
Adware.Adlogix

Updated:
February 13, 2007 11:40:30 AM
Type:
Adware
Version:
1.0.0.1
Risk Impact:
High
File Names:
IEEnhancer.dll AdStartup.exe AdUpdater.exe
Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When Adware.Adlogix runs, it performs the following actions:
  1. Adds the value:

    "CLSID" = "{0B90AA1B-F649-44C3-9FD3-736C332CBBCF}"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

    so that the program is launched every time Internet Explorer starts.

  2. Creates the following files:

    • %ProgramFiles%\adlcontrolcomp.xml
    • %System%\adupdater.exe
    • %System%\<random>.dll
    • %System%\<random>a.xml
    • %System%\<random>b.xml
    • %System%\<random>c.exe
    • %System%\<random>d.exe
    • %System%\<random>e.xml
    • %System%\<random>f.exe
    • %System%\unpack.exe
    • %System%\pacifisy.dll
    • %System%\*.dat

      Note:
      • %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
      • %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
      • <random> is a variable that refers to a 5 character random filename.

  3. Creates the following:

    • 2 randomly named executable files. These files run as watchdog processes that are hidden by the .sys file mentioned below.
    • A randomly named .sys file. This is a kernel driver that overrides selected services from the Service Descriptor Table. This allows the risk to hide processes, files, and registry keys from the user.
    • A randomly named dll file that acts as a Browser Helper Object.
    • A randomly named Virtual Device Driver (.vxd) used for hooking selected system services on Windows 95 and Windows 98 systems.

  4. Adds the values:

    "guarnset" = "%System%\guarnset.exe"
    "<random_name>" = "<path to randomly named executable>"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the risk runs every time Windows starts.

    Note: These values are hidden from the user by the kernel driver described in Step 3 above.

  5. Adds the value:

    "Adstartup" = "%SYSTEM%\Adstartup.exe"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the program runs every time Windows starts.

  6. Refers to its built-in file data.xml for a list of server addresses to obtain advertisements.

  7. Uses the AdStartup and AdUpdater components to update the adware from http:/ /64.69.[REMOVED].

    Note: At the time of writing the site was inactive.

  8. Creates the following registry keys:

    HKEY_CLASSES_ROOT\CLSID\{0B90AA1B-F649-44C3-9FD3-736C332CBBCF}
    HKEY_CLASSES_ROOT\CLSID\{22B9A67D-E689-44B6-B775-0E8FE84B4F9B}
    HKEY_CLASSES_ROOT\CLSID\{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}
    HKEY_CLASSES_ROOT\Interface\{1CFB8B32-4053-4144-AF6F-1540EEC7F101}
    HKEY_CLASSES_ROOT\Interface\{21194DBC-E80C-4B83-8C82-74CBF52C8AAD}
    HKEY_CLASSES_ROOT\TypeLib\{E2C6E243-5F01-4031-9218-6178426985B1}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\BLUE
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Other
    HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\PPS
    HKEY_LOCAL_MACHINE\SOFTWARE\y036
    HKEY_CLASSES_ROOT\Bho8.adlog
    HKEY_CLASSES_ROOT\Bho8.adlog.1
    HKEY_CLASSES_ROOT\IEEnhancer.IEEhncrObj
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0B90AA1B-F649-44C3-9FD3-736C332CBBCF}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22B9A67D-E689-44B6-B775-0E8FE84B4F9B}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}
    HKEY_LOCAL_MACHINE\SOFTWARE\Adlogix

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{024DE5EB-3649-445E-8D57-C09A9A33D479}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{39E6EDF9-2B13-42ED-AEC6-433D22D396F7}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{6C7265FA-608A-4865-8396-BBECC9BAF871}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PHelper.HelpCaller\: "PHelper.HelpCaller"
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9473DDCA-1E6B-40EA-8AB4-9F83DE967D99}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{4D84A744-C3DD-4BFF-B119-AC08F54714D7}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9473DDCA-1E6B-40EA-8AB4-9F83DE967D99}

    Note: {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX} is a randomly generated CLSID.

  9. Creates a randomly named service with the following attributes:

    • Service name: random name corresponding to one of the executable files in Step 3 above.
    • Display name: random name corresponding to one of the executable files in Step 3 above.
    • Path to executable: "<path to randomly named executable in Step 3 above>"
    • Startup type: "Automatic"

  10. Creates a randomly named service with the following attributes:

    • Service name: random name corresponding to the kernel driver in Step 3 above.
    • Display name: random name corresponding to the kernel driver in Step 3 above.
    • Path to executable: "<path to randomly named kernel driver in Step 3 above>"
    • Startup type: "Automatic"
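As an added example, not part of the Symantec write-up, the following Python script checks a `reg export` text file for the persistence entries listed above: the Browser Helper Object CLSIDs from Steps 1 and 8 and the "guarnset"/"Adstartup" Run values from Steps 4 and 5. The registry export embedded in it is constructed for illustration, and the second BHO CLSID in that sample is an invented unrelated entry that should not match.

```python
"""Flag Adware.Adlogix persistence entries in a Windows .reg export.
Checks the BHO CLSIDs and Run value names listed on the page; the
embedded export text is constructed, not captured from a real host."""
import re

# BHO CLSIDs given on the page (the randomly generated one cannot be listed).
ADLOGIX_BHO_CLSIDS = {
    "{0B90AA1B-F649-44C3-9FD3-736C332CBBCF}",
    "{22B9A67D-E689-44B6-B775-0E8FE84B4F9B}",
    "{9473DDCA-1E6B-40EA-8AB4-9F83DE967D99}",
}
# Run value names given in Steps 4 and 5 (compared case-insensitively).
ADLOGIX_RUN_VALUES = {"guarnset", "adstartup"}
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample export: one listed CLSID, one unrelated CLSID, two
# listed Run values and one benign Run value.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0B90AA1B-F649-44C3-9FD3-736C332CBBCF}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAAAAAA-1111-2222-3333-444444444444}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"guarnset"="C:\\Windows\\System32\\guarnset.exe"
"Adstartup"="C:\\Windows\\System32\\Adstartup.exe"
"Benign"="C:\\Program Files\\Example\\example.exe"
"""


def find_adlogix_indicators(reg_text):
    """Return a sorted list of (kind, detail) hits found in the export text."""
    hits = []
    current_key = None
    for line in reg_text.splitlines():
        line = line.strip()
        key_match = re.match(r"^\[(.+)\]$", line)
        if key_match:
            current_key = key_match.group(1)
            # A BHO subkey whose name is one of the listed CLSIDs.
            if current_key.lower().startswith(BHO_KEY.lower() + "\\"):
                clsid = current_key.rsplit("\\", 1)[1].upper()
                if clsid in ADLOGIX_BHO_CLSIDS:
                    hits.append(("bho", clsid))
            continue
        if current_key and current_key.lower() == RUN_KEY.lower():
            value = re.match(r'^"([^"]+)"=(.*)$', line)
            if value and value.group(1).lower() in ADLOGIX_RUN_VALUES:
                hits.append(("run", value.group(1)))
    return sorted(hits)


if __name__ == "__main__":
    for kind, detail in find_adlogix_indicators(SAMPLE_REG_EXPORT):
        print(f"{kind}: {detail}")
```

Because the kernel driver from Step 3 hides the Run values from the live system, an export taken while the risk is active may omit them; export the hive from a clean boot or an offline copy before scanning.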
