When Adware.Sheldor is executed, it does the following:
- Displays the error message:
"E47250: Incorrect MPEG Data format"
- Copies itself as %System%\Shellexpl.exe or %System%\shellexp.exe
Note: %System% is a variable. The adware locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
- Adds one of the following values:
"Explorer"="%System%\Shellexpl.exe"
"Explorer"="%System%\shellexp.exe en.."
to one of the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the adware runs when Windows starts.
- Creates one or more of the following configuration files:
- %System%\Hndldt.ini
- %System%\Winhndl.ini
- %System%\windll.ini
- Modifies the Hosts file (located at %System%\drivers\etc\hosts in Windows XP and 2000, and at %Windir%\hosts in Windows 98/Me) by adding the line:
64.237.37.47 auto.search.msn.com
which redirects searches to Adware.Sheldor's search site.
Note: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
- Monitors any new cookies that are created. If the cookies contain certain keywords, advertisements for an adult-content Web site will be displayed.
The following keywords trigger advertisements:
- adult
- adware
- amateur
- anal
- babes
- bbw
- bdsm
- blowjob
- bondage
- cartrige
- casino
- celeb
- centerfold
- chubby
- cumshot
- dating
- diet
- digital camera
- DVD
- ebony
- escort
- facial
- fat
- fetish
- ffm
- fisting
- gambling
- gangbang
- gay
- grann
- groupsex
- hairy
- hardcore
- health
- hentai
- horoscope
- hosting
- hunks
- incest
- insurance
- interracial
- jobs
- lesb
- lingerie
- loan
- lolita
- manga
- mature
- midget
- milf
- mmf
- mortgage
- mp3 player
- naturist
- nudist
- older
- orgy
- panty
- peeing
- penis enlargement
- perfume
- pharma
- pheromones
- phone
- pills
- piss
- plump
- poker
- preg
- rape
- ringtones
- sexual+enhancement
- shemale
- spyware
- teens
- teeny
- toon
- top
- tranny
- travel
- twinks
- viagra
- virgin
- voyeur
- watersport
- webserver
- weight loss
- wive
- xxx
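
A check for two of the changes listed above (the Run value and the Hosts file line), added here as an example and not part of the original write-up. It parses hosts-file text and `reg query` output; the function names and sample inputs are constructed for illustration, and it goes slightly beyond the write-up by flagging any local override of auto.search.msn.com, not only the documented IP.

```python
import re

# Indicators copied from the write-up above.
REDIRECT_IP = "64.237.37.47"
REDIRECT_HOST = "auto.search.msn.com"
EXE_RE = re.compile(r'(?:^|[\\/])(?:shellexpl|shellexp)\.exe(?=$|[\s"])', re.I)
# Layout of a value line printed by `reg query <key>`: name, type, data.
REG_LINE = re.compile(r"^\s{4}(.+?)\s{4}(REG_\w+)\s{4}(.*)$")

def check_hosts(text):
    """Return (ip, name) pairs in hosts-file text that match the write-up."""
    hits = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # strip comment, split columns
        for name in (f.lower().rstrip(".") for f in fields[1:]):
            # The documented IP, or any local override of the search host.
            if fields[0] == REDIRECT_IP or name == REDIRECT_HOST:
                hits.append((fields[0], name))
    return hits

def check_run_values(reg_query_output):
    """Return (value name, data) pairs whose command is a dropped executable."""
    hits = []
    for line in reg_query_output.splitlines():
        m = REG_LINE.match(line)
        if m and EXE_RE.search(m.group(3).strip()):
            hits.append((m.group(1), m.group(3).strip()))
    return hits

# Constructed sample inputs (not captured from a real machine).
SAMPLE_HOSTS = """\
# localhost entry
127.0.0.1       localhost
64.237.37.47    auto.search.msn.com   # added line
10.0.0.5        AUTO.SEARCH.MSN.COM.
"""
SAMPLE_RUN = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Explorer    REG_SZ    C:\Windows\System32\Shellexpl.exe
    Backup Tool    REG_SZ    "C:\Program Files\Backup\myshellexp.exe" /quiet
    ctfmon    REG_SZ    C:\Windows\System32\ctfmon.exe
"""

if __name__ == "__main__":
    for ip, name in check_hosts(SAMPLE_HOSTS):
        print(f"hosts: {name} -> {ip}")
    for name, data in check_run_values(SAMPLE_RUN):
        print(f"Run: {name} = {data}")
```

The Run check matches on the executable file name only, so a hit should be confirmed against the %System% location given above before it is treated as this adware.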