Updated: February 13, 2007 11:42:11 AM
Type: Adware
Risk Impact: Medium
File Names:
smss.exe
mshepl.exe
mssetup.exe
svchost.exe
ups.exe
xcopy.exe
mdm.exe
dpvsetup.exe
autolfn
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
When Adware.Findwhatever is run, it does the following:
- Copies itself to %Windir%\smss.exe.
Note: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
- Copies itself to one of the following locations, chosen at random:
%Windir%\mshepl.exe
%Windir%\mssetup.exe
%Windir%\svchost.exe
%Windir%\ups.exe
%Windir%\xcopy.exe
%Windir%\mdm.exe
%Windir%\dpvsetup.exe
%Windir%\autolfn.exe
%Windir%\csrss.exe
%Windir%\label.exe
%Windir%\mmc.exe
%Windir%\msswchx.exe
%Windir%\mstask.exe
%Windir%\netdde.exe
%Windir%\ntvdm.exe
%Windir%\osk.exe
%Windir%\lasss.exe
%Windir%\spoolsv.exe
%Windir%\sptsupd.exe
%Windir%\subst.exe
%Windir%\w32tm.exe
%Windir%\mshta.exe
%Windir%\dsndup.exe
- Adds the value:
"Clock" = "[FILE NAME]"
to the registry subkey:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that Adware.Findwhatever runs every time Windows starts.
Note: [FILE NAME] is one of the randomly chosen copies listed above.
- Creates the registry key:
HKEY_CURRENT_USER\Software\Microsoft\Clock
where Adware.Findwhatever will store information about itself.
- Modifies the value:
"Start Page" = "URL pointing to the www.findwhatevernow.com domain"
in the registry subkey:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
at random intervals so that the Internet Explorer start page is set to an advertising site.
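The registry changes listed above can be checked together during triage. The following Python sketch is an added example, not part of the original write-up: it evaluates a snapshot of the current user's registry values rather than a live system, and the snapshot format, function names, finding labels and sample data are assumptions made for illustration.

```python
import ntpath
import re
from urllib.parse import urlsplit

# File names the write-up lists for the copies dropped in %Windir%.
COPY_NAMES = {
    "smss.exe", "mshepl.exe", "mssetup.exe", "svchost.exe", "ups.exe", "xcopy.exe",
    "mdm.exe", "dpvsetup.exe", "autolfn.exe", "csrss.exe", "label.exe", "mmc.exe",
    "msswchx.exe", "mstask.exe", "netdde.exe", "ntvdm.exe", "osk.exe", "lasss.exe",
    "spoolsv.exe", "sptsupd.exe", "subst.exe", "w32tm.exe", "mshta.exe", "dsndup.exe",
}
RUN_KEY = r"software\microsoft\windows\currentversion\run"
CLOCK_KEY = r"software\microsoft\clock"
IE_MAIN_KEY = r"software\microsoft\internet explorer\main"
AD_DOMAIN = "findwhatevernow.com"

def run_target(value, windir):
    """Executable path from a Run value: expand %Windir%, drop quotes and arguments."""
    value = re.sub(r"%(windir|systemroot)%", lambda m: windir, value.strip(), flags=re.I)
    m = re.match(r'"([^"]+)"|(\S+)', value)
    return ntpath.normpath(m.group(1) or m.group(2)) if m else ""

def triage(snapshot, windir=r"C:\Windows"):
    """snapshot maps (HKCU subkey, value name) -> data; (subkey, None) records a bare key."""
    snap = {(k.lower(), (v or "").lower()): d for (k, v), d in snapshot.items()}
    windir = ntpath.normpath(windir)
    findings = []
    folder, name = ntpath.split(run_target(snap.get((RUN_KEY, "clock")) or "", windir))
    # The value may hold a bare file name or a full path directly under %Windir%.
    if name.lower() in COPY_NAMES and folder.lower() in ("", windir.lower()):
        findings.append("run-clock")
    if any(key == CLOCK_KEY or key.startswith(CLOCK_KEY + "\\") for key, _ in snap):
        findings.append("clock-key")
    start = snap.get((IE_MAIN_KEY, "start page")) or ""
    host = urlsplit(start if "://" in start else "//" + start).hostname or ""
    if host == AD_DOMAIN or host.endswith("." + AD_DOMAIN):
        findings.append("start-page")
    return findings

# Constructed sample snapshot (not taken from a real host).
SAMPLE = {
    (r"Software\Microsoft\Windows\CurrentVersion\Run", "Clock"): r'"%WINDIR%\mstask.exe"',
    (r"Software\Microsoft\Clock", None): None,
    (r"Software\Microsoft\Internet Explorer\Main", "Start Page"): "http://www.findwhatevernow.com/",
}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The Run check matches only a bare file name or a path directly under %Windir%, so a value that points to a same-named file in another folder, such as System32, is not reported.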