Updated: February 13, 2007 11:38:42 AM
Type: Adware
Risk Impact: High
File Names: Services.exe
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
When Adware.FakeMessage is run, it performs the following actions:
- Copies itself as %Windir%\system32\inetsrv\Services.exe.
Note: %Windir% is a variable. The adware locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.
- Adds the values:
"SuperBar.Component" = %Windir%\system32\inetsrv\services.exe
"AdRotator.Application" = %Windir%\system32\inetsrv\services.exe
"{357AA41A-B7A8-4632-A27D-5B980B25CF43}" = %Windir%\system32\inetsrv\services.exe
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the adware will run when Windows starts.
- Displays fake Windows error messages stating that spyware has been detected on the computer and directs the user to download software to remove it. If a user clicks Yes, a browser window will open to [http://]hop.clickbank.net/[REMOVED]/?files/noadware.
Technorati
Digg
Delicious
Reddit
StumbleUpon
Yahoo Buzz
Twitter
Facebook
Newsvine
