Updated: February 13, 2007 11:40:59 AM
Type: Adware
Risk Impact: Low
File Names:
upmod.dll
udpmod-1.dll
questmod.dll
questmod-1.dll
tl7000.dll
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
Adware.Sa is a Browser Helper Object (BHO) that attempts to connect to a particular Web site when a URL ending in .com, .co.uk, or .biz is requested, as well as when .txt files are viewed in Internet Explorer. It may also dial high-cost numbers using existing open modem connections.
When Adware.Sa is executed, it performs the following actions:
- Creates the mutex "M99Stub" so that only one copy of the Adware runs at a time.
- Attempts to connect to the following domains:
- sa-001.com, sa-002.com
- sa-001.biz, sa-002.biz
- sa-001.co.uk, sa-003.co.uk
- dd.tibsystems.com
Note: The URL may vary from system to system. It has been reported that the URL appears similar to:
[LISTED DOMAIN]/sa/?a=[RANDOM CLSID]&b=14&c=0&d=1&e=0&f=0&g=5.1&h=3&i=e0010000&j=<system-time>&k=15
- Adds some of the following files:
- %Windir%\questmod.dll
- %Windir%\questmod-1.dll
- %Windir%\upmod.dll
- %Windir%\upmod-1.dll
- %Windir%\sasent.dll
- %Windir%\Downloaded Program Files\tl7000.dll
Note: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
- Adds the following registry keys when Adware.Sa registers itself (the BHO entries plus the COM class, interface and type library registration for its DLLs):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7B55BB05-0B4D-44FD-81A6-B136188F5DEB}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4BCF322B-9621-4e90-9678-F1424EB7584E}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{860CE847-8298-4114-B142-14043C2942B1}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4BCF322B-9621-4e90-9678-F1424EB7584E}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D47BD4DE-B880-4610-8A8B-C173DEC4272F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{85A886B2-29BB-4189-8046-A66733B242E9}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7B55BB05-0B4D-44FD-81A6-B136188F5DEB}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{18E6C36A-C45F-4B60-A1A4-5C0BB16D4CC2}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00A322E2-7D50-4DBA-BEA4-5C8078D47269}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0191ABF4-9421-435E-9FFD-CD827A2A82D8}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8A94C367-815A-4D4F-A6B6-D4EB877A126C}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{CED445E2-8C78-4F40-87D7-F7FB6F1B6791}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SBITAX7.SBITAX7Ctrl
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SBITAX7.SBITAX7Ctrl.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{860CE847-8298-4114-B142-14043C2942B1}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{3CA4F168-FDC3-425D-8812-BB1379581E85}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D6637F05-74ED-4CCF-80AB-20C8EC66877A}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{38D4D5D0-423E-4220-B6F9-30918C2AE4A4}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{8EA362BD-39CB-40F5-9226-73CD40999095}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D6188A7D-376C-4970-91AD-675BFCF3762E}
- Adds the value:
"{38D4D5D0-423E-4220-B6F9-30918C2AE4A4}"=""
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
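The registry keys, dropped files, mutex and SharedTaskScheduler value above are the host-side indicators a responder would check. The script below is an added example, not code from the writeup or from the adware: it turns those indicators into a scan. The indicator strings are copied from the writeup; the live lookups use winreg, os.path.exists and OpenMutexW and therefore only work on Windows, but each lookup is a parameter so the matching logic can be exercised with test doubles on any platform.

```python
# Host-side check for the Adware.Sa indicators listed in this writeup.
# Added example, not code from the writeup or from the adware itself. The
# indicator strings are copied from the writeup; the lookups default to the
# live Windows registry, filesystem and object namespace, and each can be
# replaced by a test double so the matching logic runs on any platform.
import os

BHO_ROOT = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
            r"\Explorer\Browser Helper Objects")
BHO_CLSIDS = ["{7B55BB05-0B4D-44FD-81A6-B136188F5DEB}",
              "{4BCF322B-9621-4e90-9678-F1424EB7584E}",
              "{860CE847-8298-4114-B142-14043C2942B1}"]
CLASSES = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes"
CLASS_SUBKEYS = [  # COM registration the DLLs leave behind under HKLM\SOFTWARE\Classes
    r"CLSID\{4BCF322B-9621-4e90-9678-F1424EB7584E}",
    r"Interface\{D47BD4DE-B880-4610-8A8B-C173DEC4272F}",
    r"TypeLib\{85A886B2-29BB-4189-8046-A66733B242E9}",
    r"CLSID\{7B55BB05-0B4D-44FD-81A6-B136188F5DEB}",
    r"Interface\{18E6C36A-C45F-4B60-A1A4-5C0BB16D4CC2}",
    r"TypeLib\{00A322E2-7D50-4DBA-BEA4-5C8078D47269}",
    r"CLSID\{0191ABF4-9421-435E-9FFD-CD827A2A82D8}",
    r"Interface\{8A94C367-815A-4D4F-A6B6-D4EB877A126C}",
    r"TypeLib\{CED445E2-8C78-4F40-87D7-F7FB6F1B6791}",
    r"SBITAX7.SBITAX7Ctrl",
    r"SBITAX7.SBITAX7Ctrl.1",
    r"CLSID\{860CE847-8298-4114-B142-14043C2942B1}",
    r"Interface\{3CA4F168-FDC3-425D-8812-BB1379581E85}",
    r"TypeLib\{D6637F05-74ED-4CCF-80AB-20C8EC66877A}",
    r"CLSID\{38D4D5D0-423E-4220-B6F9-30918C2AE4A4}",
    r"TypeLib\{8EA362BD-39CB-40F5-9226-73CD40999095}",
    r"Interface\{D6188A7D-376C-4970-91AD-675BFCF3762E}",
]
SHARED_TASK_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
                   r"\Explorer\SharedTaskScheduler")
SHARED_TASK_VALUE = "{38D4D5D0-423E-4220-B6F9-30918C2AE4A4}"
DROPPED_FILES = ["questmod.dll", "questmod-1.dll", "upmod.dll", "upmod-1.dll",
                 "sasent.dll", r"Downloaded Program Files\tl7000.dll"]
MUTEX_NAME = "M99Stub"


def split_hive(path):
    # "HKEY_LOCAL_MACHINE\SOFTWARE\x" -> ("HKEY_LOCAL_MACHINE", "SOFTWARE\x")
    hive, sep, subkey = path.partition("\\")
    if not sep or not hive.startswith("HKEY_"):
        raise ValueError("not a full registry path: %r" % path)
    return hive, subkey

def winreg_key_exists(path):
    import winreg  # imported lazily so this module also loads on non-Windows hosts
    hive, subkey = split_hive(path)
    try:
        with winreg.OpenKey(getattr(winreg, hive), subkey):
            return True
    except OSError:
        return False

def winreg_value_exists(path, name):
    import winreg
    hive, subkey = split_hive(path)
    try:
        with winreg.OpenKey(getattr(winreg, hive), subkey) as key:
            winreg.QueryValueEx(key, name)  # raises FileNotFoundError if absent
            return True
    except OSError:
        return False

def mutex_present(name):
    # OpenMutexW succeeds only if some process already created the named mutex.
    import ctypes
    kernel32 = ctypes.windll.kernel32
    handle = kernel32.OpenMutexW(0x00100000, False, name)  # SYNCHRONIZE access
    if not handle:
        return False
    kernel32.CloseHandle(handle)
    return True

def windir_path(name):
    # The writeup's %Windir%; WINDIR is set on every Windows version listed above.
    return os.environ.get("WINDIR", r"C:\Windows") + "\\" + name

def scan(key_exists=winreg_key_exists, value_exists=winreg_value_exists,
         file_exists=os.path.exists, mutex_exists=mutex_present):
    # Returns every indicator found, grouped by kind; all lists empty means clean.
    hits = {"bho": [], "com": [], "shared_task": [], "files": [], "mutex": []}
    for clsid in BHO_CLSIDS:
        if key_exists(BHO_ROOT + "\\" + clsid):
            hits["bho"].append(clsid)
    for sub in CLASS_SUBKEYS:
        if key_exists(CLASSES + "\\" + sub):
            hits["com"].append(sub)
    if value_exists(SHARED_TASK_KEY, SHARED_TASK_VALUE):
        hits["shared_task"].append(SHARED_TASK_VALUE)
    for name in DROPPED_FILES:
        if file_exists(windir_path(name)):
            hits["files"].append(windir_path(name))
    if mutex_exists(MUTEX_NAME):
        hits["mutex"].append(MUTEX_NAME)
    return hits

def is_infected(hits):
    return any(hits.values())
```

On a live host, call `scan()` with no arguments; the mutex hit is the one indicator that only shows while the code is actually loaded, so a clean mutex with registry or file hits means the components are present but not running. Note that the SharedTaskScheduler value is a second load point: explorer.exe instantiates the CLSIDs listed there at startup, so deleting only the Browser Helper Objects entries leaves the DLL loading even with Internet Explorer closed.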
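The domains and the call-home URL shape given in the "Attempts to connect to the following domains" item can also be detected at the proxy. The script below is an added example, not code from the writeup or from the adware: it runs over proxy log lines and flags both the listed domains and, because the writeup says the URL varies between systems, the request shape (path /sa/, a CLSID in the a parameter, the full a..k parameter set) regardless of host. The log format (time, client, method, URL) and all sample lines are constructed, and example.net is a placeholder host, not an indicator.

```python
# Proxy-log detection for the Adware.Sa call-home URL described in this
# writeup. Added example, not code from the writeup or from the adware. The
# domain list and the /sa/?a=...&k=15 shape come from the writeup; the log
# format (time, client, method, URL) and every log line below are constructed
# samples, and example.net is a placeholder, not an indicator.
import re
from urllib.parse import parse_qs, urlsplit

KNOWN_DOMAINS = {"sa-001.com", "sa-002.com", "sa-001.biz", "sa-002.biz",
                 "sa-001.co.uk", "sa-003.co.uk", "dd.tibsystems.com"}
# The writeup says the URL varies per system, so match the shape, not the values:
# path /sa/, a CLSID (with or without braces) in "a", and the full a..k set.
CLSID_RE = re.compile(r"^\{?[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}?$")
BEACON_PARAMS = set("abcdefghijk")


def classify_url(url):
    # Returns the reasons a URL is suspicious; an empty list means no match.
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if host in KNOWN_DOMAINS or any(host.endswith("." + d) for d in KNOWN_DOMAINS):
        reasons.append("known-domain")
    query = parse_qs(parts.query)  # percent-decodes, so %7B...%7D becomes {...}
    clsid = query.get("a", [""])[0]
    if (parts.path.rstrip("/") == "/sa" and CLSID_RE.match(clsid)
            and BEACON_PARAMS <= set(query)):
        reasons.append("beacon-pattern")
    return reasons


def scan_log(lines):
    # Each line: "<time> <client> <method> <url>"; returns one finding per hit.
    findings = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        time, client, _method, url = fields[:4]
        reasons = classify_url(url)
        if not reasons:
            continue
        query = parse_qs(urlsplit(url).query)
        findings.append({"time": time, "client": client,
                         "host": (urlsplit(url).hostname or "").lower(),
                         "clsid": query.get("a", [None])[0], "reasons": reasons})
    return findings


SAMPLE_LOG = [  # constructed sample lines, not captured traffic
    "2007-02-13T11:40:59 10.0.0.5 GET http://sa-001.com/sa/?a=%7B00000000-1111-2222-3333-444444444444%7D&b=14&c=0&d=1&e=0&f=0&g=5.1&h=3&i=e0010000&j=1171366859&k=15",
    "2007-02-13T11:41:02 10.0.0.5 GET http://www.example.net/index.html",
    "2007-02-13T11:41:10 10.0.0.7 GET http://cdn.example.net/sa/?a=00000000-1111-2222-3333-444444444444&b=14&c=0&d=1&e=0&f=0&g=5.1&h=3&i=e0010000&j=1171366870&k=15",
    "2007-02-13T11:41:15 10.0.0.9 GET http://sa-002.biz/",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["time"], f["client"], f["host"], f["clsid"], ",".join(f["reasons"]))
```

The third sample line is the case the writeup's note warns about: an unlisted host carrying the same /sa/ query, which a domain-only blocklist would miss but the shape check still catches. The a value is worth recording per client, since the writeup describes it as a per-system CLSID and it lets you tie several beacons back to one host.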