Adware.Slagent


Updated: February 13, 2007 11:37:15 AM
Type: Adware
Risk Impact: High
File Names: mslagent.exe, 2_mslagent.dll, navpmc.exe, 2_navpmc.dll, uninstaller.exe
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP


When Adware.Slagent is executed, it attempts to perform the following actions:
  1. May create the %Windir%\mslagent folder, and then drop the following files within it:
    • mslagent.exe
    • uninstall.exe
    • 2_mslagent.dll (A zero-byte file.)

  2. May create the %Windir%\navmpc folder and drop the following files:

    • 2_info_persist
    • 2_navpmc.dll
    • acknowledged.mc2
    • CompManagerPersist.mc2
    • except.mc2
    • navpmc.exe
    • OrderPersist.mc2
    • TimePersist
    • uninstall.exe


      Note: %Windir% is a variable. The Adware component locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and creates a folder at that location.

  3. May create the following copies of itself:

    • %System%\msegcompid.dll
    • %System%\msklive.dll


      Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).


  4. May add the values:

    "mslagent" = "%windir%\mslagent\mslagent.exe"
    "mslagent" = "%windir%\navpmc\navpmc.exe"

    to one of the following registry subkeys:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

    so that the adware runs every time Windows starts.

  5. May create one or more of the following registry subkeys:

    HKEY_CLASSES_ROOT\CLSID\{4A6FA2EB-F381-4503-87D0-BE4CC57DEB8E}
    HKEY_CLASSES_ROOT\CLSID\{75A603E7-8BB7-4272-ABBE-9846FF1241C1}
    HKEY_CLASSES_ROOT\CLSID\{DE614603-6320-4046-A7A7-6A69CEC26F14}
    HKEY_CLASSES_ROOT\CLSID\{D7A82A12-05F5-42D8-B30D-6EF995075D2D}
    HKEY_CLASSES_ROOT\Interface\{1EF28CC5-8D97-4310-B71B-CA34EE15B897}
    HKEY_CLASSES_ROOT\Interface\{43CDAD65-AA0D-4701-8108-117F86613B69}
    HKEY_CLASSES_ROOT\Interface\{510C3373-4842-4944-8729-0AFF6725A132}
    HKEY_CLASSES_ROOT\Interface\{6D3F48F4-B40A-4C3F-A95C-85E23C3A8A91}
    HKEY_CLASSES_ROOT\TypeLib\{5630B768-1C09-4105-9E03-E35985E36B0B}
    HKEY_CLASSES_ROOT\TypeLib\{82C0673C-F1D1-47BA-B904-AB0DE82300BC}
    HKEY_CLASSES_ROOT\TypeLib\{BA49BD6A-039C-428E-AF33-8C1288D75A7B}
    HKEY_CLASSES_ROOT\TypeLib\{CA72BD3D-6044-4429-8C9A-76D90F4B29A8}
    HKEY_CLASSES_ROOT\MagicControl.MagicComponent
    HKEY_CLASSES_ROOT\MagicControl.MagicComponent.1
    HKEY_CLASSES_ROOT\mslagent.3
    HKEY_CLASSES_ROOT\mslagent.3.1
    HKEY_CLASSES_ROOT\NaviHelper.NaviHelperObject
    HKEY_CLASSES_ROOT\NaviHelper.NaviHelperObject.1
    HKEY_CLASSES_ROOT\NaviPromo.EGNaviScoring
    HKEY_CLASSES_ROOT\NaviPromo.EGNaviScoring.1
    HKEY_LOCAL_MACHINE\Software\mc

  6. May create one or more of the following registry subkeys:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\mslagent
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\navmpc


  7. Attempts to verify the availability of an Internet connection by contacting a predefined Web site.

  8. May download additional components from the Internet without notifying the user. This activity is described in the EULA.
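
A triage check for the registry indicators in steps 4 and 6, added here as an example and not part of the original write-up: it scans the decoded text of a regedit .reg export for the "mslagent" Run values and the two Uninstall subkeys. The function names and the sample export are constructed for illustration; it assumes the export has already been decoded to text (regedit writes version 5.00 exports as UTF-16).

```python
import re

# Indicators from steps 4 and 6 above, lower-cased; names spelled as on the page.
CV = r"\software\microsoft\windows\currentversion"
RUN_KEYS = {h + CV + r"\run" for h in ("hkey_local_machine", "hkey_current_user")}
RUN_NAME = "mslagent"
RUN_TAILS = (r"\mslagent\mslagent.exe", r"\navpmc\navpmc.exe")
UNINSTALL_KEYS = {"hkey_local_machine" + CV + "\\uninstall\\" + n
                  for n in ("mslagent", "navmpc")}

def _decode(raw):
    """Return the text of a REG_SZ ("...") or REG_EXPAND_SZ (hex(2):) value."""
    if raw.startswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:raw.rfind('"')])
    if raw.startswith("hex(2):"):
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b.strip())
        return data.decode("utf-16-le", "replace").rstrip("\x00")
    return ""

def scan_reg_export(text):
    """Return sorted (kind, key, data) hits found in decoded .reg export text."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join hex(2) continuation lines
    hits, key = set(), ""
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            if key in UNINSTALL_KEYS:
                hits.add(("uninstall-key", key, ""))
            continue
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if not m or key not in RUN_KEYS or m.group(1).lower() != RUN_NAME:
            continue
        data = _decode(m.group(2)).lower().strip('"')
        if data.endswith(RUN_TAILS):  # matches %windir% expanded or not
            hits.add(("run-value", key, data))
    return sorted(hits)

# Constructed sample export (not from a real host); the HKCU value is REG_EXPAND_SZ.
_HEX = ",".join(f"{b:02x}" for b in "%windir%\\navpmc\\navpmc.exe\0".encode("utf-16-le"))
SAMPLE = "\n".join([
    "Windows Registry Editor Version 5.00",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]",
    r'"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"',
    r'"mslagent"="C:\\WINDOWS\\mslagent\\mslagent.exe"',
    r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]",
    '"mslagent"=hex(2):' + _HEX[:30] + "\\\n  " + _HEX[30:],
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\navmpc]",
])
```

Calling scan_reg_export(SAMPLE) reports both Run values and the Uninstall subkey; the unrelated "ctfmon" entry is ignored.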

