_update.php

  4. If it fails to contact the server, it will wait 60 seconds and then try again.

  5. Decrypts editpad.rsf.php and takes a URL from the result.

  6. Adds links to Internet Explorer's "Favorites." These URLs are taken from the decryption of editpad.rsf.php.

  7. Adds the value:

    "Search Page" = "<URL decrypted from editpad.rsf.php>"

    to the registry key:

    HKEY_LOCAL_MACHINE\Microsoft\Internet Explorer\Main\

  8. Adds the value:

    "Search Bar" = "<URL decrypted from editpad.rsf.php>"

    to the registry key:

    HKEY_LOCAL_MACHINE\Microsoft\Internet Explorer\Main\

  9. Adds the value:

    "Start Page" = "<URL decrypted from editpad.rsf.php>"

    to the registry key:

    HKEY_LOCAL_MACHINE\Microsoft\Internet Explorer\Main\

  10. Adds the value:

    "SearchURL" = "<URL decrypted from editpad.rsf.php>"

    to the registry key:

    HKEY_LOCAL_MACHINE\Microsoft\Internet Explorer\

  11. Adds the value:

    "SearchAssistant" = "<URL decrypted from editpad.rsf.php>"

    to the registry key:

    HKEY_LOCAL_MACHINE\Microsoft\Internet Explorer\Search\
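
As an added detection example (not Symantec's code), the Python below parses a registry export and reports the Run-key values from step 2 and the Internet Explorer settings from steps 7 to 11. The sample export, the function names and the suffix matching of key paths are assumptions made for illustration.

```python
import ntpath
import re
# Indicators from the write-up above; key paths are compared in lower case.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
RUN_VALUES = {"quicken": "waol.exe", "editpad": "editpad.exe"}
# IE settings the adware sets; matched by key-path suffix (assumption).
IE_VALUES = {
    r"\microsoft\internet explorer\main": {"search page", "search bar", "start page"},
    r"\microsoft\internet explorer": {"searchurl"},
    r"\microsoft\internet explorer\search": {"searchassistant"},
}
STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# Constructed sample export, not taken from a real machine.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Quicken"="C:\\WINDOWS\\Waol.exe"
"Editpad"="C:\\WINDOWS\\Editpad.exe"
"Backup"="C:\\Tools\\backup.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://example.invalid/"
'''

def parse_reg_export(text):
    """Parse string values from .reg export text into {key: {name: value}}."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].rstrip("\\"), {})
        elif current is not None and (m := STRING_VALUE.match(line)):
            # Undo .reg escaping (\\ and \") in both the name and the data.
            name, value = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
            current[name] = value
    return keys

def find_indicators(keys, windir=r"C:\Windows"):
    """Return (kind, key, name, value) tuples for entries the write-up lists."""
    hits = []
    for key, values in keys.items():
        low = key.lower()
        ie_names = {n for s, ns in IE_VALUES.items() if low.endswith(s) for n in ns}
        for name, value in values.items():
            exe = value.strip('"').lower()
            if (low == RUN_KEY and RUN_VALUES.get(name.lower()) == ntpath.basename(exe)
                    and ntpath.dirname(exe) == windir.lower()):
                hits.append(("persistence", key, name, value))
            elif low.startswith("hkey_local_machine") and name.lower() in ie_names:
                hits.append(("review-ie-setting", key, name, value))
    return hits
```

The Internet Explorer values also exist on clean systems, so those hits are reported for review of the configured URL rather than as a verdict.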

