When Adware.WinProtect is executed, it does the following:
- Creates the following files:
  - %Windir%\Help\CHMRedir.chm
  - %Windir%\balloon.wav
Note: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
- Creates the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\[{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX}]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\[{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX}]\Data
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\[{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX}]\LocalServer
Note: [{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX}] is a random value in CLSID format, generated by the security risk at run time.
- Adds the value:
"@" = "[path to adware]"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\[{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX}]\LocalServer
- Adds the value:
"[adware filename]" = "[path to adware file]"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Adds random values to the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\[{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX}]\Data
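A defender-side check for the persistence pair described above (a random CLSID whose LocalServer default and a Run value both point at the same executable), written as an added example rather than code from the original writeup. It parses a constructed .reg export; the CLSID, paths and value names are made up for illustration.

```python
import re

# Constructed .reg export (hypothetical values, not from the writeup): a random
# CLSID whose LocalServer default and a Run value both point at the adware file.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5A2B9C11-0F3E-4D6A-8B7C-1D2E3F4A5B6C}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5A2B9C11-0F3E-4D6A-8B7C-1D2E3F4A5B6C}\LocalServer]
@="C:\\Program Files\\WinProtect\\winprotect.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"winprotect.exe"="C:\\Program Files\\WinProtect\\winprotect.exe"
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"""

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
CLSID_LS_RE = re.compile(r"^HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\(\{[0-9A-F-]+\})\\LocalServer$", re.I)


def parse_reg(text):
    """Parse a .reg export into {key: {value_name: data}} (string values only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := KEY_RE.match(line):
            current = m.group(1)
            keys[current] = {}
        elif current is not None and (m := VALUE_RE.match(line)):
            name = "@" if m.group(1) == "@" else m.group(1)[1:-1]
            data = m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo .reg escaping
            keys[current][name] = data
    return keys


def find_clsid_run_pairs(keys):
    """Return (clsid, run_value_name, path) for every CLSID LocalServer default that
    points at the same executable as a Run value (case-insensitive path compare)."""
    run_paths = {n: p.lower() for n, p in keys.get(RUN_KEY, {}).items()}
    findings = []
    for key, values in keys.items():
        m = CLSID_LS_RE.match(key)
        if m and "@" in values:
            for name, run_path in run_paths.items():
                if run_path == values["@"].lower():
                    findings.append((m.group(1), name, values["@"]))
    return findings
```

On a live host, export HKLM\SOFTWARE\Classes\CLSID and the Run key with `reg export` and feed the files to `parse_reg`; a hit is a candidate for the CLSID and Run cleanup steps, not proof on its own.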
- Displays fake pop-up messages stating that suspicious network activity was detected. Clicking "OK" on this pop-up opens a browser to a webpage advertising anti-spyware software.
- Displays messages from the Taskbar at random intervals, such as the following:
