
Adware.CDT

Updated: February 13, 2007 11:38:54 AM
Type: Adware
Risk Impact: Medium
File Names: Mediatickets.exe
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When Adware.CDT is executed, it performs the following actions:
  1. Displays pop-up advertisements.

  2. Adds the following domains into the Trusted Sites zone for Internet Explorer:

    blazefind.com
    clickspring.net
    flingstone.com
    mt-download.com
    my-internet.info
    searchbarcash.com
    searchmeup.cc
    searchmiracle.com
    skoobidoo.com
    slotch.com
    xxxtoolbar.com

    by adding the value:

    "*" = "0x00000002"

    to the registry keys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\blazefind.com
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\clickspring.net
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\flingstone.com
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mt-download.com
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\my-internet.info
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchmeup.cc
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchmiracle.com
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\skoobidoo.com
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\slotch.com
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\xxxtoolbar.com
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\blazefind.com
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\clickspring.net
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\flingstone.com
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mt-download.com
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\my-internet.info
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchbarcash.com
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchmeup.cc
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchmiracle.com
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\skoobidoo.com
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\slotch.com
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\xxxtoolbar.com


  3. Adds the IP address, 69.31.87.223, into the Trusted Sites zone for Internet Explorer, by adding the value:

    "*" = "0x00000002"
    ":Range" = "69.31.87.223"


    to the registry keys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1


  4. Allows active content to be downloaded and ActiveX scripts to run, and enables ActiveX controls and plug-ins, by adding the values:

    "MinLevel" = "Code Download"
    "Safety Warning Level" = "SucceedSilent"
    "Security_RunActiveXControls" = "0x01000000"
    "Security_RunScripts" = "0x01000000"
    "Trust Warning Level" = "No Security"


    to the registry keys:

    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings


  5. Allows Internet Explorer to run .NET components regardless of whether they are signed with Authenticode, by adding the values:

    "2001" = "0x00000000"
    "2004" = "0x00000000"


    to the registry key:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2


  6. Attempts to fraudulently install the following trusted publishers:

    CDT inc.
    MediaTickets
    Integrated Search Technologies

    by adding the values:

    "ppcimdnnnjbeahepfabjipfginloedkg egckak" = "CDT inc."
    "goicfboogidikkejccmclpieicihhlpo ejemdn" = "MediaTickets"
    "goicfboogidikkejccmclpieicihhlpo bihgbp" = "Integrated Search Technologies"


    to the registry key:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Trust Database\0
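
An offline check for the zone changes in steps 2, 3 and 5, added here as an example (it is not Symantec's code): it parses the text of a `reg export` file and reports which of the listed Trusted Sites mappings and zone 2 settings are present. The function names and the sample export are constructed for illustration.

```python
import re
# Indicators listed in the write-up: domains and IP placed in Trusted Sites (zone 2).
DOMAINS = set("""blazefind.com clickspring.net flingstone.com mt-download.com
my-internet.info searchbarcash.com searchmeup.cc searchmiracle.com
skoobidoo.com slotch.com xxxtoolbar.com""".split())
TRUSTED_IP = "69.31.87.223"
IS = r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\"

def parse_reg(text):
    """Parse `reg export` text into {key_path: {value_name: value}}."""
    keys, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            cur = keys.setdefault(line[1:-1], {})
        elif cur is not None and (m := re.match(r'"(.*?)"=(.*)$', line)):
            name, raw = m.groups()
            is_dword = raw.lower().startswith("dword:")
            cur[name] = int(raw[6:], 16) if is_dword else raw.strip('"')
    return keys

def audit(text):
    """Return sorted (hive, finding) pairs for the changes the write-up describes."""
    found = set()
    for path, vals in parse_reg(text).items():
        hive = path.split("\\", 1)[0]
        dom = re.search(IS + r"ZoneMap\\Domains\\([^\\]+)$", path, re.I)
        if dom and vals.get("*") == 2 and dom.group(1).lower() in DOMAINS:
            found.add((hive, "trusted domain " + dom.group(1).lower()))
        if re.search(IS + r"ZoneMap\\Ranges\\[^\\]+$", path, re.I):
            if vals.get("*") == 2 and vals.get(":Range") == TRUSTED_IP:
                found.add((hive, "trusted range " + TRUSTED_IP))
        if re.search(IS + r"Zones\\2$", path, re.I):
            found.update((hive, "zone 2 action %s = 0" % n)
                         for n in ("2001", "2004") if vals.get(n) == 0)
    return sorted(found)

SAMPLE = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\slotch.com]
"*"=dword:00000002
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.org]
"*"=dword:00000002
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1]
"*"=dword:00000002
":Range"="69.31.87.223"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"2001"=dword:00000000
"2004"=dword:00000003
"""  # constructed sample, not from a real host; example.org is a benign control
```

`reg export` writes UTF-16 text, so read the file with `encoding="utf-16"` before passing its contents to `audit`.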

