Adware.FavoriteMan

Updated: February 13, 2007 11:37:05 AM
Type: Adware
Risk Impact: Medium
File Names: casldr.exe casldr.dll favorite.dll favman.dll favboot.dll ofrg.dll im64.dll ss32.dll ATPartn
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP


Adware.FavoriteMan may download the following risks:

When Adware.FavoriteMan is installed it performs the following actions:
  1. Creates some of the following files:

    • %System%\casldr.dll
    • %System%\ATPartners.dll
    • %System%\im64.dll
    • %System%\lstb4drc.dll
    • %System%\lstb4drc.exe
    • %System%\pavb1u2.exe
    • %UserProfile%\Favorites\AT-Games\Big Fish Games.url
    • %UserProfile%\Favorites\AT-Games\FlyorDieGames.url
    • %UserProfile%\Favorites\AT-Games\GameHouse Games.url

      Note:
    • %System% is a variable. The program locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
    • %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).

  2. Installs itself as a Browser Helper Object.

  3. Depending on which version is installed in the computer, it may create some of the following registry subkeys:

    HKEY_CLASSES_ROOT\F1.Organizer
    HKEY_CLASSES_ROOT\F1.Organizer.1
    HKEY_CLASSES_ROOT\Ro_tater.Class1
    HKEY_CLASSES_ROOT\NewFavorite.FavoriteMan
    HKEY_CLASSES_ROOT\NewFavorite.FavoriteMan.1
    HKEY_CLASSES_ROOT\CLSID\{00000EF1-0786-4633-87C6-1AA7A44296DA}
    HKEY_CLASSES_ROOT\CLSID\{EF100007-F409-426A-9E7C-CB211F2A9786}
    HKEY_CLASSES_ROOT\CLSID\{EBBD88E5-C372-469D-B4C5-1FE00352AB9B}
    HKEY_CLASSES_ROOT\CLSID\{A61BF823-2770-4038-9D26-348CAA0AC7A3}
    HKEY_CLASSES_ROOT\TypeLib\{EB5E961F-F519-303C-9744-0D4376B1B0B5}
    HKEY_CLASSES_ROOT\TypeLib\{EF100007-F409-426A-9E7C-CB211F2A9786}
    HKEY_CLASSES_ROOT\TypeLib\{3F44A502-E104-4D3B-95EC-C3B886E25A16}
    HKEY_CLASSES_ROOT\Interface\{6BDAB517-CC58-4AA1-9FA4-B645D4AFDB5C}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EBBD88E5-C372-469D-B4C5-1FE00352AB9B}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000EF1-0786-4633-87C6-1AA7A44296DA}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DMO
    HKEY_ALL_USERS\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DMO
  4. It may also add the following values:

    "Server" = "www.f1organizer/[REMOVED]/.com"
    "Counter" = "0x00000002"
    "Object" = "/F1/audit/DMORG3/Cmd4F1_a1bin0us_Upd2.txt"


    to the registry subkey:

    HKEY_ALL_USERS\SOFTWARE\Microsoft\Windows
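
A triage check built from the indicators above, as an added example that is not part of the original write-up: it looks for the two listed Browser Helper Object CLSIDs in the text of a registry export and for the listed file names in the default %System% folders. The function names, the .reg export input format and the sample data are assumptions made for illustration.

```python
import re

# Indicators copied from the write-up above (BHO CLSIDs and dropped file names).
BHO_CLSIDS = {"{EBBD88E5-C372-469D-B4C5-1FE00352AB9B}",
              "{00000EF1-0786-4633-87C6-1AA7A44296DA}"}
SYSTEM_FILES = {"casldr.dll", "atpartners.dll", "im64.dll",
                "lstb4drc.dll", "lstb4drc.exe", "pavb1u2.exe"}
# Default %System% locations given in the write-up's note.
SYSTEM_DIRS = {r"c:\windows\system", r"c:\winnt\system32", r"c:\windows\system32"}
BHO_KEY = (r"hkey_local_machine\software\microsoft\windows\currentversion"
           r"\explorer\browser helper objects")
GUID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)

def find_bho_hits(reg_export_text):
    """Return the listed BHO CLSIDs that appear as subkeys in .reg export text."""
    hits = set()
    for line in reg_export_text.splitlines():
        key = line.strip().lower()
        # Only key headers under the BHO key count, not values or other keys.
        if key.startswith("[" + BHO_KEY + "\\") and key.endswith("]"):
            hits.update(g.upper() for g in GUID_RE.findall(key)
                        if g.upper() in BHO_CLSIDS)
    return sorted(hits)

def find_file_hits(paths):
    """Return paths that sit in a default %System% folder and carry a listed name."""
    hits = []
    for p in paths:
        folder, _, name = p.lower().rpartition("\\")
        if folder in SYSTEM_DIRS and name in SYSTEM_FILES:
            hits.append(p)
    return hits

# Constructed sample input, not taken from a real machine.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ebbd88e5-c372-469d-b4c5-1fe00352ab9b}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]
"""
SAMPLE_PATHS = [r"C:\WINDOWS\system32\casldr.dll", r"C:\Temp\im64.dll",
                r"C:\WINNT\System32\notepad.exe"]

if __name__ == "__main__":
    print(find_bho_hits(SAMPLE_REG), find_file_hits(SAMPLE_PATHS))
```

Registry Editor version 5.00 exports are UTF-16 encoded, so decode the file before passing its text to `find_bho_hits`.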

