When Adware.Inetex runs, it does the following:
- Copies itself to:
%System%\<random filename>.exe
Note: %System% is a variable. The adware locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
- Adds the subkey:
INETEx
to the registry key:
HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\INETEx
Adware settings are stored in this key.
- Modifies the (Default) value to:
"INETEx"
in the registry key:
HKEY_CLASSES_ROOT\HTTP\shell\open\ddeexec\Application
- Resets the (Default)value to:
WWW_OpenUrl
in the registry key:
HKEY_CLASSES_ROOT\HTTP\shell\open\ddeexec\Topic
- Modifies the (Default)value to:
%System%\<random filename>.exe
in the registry key:
HKEY_CLASSES_ROOT\HTTP\shell\open\command
The effect of the registry modifications described in steps 3 to 5 is to make Adware.Inetex the default browser.
- The Adware.Inetex process remains running in the background.
- If the default browser is called, for example, when a URL is entered into the Start > Run box, Adware.Inetex is called.
Then, the adware opens two windows of the old default browser; one displays the old home page and the other displays an adult Web site.
