When Adware.ESDIexplorr is executed, it performs the following actions:
- Creates the following files:
- %Windir%\iexplorr11.dll
- %Windir%\iexplorr22.dll
- %Windir%\iexplorr23.dll
- %Windir%\iexplorr24.dll
- %Windir%\WindowsIE.dll
- %UserProfile%\Local Settings\Temp\Install.exe
Note:
- %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
- %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[Current User] (Windows NT/2000/XP).
- Creates the following subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{39AF31DD-EAFC-45EA-A56C-385B52E25CC0}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4CEBBC6B-5CEE-4644-80CF-38980BAE93F6}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6B12DABB-0B7C-44FA-B0B3-4BAFF3790256}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BC0D2038-2DE5-4A6F-92BC-B18A3E0DE32A}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2E12B523-3D4C-4FAC-9B04-0376A8F5E879}
so that the risk runs every time Internet Explorer starts.
- Creates the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{236826B1-8FDB-4D3C-8F70-E154F874703D}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2E12B523-3D4C-4FAC-9B04-0376A8F5E879}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{39AF31DD-EAFC-45EA-A56C-385B52E25CC0}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{43E2DBE5-8C8A-4519-9684-8CD7F39A5147}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4CEBBC6B-5CEE-4644-80CF-38980BAE93F6}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6B12DABB-0B7C-44FA-B0B3-4BAFF3790256}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A76066C9-941B-4209-9D96-0AC80501100D}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BC0D2038-2DE5-4A6F-92BC-B18A3E0DE32A}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DA3609D1-3E96-4726-A17F-30F46AE89726}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EB6D8BAA-704A-415B-BC0A-3468BFAE924E}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{4B191B11-A44C-4D42-B4AC-6FCD5F61587C}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{943F44C0-44DA-40D5-98D7-9AAC4C15C603}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0B60CEF5-2431-4F92-82CF-03FEE5BDC762}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{22EB8F60-F99B-4E29-8376-E8BC417148FD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{338F1D89-A419-4C40-96E3-C29C978A7DF6}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7FB04DE1-4340-4002-9D9E-3B6913AE6953}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B4450075-9717-43B1-BA10-4B9FD7325FD5}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{CBD7E8BE-0E1E-441D-B133-E26F5636CCCF}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E41774F1-63E7-44ED-A03A-FF8422F9AFF0}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FC385F81-0109-4FA8-AAD0-53B4A9A5DD2B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D6862A20-1DD6-11D3-BB7C-444553540000}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{1620D17D-F2B5-43BE-8ED4-6B22E321D2A3}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{22CBCB4C-E9DF-4D25-86BC-FFDA4DF8FC06}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{B224AFF4-0561-4B35-A91A-6F339152A482}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WindowsIE
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WindowsIE.clsIS
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IExplorr11.clsDW
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IExplorr11.clsIS
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IExplorr22.clsDW
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IExplorr22.clsIS
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IExplorr23.clsDW
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IExplorr23.clsIS
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IExplorr24.clsDW
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IExplorr24.clsIS
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WindowsIE
- One or more of the .dll files are injected into Explorer.exe, which then listens on a random port.
- Displays advertisements in Internet Explorer at random intervals.
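The Browser Helper Object CLSIDs and DLL names above are the most useful host indicators in this writeup. The following is an added example (not part of the original description) that checks a `reg export` text dump and a directory listing against them offline; the sample export, the benign CLSID `{00000000-0000-0000-0000-000000000001}` and the file listing are constructed for illustration.

```python
"""Check host artifacts against the Adware.ESDIexplorr indicators above."""
import ntpath
import re

# The five BHO CLSIDs registered under ...\Explorer\Browser Helper Objects.
ESDIEXPLORR_BHO_CLSIDS = {
    "{39AF31DD-EAFC-45EA-A56C-385B52E25CC0}",
    "{4CEBBC6B-5CEE-4644-80CF-38980BAE93F6}",
    "{6B12DABB-0B7C-44FA-B0B3-4BAFF3790256}",
    "{BC0D2038-2DE5-4A6F-92BC-B18A3E0DE32A}",
    "{2E12B523-3D4C-4FAC-9B04-0376A8F5E879}",
}
# File names dropped into %Windir% (compared case-insensitively).
ESDIEXPLORR_FILES = {"iexplorr11.dll", "iexplorr22.dll", "iexplorr23.dll",
                     "iexplorr24.dll", "windowsie.dll"}

# Matches a .reg key line for a BHO registration; subkeys below the CLSID
# are ignored. A real 'reg export' file is UTF-16; decode it before parsing.
BHO_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"
    r"\\Explorer\\Browser Helper Objects\\(\{[0-9A-F-]{36}\})\]$",
    re.IGNORECASE | re.MULTILINE,
)

def registered_bhos(reg_export: str) -> set[str]:
    """Return every BHO CLSID (upper-cased) registered in the export text."""
    return {m.group(1).upper() for m in BHO_KEY_RE.finditer(reg_export)}

def suspicious_bhos(reg_export: str) -> set[str]:
    """Registered BHO CLSIDs that match the ESDIexplorr set."""
    return registered_bhos(reg_export) & ESDIEXPLORR_BHO_CLSIDS

def suspicious_files(paths: list[str]) -> list[str]:
    """Paths whose file name matches one of the dropped DLL names."""
    return [p for p in paths
            if ntpath.basename(p).lower() in ESDIEXPLORR_FILES]

# Constructed sample export: one unrelated BHO plus two from the writeup,
# one of them in lower case to show that matching is case-insensitive.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-000000000001}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{39AF31DD-EAFC-45EA-A56C-385B52E25CC0}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2e12b523-3d4c-4fac-9b04-0376a8f5e879}]
"""
# Constructed directory listing of %Windir%.
SAMPLE_FILES = [r"C:\Windows\explorer.exe", r"C:\Windows\IExplorr22.dll",
                r"C:\Windows\notepad.exe", r"C:\Windows\WindowsIE.dll"]

if __name__ == "__main__":
    print("BHO hits:", sorted(suspicious_bhos(SAMPLE_REG_EXPORT)))
    print("File hits:", suspicious_files(SAMPLE_FILES))
```

On a live system the same functions can be fed the decoded output of `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" bho.reg` and a listing of `%Windir%`.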