
Adware.Sheldor

Updated: February 13, 2007 11:42:27 AM
Type: Adware
Risk Impact: High
File Names: AdServerCJ.exe
Systems Affected: Windows 2000, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When Adware.Sheldor is executed, it does the following:

  1. Displays the error message:

    "E47250: Incorrect MPEG Data format"

  2. Copies itself as %System%\Shellexpl.exe or %System%\shellexp.exe

    Note: %System% is a variable. The Trojan locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

  3. Adds one of the following values:

    "Explorer"="%System%\Shellexpl.exe"
    "Explorer"="%System%\shellexp.exe en.."
     

    to one of the following registry keys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run


    so that the Adware runs when Windows starts.

  4. Creates one or more of the following configuration files:

    • %System%\Hndldt.ini
    • %System%\Winhndl.ini
    • %System%\windll.ini

  5. Modifies the Hosts file (located at %System%\drivers\etc\hosts in Windows XP and 2000, and at %Windir%\hosts in Windows 98/Me) by adding the line:

    64.237.37.47 auto.search.msn.com

    which redirects searches to Adware.Sheldor's search site.

    Note: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

  6. Monitors any new cookies that are created. If the cookies contain certain keywords, advertisements for an adult-content Web site will be displayed.

    The following keywords trigger advertisements:

    • adult
    • adware
    • amateur
    • anal
    • babes
    • bbw
    • bdsm
    • blowjob
    • bondage
    • cartrige
    • casino
    • celeb
    • centerfold
    • chubby
    • cumshot
    • dating
    • diet
    • digital camera
    • DVD
    • ebony
    • escort
    • facial
    • fat
    • fetish
    • ffm
    • fisting
    • gambling
    • gangbang
    • gay
    • grann
    • groupsex
    • hairy
    • hardcore
    • health
    • hentai
    • horoscope
    • hosting
    • hunks
    • incest
    • insurance
    • interracial
    • jobs
    • lesb
    • lingerie
    • loan
    • lolita
    • manga
    • mature
    • midget
    • milf
    • mmf
    • mortgage
    • mp3 player
    • naturist
    • nudist
    • older
    • orgy
    • panty
    • peeing
    • penis enlargement
    • perfume
    • pharma
    • pheromones
    • phone
    • pills
    • piss
    • plump
    • poker
    • preg
    • rape
    • ringtones
    • sexual+enhancement
    • shemale
    • spyware
    • teens
    • teeny
    • toon
    • top
    • tranny
    • travel
    • twinks
    • viagra
    • virgin
    • voyeur
    • watersport
    • webserver
    • weight loss
    • wive
    • xxx
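
The file, registry and Hosts-file changes in steps 2 to 5 can be checked for with a short script. The following is an added example, not part of the original write-up: the function names and sample inputs are constructed, and it assumes the caller supplies the Hosts file text, the Run-key values and a System folder listing.

```python
import ntpath
import re

# Indicators taken from the write-up above.
REDIRECT_IP = "64.237.37.47"
REDIRECT_HOST = "auto.search.msn.com"
DROPPED = {"shellexpl.exe", "shellexp.exe"}
CONFIGS = {"hndldt.ini", "winhndl.ini", "windll.ini"}

# Constructed sample inputs, not captured from a real system.
SAMPLE_HOSTS = "127.0.0.1 localhost\n# 64.237.37.47 auto.search.msn.com\n64.237.37.47\tAUTO.SEARCH.MSN.COM\n"
SAMPLE_RUN = {"Explorer": r"C:\WINDOWS\System32\Shellexpl.exe",
              "ctfmon": r"C:\WINDOWS\System32\ctfmon.exe"}
SAMPLE_DIR = ["kernel32.dll", "Winhndl.ini", "shellexpl.exe"]


def scan_hosts(text):
    """Return hosts lines that use the redirect IP or remap the search host."""
    hits = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        if len(fields) < 2:
            continue
        names = [n.lower() for n in fields[1:]]
        if fields[0] == REDIRECT_IP or REDIRECT_HOST in names:
            hits.append(raw.strip())
    return hits


def scan_run_values(values):
    """values maps Run-key value names to data; return the suspicious pairs."""
    hits = []
    for name, data in values.items():
        # Data may be quoted and may carry arguments after the .exe path.
        m = re.match(r'\s*"?([^"]*?\.exe)', data, re.IGNORECASE)
        exe = ntpath.basename(m.group(1)).lower() if m else ""
        if name.lower() == "explorer" and exe in DROPPED:
            hits.append((name, data))
    return hits


def scan_system_dir(filenames):
    """Return dropped executables and config files present in a folder listing."""
    return sorted(f for f in filenames if f.lower() in DROPPED | CONFIGS)


if __name__ == "__main__":
    print(scan_hosts(SAMPLE_HOSTS), scan_run_values(SAMPLE_RUN), scan_system_dir(SAMPLE_DIR))
```

A legitimate "Explorer" value that points at explorer.exe is not flagged, because the match requires both the value name and one of the two dropped file names.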
