
Adware.TargetSaver

Updated: February 13, 2007 11:41:53 AM
Type: Adware
Publisher: TargetSaver
Risk Impact: Medium
File Names: ts2.exe tsl2.exe tsm2.exe tsp2.exe [random name]a.exe [random four letter name]l.exe [random
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When Adware.TargetSaver is executed, it performs the following actions:
  1. May create one or more of the following folders:

    • %Program Files%\Common Files\tsa
    • %Program Files%\Common Files\tsa\rainbow
    • %Program Files%\Common Files\[random four letter name]
    • %Program Files%\Common Files\[random four letter name]\[random four letter name]d
    • %Windir%\[random four letter name]

      Note:
    • %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
    • %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

  2. May create one or more of the following files:

    • %Program Files%\Common Files\tsa\inst.dat
    • %Program Files%\Common Files\tsa\ts2.exel
    • %Program Files%\Common Files\tsa\ts2lock
    • %Program Files%\Common Files\tsa\tsl2.exe
    • %Program Files%\Common Files\tsa\tsm2.exe
    • %Program Files%\Common Files\tsa\tsm2lock
    • %Program Files%\Common Files\tsa\tsp2.exe
    • %Program Files%\Common Files\tsa\tsuninst.exe
    • %Program Files%\Common Files\tsa\wu
    • %Program Files%\Common Files\tsa\rainbow\class-barrel
    • %Program Files%\Common Files\tsa\rainbow\classify.dll
    • %Program Files%\Common Files\tsa\rainbow\vocabulary
    • %Program Files%\Common Files\[RANDOM FOUR LETTER NAME]\[RANDOM FOUR LETTER NAME]a.exe
    • %Program Files%\Common Files\[RANDOM FOUR LETTER NAME]\[RANDOM FOUR LETTER NAME]a.lck
    • %Program Files%\Common Files\[RANDOM FOUR LETTER NAME]\[RANDOM FOUR LETTER NAME]l.exe
    • %Program Files%\Common Files\[RANDOM FOUR LETTER NAME]\[RANDOM FOUR LETTER NAME]l.lck
    • %Program Files%\Common Files\[RANDOM FOUR LETTER NAME]\[RANDOM FOUR LETTER NAME]m.exe
    • %Program Files%\Common Files\[RANDOM FOUR LETTER NAME]\[RANDOM FOUR LETTER NAME]m.lck
    • %Program Files%\Common Files\[RANDOM FOUR LETTER NAME]\[RANDOM FOUR LETTER NAME]p.exe
    • %Program Files%\Common Files\[RANDOM FOUR LETTER NAME]\[RANDOM FOUR LETTER NAME]d\class-barrel
    • %Program Files%\Common Files\[RANDOM FOUR LETTER NAME]\[RANDOM FOUR LETTER NAME]d\[RANDOM FOUR LETTER NAME]c.dll
    • %Program Files%\Common Files\[RANDOM FOUR LETTER NAME]\[RANDOM FOUR LETTER NAME]d\vocabulary
    • %UserProfile%\Temp\tsupdate_[VERSION NUMBER]_b2.exe
    • %Windir%\[RANDOM FOUR LETTER NAME]\wu
    • %Windir%\[RANDOM FOUR LETTER NAME]\[RANDOM FOUR LETTER NAME]z.dat
    • %System%\tsuninst.exe

      Notes:
    • %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).
    • %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

  3. May add the following value:

    "Tsa2" = "%Program Files%\Common Files\tsa\tsm2.exe"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the adware runs every time Windows starts.

  4. May add one or more of the following values:

    "[RANDOM FOUR LETTER NAME]" = "%Program Files%\Common Files\[RANDOM FOUR LETTER NAME]\[RANDOM FOUR LETTER NAME]m.exe"

    to the registry subkey:

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the adware runs every time Windows starts.

  5. Creates the following registry subkeys:

    HKEY_LOCAL_MACHINE\SOFTWARE\TSA
    HKEY_LOCAL_MACHINE\SOFTWARE\[RANDOM FOUR LETTER NAME]
    HKEY_CURRENT_USER\SOFTWARE\TSA
    HKEY_CURRENT_USER\SOFTWARE\[RANDOM FOUR LETTER NAME]
    HKEY_LOCAL_MACHINE\SOFTWARE\Uninstall\TSA
    HKEY_LOCAL_MACHINE\SOFTWARE\Uninstall\[RANDOM FOUR LETTER NAME]

  6. Downloads updates from a remote site.

  7. Monitors open windows for words from the vocabulary file.

  8. Displays advertisements using pop-up and pop-under windows.
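
The file and Run-key indicators in steps 2 to 4 can be turned into a triage check. The Python below is an added example, not part of the original write-up or any Symantec tool; it assumes the default Program Files location on any drive letter, assumes the bracketed random name is the same four ASCII letters in the folder and the file name, and runs over constructed sample entries.

```python
import re

# Patterns built from the folder, file and Run-key lists above.
# Assumptions: default "Program Files" location on any drive letter, and the
# bracketed random name is the same four ASCII letters in folder and file,
# which the backreference \1 enforces. "ts2\.exel?" accepts both spellings
# that appear on the page (ts2.exe and ts2.exel).
COMMON = r"[a-z]:\\program files\\common files\\"
FIXED = re.compile(
    COMMON + r"tsa\\(ts2\.exel?|tsl2\.exe|tsm2\.exe|tsp2\.exe|tsuninst\.exe"
    r"|ts2lock|tsm2lock|inst\.dat|wu"
    r"|rainbow\\(class-barrel|classify\.dll|vocabulary))$")
RANDOM = re.compile(
    COMMON + r"([a-z]{4})\\(\1[almp]\.exe|\1[alm]\.lck"
    r"|\1d\\(class-barrel|\1c\.dll|vocabulary))$")

def _norm(value):
    # Windows paths are case-insensitive; Run data is often quoted.
    return value.strip().strip('"').lower()

def classify_path(path):
    """Return 'fixed', 'random' or None for one file path."""
    p = _norm(path)
    if FIXED.match(p):
        return "fixed"
    return "random" if RANDOM.match(p) else None

def classify_run_value(name, data):
    """Check one Run value against step 3 (Tsa2) and step 4 (random name)."""
    p, n = _norm(data), name.lower()
    if n == "tsa2" and p.endswith("\\common files\\tsa\\tsm2.exe"):
        return "fixed"
    m = RANDOM.match(p)
    if m and m.group(1) == n and p.endswith(n + "m.exe"):
        return "random"
    return None

# Constructed sample (value name, data) pairs, not taken from a real host.
SAMPLE_RUN = [
    ("Tsa2", r"C:\Program Files\Common Files\tsa\tsm2.exe"),
    ("qwzx", r'"C:\Program Files\Common Files\qwzx\qwzxm.exe"'),
    ("ctfmon", r"C:\Windows\System32\ctfmon.exe"),
    ("abcd", r"C:\Program Files\Common Files\abcd\wxyzm.exe"),  # names differ
]

def scan(entries):
    return [(name, classify_run_value(name, data)) for name, data in entries]

if __name__ == "__main__":
    for name, verdict in scan(SAMPLE_RUN):
        print(f"{name:8} {verdict or 'no match'}")
```

A "random" verdict rests only on the naming pattern, so treat it as a lead to confirm against the other listed files and registry subkeys rather than as a conclusive identification.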

