Adware.Incredifind

Updated: February 13, 2007 11:42:13 AM
Type: Adware
Version: 1.0.0.1
Publisher: IncrediFind
Risk Impact: High
File Names: IncFindBHO.dll date.txt delupdat.exe wupdater.exe sui.exe data1.dat data2.dat (install file
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP


When Adware.Incredifind runs, it does the following:

  1. Creates the following files:
    • %ProgramFiles%\IncrediFind\BHO\IncFindBHO.dll (this file is detected as Adware.Incredifind)
    • %ProgramFiles%\IncrediFind\BHO\date.txt

      Note: %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.

  2. Creates the following files in the %ProgramFiles%\Common files\updater folder:
    • delupdat.exe
    • wupdater.exe
    • sui.exe
    • data1.dat
    • data2.dat

  3. Adds the value:

    "updater" = "%ProgramFiles%\Common files\updater\wupdater.exe"

    to the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the Adware.Incredifind updater program runs every time Windows starts.

  4. Deletes the value:

    "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" = "[no value]"

    from the registry key:

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks

    so that searching from the Internet Explorer address bar no longer functions.

  5. Adds the value:

    "{5D60FF48-95BE-4956-B4C6-6BB168A70310}" = "[no value]"

    to the registry key:

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks

    so that searching from the Internet Explorer address bar is redirected to the domain incredifind.com.

  6. Adds the following registry keys:

    HKEY_CLASSES_ROOT\BHO.IncrediFindBHO
    HKEY_CLASSES_ROOT\BHO.IncrediFindBHO.1
    HKEY_CLASSES_ROOT\CLSID\{5D60FF48-95BE-4956-B4C6-6BB168A70310}
    HKEY_CLASSES_ROOT\Interface\{8B8F6968-2F24-41E3-B653-E9613226F14D}
    HKEY_CLASSES_ROOT\TypeLib\{DE289BFA-737B-4ABB-A4EC-F8753551B875}
    HKEY_LOCAL_MACHINE\Software\IncrediFind
    HKEY_LOCAL_MACHINE\Software\updater
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5D60FF48-95BE-4956-B4C6-6BB168A70310}

    so that the Adware.Incredifind BHO is loaded when Internet Explorer starts.

  7. Runs wupdater.exe in the background so that updates to Adware.Incredifind can be downloaded and installed.

  8. Copies the following file:

    %System%\drivers\etc\hosts

    to

    %System%\drivers\etc\hosts.bho

    so that the current hosts file can be saved.

    Notes:
    • This information is only applicable to Windows NT4 (Windows XP/2000) operating systems.
    • %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

  9. Adds the following text to the %System%\drivers\etc\hosts file:

    12.129.205.209 search.netscape.com
    12.129.205.209 sitefinder.verisign.com

    so that all access to those Web sites will be redirected. However, this may fail due to a formatting error.
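
The following is an added example, not part of the original write-up or any vendor tool: a Python check that compares the live hosts file against the hosts.bho copy from step 8 and flags the step 9 entries, including lines that carry the indicators but do not parse as valid entries. The page does not say what the formatting error is, so the malformed line, the sample file contents and the function names are constructed for illustration.

```python
import ipaddress

# Indicators copied from step 9 of the write-up above.
REDIRECT_IP = "12.129.205.209"
REDIRECT_HOSTS = {"search.netscape.com", "sitefinder.verisign.com"}

def parse_hosts(text):
    """Return ({hostname: ip}, [lines that are not a valid 'IP name...' entry])."""
    mappings, malformed = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and padding
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            malformed.append(raw.strip())
            continue
        if len(fields) < 2:                       # address with no hostname
            malformed.append(raw.strip())
            continue
        for name in fields[1:]:
            mappings.setdefault(name.lower(), ip)  # keep the first mapping seen
    return mappings, malformed

def check_hosts(current_text, backup_text):
    """Compare the live hosts file with the hosts.bho copy made in step 8."""
    current, malformed = parse_hosts(current_text)
    backup, _ = parse_hosts(backup_text)
    return {
        "redirected": sorted(h for h in REDIRECT_HOSTS
                             if current.get(h) == REDIRECT_IP),
        "added_since_backup": sorted(h for h, ip in current.items()
                                     if backup.get(h) != ip),
        "malformed_with_indicator": [
            l for l in malformed
            if REDIRECT_IP in l or any(h in l.lower() for h in REDIRECT_HOSTS)],
    }

# Constructed sample contents (not captured from an infected machine).
BACKUP = "# hosts.bho\n127.0.0.1 localhost\n"
CURRENT = ("# hosts\n127.0.0.1 localhost\n"
           "12.129.205.209 search.netscape.com\n"
           "12.129.205.209sitefinder.verisign.com\n")  # constructed malformed line

if __name__ == "__main__":
    for key, value in check_hosts(CURRENT, BACKUP).items():
        print(f"{key}: {value}")
```

On a real system, pass the text of %System%\drivers\etc\hosts and %System%\drivers\etc\hosts.bho to check_hosts; an existing hosts.bho file is itself an artifact of step 8.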

