Adware.Adlogix

Printer Friendly Page

Updated: February 13, 2007 11:40:30 AM

Type: Adware

Version: 1.0.0.1

Risk Impact: High

File Names: IEEnhancer.dll AdStartup.exe AdUpdater.exe

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When Adware.Adlogix runs, it performs the following actions:

Adds the value:

"CLSID" = "{0B90AA1B-F649-44C3-9FD3-736C332CBBCF}"

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

so that the program is launched every time Internet Explorer starts.
Creates the following files:
- %ProgramFiles%\adlcontrolcomp.xml
- %System%\adupdater.exe
- %System%\<random>.dll
- %System%\<random>a.xml
- %System%\<random>b.xml
- %System%\<random>c.exe
- %System%\<random>d.exe
- %System%\<random>e.xml
- %System%\<random>f.exe
- %System%\unpack.exe
- %System%\pacifisy.dll
- %System%\*.dat
  
  Note:
  - %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
  - %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
  - <random> is a variable that refers to a 5 character random filename.
Creates the following:
- 2 randomly named executable files. These files run as watchdog processes that are hidden by the .sys file mentioned below.
- A randomly named .sys file. This is a kernel driver that overrides selected services from the Service Descriptor Table. This allows the risk to hide processes, files, and registry keys from the user.
- A randomly named dll file that acts as a Browser Helper Object.
- A randomly named Virtual Device Driver (.vxd) used for hooking selected system services on Windows 95 and Windows 98 systems.
Adds the values:

"guarnset" = "%System%\guarnset.exe" "<random_name>" = "<path to randomly named executable>"

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that the risk runs every time Windows starts.

Note: These values are hidden from the user by the kernel driver described in Step 3 above.
Adds the value:

"Adstartup" = "%SYSTEM%\Adstartup.exe"

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that the program runs everytime Windows starts.
Refers to its built-in file data.xml for a list of server addresses to obtain advertisements.
Uses the AdStartup and AdUpdater components to update the adware from http:/ /64.69.[REMOVED].

Note: At the time of writing the site was inactive.
Creates the following registry keys:

HKEY_CLASSES_ROOT\CLSID\{0B90AA1B-F649-44C3-9FD3-736C332CBBCF} HKEY_CLASSES_ROOT\CLSID\{22B9A67D-E689-44B6-B775-0E8FE84B4F9B} HKEY_CLASSES_ROOT\CLSID\{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX} HKEY_CLASSES_ROOT\Interface\{1CFB8B32-4053-4144-AF6F-1540EEC7F101} HKEY_CLASSES_ROOT\Interface\{21194DBC-E80C-4B83-8C82-74CBF52C8AAD} HKEY_CLASSES_ROOT\TypeLib\{E2C6E243-5F01-4031-9218-6178426985B1} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\BLUE HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OtherHKEY_LOCAL_MACHINE\SOFTWARE\ODBC\PPSHKEY_LOCAL_MACHINE\SOFTWARE\y036HKEY_CLASSES_ROOT\Bho8.adlog HKEY_CLASSES_ROOT\Bho8.adlog.1 HKEY_CLASSES_ROOT\IEEnhancer.IEEhncrObj HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0B90AA1B-F649-44C3-9FD3-736C332CBBCF} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22B9A67D-E689-44B6-B775-0E8FE84B4F9B} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX} HKEY_LOCAL_MACHINE\SOFTWARE\Adlogix
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{024DE5EB-3649-445E-8D57-C09A9A33D479} HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{39E6EDF9-2B13-42ED-AEC6-433D22D396F7} HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{6C7265FA-608A-4865-8396-BBECC9BAF871}HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PHelper.HelpCaller\: "PHelper.HelpCaller"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9473DDCA-1E6B-40EA-8AB4-9F83DE967D99} HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{4D84A744-C3DD-4BFF-B119-AC08F54714D7} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9473DDCA-1E6B-40EA-8AB4-9F83DE967D99}
Note: {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX} is a randomly generated CLSID.
Creates a randomly named service with the following attributes:
- Service name: random name corresponding to one of the executable files in Step 3 above.
- Display name: random name corresponding to one of the executable files in Step 3 above.
- Path to executable: "<path to randomly named executable in Step 3 above>"
- Startup type: "Automatic"
Creates a randomly named service with the following attributes:
- Service name: random name corresponding to the kernel driver in Step 3 above.
- Display name: random name corresponding to the kernel driver in Step 3 above.
- Path to executable: "<path to randomly named kernel driver in Step 3 above>"
- Startup type: "Automatic"

Removal

Summary

Search Threats

Search by name

_{Example: W32.Beagle.AG@mm}