
Adware.Margoc

Updated:
February 13, 2007 11:37:42 AM
Type:
Adware
Risk Impact:
High
File Names:
restsrv32.sys, restsrv32a.sys, regsvrac32.dll, varies.
Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When Adware.Margoc runs, it performs the following actions:
  1. Creates some of the following files:

    • %System%\restsrv32.sys
    • %Windir%\restsrv32a.sys
    • %System%\regsvrac32.dll
    • %System%\[Random characters].sys
    • %Windir%\[Random characters].sys
    • %System%\[Random characters].dll
    • %UserProfile%\Local Settings\Temp\1fetrov.tmp
    • %UserProfile%\Local Settings\Temp\5ov.tmp
    • %UserProfile%\Local Settings\Temp\5ovis1.tmp
    • %UserProfile%\Local Settings\Temp\5ovis1000.tmp
    • %UserProfile%\Local Settings\Temp\ferro.tmp
    • %UserProfile%\Local Settings\Temp\ferro21.tmp
    • %UserProfile%\Local Settings\Temp\fetrov.tmp
    • %UserProfile%\Local Settings\Temp\fewrro21.tmp
    • %UserProfile%\Local Settings\Temp\gumlj.tmp
    • %UserProfile%\Local Settings\Temp\ironnew.tmp
    • %UserProfile%\Local Settings\Temp\margo.tmp
    • %UserProfile%\Local Settings\Temp\sres32a.tmp
    • %UserProfile%\Local Settings\Temp\sres32b.tmp
    • %UserProfile%\Local Settings\Temp\sres32d.tmp
    • %UserProfile%\Local Settings\Temp\sres32e.tmp
    • %UserProfile%\Local Settings\Temp\svironnew.tmp
    • %UserProfile%\Local Settings\Temp\tretr.tmp
    • %UserProfile%\Local Settings\Temp\vironnew.tmp
    • %UserProfile%\Local Settings\Temp\[Random characters].sys

    Notes:
    • %Windir% is a variable. The adware locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.
    • %System% is a variable. The adware locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
    • %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\<Current User> (Windows NT/2000/XP).

  2. Creates the file %System%\[Random characters].exe.

  3. Adds the value:

    "[Random characters].exe" = "%System%\[Random characters].exe"

    to the registry subkeys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

    so that Adware.Margoc runs the next time Windows starts.

  4. May add the following registry subkeys:

    HKEY_CURRENT_USER\Software\[Random characters]
    HKEY_CURRENT_USER\Software\[Random characters]\symbols
    HKEY_CURRENT_USER\Software\margo

  5. May add the values:

    "fr" = "0"
    "FirstConnected" = "00 00 00 00 00 00 00 00"
    "LastConnected" = "00 00 00 00 00 00 00 00"

    to the registry subkey:

    HKEY_CURRENT_USER\Software\[Random characters]

  6. May add the following registry subkeys:

    HKEY_CLASSES_ROOT\CLSID\{D537A3D0-8C07-4D62-953F-162207F5090D}
    HKEY_CLASSES_ROOT\CLSID\{A78860C8-EE1A-46DF-A97F-E3E6D433E80B}
    HKEY_CLASSES_ROOT\CLSID\{63AC6939-D0EE-48C9-8ED7-F236344B263B}
    HKEY_CLASSES_ROOT\CLSID\{81D66134-ADC3-4C6D-B0A9-03D4EE35B849}
    HKEY_CLASSES_ROOT\CLSID\{A3E9059A-4253-4912-9585-878782F24B80}
    HKEY_CLASSES_ROOT\CLSID\{A5A350A7-C939-467A-9342-D2C8439AC411}
    HKEY_CLASSES_ROOT\CLSID\{FA040B34-FBE9-4BEF-9D85-F90BECAACA99}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D537A3D0-8C07-4D62-953F-162207F5090D}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A78860C8-EE1A-46DF-A97F-E3E6D433E80B}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{63AC6939-D0EE-48C9-8ED7-F236344B263B}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{81D66134-ADC3-4C6D-B0A9-03D4EE35B849}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A3E9059A-4253-4912-9585-878782F24B80}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A5A350A7-C939-467A-9342-D2C8439AC411}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FA040B34-FBE9-4BEF-9D85-F90BECAACA99}

  7. Registers one of the following files as a Browser Helper Object:

    • %System%\Regsvrac32.dll
    • %System%\[Random characters].dll

  8. Queries a Web site for configuration information.

  9. Displays pop-up advertisements when certain Web pages are displayed.

    Note: The remote Web site controls both the content of the advertisements and when they are displayed. At the time of writing, they are triggered by queries to the Google search engine.
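The chain above leaves three registry artifacts that survive a reboot: the RunOnce value (step 3), the fixed BHO CLSIDs (step 6, with the DLL they resolve to in step 7) and the HKCU\Software\margo marker key (step 4). The following Python script is added here as an illustration; it is not part of Symantec's write-up or tooling. It checks for those artifacts offline in the text of a `reg export`, so a suspect machine can be triaged from a copy of its hives. The sample export embedded in it is constructed for the demo: `qzkvlw.exe` stands in for the `[Random characters].exe` name, and `SYSTEM_DIRS` assumes the default install paths given in the notes above.

```python
r"""Offline triage for the Adware.Margoc registry indicators (added example, not Symantec's tooling).

Feed it one or more .reg files exported on the suspect machine, for example:
  reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion" hklm_cv.reg
  reg export HKCU\Software hkcu_sw.reg
  reg export HKCR\CLSID hkcr_clsid.reg
With no arguments it analyses the constructed sample export below.
"""
import re
import sys
from collections import namedtuple

Finding = namedtuple("Finding", "kind key name data")

# CLSIDs the write-up lists for the Margoc Browser Helper Object (step 6).
MARGOC_BHO_CLSIDS = {
    "{D537A3D0-8C07-4D62-953F-162207F5090D}", "{A78860C8-EE1A-46DF-A97F-E3E6D433E80B}",
    "{63AC6939-D0EE-48C9-8ED7-F236344B263B}", "{81D66134-ADC3-4C6D-B0A9-03D4EE35B849}",
    "{A3E9059A-4253-4912-9585-878782F24B80}", "{A5A350A7-C939-467A-9342-D2C8439AC411}",
    "{FA040B34-FBE9-4BEF-9D85-F90BECAACA99}",
}
# Autostart keys used in step 3 (compared case-insensitively).
RUNONCE_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\runonce",
    r"hkey_current_user\software\microsoft\windows\currentversion\runonce",
}
# Assumed expansions of %System% (default install paths from the write-up's notes).
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\winnt\system32", r"c:\windows\system")
SYSTEM_PREFIXES = tuple(d + "\\" for d in SYSTEM_DIRS)

# Constructed sample: what a reg export of an infected box might contain.
# "qzkvlw.exe" is a made-up stand-in for the "[Random characters].exe" name.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"qzkvlw.exe"="C:\\WINDOWS\\system32\\qzkvlw.exe"
"WinUpdateCleanup"="C:\\WINDOWS\\system32\\cleanmgr.exe /autoclean"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D537A3D0-8C07-4D62-953F-162207F5090D}]

[HKEY_CLASSES_ROOT\CLSID\{D537A3D0-8C07-4D62-953F-162207F5090D}\InprocServer32]
@="C:\\WINDOWS\\system32\\regsvrac32.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\margo]
"fr"="0"
"""


def read_reg_file(path):
    """reg.exe writes UTF-16LE with a BOM by default; older exports are ANSI."""
    raw = open(path, "rb").read()
    return raw.decode("utf-16") if raw.startswith(b"\xff\xfe") else raw.decode("cp1252", errors="replace")


def parse_reg_export(text):
    """Map each [key] of a .reg export to its values: {key: {name: data}}.
    Quoted string data is unescaped; hex:/dword: data is kept verbatim and
    hex continuation lines are skipped."""
    value_re = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = value_re.match(line)
        if current is None or not m:
            continue
        name = "(Default)" if m.group(1) is None else m.group(1)
        data = m.group(2)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        keys[current][name] = data
    return keys


def find_margoc_indicators(keys):
    """Return Finding tuples for every Margoc registry artifact present."""
    findings = []
    for path, values in keys.items():
        low = path.lower()
        parts = low.split("\\")
        tail, parent = parts[-1], (parts[-2] if len(parts) > 1 else "")
        # Step 3: a RunOnce value whose name is an .exe and whose data is that same
        # file under %System%. Legitimate RunOnce entries rarely match both.
        if low in RUNONCE_KEYS:
            for name, data in values.items():
                d = data.lower()
                if name.lower().endswith(".exe") and d.startswith(SYSTEM_PREFIXES) \
                        and d.endswith("\\" + name.lower()):
                    findings.append(Finding("runonce", path, name, data))
        # Step 6: one of the fixed CLSIDs, either under HKCR\CLSID or as an IE BHO registration.
        if tail.upper() in MARGOC_BHO_CLSIDS and ("\\clsid\\" in low or "browser helper objects" in low):
            findings.append(Finding("bho_clsid", path, None, None))
        # Step 7: the DLL those CLSIDs load, whatever name it was given on this host.
        if tail == "inprocserver32" and parent.upper() in MARGOC_BHO_CLSIDS:
            findings.append(Finding("bho_dll", path, "(Default)", values.get("(Default)")))
        # Step 4: the marker key.
        if low == r"hkey_current_user\software\margo":
            findings.append(Finding("marker_key", path, None, None))
    return findings


def main(argv):
    text = SAMPLE_REG_EXPORT if len(argv) < 2 else "\n".join(read_reg_file(p) for p in argv[1:])
    for f in find_margoc_indicators(parse_reg_export(text)):
        print(f"{f.kind:10} {f.key}" + (f"  {f.name} = {f.data}" if f.name else ""))


if __name__ == "__main__":
    main(sys.argv)
```

Run it with exported .reg files as arguments, or with none to process the embedded sample. The CLSID checks only catch the GUIDs listed in this write-up, but the `bho_dll` finding reports whatever DLL those CLSIDs resolve to, so it still locates the `[Random characters].dll` variant of step 7. The dropped files and `.tmp` names from step 1 are not inspected here because most of them vary.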