Spyware.ActualNames


Updated: February 13, 2007 11:39:20 AM
Type: Spyware
Publisher: ActualNames
Risk Impact: High
File Names: finddll.dll, findservice.exe, mailbook.exe, mailbookproxy.dll, mydll.dll, nn7dll.dll, nndll.dll, spredirect
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP


When Spyware.ActualNames is executed, it performs the following actions:
  1. Hijacks the Web browser address bar, redirecting searches.

  2. Installs a mail proxy that may interfere with sending some email.

  3. Updates itself by downloading new versions from its controlling server.

  4. Creates the following files and folders:
    • %ProgramFiles%\AdvSearch\cliner.exe
    • %ProgramFiles%\AdvSearch\finddll.dll (CBT hook library for monitoring clicks and window movement)
    • %ProgramFiles%\AdvSearch\findservice.exe (finds AOL, Netscape, Internet Explorer threads)
    • %ProgramFiles%\AdvSearch\mailbook.exe (related to mail proxy)
    • %ProgramFiles%\AdvSearch\mailbookproxy.dll (mail proxy library, registers mail proxy)
    • %ProgramFiles%\AdvSearch\mydll.dll (Windows message hook library)
    • %ProgramFiles%\AdvSearch\nn7dll.dll (Windows message hook library)
    • %ProgramFiles%\AdvSearch\nndll.dll (Windows message hook library)
    • %ProgramFiles%\AdvSearch\regsvr32.exe
    • %ProgramFiles%\AdvSearch\spredirect.dll (Browser Helper Object)
    • %ProgramFiles%\AdvSearch\update.exe (component of update function)
    • %ProgramFiles%\AdvSearch\updater.exe (component of update function)
    • %ProgramFiles%\AdvSearch\updaterproxy.dll (mail proxy update library)
    • %ProgramFiles%\AdvSearch\unins000.exe
    • %ProgramFiles%\AdvSearch\unins000.dat

      Note: %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.

  5. Creates the following registry keys:


