
Adware.Locator

Updated: February 13, 2007 11:40:53 AM
Type: Adware
Version: 1.0.0.53
Publisher: Locators Inc
Risk Impact: Medium
File Names: Locators.dll, lupdtr.exe
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP

When Adware.Locator runs, it does the following:
  1. Creates the following files:
    • Locators.dll
    • lupdtr.exe

  2. Installs its own Search and Links toolbar in Internet Explorer.

  3. Changes the default start page and search page to point to a URL on the locators.com domain.

  4. Attempts to download remote files and update itself, if newer versions of the adware are available.

  5. Creates the following registry keys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E720B458-B65A-438C-9FF3-B1DF65D7DB3E}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E720B458-B65A-438C-9FF3-B1DF65D7DB3F}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AB88FC82-FCDC-4062-BCC4-887F0D73EC1D}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{B4F8E732-4793-4F90-B40A-829331861D54}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\LocatorS.LocatorBar
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\LocatorS.LocatorBar.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\LocatorS.LocatorLinks
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\LocatorS.LocatorLinks.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{E720B458-B65A-438C-9FF3-B1DF65D7DB3E}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{E720B458-B65A-438C-9FF3-B1DF65D7DB3F}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Locators Toolbar
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Locators Toolbar
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4E7BD74F-2B8D-469E-92B0-A921F8D5E22E}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4E7BD74F-2B8D-469E-92B0-A921F8D5E22F}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4E7BD74F-2B8D-469E-92B0-A921F8D5E230}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\locatorstoolbar.LOCATORSTOOLBAR
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\locatorstoolbar.LOCATORSTOOLBARMenu Button
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\locatorstoolbar.LOCATORSTOOLBARToggle Button
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4E7BD74F-2B8D-469E-92B0-A921F8D5E22E}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LOCATORSTOOLBAR
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{4E7BD74F-2B8D-469E-92B0-A921F8D5E22E}
    HKEY_CURRENT_USER\Software\LOCATORSTOOLBAR TOOLBAR
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{4E7BD74F-2B8D-469E-92B0-A921F8D5E22E}
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{4E7BD74F-2B8D-469E-92B0-A921F8D5E22E}

  6. Modifies the value:

    "SearchAssistant"="[URL on the locators.com/sidebar domain]"

    in the registry key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search

  7. Modifies the value:

    "SearchUrl"="[URL on the locators.com domain]"

    in the registry key:

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer

  8. Modifies the value:

    "Start Page"="[URL on the locators.com domain]"

    in the registry key:

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
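
A triage check built from the indicators above, as an added example that is not part of the original write-up: it scans the text of a `.reg` export for a subset of the listed keys and for the three hijacked values when they point at locators.com. The function names, the sample export and the URLs in it are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

AD_DOMAIN = "locators.com"  # domain named on this page
# Keys the adware creates (subset of the page's list), lowercased for matching.
IOC_KEYS = {k.lower() for k in (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Locators Toolbar",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer"
    r"\Browser Helper Objects\{4E7BD74F-2B8D-469E-92B0-A921F8D5E22E}",
)}
# (key, value name) pairs the page says are repointed at the adware's domain.
HIJACKED = {(k.lower(), v.lower()) for k, v in (
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search", "SearchAssistant"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer", "SearchUrl"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main", "Start Page"),
)}
KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def on_ad_domain(url):
    """True only for locators.com or a subdomain, not look-alike suffixes."""
    host = (urlsplit(url).hostname or "").lower()
    return host == AD_DOMAIN or host.endswith("." + AD_DOMAIN)

def scan_reg_export(text):
    """Return sorted (kind, detail) findings from decoded .reg export text."""
    findings, key = set(), None
    for line in map(str.strip, text.splitlines()):
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            if key in IOC_KEYS:
                findings.add(("key", m.group(1)))
            continue
        m = VAL_RE.match(line)
        if m and (key, m.group(1).lower()) in HIJACKED and on_ad_domain(m.group(2)):
            findings.add(("value", m.group(1) + "=" + m.group(2)))
    return sorted(findings)

# Constructed sample export, not taken from a real machine.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.locators.com/"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer]
"SearchUrl"="http://notlocators.com/"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Locators Toolbar]
'''
if __name__ == "__main__":
    print(scan_reg_export(SAMPLE))
```

Exports written by regedit in the Version 5.00 format are UTF-16, so decode the file before passing its text to `scan_reg_export`.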

