
Adware.Raxums

Updated: February 13, 2007 11:36:50 AM
Type: Adware
Risk Impact: Low
File Names: varies; sys.reg
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When Adware.Raxums is executed, it performs the following actions:
  1. Deletes Internet Explorer's cached files.

  2. Adds links to Internet Explorer's Favorites folder.

  3. Attempts to download, decrypt, and execute a file from 81.211.105.36.

  4. Modifies the values:
    • "Start Page"="http:/ /%62%6A%76%76%68%6B%2E%74%2E%6D%75%78%61%2E%63%63/%68%2E%70%68%70?%61%69%64=33"
    • "HOMEOldSP"="http:/ /%62%6A%76%76%68%6B%2E%74%2E%6D%75%78%61%2E%63%63/%68%2E%70%68%70?%61%69%64=33"
    • "Search Bar"="http:/ /%62%6A%76%76%68%6B%2E%74%2E%6D%75%78%61%2E%63%63/%73%2E%70%68%70?%61%69%64=33"
    • "Search Page"="http:/ /%62%6A%76%76%68%6B%2E%74%2E%6D%75%78%61%2E%63%63/%73%2E%70%68%70?%61%69%64=33"

      in the registry key:

      HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main

  5. Modifies the values:
    • "Start Page"="http:/ /%62%6A%76%76%68%6B%2E%74%2E%6D%75%78%61%2E%63%63/%68%2E%70%68%70?%61%69%64=33"
    • "HOMEOldSP"="http:/ /%62%6A%76%76%68%6B%2E%74%2E%6D%75%78%61%2E%63%63/%68%2E%70%68%70?%61%69%64=33"
    • "Search Bar"="http:/ /%62%6A%76%76%68%6B%2E%74%2E%6D%75%78%61%2E%63%63/%73%2E%70%68%70?%61%69%64=33"
    • "Search Page"="http:/ /%62%6A%76%76%68%6B%2E%74%2E%6D%75%78%61%2E%63%63/%73%2E%70%68%70?%61%69%64=33"

      in the registry key:

      HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

  6. Modifies the value:

    "SearchAssistant"="http:/ /%62%6A%76%76%68%6B%2E%74%2E%6D%75%78%61%2E%63%63/%73%2E%70%68%70?%61%69%64=33"

    in the registry key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main

  7. Modifies the value:

    "SearchAssistant"="http:/ /%62%6A%76%76%68%6B%2E%74%2E%6D%75%78%61%2E%63%63/%73%2E%70%68%70?%61%69%64=33"

    in the registry key:

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

  8. Modifies the value:

    "PrivacyAdvanced"="1"

    in the registry key:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings

  9. Drops the file %Windir%\sys.reg.

    Note: %Windir% is a variable. The adware locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.

  10. Adds the value:

    "sys"="regedit -s sys.reg"

    to the registry key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    so that if the created registry keys are deleted, they are recreated when the computer is restarted.
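As an added triage example (not part of the Symantec writeup), the Python below parses a .reg export of the kind the dropped sys.reg would be, decodes the percent-encoded Internet Explorer start/search-page URLs so the real host is visible, and flags a Run value that silently re-imports a .reg file. The sample .reg text is constructed from the values listed above; the page does not show the real contents of sys.reg.

```python
import re
from urllib.parse import unquote

# Constructed .reg text (the writeup does not show sys.reg's real contents);
# it only reproduces values the writeup lists.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://%62%6A%76%76%68%6B%2E%74%2E%6D%75%78%61%2E%63%63/%68%2E%70%68%70?%61%69%64=33"
"Search Bar"="http://%62%6A%76%76%68%6B%2E%74%2E%6D%75%78%61%2E%63%63/%73%2E%70%68%70?%61%69%64=33"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"sys"="regedit -s sys.reg"
'''

IE_MAIN_SUFFIX = r"\software\microsoft\internet explorer\main"
RUN_SUFFIX = r"\software\microsoft\windows\currentversion\run"
HIJACK_VALUES = {"start page", "homeoldsp", "search bar", "search page", "searchassistant"}
# "name"="data" lines; .reg string data escapes backslash and quote with a backslash
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)+)"="((?:[^"\\]|\\.)*)"$')
# regedit /s or -s imports a .reg file silently, the persistence trick used here
SILENT_IMPORT_RE = re.compile(r"\bregedit(?:\.exe)?\b.*\s[-/]s\b", re.I)


def parse_reg(text):
    """Yield (key, name, data) for every string value in a .reg export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_RE.match(line)):
            name, data = (re.sub(r"\\(.)", r"\1", s) for s in m.groups())
            yield key, name, data

def scan_reg(text):
    """Flag IE start/search-page hijacks and regedit-based Run persistence."""
    findings = []
    for key, name, data in parse_reg(text):
        k = key.lower()
        if k.endswith(IE_MAIN_SUFFIX) and name.lower() in HIJACK_VALUES:
            url = unquote(data)  # the writeup's URLs are percent-encoded to hide the host
            findings.append({"kind": "ie_hijack", "key": key, "name": name,
                             "url": url, "obfuscated": url != data})
        elif k.endswith(RUN_SUFFIX) and SILENT_IMPORT_RE.search(data):
            findings.append({"kind": "reg_persistence", "key": key,
                             "name": name, "command": data})
    return findings
```

Running `scan_reg(SAMPLE_REG)` reports two obfuscated hijack values resolving to the same host plus the Run entry; a real export from an infected machine can be fed in the same way.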
