Adware.WebRebates

Printer Friendly Page

Updated: February 13, 2007 11:40:51 AM

Type: Adware

Publisher: TopRebates, Inc.

Risk Impact: High

File Names: disp1150.exe disp2000.exe SupportInstall.exe Webcpr0.exe Webcpr1.exe WebRebates0.exe WebReba

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When Adware.WebRebates is executed, it performs the following actions:

Creates the following folders:
- %ProgramFiles%\Web_Cpr
- %ProgramFiles%\Web_Cpr\Ap2000
- %ProgramFiles%\Web_Cpr\Da2000
- %ProgramFiles%\Web_Cpr\Da2000\[USER NAME]
- %ProgramFiles%\Web_Cpr\Sy2000
- %ProgramFiles%\Web_Cpr\Sy2000\Html
- %ProgramFiles%\Web_Cpr\Sy2000\Images
- %ProgramFiles%\Web_Cpr\Sy2000\Sy2000
- %ProgramFiles%\Web_Cpr\Sy2000\Tp2000
- %ProgramFiles%\Web_Rebates
- %ProgramFiles%\Web_Rebates\Ap1150
- %ProgramFiles%\Web_Rebates\Da1150
- %ProgramFiles%\Web_Rebates\Da1150\[USER NAME]
- %ProgramFiles%\Web_Rebates\Sy1150
- %ProgramFiles%\Web_Rebates\Sy1150\Html
- %ProgramFiles%\Web_Rebates\Sy1150\Images
- %ProgramFiles%\Web_Rebates\Sy1150\Sy1150
- %ProgramFiles%\Web_Rebates\Sy1150\Tp1150
  
  Note:
- %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
- [USER NAME] refers to one or more of the user names that your computer uses.
Creates the following legitimate files:
- %UserProfile%\Local Settings\Temp\jkill.exe
  
