||||
Symantec.com > Security Response > Threats and Risks > Adware.Mirar
PRINT THIS PAGE

Adware.Mirar

Printer Friendly Page

Updated: February 13, 2007 11:39:33 AM
Type: Adware
Risk Impact: Low
File Names: MirarSetup.exe,WinDmy.dll,NN_Bar21.dll,installer.cab,WinNB[xx].dll ([xx] = Version Number)
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP


When Adware.Mirar is installed, it does the following:
  1. Creates the following files:

    • %System%\WinDmy.dll
    • %System%\Winnb56.dll
    • %System%\WinNB57.dll
    • %WinDir%\Downloaded Program Files\MirarSetup.exe
    • %UserProfile%\Local Settings\Temp\875455-NOSB.exe
    • %UserProfile%\Local Settings\Temp\mit3.tmp
    • %UserProfile%\Local Settings\Temp\mit3.tmp.cab

      Note:
      • %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
      • %Temp% is a variable that refers to the Windows temporary folder. By default, this is C:\Windows\TEMP (Windows 95/98/Me/XP) or C:\WINNT\Temp (Windows NT/2000).
      • %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

  2. Creates the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\RelatedPageInstall

    and adds subkeys and values to the subkey to set flags and configurations.

  3. Adds the value:

    "ToolbarInstall" = "MirarSetup.exe"

    to the registry key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    so that the Adware runs when you start Windows.

    Note: The value added to the run key may point to the location the Adware was run from.

  4. Adds the value:

    "{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}" = ""

    to the registry keys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser

  5. Adds the values:

    "C:\WINDOWS\Downloaded Program Files\MirarSetup.exe" = ""
    "C:\WINDOWS\System32\WinDmy.dll" = ""

    to the registry keys:

    HKEY_LOCAL_MACHINE%\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs
  6. Attempts to download and install the Mirar Toolbar.

    Depending on the version of the toolbar being installed, an End-User License Agreement is displayed outlining the functionality of the toolbar.

  7. Creates the following registry keys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8A0DCBDA-6E20-489C-9041-C1E8A0352E75}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{179E4B4A-76C3-4F65-BCED-C9FA1A28D2EF}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1037B06C-84B7-4240-8D80-485810A0497D}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{224302B0-94E9-45C2-9E5B-BA989EE556E1}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{54B287F9-FD90-4457-B65E-CB91560C021D}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6E4C7AFC-9915-4036-B7F9-8B3F1710788F}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F8310E7D-4C4D-46A4-A068-B5BB99411CC7}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NN_Bar_Dummy.NN_BarDummy
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NN_Bar_Dummy.NN_BarDummy.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NN_Bar.NN_Bar_Helper
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NN_Bar.NN_Bar_Helper.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\    NN_Bar.NN_WebBand
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\    NN_Bar.NN_WebBand.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\    {4035DE1B-D54A-411E-9EE7-923295D2E86E}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\    {753B9349-7E46-4E5C-A27F-A60A6BF1EAB5}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\net-nucleus.com
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8A0DCBDA-6E20-489C-9041-C1E8A0352E75}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/MirarSetup.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/WinDmy.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8A0DCBDA-6E20-489C-9041-C1E8A0352E75}

    to install the Mirar Toolbar.

    Note: Later variants of the toolbar are known to create two random entries in the subkey HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID.


Search by name
Example: W32.Beagle.AG@mm
Learn more about Zero-Day / Operation Aurora / Hydraq
Symantec DeepSight Screensaver
©1995 - 2010 Symantec Corporation
Site Map|
Legal Notices|
Privacy Policy|
|
Contact Us|
Global Sites|
License Agreements|
RSS