||||
Symantec.com > Security Response > Threats and Risks > Adware.Conspy
PRINT THIS PAGE

Adware.Conspy

Printer Friendly Page

Updated: February 13, 2007 11:36:41 AM
Type: Adware
Risk Impact: Medium
File Names: waol.exe; editpad.exe
Systems Affected: Windows 2000, Windows NT, Windows Server 2003, Windows XP


When Adware.Conspy is executed, it performs the following actions:
  1. Copies itself to %Windir%.

    Note: %Windir% is a variable. The adware locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.

  2. Attempts to add the values:
    • "Quicken"="%Windir%\Waol.exe"
    • "Editpad"="%Windir%\Editpad.exe"

      to the registry key:

      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

  3. Attempts to contact the server, conf.conspy.com, to download the updates and configuration files.
    The URLs it accesses include:
    • http:/ /conf.conspy.com/quicken_update.php
    • http:/ /conf.conspy.com/winrar_update.php
    • http:/ /conf.conspy.com/popset.php
    • http:/ /conf.conspy.com/waol.exe
    • http:/ /conf.conspy.com/editpad.exe
    • http:/ /conf.conspy.com/editpad.rsf.php
    • http:/ /conf.conspy.com/resource_update.php

  4. If it fails to contact the server, it will wait 60 seconds and then try again.

  5. Takes a URL from a decryption of editpad.rsf.php.

  6. Adds links to Internet Explorer's "Favorites." These URLs are taken from the decryption of editpad.rsf.php.

  7. Adds the value:

    "Search Page" = "<URL decrypted from editpad.rsf.php>"

    to the registry key:

    HKEY_LOCAL_MACHINE\Microsoft\Internet Explorer\Main\
  8. Adds the value:

    "Search Bar" = "<URL decrypted from editpad.rsf.php>"

    to the registry key:

    HKEY_LOCAL_MACHINE\Microsoft\Internet Explorer\Main\
  9. Adds the value:

    "Start Page" = "<URL decrypted from editpad.rsf.php>"

    to the registry key:

    HKEY_LOCAL_MACHINE\Microsoft\Internet Explorer\Main\
  10. Adds the value:

    "SearchURL" = "<URL decrypted from editpad.rsf.php>"

    to the registry key:

    HKEY_LOCAL_MACHINE\Microsoft\Internet Explorer\
  11. Adds the value:

    "SearchAssistant" = "<URL decrypted from editpad.rsf.php>"

    to the registry key:

    HKEY_LOCAL_MACHINE\Microsoft\Internet Explorer\Search\


Search by name
Example: W32.Beagle.AG@mm
Limited Time Offers! Save up to 50%
Windows Vista Security
©1995 - 2009 Symantec Corporation
Site Map|
Legal Notices|
Privacy Policy|
|
Contact Us|
Global Sites|
License Agreements|
RSS