1. /
  2. Security Response/
  3. Adware.WinProtect

Adware.WinProtect

Updated:
February 13, 2007 11:42:49 AM
Type:
Adware
Risk Impact:
Medium
File Names:
dosxpd.exe
Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP

When Adware.WinProtect is executed, it does the following:

  1. Creates the following files:

    • %Windir%\Help\CHMRedir.chm
    • %Windir%\balloon.wav

      Note: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

  2. Creates the following registry subkeys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\[{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX}]
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\[{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX}]\Data
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\[{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX}]\LocalServer


    Note: [{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX} ] is a random value generated by the security risk in CLSID format.

  3. Adds the value:

    "@" = "[path to adware]"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\[{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX}]\LocalServer

  4. Adds the value:

    "[adware filename]" = "[path to adware file]"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  5. Adds random values to the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\[{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX}]\Data

  6. Displays fake pop-up messages stating that suspicious network activity was detected. Clicking "OK" on this pop-up opens a browser to a webpage advertising anti-spyware software.

  7. Displays messages from the Taskbar at random intervals, such as the following:



Summary| Technical Details| Removal

Search Threats

Search by name
Example: W32.Beagle.AG@mm
STAR Antimalware Protection Technologies
Internet Security Threat Report, Volume 17
Symantec DeepSight Screensaver