Adware.Replace


Updated: February 13, 2007 11:36:48 AM
Type: Adware
Risk Impact: Medium
File Names: 1.01.00.dll, Services.exe
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP


When Adware.Replace is executed, it performs the following actions:
  1. Creates the following files:
    • %System%\Services\Services.exe
    • 1.01.00.dll


      Note: %System% is a variable. The adware locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

  2. Modifies the value:

    "xpsystem"="%system%\Services\Services.exe"

    in the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  3. Modifies the Win.ini file by adding these lines in the [windows] section:

    run=%system%\Services\Services.exe
    load=%system%\Services\Services.exe

  4. Adds the following section to the System.ini file:

    [windows]
    run=%system%\Services\Services.exe
    load=%system%\Services\Services.exe

  5. Registers 1.01.00.dll as a Browser Helper Object (BHO).

  6. Attempts to update itself from the Web. The update mechanism can also be used to instruct the adware to download and execute other files, modify the registry, or add a site to Internet Explorer's list of trusted sites.

  7. Displays pop-up advertisements when visiting search engines with Internet Explorer.
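
A triage check for the persistence entries listed in steps 2 to 4, added here as an example (it is not part of the original writeup). It assumes Win.ini, System.ini and a text export of the Run key have already been collected and decoded to text; the `scan` helper and the sample inputs are constructed for illustration.

```python
import re

# Registry key, value name and file path below come from the writeup.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
# The tail "\Services\Services.exe" separates the adware's copy from the
# genuine %System%\services.exe, which has no "Services" subfolder.
TARGET = re.compile(r"\\services\\services\.exe", re.IGNORECASE)
# (section, value name) pairs the writeup lists as modified.
WATCHED = {("windows", "run"), ("windows", "load"), (RUN_KEY, "xpsystem")}


def scan(text, source):
    """Scan INI or .reg export text; return (source, line, section, name, value)."""
    findings, section = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        name, sep, value = line.partition("=")
        if not sep or line.startswith(";"):
            continue
        # .reg exports quote names/values and double backslashes; INI does not.
        name = name.strip().strip('"').lower()
        value = value.strip().strip('"').replace("\\\\", "\\")
        if (section, name) in WATCHED and TARGET.search(value):
            findings.append((source, lineno, section, name, value))
    return findings


# Constructed sample artifacts (not taken from a real host).
WIN_INI = """[windows]
run=C:\\Windows\\System32\\Services\\Services.exe
load=C:\\Windows\\System32\\Services\\Services.exe
[fonts]
"""
CLEAN_INI = "[windows]\nload=\nrun=C:\\Windows\\System32\\services.exe\n"
RUN_REG = (
    "Windows Registry Editor Version 5.00\n\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]\n"
    '"xpsystem"="C:\\\\Windows\\\\System32\\\\Services\\\\Services.exe"\n'
    '"ctfmon"="C:\\\\Windows\\\\System32\\\\ctfmon.exe"\n'
)

if __name__ == "__main__":
    for src, txt in [("win.ini", WIN_INI), ("system.ini", CLEAN_INI), ("run.reg", RUN_REG)]:
        for finding in scan(txt, src):
            print(finding)
```

A hit only shows that an entry points at the path from this writeup; the BHO registration in step 5 is not covered by this check.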

