Updated: February 13, 2007 11:40:06 AM
Type: Spyware
Version: 1.0.0.1
Publisher: Spyware.e2giveLLC
Risk Impact: High
File Names:
iebhos.dll
askearth17.exe
pruttct.exe
prutpct.exe
skytown.exe
ptech.exe
prutsct.exe
filgmo.
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
When Spyware.e2give runs, it does the following:
- Downloads files from Prutect.com and 216.122.144.200.
- Creates one or more of the following files:
- %ProgramFiles%\E2G\IeBHOs.dll
- %ProgramFiles%\data19
- %Windir%\pi1.exe
- %System%\pruttct.exe
- %System%\skytown.exe
- %UserProfile%\Desktop\filgmo.exe
- %UserProfile%\Desktop\skytown.exe
- %CurrentFolder%\[RANDOM NAME].exe
- %CurrentFolder%\data.~
- %CurrentFolder%\key.~
- %CurrentFolder%\log.~
- %UserProfile%\Local Settings\Temp\ei.exe
Notes:
- %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
- %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
- %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
- %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).
- %CurrentFolder% is a variable that refers to the folder where the risk was originally executed.
- Creates the following registry subkeys:
HKEY_CURRENT_USER\SOFTWARE\PTech
HKEY_CLASSES_ROOT\AppID\{3B99F202-145A-4E5A-AC7B-88A36910BF5E}
HKEY_CLASSES_ROOT\AppID\IeBHOs.DLL
HKEY_CLASSES_ROOT\IeBHOs.Control.1
HKEY_CLASSES_ROOT\IeBHOs.Control
HKEY_CLASSES_ROOT\TypeLib\{3B99F202-145A-4E5A-AC7B-88A36910BF5E}
HKEY_CLASSES_ROOT\CLSID\{3643ABC2-21BF-46B9-B230-F247DB0C6FD6}
HKEY_CLASSES_ROOT\CLSID\{4A5B0528-1EE4-4871-8546-AB34DF31E861}
HKEY_CLASSES_ROOT\CLSID\{4A5B0D43-13BE-4B7C-820E-660CED71CDBF}
HKEY_CLASSES_ROOT\CLSID\{4A5B482D-E087-43C9-8FD6-0F36510CF2B9}
HKEY_CLASSES_ROOT\CLSID\{4A5ADB4F-48EE-4840-8DAB-166A239F7E86}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\[Random CLSID]
HKEY_LOCAL_MACHINE\Software\E2G
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\e2g Plugin
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3643ABC2-21BF-46B9-B230-F247DB0C6FD6}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\e2g plugin
HKEY_LOCAL_MACHINE\Software\Classes\AppID\{3B99F202-145A-4E5A-AC7B-88A36910BF5E}
HKEY_LOCAL_MACHINE\Software\Classes\AppID\IeBHOs.DLL
HKEY_LOCAL_MACHINE\Software\Classes\IeBHOs.Control.1
HKEY_LOCAL_MACHINE\Software\Classes\IeBHOs.Control
HKEY_LOCAL_MACHINE\Software\Classes\TypeLib\{3B99F202-145A-4E5A-AC7B-88A36910BF5E}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3643ABC2-21BF-46B9-B230-F247DB0C6FD6}
- Adds one or more of the following values:
[RANDOM NAME] = [PATH TO ADWARE]
to the registry subkeys:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Technorati
Digg
Delicious
Reddit
StumbleUpon
Yahoo Buzz
Twitter
Facebook
Newsvine
