
Adware.ESDIexplorr

Updated:
February 13, 2007 11:44:38 AM
Type:
Adware
Version:
1.00
Publisher:
ESD Technologies
Risk Impact:
High
File Names:
%Windir%\iexplorr11.dll
%Windir%\iexplorr22.dll
%Windir%\iexplorr23.dll
%Windir%\iexplorr24.dll
Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When Adware.ESDIexplorr is executed, it performs the following actions:
  1. Creates the following files:

    • %Windir%\iexplorr11.dll
    • %Windir%\iexplorr22.dll
    • %Windir%\iexplorr23.dll
    • %Windir%\iexplorr24.dll
    • %Windir%\WindowsIE.dll
    • %UserProfile%\Local Settings\Temp\Install.exe

    Note:
    • %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
    • %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[Current User] (Windows NT/2000/XP).

  2. Creates the following subkeys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{39AF31DD-EAFC-45EA-A56C-385B52E25CC0}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4CEBBC6B-5CEE-4644-80CF-38980BAE93F6}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6B12DABB-0B7C-44FA-B0B3-4BAFF3790256}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BC0D2038-2DE5-4A6F-92BC-B18A3E0DE32A}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2E12B523-3D4C-4FAC-9B04-0376A8F5E879}

    so that the risk runs every time Internet Explorer starts.

  3. Creates the following registry subkeys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{236826B1-8FDB-4D3C-8F70-E154F874703D}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2E12B523-3D4C-4FAC-9B04-0376A8F5E879}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{39AF31DD-EAFC-45EA-A56C-385B52E25CC0}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{43E2DBE5-8C8A-4519-9684-8CD7F39A5147}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4CEBBC6B-5CEE-4644-80CF-38980BAE93F6}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6B12DABB-0B7C-44FA-B0B3-4BAFF3790256}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A76066C9-941B-4209-9D96-0AC80501100D}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BC0D2038-2DE5-4A6F-92BC-B18A3E0DE32A}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DA3609D1-3E96-4726-A17F-30F46AE89726}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EB6D8BAA-704A-415B-BC0A-3468BFAE924E}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{4B191B11-A44C-4D42-B4AC-6FCD5F61587C}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{943F44C0-44DA-40D5-98D7-9AAC4C15C603}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0B60CEF5-2431-4F92-82CF-03FEE5BDC762}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{22EB8F60-F99B-4E29-8376-E8BC417148FD}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{338F1D89-A419-4C40-96E3-C29C978A7DF6}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7FB04DE1-4340-4002-9D9E-3B6913AE6953}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B4450075-9717-43B1-BA10-4B9FD7325FD5}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{CBD7E8BE-0E1E-441D-B133-E26F5636CCCF}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E41774F1-63E7-44ED-A03A-FF8422F9AFF0}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FC385F81-0109-4FA8-AAD0-53B4A9A5DD2B}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D6862A20-1DD6-11D3-BB7C-444553540000}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{1620D17D-F2B5-43BE-8ED4-6B22E321D2A3}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{22CBCB4C-E9DF-4D25-86BC-FFDA4DF8FC06}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{B224AFF4-0561-4B35-A91A-6F339152A482}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D6862A20-1DD6-11D3-BB7C-444553540000}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WindowsIE
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WindowsIE.clsIS
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IExplorr11.clsDW
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IExplorr11.clsIS
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IExplorr22.clsDW
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IExplorr22.clsIS
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IExplorr23.clsDW
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IExplorr23.clsIS
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IExplorr24.clsDW
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IExplorr24.clsIS
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WindowsIE


  4. Injects one or more of the .dll files into Explorer.exe, which then listens on a random port.

  5. Displays advertisements in Internet Explorer at random intervals.
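The Browser Helper Object keys in step 2 only name a CLSID; Internet Explorer finds the DLL to load through that CLSID's InprocServer32 key. The following is an added example (not part of the Symantec writeup) that walks a .reg export the same way to list every registered BHO with its DLL and flag those matching the CLSIDs or file names above; it also catches a BHO registered under a different CLSID whose DLL carries one of the listed names. The .reg text is constructed sample input; the {11111111-...} and {AAAAAAAA-...} CLSIDs and the helper.dll path are placeholders, not indicators from the page.

```python
# Added example: enumerate IE BHOs from a .reg export and flag Adware.ESDIexplorr indicators.
BHO_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects"
CLSID_KEY = r"hkey_local_machine\software\classes\clsid"

# BHO CLSIDs and DLL file names taken from the writeup above.
KNOWN_BHO_CLSIDS = {"{39AF31DD-EAFC-45EA-A56C-385B52E25CC0}", "{4CEBBC6B-5CEE-4644-80CF-38980BAE93F6}",
                    "{6B12DABB-0B7C-44FA-B0B3-4BAFF3790256}", "{BC0D2038-2DE5-4A6F-92BC-B18A3E0DE32A}",
                    "{2E12B523-3D4C-4FAC-9B04-0376A8F5E879}"}
KNOWN_DLLS = {"iexplorr11.dll", "iexplorr22.dll", "iexplorr23.dll", "iexplorr24.dll", "windowsie.dll"}

# Constructed sample export: one listed CLSID, one placeholder benign BHO, one placeholder CLSID
# (not from the page) that points at a DLL with one of the listed file names.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{39AF31DD-EAFC-45EA-A56C-385B52E25CC0}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{39AF31DD-EAFC-45EA-A56C-385B52E25CC0}\InprocServer32]
@="C:\\WINDOWS\\iexplorr11.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Program Files\\ExampleVendor\\helper.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\InprocServer32]
@="C:\\WINDOWS\\WindowsIE.dll"
'''

def parse_reg_export(text):
    """Parse a .reg export into {key_path (lowercased): {value_name: string data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            # .reg string data is double-quoted and escapes each backslash as "\\".
            keys[current][name.strip('"')] = data.strip('"').replace("\\\\", "\\")
    return keys

def enumerate_bhos(keys):
    """Map each registered BHO CLSID to the DLL named by its CLSID\\InprocServer32 default value."""
    bhos = {}
    for path in keys:
        if path.startswith(BHO_KEY + "\\"):
            clsid = path[len(BHO_KEY) + 1:].upper()
            server = keys.get(CLSID_KEY + "\\" + clsid.lower() + "\\inprocserver32", {})
            bhos[clsid] = server.get("@", "")  # "" when the CLSID has no server registered
    return bhos

def find_esdiexplorr(reg_text):
    """Return (clsid, dll) pairs whose CLSID or DLL file name matches the indicators above."""
    hits = []
    for clsid, dll in enumerate_bhos(parse_reg_export(reg_text)).items():
        if clsid in KNOWN_BHO_CLSIDS or dll.rsplit("\\", 1)[-1].lower() in KNOWN_DLLS:
            hits.append((clsid, dll))
    return hits
```

On a live system the same logic applies to the output of `reg export` for the two keys; matching on the DLL file name as well as the CLSID is what makes the check hold up when the CLSID changes between builds.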
