
Adware.CWSConyc

Updated:
February 13, 2007 11:41:48 AM
Type:
Adware
Publisher:
conyc.com
Risk Impact:
Medium
File Names:
mt.exe, setup.exe, popup_bl.dll, serch_hook.dll, toolband_atl.dll, systr.dll
Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When Adware.CWSConyc is executed, it does the following:
  1. Drops the following files:

    • %CurrentFolder%\mt.exe
    • %CurrentFolder%\popup_bl.dll
    • %CurrentFolder%\serch_hook.dll
    • %CurrentFolder%\setup.exe
    • %CurrentFolder%\toolband_atl.dll
    • %System%\popup_bl.dll
    • %System%\searchdll.dll
    • %System%\systr.dll

      Note:
      • %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
      • %CurrentFolder% is a variable that refers to the directory that the Security Risk was executed from.

  2. Creates the following registry keys:

    HKEY_CLASSES_ROOT\CLSID\{12345678-0000-0010-8000-00AAFF6D2EA4}
    HKEY_CLASSES_ROOT\CLSID\{28F65FCB-D130-11D8-BA48-8BE0C49AF370}
    HKEY_CLASSES_ROOT\CLSID\{815A82AE-CDEF-11D8-BA48-A6D245798277}
    HKEY_CLASSES_ROOT\CLSID\{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70}
    HKEY_CLASSES_ROOT\CLSID\{CF70455E-EDC1-4067-B824-CD0314BC3B2E}
    HKEY_CLASSES_ROOT\Interface\{05AAE5E5-47A1-4F65-8C32-8913EAD54DBF}
    HKEY_CLASSES_ROOT\Interface\{28F65FCA-D130-11D8-BA48-8BE0C49AF370}
    HKEY_CLASSES_ROOT\Interface\{815A82AD-CDEF-11D8-BA48-A6D245798277}
    HKEY_CLASSES_ROOT\Interface\{A77BD0A1-A8FA-48C0-8FFF-5A4DDCAD4581}
    HKEY_CLASSES_ROOT\Interface\{C7EDAB2D-D7F9-11D8-BA48-C79B0C409D70}
    HKEY_CLASSES_ROOT\TypeLib\{28F65FBE-D130-11D8-BA48-8BE0C49AF370}
    HKEY_CLASSES_ROOT\TypeLib\{815A82A1-CDEF-11D8-BA48-A6D245798277}
    HKEY_CLASSES_ROOT\TypeLib\{C7EDAB21-D7F9-11D8-BA48-C79B0C409D70}
    HKEY_CLASSES_ROOT\Popup_bl.BL
    HKEY_CLASSES_ROOT\Popup_bl.BL.1
    HKEY_CLASSES_ROOT\Popup_bl.onClick
    HKEY_CLASSES_ROOT\Popup_bl.onClick.1
    HKEY_CLASSES_ROOT\Serch_hook.transURL
    HKEY_CLASSES_ROOT\Serch_hook.transURL.1
    HKEY_CLASSES_ROOT\Toolband_atl.Band_IE
    HKEY_CLASSES_ROOT\Toolband_atl.Band_IE.1
    HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{12345678-0000-0010-8000-00AAFF6D2EA4}
    HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{28F65FCB-D130-11D8-BA48-8BE0C49AF370}
    HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{815A82AE-CDEF-11D8-BA48-A6D245798277}
    HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70}
    HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{CF70455E-EDC1-4067-B824-CD0314BC3B2E}
    HKEY_LOCAL_MACHINE\Software\Classes\Interface\{05AAE5E5-47A1-4F65-8C32-8913EAD54DBF}
    HKEY_LOCAL_MACHINE\Software\Classes\Interface\{28F65FCA-D130-11D8-BA48-8BE0C49AF370}
    HKEY_LOCAL_MACHINE\Software\Classes\Interface\{815A82AD-CDEF-11D8-BA48-A6D245798277}
    HKEY_LOCAL_MACHINE\Software\Classes\Interface\{A77BD0A1-A8FA-48C0-8FFF-5A4DDCAD4581}
    HKEY_LOCAL_MACHINE\Software\Classes\Interface\{C7EDAB2D-D7F9-11D8-BA48-C79B0C409D70}
    HKEY_LOCAL_MACHINE\Software\Classes\TypeLib\{28F65FBE-D130-11D8-BA48-8BE0C49AF370}
    HKEY_LOCAL_MACHINE\Software\Classes\TypeLib\{815A82A1-CDEF-11D8-BA48-A6D245798277}
    HKEY_LOCAL_MACHINE\Software\Classes\TypeLib\{C7EDAB21-D7F9-11D8-BA48-C79B0C409D70}
    HKEY_LOCAL_MACHINE\Software\Classes\Popup_bl.BL
    HKEY_LOCAL_MACHINE\Software\Classes\Popup_bl.BL.1
    HKEY_LOCAL_MACHINE\Software\Classes\Popup_bl.onClick
    HKEY_LOCAL_MACHINE\Software\Classes\Popup_bl.onClick.1
    HKEY_LOCAL_MACHINE\Software\Classes\Serch_hook.transURL
    HKEY_LOCAL_MACHINE\Software\Classes\Serch_hook.transURL.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{28F65FCB-D130-11D8-BA48-8BE0C49AF370}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Popup Blocker
    HKEY_LOCAL_MACHINE\SOFTWARE\Tim


  3. Creates the following registry entries:

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Enable Browser Extensions" = "yes"
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Use Search Assistant" = "yes"
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Use Search Asst" = "no"
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\"(Default)" = "[http://]www.v73.us/[REMOVED]"
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks\"{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70}"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\"{815A82AE-CDEF-11D8-BA48-A6D245798277}" = "Popup Blocker 17.08.04"

  4. Modifies the following value:

    "SearchAssistant" = "[http://]www.v73.us/[REMOVED]/search.htm"

    in the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search

  5. Adds the following value:

    "{12345678-0000-0010-8000-00AAFF6D2EA4}" = "Sysctl Desktop Handler"

    in the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\

  6. Adds the following lines to the hosts file:

    69.50.164.213   google.com   www.google.com   www.aol.com   aol.com   www.yahoo.com   yahoo.com   www.msn.com   msn.com   www.go.com   go.com

  7. May add the following line to the %Windir%\system.ini file:

    load = %Windir%\inet10050\services.exe

    to allow the W32.Conycspa.g@mm threat associated with this risk to run at startup.

    Note: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

  8. Contacts the domain conyc.com to display advertisements when Internet Explorer is started.
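As an added defender-side check, not Symantec's code or tooling, the Python module below flags the hosts-file redirection, the system.ini load= line and the registered CLSIDs listed above in offline copies of those artifacts. It assumes the caller supplies the file contents (for example from a forensic image or a .reg export) as strings.

```python
import re

# Indicators are taken from the Adware.CWSConyc write-up above; the hosts
# file, system.ini and .reg export passed in are constructed by the caller.
HIJACK_IP = "69.50.164.213"
HIJACKED_HOSTS = {
    "google.com", "www.google.com", "aol.com", "www.aol.com", "yahoo.com",
    "www.yahoo.com", "msn.com", "www.msn.com", "go.com", "www.go.com",
}
CWS_CLSIDS = {  # BHO, "Popup Blocker" toolbar, URLSearchHook, SharedTaskScheduler
    "{28F65FCB-D130-11D8-BA48-8BE0C49AF370}", "{815A82AE-CDEF-11D8-BA48-A6D245798277}",
    "{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70}", "{12345678-0000-0010-8000-00AAFF6D2EA4}",
}
# system.ini persistence line: load = %Windir%\inet10050\services.exe
LOAD_LINE = re.compile(r"^\s*load\s*=\s*(.*\\inet10050\\services\.exe)\s*$", re.I)


def hosts_hijacks(hosts_text):
    """(ip, hostname) pairs pinned to the hijack IP, or hijacked names pinned
    anywhere other than a local sinkhole; comments and blank lines ignored."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()  # one IP may carry many names per line
        for name in (n.lower() for n in names):
            # ad-block style pins to 127.0.0.1 / 0.0.0.0 are not hijacks
            if ip == HIJACK_IP or (name in HIJACKED_HOSTS and ip not in ("127.0.0.1", "0.0.0.0")):
                hits.append((ip, name))
    return hits


def system_ini_load(ini_text):
    """Path from a 'load=' line that starts the inet10050 dropper, else None."""
    for raw in ini_text.splitlines():
        m = LOAD_LINE.match(raw)
        if m:
            return m.group(1)
    return None


def registry_hits(reg_export_text):
    """Key paths in a .reg export that name one of the CWSConyc CLSIDs."""
    hits = []
    for raw in reg_export_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and any(c in line.upper() for c in CWS_CLSIDS):
            hits.append(line.strip("[]"))
    return hits
```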
