
Adware.Affilred

Updated: February 13, 2007 11:41:33 AM
Type: Adware
Risk Impact: High
File Names: inetconnect.dll; comnt32.dll
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

Depending on the version of the adware, Adware.Affilred performs some of the following actions when it is executed:
  1. Copies itself as some of the following:

    • C:\CriticalUpdate.exe
    • C:\cab.exe
    • C:\winsecure.exe
    • registry.pif
    • %Windir%\twain_32.exe
    • %Windir%\mshotfix.exe
    • %Windir%\msupdate.exe
    • %System%\security32.exe
    • %System%\iProtect.exe
    • %System%\axe.exe
    • %System%\memorymanager.pif

      Note:
    • %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
    • %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

  2. Copies itself to the start menu folder as:

    • usbwin32.exe
    • default.scr
    • highspeed-cable.exe

  3. Creates the file %System%\inetconnect.dll or %System%\comnt32.dll.

  4. Adds some of the following values:

    "MSUpdate" = "c:\criticalUpdate.exe"
    "RegistryMonitor" = "c:\registry.pif"

    "Microsoft Security Hot Fix Update" = "%SystemRoot%\mshotfix.exe"
    "Microsoft Cab Manager" = "c:\exec.exe"
    "Windows Security Manager" = "c:\winsecure.exe"
    "Windows Security Update" = "%Windir%\security32.exe"


    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the adware runs every time Windows starts.

  5. May add the value:

    "Userinit" = "%System%\userinit.exe, %Windir%\iProtect.exe"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

    so that the adware runs every time Windows starts.

  6. May add the value:

    "WinTask" = "c:\wintask.exe"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

    so that the adware runs every time Windows starts.

  7. Adds some of the subkeys:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{8E668361-C801-41B7-BF89-2FC2C8DE9167}
    HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{0CDAAEC2-E245-44CC-8357-CAB70172D017}
    HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{77566C2A-2987-44BC-AC81-A02D19EE271B}
    HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{C0DADD7E-D3F1-430D-B735-39DC6033592C}

  8. May add one of the subkeys:

    HKEY_CLASSES_ROOT\CLSID\{FD3A6AB4-5527-4B52-90AF-F90CD3270861}
    HKEY_CLASSES_ROOT\CLSID\{1BB87441-6B7F-4B60-885C-B7AF9F9AFDE3}

    so that the adware runs every time Internet Explorer starts.

  9. May add the value:

    "Memory Manager" = "%System%\memorymanager.pif"

    to the registry key:

    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load

    so that the adware runs every time Windows starts.

  10. May add the registry key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1BB87441-6B7F-4B60-885C-B7AF9F9AFDE3}

    so that the adware runs every time Internet Explorer starts.

  11. May register itself as a service called ASecurity32.

  12. Overwrites the hosts file with some of the following text:


  13. Redirects Internet Explorer traffic intended for certain Web sites to the URLs associated with their affiliates.
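An offline triage check for the persistence points listed above, added here as an example and not part of the original write-up. It assumes a registry export already decoded to text in `.reg` format and a copy of the hosts file; the function names and sample input are hypothetical, and file-name matches are hints that still need the full path checked.

```python
import re

# File names and GUIDs copied from this page; comparison is case-insensitive.
FILES = {"criticalupdate.exe", "registry.pif", "mshotfix.exe", "exec.exe", "winsecure.exe",
         "security32.exe", "wintask.exe", "memorymanager.pif", "iprotect.exe"}
GUIDS = {"{8e668361-c801-41b7-bf89-2fc2c8de9167}", "{0cdaaec2-e245-44cc-8357-cab70172d017}",
         "{77566c2a-2987-44bc-ac81-a02d19ee271b}", "{c0dadd7e-d3f1-430d-b735-39dc6033592c}",
         "{fd3a6ab4-5527-4b52-90af-f90cd3270861}", "{1bb87441-6b7f-4b60-885c-b7af9f9afde3}"}
AUTORUN_KEYS = (r"\currentversion\run", r"\currentversion\runservices", r"\windows\load")

def basename(path):
    return path.strip().strip('"').lower().rsplit("\\", 1)[-1]

def scan_reg_export(text):
    """Return (key, value name, reason) findings from .reg-format text."""
    findings, key = [], ""
    for line in map(str.strip, text.splitlines()):
        m = re.match(r'"(.*?)"="(.*)"$', line)
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.lower().rsplit("\\", 1)[-1] in GUIDS:
                findings.append((key, "", "listed GUID subkey"))
        elif m:
            name, data = m.group(1), m.group(2).replace("\\\\", "\\")
            if key.lower().endswith("\\winlogon") and name.lower() == "userinit":
                for p in data.split(","):  # every program in this list runs at logon
                    if p.strip() and basename(p) != "userinit.exe":
                        findings.append((key, name, "extra Userinit entry: " + p.strip()))
            elif key.lower().endswith(AUTORUN_KEYS) and basename(data) in FILES:
                findings.append((key, name, "listed file name: " + basename(data)))
    return findings

def scan_hosts(text):
    """Return names a hosts file maps to 127.0.0.1, localhost excluded."""
    hits = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "127.0.0.1":
            hits += [h.lower() for h in fields[1:] if h.lower() != "localhost"]
    return hits

# Constructed sample input, not taken from a real machine.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSUpdate"="c:\\criticalUpdate.exe"
"Indexer"="C:\\Program Files\\Example\\indexer.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe, C:\\WINDOWS\\iProtect.exe"
'''
SAMPLE_HOSTS = "127.0.0.1 localhost\n127.0.0.1 www.shop.example  # constructed\n"
```

Only plain string values are parsed; values exported in `hex(2):` form (expandable strings) are skipped and need separate review.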

