As of this writing, Symantec Security Response has received a submission of a .dll file that is one component of Adware.Look2Me. The file name appears to be random and may vary. We have not received a submission of the file that actually installs this .dll file.
If this .dll file is executed, it may register itself as a Browser Helper Object (BHO) in Internet Explorer, or it may install itself directly as a Winlogon notification package through the Winlogon\Notify registry keys listed below. The CLSID key that the BHO adds to the registry will vary, but it will always begin with {DDFFA75A-.
The adware component performs some or all of the following actions:
- Creates the following file:
- %System%\[RANDOM NAME].dll
Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
- Adds one or more of the following registry keys and values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Guardian\"ID"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Guardian\"Idex"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\"[CLSID VALUE]"
- May add the values:
"(Default)" = ""
"IDEX" = "AD"
"InProcServer32\(Default)" = "[PATH TO %System%\[RANDOM NAME].DLL]"
"InProcServer32\ThreadingModel" = "Apartment"
to the registry subkey:
HKEY_CLASSES_ROOT\CLSID\[RANDOM CLSID KEY]
- May add the values:
"Asynchronous" = "0"
"DllName" = "[PATH TO %System%\[RANDOM NAME].DLL]"
"Impersonate" = "0"
"Logoff" = "WinLogoff"
"Logon" = "WinLogon"
"Shutdown" = "WinShutdown"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Run
so that winlogon.exe loads the .dll as a Winlogon notification package and calls its WinLogon, WinLogoff, and WinShutdown exports at every logon, logoff, and shutdown. Because the .dll is loaded into winlogon.exe, it is in use from early in the boot process and cannot be deleted while Windows is running normally.
- Uses HTTP or FTP to download executables from a Web site, and then runs them.
Note: These could be updates or components of other adware.
- Opens advertisements in Internet Explorer.
- May change the Internet Explorer home page by modifying the following registry value:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
- Deletes the following registry key, which holds the registrations of all installed BHOs. Removing it deregisters every BHO on the system, including any security or anti-spyware add-ons, so that they no longer load in Internet Explorer:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
- May monitor the Web sites that the user visits and send this information to www.look2me.com.
- May create a Web page locally and make that page the default search page.
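The indicators above can be checked offline against a registry export taken from a suspect machine (regedit, or reg export from the command line). The following Python script is an added example written for this page, not Symantec's code or part of the original writeup. The sample export, the DLL name kqjxd32.dll and the CLSID {DDFFA75A-0000-4A1B-8C2D-3E4F5A6B7C8D} are constructed to match the patterns the writeup describes, and the crypt32chk entry is included only as a benign contrast; the heuristic that a stock Notify package gives a bare DLL name rather than a full path is an assumption for analyst review, not a rule from the writeup.

```python
"""Offline triage of a 'reg export' (.reg) file for the Adware.Look2Me registry indicators in the writeup.
Added example, not Symantec's code; the sample export below is constructed (DLL name and CLSID invented)."""
import re
from typing import Dict, List, Tuple

RegKeys = Dict[str, Dict[str, str]]  # key path -> {value name -> decoded data}
NOTIFY_PREFIX = "hkey_local_machine\\software\\microsoft\\windows nt\\currentversion\\winlogon\\notify\\"
CLSID_PREFIX = "hkey_classes_root\\clsid\\"
APPROVED_KEY = "hkey_local_machine\\software\\microsoft\\windows\\currentversion\\shell extensions\\approved"
EXPLORER_KEY = "hkey_local_machine\\software\\microsoft\\windows\\currentversion\\explorer"
BHO_KEY = EXPLORER_KEY + "\\browser helper objects"
LOOK2ME_CLSID_PREFIX = "{ddffa75a-"  # the writeup: the BHO's CLSID always begins with {DDFFA75A-

# Constructed sample: a stock-looking Notify package for contrast, then the pattern the writeup lists.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chk]
"DLLName"="crypt32.dll"
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Run]
"DllName"="C:\\WINDOWS\\system32\\kqjxd32.dll"
"Logoff"="WinLogoff"
"Logon"="WinLogon"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{DDFFA75A-0000-4A1B-8C2D-3E4F5A6B7C8D}"=""

[HKEY_CLASSES_ROOT\CLSID\{DDFFA75A-0000-4A1B-8C2D-3E4F5A6B7C8D}]
@=""
"IDEX"="AD"

[HKEY_CLASSES_ROOT\CLSID\{DDFFA75A-0000-4A1B-8C2D-3E4F5A6B7C8D}\InProcServer32]
@="C:\\WINDOWS\\system32\\kqjxd32.dll"
'''

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')  # "name"=data, or @=data for the default value


def parse_reg_export(text: str) -> RegKeys:
    """Map each [key] to its values; "..." data is unescaped, dword:/hex: data kept raw, other lines skipped."""
    keys: RegKeys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := _KEY_RE.match(line)):
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        if (m := _VALUE_RE.match(line)) and current is not None:
            data = m.group(2)
            if len(data) >= 2 and data[0] == '"' == data[-1]:
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            keys[current][m.group(1) if m.group(1) is not None else "(Default)"] = data
    return keys


def _ci(mapping, name):
    """Case-insensitive lookup: registry key paths and value names are not case-sensitive."""
    return next((v for k, v in mapping.items() if k.lower() == name), None)


def suspicious_notify_packages(keys: RegKeys) -> List[Tuple[str, str, List[str]]]:
    """Winlogon Notify packages matching the writeup: DllName is a full path into the System folder (assumption:
    stock packages normally give a bare DLL name) and/or the exports are WinLogon/WinLogoff/WinShutdown."""
    hits = []
    for key, values in keys.items():
        package = key[len(NOTIFY_PREFIX):]
        if not key.lower().startswith(NOTIFY_PREFIX) or "\\" in package:
            continue
        dll, reasons = _ci(values, "dllname") or "", []
        if "\\system32\\" in dll.lower() or "\\system\\" in dll.lower():
            reasons.append("DllName is a full path into the System folder")
        if tuple(_ci(values, n) for n in ("logon", "logoff", "shutdown")) == ("WinLogon", "WinLogoff", "WinShutdown"):
            reasons.append("Logon/Logoff/Shutdown exports match the writeup")
        if reasons:
            hits.append((package, dll, reasons))
    return hits


def look2me_clsids(keys: RegKeys) -> Dict[str, str]:
    """CLSIDs under HKCR\\CLSID beginning with {DDFFA75A-, mapped to their InProcServer32 DLL ('' if absent)."""
    found: Dict[str, str] = {}
    for key, values in keys.items():
        clsid, _, sub = key[len(CLSID_PREFIX):].partition("\\")
        if key.lower().startswith(CLSID_PREFIX) and clsid.lower().startswith(LOOK2ME_CLSID_PREFIX):
            found.setdefault(clsid.upper(), "")
            if sub.lower() == "inprocserver32":
                found[clsid.upper()] = _ci(values, "(default)") or ""
    return found


def approved_shell_extensions(keys: RegKeys) -> List[str]:
    """{DDFFA75A-...} entries on the Shell Extensions\\Approved list, which the writeup says the adware adds."""
    return [n.upper() for n in (_ci(keys, APPROVED_KEY) or {}) if n.lower().startswith(LOOK2ME_CLSID_PREFIX)]


def bho_key_missing(keys: RegKeys) -> bool:
    """True when the export covers Explorer but its Browser Helper Objects subkey is gone, as after the
    deletion the writeup describes. Weak evidence on its own; weigh it with the other indicators."""
    return _ci(keys, EXPLORER_KEY) is not None and _ci(keys, BHO_KEY) is None
```

To run it against a real export, read the file with encoding="utf-16", since regedit and reg export write UTF-16 with a byte-order mark, and export at least HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify, HKCR\CLSID, and HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer; the Browser Helper Objects check only reports a missing key when the Explorer key itself is present in the export. A Notify package whose DllName is a full path should be examined rather than deleted on sight, since third-party software can register one legitimately; the {DDFFA75A- prefix and the WinLogon/WinLogoff/WinShutdown export names are the stronger indicators.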