1. /
  2. Security Response/
  3. Adware.Shorty

Adware.Shorty

Updated:
February 13, 2007 11:43:25 AM
Risk Impact:
High
File Names:
gui.exe Catcher.dll
Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT

When Adware.Shorty is executed, it performs the following actions:
  1. Copies itself as %CommonProgramFiles%\[FILE NAME].exe.

    Notes:
    • %CommonProgramFiles% is a variable that refers to the Common Files folder. By default, this is C:\Program Files\Common Files.
    • [FILE NAME] is a variable that refers to the file name of the original installation file.

  2. Downloads and creates the following files:

    • %CommonProgramFiles%\services.exe
    • %CommonProgramFiles%\system32.dll
    • %Temp%\version.txt
    • %ProgramFiles%\Catcher.dll
    • %ProgramFiles%\gui.exe
    • %ProgramFiles%\cwebpage.dll
    • %ProgramFiles%\version.txt
    • %ProgramFiles%\x.bmp
    • %ProgramFiles%\*.dat

      Notes:
    • %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
    • %Temp% is a variable that refers to the Windows temporary folder. By default, this is C:\Windows\TEMP (Windows 95/98/Me/XP) or C:\WINNT\Temp (Windows NT/2000).

  3. Adds the value:

    "DNS" = "%CommonProgramFiles%\[FILE NAME].exe"

    to the registry subkey:

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the risk runs every time Windows starts.

  4. Adds the value:

    "DisableRegistryTools" = "0"

    to the registry subkey:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

    which attempts to prevent programs such as Regedt32.exe and Regedit.exe from running.

  5. Adds the value:

    "GlobalUserOffline" = "0"

    to the registry subkey:

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings

    so the default setting for Internet Explorer is Offline Browsing.

  6. Creates the following registry keys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11A4CA8C-A8B9-49c2-A6D3-3F64C9EEBAE6}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{31CA5C07-7F5F-4502-8C77-99A91558ADD0}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{223A26D8-9F91-42F6-8ED3-094B637DE020}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Shorty.Gopher
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Shorty.Gopher.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11A4CA8C-A8B9-49c2-A6D3-3F64C9EEBAE6}
    HKEY_CURRENT_USER\Software\DNS


  7. Executes the file %CommonProgramFiles%\services.exe. This file opens the installation file for reading, which prevents the risk from being deleted. Both these files also have the hidden and system attributes set, so a user may not see them in a normal Explorer or DOS window.

  8. Displays search results from maxifind.com when search queries are made from sites such as Yahoo! and Google.


Summary| Technical Details| Removal

Search Threats

Search by name
Example: W32.Beagle.AG@mm
STAR Antimalware Protection Technologies
Internet Security Threat Report
Symantec DeepSight Screensaver