
Adware.Purityscan.D

Updated: February 13, 2007 11:51:17 AM
Type: Adware
Publisher: purityscan.com
Risk Impact: Low
File Names: hoor.exe
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When Adware.PurityScan.D is installed, it performs the following actions:
  1. Adds the values:

    "Itsh"=D4 11 51 50 57 F5 B4 D1 B4 00 E1 71
    "Ctsu"=24 13 51 50
    "Potd"=24 9E BE 52 85

    to the registry key:

    HKEY_CURRENT_USER\Software\Toos

  2. Adds the value:

    "Eech"="%SystemDrive%\Documents and Settings\[user name]\Application Data\hoor.exe"

    to the registry key:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

    so that the spyware is run every time Windows starts.

  3. Creates the following files:
      • %SystemDrive%\Documents and Settings\[user name]\Application Data\hoor.exe
      • %SystemDrive%\Documents and Settings\[user name]\Application Data\rbap.exe

  4. Creates the following folders:
      • %SystemDrive%\Documents and Settings\[user name]\Application Data\mbaa
      • %SystemDrive%\Documents and Settings\[user name]\Application Data\isrd

  5. Creates the registry key HKCU\Software\Aubt. This key has the following values:

    "Ieta"="24 1f 2f db"
    "Smci"="24 92 c0 d9 85"
    "Sust"="d4 1d 2f db 57 d1 4a 50 b4 9c 30 6f"

  6. Creates the registry value "Timb"="%SystemDrive%\Documents and Settings\[user name]\Application Data\rbap.exe".

  7. Scans Internet Explorer files, including browser files, cache, history, and cookies for adult-related keywords. It then displays advertisements.

  8. Downloads and displays ads from the following Web sites:
      • legend.psdtools.com
      • pisces.clickspring.com

Note: %SystemDrive% is a variable that refers to the drive on which the Windows installation resides. By default, this is drive C. [user name] refers to the current user name when the threat was installed.
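
A triage check built from the indicators listed above, as an added example that is not Symantec's code: it scans the text of a `reg export HKCU` file for the two keys the adware creates and for any value whose data points at hoor.exe or rbap.exe under Application Data. It goes slightly beyond the Run entry by checking values under every key, since the write-up does not name the key that holds "Timb". The function name scan_reg_export, the sample export and the user name alice are constructed for illustration.

```python
import re

# Indicators taken from the write-up above (compared case-insensitively).
KEYS = {r"hkey_current_user\software\toos", r"hkey_current_user\software\aubt"}
RUN_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\run"
FILES = ("\\application data\\hoor.exe", "\\application data\\rbap.exe")

def scan_reg_export(text):
    """Return sorted (key, value name, reason) findings from .reg export text."""
    findings, key = set(), None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.lower() in KEYS:
                findings.add((key, "", "key created by the adware"))
            continue
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if not m or key is None:
            continue
        name, data = m.group(1), m.group(2)
        if data.startswith('"'):
            # REG_SZ data: strip the quotes and undo the .reg backslash escaping
            data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        if data.lower().endswith(FILES):
            reason = "autostart entry" if key.lower() == RUN_KEY else "value"
            findings.add((key, name, f"{reason} pointing at dropped file"))
    return sorted(findings)

# Constructed sample export; the hex value type for "Ctsu" is an assumption.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Toos]
"Ctsu"=hex:24,13,51,50

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Eech"="C:\\Documents and Settings\\alice\\Application Data\\hoor.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

if __name__ == "__main__":
    # A real export is UTF-16: open(path, encoding="utf-16").read()
    for finding in scan_reg_export(SAMPLE):
        print(finding)
```
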