  Note: %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).
Creates the following files:
- %UserProfile%\Local Settings\Temp\djtopr1150.exe
- %ProgramFiles%\Web_Rebates\WebRebates0.exe
- %ProgramFiles%\Web_Rebates\WebRebates1.exe
- %ProgramFiles%\Web_Rebates\WebRebates2.exe
- %ProgramFiles%\Web_Rebates\WebRebates2.dll
- %ProgramFiles%\Web_Rebates\disp1150.exe
- %ProgramFiles%\Web_Rebates\README.txt
- %ProgramFiles%\Web_Rebates\Ap1150\cmpt70000.dat
- %ProgramFiles%\Web_Rebates\Ap1150\merc1167.dat
- %ProgramFiles%\Web_Rebates\Ap1150\psid1167.dat
- %ProgramFiles%\Web_Rebates\Ap1150\psid1187.dat
- %ProgramFiles%\Web_Rebates\Ap1150\topr1150.dat
- %ProgramFiles%\Web_Rebates\Ap1150\toprex.dat
- %ProgramFiles%\Web_Rebates\Sy1150\Sy1150\1150_0.dat
- %ProgramFiles%\Web_Rebates\Sy1150\Sy1150\1150_1.dat
- %ProgramFiles%\Web_Rebates\Sy1150\Sy1150\1150_2.dat
- %ProgramFiles%\Web_Rebates\Sy1150\Html\foot1150c_rb.htm
- %ProgramFiles%\Web_Rebates\Sy1150\Html\foot1150c_ub.htm
- %ProgramFiles%\Web_Rebates\Sy1150\Html\f_popo1150c_rb.htm
- %ProgramFiles%\Web_Rebates\Sy1150\Html\f_popo1150c_ub.htm
- %ProgramFiles%\Web_Rebates\Sy1150\Html\f_spec1150c_rb.htm
- %ProgramFiles%\Web_Rebates\Sy1150\Html\f_spec1150c_ub.htm
- %ProgramFiles%\Web_Rebates\Sy1150\Html\popo1150c.htm
- %ProgramFiles%\Web_Rebates\Sy1150\Html\pref1150c.htm
- %ProgramFiles%\Web_Rebates\Sy1150\Html\remv1150c.htm
- %ProgramFiles%\Web_Rebates\Sy1150\Html\scri1150a.htm
- %ProgramFiles%\Web_Rebates\Sy1150\Html\spec1150c.htm
- %ProgramFiles%\Web_Rebates\Sy1150\Images\[RANDOM LETTER].gif
- %ProgramFiles%\Web_Rebates\Sy1150\Images\topr_c_envelope.gif
- %ProgramFiles%\Web_Rebates\Sy1150\Images\topr_c_footer.gif
- %ProgramFiles%\Web_Rebates\Sy1150\Images\topr_c_hdr_autotrack_remove.gif
- %ProgramFiles%\Web_Rebates\Sy1150\Images\topr_c_hdr_settings.gif
- %ProgramFiles%\Web_Rebates\Sy1150\Images\topr_c_hdr_settings_toprebates.gif
- %ProgramFiles%\Web_Rebates\Sy1150\Images\topr_c_pop_circles.gif
- %ProgramFiles%\Web_Rebates\Sy1150\Images\topr_c_pop_circles_bg2.gif
- %ProgramFiles%\Web_Rebates\Sy1150\Images\topr_c_warning.gif
- %ProgramFiles%\Web_Rebates\Sy1150\Images\topr_envelope.gif
- %ProgramFiles%\Web_Rebates\Sy1150\Images\topr_popup_toprebates_hdr_small.gif
- %ProgramFiles%\Web_Rebates\Sy1150\Images\topr_popup_toprebates_hdr_small2.gif
- %ProgramFiles%\Web_Rebates\Sy1150\Images\topr_pop_circles.gif
- %ProgramFiles%\Web_Rebates\Sy1150\Images\topr_pop_circles_2.gif
- %ProgramFiles%\Web_Rebates\Sy1150\Images\topr_pop_circles_3.gif
- %ProgramFiles%\Web_Rebates\Sy1150\Images\topr_pop_settings.gif
- %ProgramFiles%\Web_Rebates\Sy1150\Images\topr_register.gif
- %ProgramFiles%\Web_Rebates\Sy1150\Images\topr_register_footer.gif
- %ProgramFiles%\Web_Rebates\Sy1150\Tp1150\f_popo1150[RANDOM LETTER]_rb.htm
- %ProgramFiles%\Web_Rebates\Sy1150\Tp1150\f_popo1150[RANDOM LETTER]_ub.htm
- %ProgramFiles%\Web_Rebates\Sy1150\Tp1150\f_spec1150[RANDOM LETTER]_rb.htm
- %ProgramFiles%\Web_Rebates\Sy1150\Tp1150\f_spec1150[RANDOM LETTER]_ub.htm
- %ProgramFiles%\Web_Rebates\Sy1150\Tp1150\foot1150[RANDOM LETTER]_rb.htm
- %ProgramFiles%\Web_Rebates\Sy1150\Tp1150\foot1150[RANDOM LETTER]_ub.htm
- %ProgramFiles%\Web_Rebates\Sy1150\Tp1150\popo1150[RANDOM LETTER].htm
- %ProgramFiles%\Web_Rebates\Sy1150\Tp1150\pref1150[RANDOM LETTER].htm
- %ProgramFiles%\Web_Rebates\Sy1150\Tp1150\spec1150c.htm
- %ProgramFiles%\Web_Rebates\Sy1150\Tp1150\remv1150c.htm
- %ProgramFiles%\Web_Rebates\Sy1150\Tp1150\log.txt
- %ProgramFiles%\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
- %ProgramFiles%\Web_Rebates\Sy1150\Sy1150\1150_0.dat
- %ProgramFiles%\Web_Rebates\Sy1150\Sy1150\1150_1.dat
- %ProgramFiles%\Web_Rebates\Sy1150\Sy1150\1150_2.dat
- %ProgramFiles%\Web_Rebates\Da1150\41a3c264191.dat
- %ProgramFiles%\Web_Rebates\Da1150\1150sh.dat
- %ProgramFiles%\Web_Rebates\Da1150\42d3837c6f64.dat
- %ProgramFiles%\Web_Rebates\Da1150\42d385b14548.dat
- %ProgramFiles%\Web_Rebates\Da1150\[USER NAME]\[RANDOM NAME].dat
- %ProgramFiles%\Web_Rebates\Da1150\41a3c264191.dat
- %ProgramFiles%\Web_Rebates\Da1150\[USER NAME]\41a3c26c4d33.da
- %ProgramFiles%\Web_Cpr\WebCpr1.exe
- %ProgramFiles%\Web_Cpr\WebCpr0.exe
- %ProgramFiles%\Web_Cpr\disp2000.exe
- %ProgramFiles%\Web_Cpr\README.txt
- %ProgramFiles%\Web_Cpr\Ap2000\ [DATA FILES]
- %ProgramFiles%\Web_Cpr\Sy2000\ [DATA FILES]
- %ProgramFiles%\Web_Cpr\Da2000\ [DATA FILES]
  
  Note: %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
Deletes the registry subkey:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WebRebates
Creates the following keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\ins HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Web Rebates
Adds the value:

"WebRebates0" = "%ProgramFiles%\Web_Rebates\WebRebates0.exe" "WebCpr0" = "%ProgramFiles%\Web_Cpr\WebCpr0.exe"

to the registry subkey:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

so the adware runs when Windows starts.
Adds the value:

"djtopr1150.exe" = "%Userprofile%\Local Settings\Temp\djtopr1150.exe"

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

so that the adware runs when Windows starts.
Adds the values:

"(Default)" = "WebRebates (by TopRebates.com)" "DisplayName" = "WebRebates (by TopRebates.com)" "UninstallString" = "%ProgramFiles%\Web_Rebates\WebRebates1.exe" untopr1150"

to one of the registry subkeys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\untopr1150
Adds the values:

"(Default)" = "Web CPR" "DisplayName" = "Web CPR" "UninstallString" = "%ProgramFiles%\Web_Cpr\WebCpr1.exe" unwcpr2000"

to one of the registry subkeys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\unwcpr2000
Attempts to connect to the following Web sites:
- www.toprebates.com
- www.topmoxie.com
- www.topmoxie2.com

Removal

Summary

Search Threats

Search by name

_{Example: W32.Beagle.AG@mm}