||||
Symantec.com > Security Response > Threats and Risks > Adware.MediaTicket
PRINT THIS PAGE

Adware.MediaTicket

Printer Friendly Page

Updated: February 13, 2007 11:40:45 AM
Type: Adware
Risk Impact: Low
File Names: arsetup.exe,installer.exe,MediaTicketsInstaller.ocx.
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP


When Adware.MediaTicket is executed, it does the following:
  1. Creates the following files:
    • %Temp%\installer.exe
    • %CurrentFolder%\mt-uninstaller.exe
    • %Windir%\Downloaded Program Files\MediaTicketsInstaller.ocx
    • %Windir%\Downloaded Program Files\MediaTicketsInstaller.INF
    • %UserProfile%\Local Settings\Temp\installer.exe

      Notes:
    • %Temp% is a variable that refers to the Windows temporary folder. By default, this is C:\Windows\TEMP (Windows 95/98/Me/XP) or C:\WINNT\Temp (Windows NT/2000).
    • %CurrentFolder% is a variable that refers to the folder where the risk was originally executed.

  2. Adds the following registry keys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{39DA2444-065F-47CB-B27C-CCB1A39C06B7}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9EB320CE-BE1D-4304-A081-4B4665414BEF}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{3517FB25-305D-4012-B531-186E3851E7ED}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{4781DAA6-4DE5-47A1-B02A-945F0D017A9E}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{5530D356-0063-41B9-B20D-E9D799E8D907}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MEDIATICKETSINSTALLER.MediaTicketsInstallerCtrl.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{9EB320CE-BE1D-4304-A081-4B4665414BEF}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/MediaTicketsInstaller.ocx
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/Downloaded Program Files/MediaTicketsInstaller.ocx

  3. Adds one of the values:

    "msn messanger" = "[file path to adware]"
    "    REGRUN" = "[file path to adware]"
    "    PROPRO"= "[file path to adware]"

    to the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the adware is executed every time Windows starts.
  4. Modifies the following registry keys:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\CurrentLevel
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Flags

    to reset the security settings of the Internet zone in Internet Explorer.


Search by name
Example: W32.Beagle.AG@mm
Windows 7
Windows Vista Security
©1995 - 2009 Symantec Corporation
Site Map|
Legal Notices|
Privacy Policy|
|
Contact Us|
Global Sites|
License Agreements|
RSS