Updated: February 13, 2007 11:41:33 AM
Type: Adware
Risk Impact: High
File Names: inetconnect.dll; comnt32.dll
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Depending on the version of the adware, Adware.Affilred performs some of the following actions when it is executed:
- Copies itself as some of the following:
  - C:\CriticalUpdate.exe
  - C:\cab.exe
  - C:\winsecure.exe
  - registry.pif
  - %Windir%\twain_32.exe
  - %Windir%\mshotfix.exe
  - %Windir%\msupdate.exe
  - %System%\security32.exe
  - %System%\iProtect.exe
  - %System%\axe.exe
  - %System%\memorymanager.pif
Note:
- %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
- %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
- Copies itself to the Start Menu folder as:
  - usbwin32.exe
  - default.scr
  - highspeed-cable.exe
  - default.scr
- Creates the file %System%\inetconnect.dll or %System%\comnt32.dll.
- Adds some of the following values:
"MSUpdate" = "c:\criticalUpdate.exe"
"RegistryMonitor" = "c:\registry.pif"
"Microsoft Security Hot Fix Update" = "%SystemRoot%\mshotfix.exe"
"Microsoft Cab Manager" = "c:\exec.exe"
"Windows Security Manager" = "c:\winsecure.exe"
"Windows Security Update" = "%Windir%\security32.exe"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the adware runs every time Windows starts.
- May add the value:
"Userinit" = "%System%\userinit.exe, %Windir%\iProtect.exe"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
so that the adware runs every time Windows starts.
- May add the value:
"WinTask" = "c:\wintask.exe"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
so that the adware runs every time Windows starts.
- Adds some of the subkeys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{8E668361-C801-41B7-BF89-2FC2C8DE9167}
HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{0CDAAEC2-E245-44CC-8357-CAB70172D017}
HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{77566C2A-2987-44BC-AC81-A02D19EE271B}
HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{C0DADD7E-D3F1-430D-B735-39DC6033592C}
- May add one of the subkeys:
HKEY_CLASSES_ROOT\CLSID\{FD3A6AB4-5527-4B52-90AF-F90CD3270861}
HKEY_CLASSES_ROOT\CLSID\{1BB87441-6B7F-4B60-885C-B7AF9F9AFDE3}
so that the adware runs every time Internet Explorer starts.
- May add the value:
"Memory Manager" = "%System%\memorymanager.pif"
to the registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
so that the adware runs every time Windows starts.
- May add the registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1BB87441-6B7F-4B60-885C-B7AF9F9AFDE3}
so that the adware runs every time Internet Explorer starts.
- May register itself as a service called ASecurity32.
- Overwrites the hosts file with some of the following text:
- Redirects Internet Explorer traffic intended for certain Web sites to the URLs associated with their affiliates.
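
A triage check for the autostart entries listed above, as an added example that is not part of the original write-up: it parses `reg query` text output and flags the Run/RunServices value names named on this page, plus any program appended to Userinit after userinit.exe. The sample output is constructed, the function names are hypothetical, and the parser assumes the usual four-space `reg query` column layout.

```python
import re

# Run/RunServices value names listed in the write-up (compared case-insensitively).
RUN_NAMES = {n.lower() for n in (
    "MSUpdate", "RegistryMonitor", "Microsoft Security Hot Fix Update",
    "Microsoft Cab Manager", "Windows Security Manager",
    "Windows Security Update", "WinTask")}

# Assumed `reg query` value line: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_RE = re.compile(r"^\s{4}(.+?)\s{4}(REG_\w+)\s{4}(.*)$")

def parse_reg_query(text):
    """Yield (key, value_name, data) tuples from `reg query` text output."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
        elif key and (m := VALUE_RE.match(line)):
            yield key, m.group(1), m.group(3)

def triage(text):
    """Return (kind, value_name, data) findings for the indicators above."""
    findings = []
    for key, name, data in parse_reg_query(text):
        leaf = key.rsplit("\\", 1)[-1].lower()
        if leaf in ("run", "runservices") and name.lower() in RUN_NAMES:
            findings.append(("autostart", name, data))
        elif leaf == "winlogon" and name.lower() == "userinit":
            # Userinit is a comma-separated program list; report every
            # entry that is not userinit.exe itself.
            progs = [p.strip() for p in data.split(",") if p.strip()]
            extra = [p for p in progs if not p.lower().endswith("\\userinit.exe")]
            if extra:
                findings.append(("userinit", name, ", ".join(extra)))
    return findings

# Constructed sample, not captured from an infected host.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    Microsoft Security Hot Fix Update    REG_SZ    %SystemRoot%\mshotfix.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Userinit    REG_SZ    C:\Windows\system32\userinit.exe, C:\Windows\iProtect.exe
    Shell    REG_SZ    explorer.exe
"""

if __name__ == "__main__":
    for kind, name, data in triage(SAMPLE):
        print(f"{kind:9} {name}: {data}")
```

A name match alone is a lead, not a verdict: confirm the file the value points to before removing the entry.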