Updated: February 13, 2007 11:41:48 AM
Type: Adware
Publisher: conyc.com
Risk Impact: Medium
File Names:
mt.exe
setup.exe
popup_bl.dll
serch_hook.dll
toolband_atl.dll
systr.dll
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
When Adware.CWSConyc is executed, it does the following:
- Drops the following files:
- %CurrentFolder%\mt.exe
- %CurrentFolder%\popup_bl.dll
- %CurrentFolder%\serch_hook.dll
- %CurrentFolder%\setup.exe
- %CurrentFolder%\toolband_atl.dll
- %System%\popup_bl.dll
- %System%\searchdll.dll
- %System%\systr.dll
Note:
- %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
- %CurrentFolder% is a variable that refers to the directory that the Security Risk was executed from.
- Creates the following registry keys:
HKEY_CLASSES_ROOT\CLSID\{12345678-0000-0010-8000-00AAFF6D2EA4}
HKEY_CLASSES_ROOT\CLSID\{28F65FCB-D130-11D8-BA48-8BE0C49AF370}
HKEY_CLASSES_ROOT\CLSID\{815A82AE-CDEF-11D8-BA48-A6D245798277}
HKEY_CLASSES_ROOT\CLSID\{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70}
HKEY_CLASSES_ROOT\CLSID\{CF70455E-EDC1-4067-B824-CD0314BC3B2E}
HKEY_CLASSES_ROOT\Interface\{05AAE5E5-47A1-4F65-8C32-8913EAD54DBF}
HKEY_CLASSES_ROOT\Interface\{28F65FCA-D130-11D8-BA48-8BE0C49AF370}
HKEY_CLASSES_ROOT\Interface\{815A82AD-CDEF-11D8-BA48-A6D245798277}
HKEY_CLASSES_ROOT\Interface\{A77BD0A1-A8FA-48C0-8FFF-5A4DDCAD4581}
HKEY_CLASSES_ROOT\Interface\{C7EDAB2D-D7F9-11D8-BA48-C79B0C409D70}
HKEY_CLASSES_ROOT\TypeLib\{28F65FBE-D130-11D8-BA48-8BE0C49AF370}
HKEY_CLASSES_ROOT\TypeLib\{815A82A1-CDEF-11D8-BA48-A6D245798277}
HKEY_CLASSES_ROOT\TypeLib\{C7EDAB21-D7F9-11D8-BA48-C79B0C409D70}
HKEY_CLASSES_ROOT\Popup_bl.BL
HKEY_CLASSES_ROOT\Popup_bl.BL.1
HKEY_CLASSES_ROOT\Popup_bl.onClick
HKEY_CLASSES_ROOT\Popup_bl.onClick.1
HKEY_CLASSES_ROOT\Serch_hook.transURL
HKEY_CLASSES_ROOT\Serch_hook.transURL.1
HKEY_CLASSES_ROOT\Toolband_atl.Band_IE
HKEY_CLASSES_ROOT\Toolband_atl.Band_IE.1
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{12345678-0000-0010-8000-00AAFF6D2EA4}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{28F65FCB-D130-11D8-BA48-8BE0C49AF370}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{815A82AE-CDEF-11D8-BA48-A6D245798277}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{CF70455E-EDC1-4067-B824-CD0314BC3B2E}
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{05AAE5E5-47A1-4F65-8C32-8913EAD54DBF}
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{28F65FCA-D130-11D8-BA48-8BE0C49AF370}
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{815A82AD-CDEF-11D8-BA48-A6D245798277}
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{A77BD0A1-A8FA-48C0-8FFF-5A4DDCAD4581}
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{C7EDAB2D-D7F9-11D8-BA48-C79B0C409D70}
HKEY_LOCAL_MACHINE\Software\Classes\TypeLib\{28F65FBE-D130-11D8-BA48-8BE0C49AF370}
HKEY_LOCAL_MACHINE\Software\Classes\TypeLib\{815A82A1-CDEF-11D8-BA48-A6D245798277}
HKEY_LOCAL_MACHINE\Software\Classes\TypeLib\{C7EDAB21-D7F9-11D8-BA48-C79B0C409D70}
HKEY_LOCAL_MACHINE\Software\Classes\Popup_bl.BL
HKEY_LOCAL_MACHINE\Software\Classes\Popup_bl.BL.1
HKEY_LOCAL_MACHINE\Software\Classes\Popup_bl.onClick
HKEY_LOCAL_MACHINE\Software\Classes\Popup_bl.onClick.1
HKEY_LOCAL_MACHINE\Software\Classes\Serch_hook.transURL
HKEY_LOCAL_MACHINE\Software\Classes\Serch_hook.transURL.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{28F65FCB-D130-11D8-BA48-8BE0C49AF370}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Popup Blocker
HKEY_LOCAL_MACHINE\SOFTWARE\Tim
- Creates the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Enable Browser Extensions" = "yes"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Use Search Assistant" = "yes"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Use Search Asst" = "no"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\"(Default)" = "[http://]www.v73.us/[REMOVED]"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks\"{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\"{815A82AE-CDEF-11D8-BA48-A6D245798277}" = "Popup Blocker 17.08.04"
- Modifies the following value:
"SearchAssistant" = "[http://]www.v73.us/[REMOVED]/search.htm"
in the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search
- Adds the following value:
"{12345678-0000-0010-8000-00AAFF6D2EA4}" = "Sysctl Desktop Handler"
in the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
- Adds the following lines to the hosts file:
69.50.164.213 google.com www.google.com www.aol.com aol.com www.yahoo.com yahoo.com www.msn.com msn.com www.go.com go.com
69.50.164.213 google.com www.google.com www.aol.com aol.com www.yahoo.com yahoo.com www.msn.com msn.com www.go.com go.com
- May add the following line to the %Windir%\system.ini file:
load = %Windir%\inet10050\services.exe
to allow the W32.Conycspa.g@mm threat associated with this risk to run at startup.
Note: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
- Contacts the domain conyc.com to display advertisements when Internet Explorer is started.
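The hosts-file hijack and the system.ini load line above are the two host artifacts a responder can check from a copied file without touching the registry. The checker below is an added example, not part of the Symantec writeup; it takes the indicators from this page and generalizes the hosts check to report any non-local mapping of the listed search-engine names, not only the 69.50.164.213 address named here. The sample hosts and system.ini contents are constructed.

```python
import re

# Indicators taken from the Adware.CWSConyc writeup above.
ROGUE_HOSTS_IP = "69.50.164.213"
HIJACKED_NAMES = {"google.com", "www.google.com", "www.aol.com", "aol.com",
                  "www.yahoo.com", "yahoo.com", "www.msn.com", "msn.com",
                  "www.go.com", "go.com"}
LOCAL_ADDRS = {"127.0.0.1", "::1", "0.0.0.0"}
# system.ini line the writeup says may be added; %Windir% differs per machine.
LOAD_LINE = re.compile(r"^\s*load\s*=\s*(.*\\inet10050\\services\.exe)\s*$", re.I)

def hosts_findings(hosts_text):
    """Return (ip, name) pairs where a listed search-engine name resolves to a
    non-local address.  Generalizes the writeup: any such mapping is reported,
    whether or not the address is the 69.50.164.213 indicator."""
    findings = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments and whitespace
        if not line:
            continue
        ip, *names = line.split()
        if ip in LOCAL_ADDRS:
            continue
        for name in names:
            if name.lower() in HIJACKED_NAMES:
                findings.append((ip, name.lower()))
    return findings

def system_ini_load(ini_text):
    """Return the inet10050\\services.exe load= target from system.ini, or None."""
    for raw in ini_text.splitlines():
        m = LOAD_LINE.match(raw)
        if m:
            return m.group(1)
    return None

def assess(hosts_text, ini_text):
    """Combine both checks; 'exact_ioc' is True when the writeup's IP is present."""
    hosts = hosts_findings(hosts_text)
    return {"hosts_hijacks": hosts,
            "exact_ioc": any(ip == ROGUE_HOSTS_IP for ip, _ in hosts),
            "system_ini_load": system_ini_load(ini_text)}

# Constructed sample input, not captured from a real machine.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1 localhost
69.50.164.213 google.com www.google.com www.aol.com aol.com www.yahoo.com yahoo.com www.msn.com msn.com www.go.com go.com
"""
SAMPLE_SYSTEM_INI = "[boot]\nshell=Explorer.exe\nload = C:\\Windows\\inet10050\\services.exe\n"

if __name__ == "__main__":
    print(assess(SAMPLE_HOSTS, SAMPLE_SYSTEM_INI))
```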