
Adware.FlashEnhancer

Updated:
February 13, 2007 11:39:02 AM
Type:
Adware
Publisher:
flashtrack.net
Risk Impact:
High
File Names:
XML.dll, Xcpy1_inst.exe, xclean.exe, flnclean.exe, flaclean.exe, Uninst.exe, flncpy.exe, ftkcpy.exe, ftk.dl
Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When Adware.FlashEnhancer is running, it may display pop-up advertisements whose content is based on keywords found in the Web page that is being visited.

Adware.FlashEnhancer runs as a Browser Helper Object (BHO), a COM DLL that Internet Explorer loads into its own process when the browser starts. A BHO receives the browser's events (navigation, page loads) and has access to the content of every page being viewed, which is how the adware obtains the keywords it uses to select advertisements. Browser Helper Objects require Internet Explorer 4 or later to function.

When Adware.FlashEnhancer is installed, it does the following:
  1. Creates the following files:

    • %CommonProgramFiles%\Java\flnclean.exe
    • %CommonProgramFiles%\Java\flncpy.exe
    • %CommonProgramFiles%\Java\ftkclean.exe
    • %CommonProgramFiles%\Java\ftkcpy.cfg
    • %CommonProgramFiles%\Java\ftkcpy.exe
    • %Windir%\Temp\ft30s.exe

      Note:
    • %CommonProgramFiles% is a variable that refers to the Common Files folder. By default, this is C:\Program Files\Common Files.
    • %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\Winnt (Windows NT/2000).

  2. Installs itself to one of the following folders:

    • %ProgramFiles%\Xml\*.*
    • %ProgramFiles%\Fen\*.*
    • %ProgramFiles%\Fla\*.*
    • %ProgramFiles%\Flcp\*.*
    • %ProgramFiles%\Flen\*.*
    • %ProgramFiles%\Fln\*.*
    • %ProgramFiles%\Flt\*.*
    • %ProgramFiles%\Ftk\*.*
    • %ProgramFiles%\Reg2\*.*
    • %ProgramFiles%\Xmod\*.*

      Note:
    • %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
    • The filenames the risk uses in each folder vary depending on the name of the folder being used.

  3. Creates the following registry subkeys and adds a number of values under these subkeys:


    HKEY_CLASSES_ROOT\CLSID\{5EDB03AF-0341-4e96-9E9B-3171522E4BAF}
    HKEY_CLASSES_ROOT\CLSID\{63CF97E8-4133-438a-A831-CC9C6D47D673}
    HKEY_CLASSES_ROOT\CLSID\{665ACD90-4541-4836-9FE4-062386BB8F05}
    HKEY_CLASSES_ROOT\CLSID\{7371F073-AC0F-4b80-BB2F-96A488CEFB32}
    HKEY_CLASSES_ROOT\CLSID\{7CD20E91-1F31-41da-8379-479EA31DF969}
    HKEY_CLASSES_ROOT\CLSID\{A749B4BC-7621-4a80-9220-D0A283367DD5}
    HKEY_CLASSES_ROOT\CLSID\{D7E588AB-A5D9-4422-B313-22A3470F9700}
    HKEY_CLASSES_ROOT\Interface\{06542764-7BB2-412B-80D6-D103D1474C93}
    HKEY_CLASSES_ROOT\Interface\{28168CCE-5310-4F12-AB58-9DA99A55AAEB}
    HKEY_CLASSES_ROOT\Interface\{6E83AE1C-F69C-4AED-AF98-D23C24C6FA4B}
    HKEY_CLASSES_ROOT\Interface\{890089B7-B385-442F-97B6-99060E8BD08F}
    HKEY_CLASSES_ROOT\Interface\{BAEF4039-3C02-4C9E-A2F4-87B513AB0E87}
    HKEY_CLASSES_ROOT\TypeLib\{1BD49631-AE36-42F4-A37B-CA7F53146821}
    HKEY_CLASSES_ROOT\TypeLib\{48E832EC-B061-49E2-BBC1-AC818623B742}
    HKEY_CLASSES_ROOT\TypeLib\{7955EA20-E0D6-4A77-88B6-120674D979EA}
    HKEY_CLASSES_ROOT\TypeLib\{DB9F4C00-65E8-4FA1-917B-E4844DDF5909}
    HKEY_CLASSES_ROOT\TypeLib\{E6C71E83-E02B-4BC4-958D-A9194916EC19}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0AD937E7-2F37-4873-A05E-548A67EF1D0E}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5EDB03AF-0341-4e96-9E9B-3171522E4BAF}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{63CF97E8-4133-438a-A831-CC9C6D47D673}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{665ACD90-4541-4836-9FE4-062386BB8F05}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7371F073-AC0F-4b80-BB2F-96A488CEFB32}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7CD20E91-1F31-41da-8379-479EA31DF969}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A749B4BC-7621-4a80-9220-D0A283367DD5}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D7E588AB-A5D9-4422-B313-22A3470F9700}
    HKEY_CLASSES_ROOT\BRedObj.BRedObj
    HKEY_CLASSES_ROOT\BRedObj.BRedObj.1
    HKEY_CLASSES_ROOT\UnawareObj.UnawareObj
    HKEY_CLASSES_ROOT\UnawareObj.UnawareObj.1
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Reg2
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fla
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Xmod
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ftk
    HKEY_LOCAL_MACHINE\Software\Netfilter
    HKEY_LOCAL_MACHINE\Software\Xmod
    HKEY_LOCAL_MACHINE\Software\XML
    HKEY_LOCAL_MACHINE\Software\Persistent Bytes
    HKEY_LOCAL_MACHINE\SOFTWARE\FEN
    HKEY_LOCAL_MACHINE\SOFTWARE\Flen
    HKEY_LOCAL_MACHINE\SOFTWARE\Flt
    HKEY_LOCAL_MACHINE\SOFTWARE\Fln
    HKEY_LOCAL_MACHINE\SOFTWARE\Ftk
    HKEY_LOCAL_MACHINE\SOFTWARE\Fla
    HKEY_LOCAL_MACHINE\SOFTWARE\Flcp
    HKEY_USERS\S-1-5-21-1187800756-1387622775-1527857685-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{63CF97E8-4133-438A-A831-CC9C6D47D673}
    HKEY_USERS\S-1-5-21-1187800756-1387622775-1527857685-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7371F073-AC0F-4B80-BB2F-96A488CEFB32}

      Note:
    • The SID shown is that of the account used during analysis (a SID ending in -500 is the built-in Administrator account). On an infected system these per-user Ext\Stats subkeys appear under the SID of the account that ran the installer, that is, under HKEY_CURRENT_USER when that user is logged on.


  4. Adds the values:

    "FlnCPY" = "[PATH TO ORIGINAL FILE]"
    "FlaCPY" = "[PATH TO ORIGINAL FILE]"
    "Jreg" = "[PATH TO ORIGINAL FILE]"
    "t" = "[PATH TO ORIGINAL FILE]"
    "fecpy" = "[PATH TO ORIGINAL FILE]"
    "flencpy" = "[PATH TO ORIGINAL FILE]"
    "flnCPY" = "[PATH TO ORIGINAL FILE]"
    "ftkCPY" = "[PATH TO ORIGINAL FILE]"
    "Xcpy1" = "[PATH TO ORIGINAL FILE]"


    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the risk runs every time Windows starts.

  5. Adds the values:

    "fln" = "[PATH TO ORIGINAL FILE]"
    "f" = "[PATH TO ORIGINAL FILE]"
    "t" = "[PATH TO ORIGINAL FILE]"
    "fla" = "[PATH TO ORIGINAL FILE]"
    "fln" = "[PATH TO ORIGINAL FILE]"
    "ftk" = "[PATH TO ORIGINAL FILE]"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

    so that the risk runs the next time Windows starts. Windows deletes a RunOnce value after executing it, so these entries are a one-time launch; the Run values in step 4 are the ones that provide persistence across every restart.

  6. May contact [http:/ /]ads.flashtrack.net/[REMOVED] and display pop-up advertisements with content based on keywords found on the Web page that is being visited.
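Steps 1 to 6 together are the host indicators a responder would check for. The audit script below is an added example, not Symantec's or flashtrack.net's code. It takes the BHO CLSIDs, Run/RunOnce value names, install folders and dropped-file paths from the list above, resolves each registered BHO to the DLL that Internet Explorer will load, and reports everything found. Two things in it are assumptions not stated in this writeup: the Wow6432Node BHO key and %ProgramFiles(x86)% folder used by 32-bit Internet Explorer on 64-bit Windows, and HKEY_CURRENT_USER standing in for the analysis account's SID when checking the Ext\Stats subkeys.

```powershell
# Added audit script for the Adware.FlashEnhancer indicators in this writeup.
# Not Symantec's or flashtrack.net's code. Run from an elevated Windows PowerShell 3+ prompt.
# Assumptions (not in the writeup): Wow6432Node / ProgramFiles(x86) for 64-bit hosts,
# and HKCU in place of the analysis account's SID for the per-user Ext\Stats subkeys.

$BhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$ExtStats    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Ext\Stats'
$ProgramDirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

# Indicators copied from the Technical Details above. PowerShell string comparison
# (-contains, -like) is case-insensitive, so the mixed-case GUIDs match as printed.
$KnownClsids = @(
    '{0AD937E7-2F37-4873-A05E-548A67EF1D0E}', '{5EDB03AF-0341-4e96-9E9B-3171522E4BAF}',
    '{63CF97E8-4133-438a-A831-CC9C6D47D673}', '{665ACD90-4541-4836-9FE4-062386BB8F05}',
    '{7371F073-AC0F-4b80-BB2F-96A488CEFB32}', '{7CD20E91-1F31-41da-8379-479EA31DF969}',
    '{A749B4BC-7621-4a80-9220-D0A283367DD5}', '{D7E588AB-A5D9-4422-B313-22A3470F9700}'
)
$KnownRunValues = @('FlnCPY','FlaCPY','Jreg','t','fecpy','flencpy','flnCPY','ftkCPY',
                    'Xcpy1','fln','f','fla','ftk')
$KnownDirs  = @('Xml','Fen','Fla','Flcp','Flen','Fln','Flt','Ftk','Reg2','Xmod')
$KnownFiles = @('Java\flnclean.exe','Java\flncpy.exe','Java\ftkclean.exe',
                'Java\ftkcpy.cfg','Java\ftkcpy.exe') |
              ForEach-Object { Join-Path $env:CommonProgramFiles $_ }
$KnownFiles += Join-Path $env:windir 'Temp\ft30s.exe'

$findings = New-Object System.Collections.ArrayList
function Add-Finding($Type, $Name, $Value, $Known) {
    [void]$findings.Add([pscustomobject]@{ Type=$Type; Name=$Name; Value=$Value; Known=[bool]$Known })
}

# 1. Every registered BHO, resolved to the DLL IE loads for it: the default value of
#    HKCR\CLSID\{clsid}\InprocServer32. Unknown CLSIDs are reported too, because another
#    build of the adware may register different GUIDs; a DLL living in one of the
#    install folders above is flagged even if its CLSID is not in the list.
foreach ($key in $BhoKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($sub in Get-ChildItem $key) {
        $clsid = $sub.PSChildName
        $dll   = $null
        $srv   = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        if (Test-Path $srv) { $dll = (Get-ItemProperty $srv).'(default)' }
        $inKnownDir = $false
        if ($dll) {
            foreach ($base in $ProgramDirs) {
                foreach ($d in $KnownDirs) {
                    if ($dll -like (Join-Path $base "$d\*")) { $inKnownDir = $true }
                }
            }
        }
        Add-Finding 'BHO' $clsid $dll (($KnownClsids -contains $clsid) -or $inKnownDir)
    }
}

# 2. Every Run and RunOnce value. The value name is what the writeup lists; the data is
#    the path of the dropped executable, printed so it can be reviewed by hand.
$providerMeta = @('PSPath','PSParentPath','PSChildName','PSDrive','PSProvider')
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty $key
    foreach ($p in $item.PSObject.Properties) {
        if ($providerMeta -contains $p.Name) { continue }   # skip registry-provider metadata
        Add-Finding (Split-Path $key -Leaf) $p.Name $p.Value ($KnownRunValues -contains $p.Name)
    }
}

# 3. Per-user IE add-on statistics for the logged-on user (HKCU is the HKEY_USERS\<SID>
#    hive of the current account; the writeup shows the analysis account's SID instead).
if (Test-Path $ExtStats) {
    foreach ($sub in Get-ChildItem $ExtStats) {
        if ($KnownClsids -contains $sub.PSChildName) { Add-Finding 'Ext\Stats' $sub.PSChildName $sub.Name $true }
    }
}

# 4. Install folders under the Program Files directories and the dropped files.
foreach ($base in $ProgramDirs) {
    foreach ($d in $KnownDirs) {
        $path = Join-Path $base $d
        if (Test-Path $path) { Add-Finding 'Folder' $d $path $true }
    }
}
foreach ($f in $KnownFiles) {
    if (Test-Path $f) { Add-Finding 'File' (Split-Path $f -Leaf) $f $true }
}

$findings | Sort-Object Known -Descending | Format-Table -AutoSize
```

Entries with Known = True match this writeup directly. Every other BHO is still listed with its InprocServer32 path, since a BHO is loaded into every Internet Explorer session regardless of its name, and a DLL under an unfamiliar path in Program Files or Common Files\Java is worth examining even when its CLSID is not one of the eight above. The script only reports; removal is the subject of the Removal tab.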

