Adware.AFAEnhance

Updated: February 13, 2007 11:45:04 AM
Type: Adware
Risk Impact: High
File Names: n.dll, VCMNet11.exe, qb.exe
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP


When Adware.AFAEnhance is executed, it performs the following actions:
  1. Creates or downloads the following files:

    • %Windir%\system\QB.exe
    • %Windir%\system\QBTool.exe
    • %Windir%\system\QBUninstaller.exe
    • %Windir%\VCMNet11.exe
    • %System%\n.dll

      Note:
    • %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\Winnt (Windows NT/2000).
    • %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
    • The path %Windir%\system is hardcoded into the program and will be the same location on all versions of Windows.
    • The file QB.exe is later renamed to a randomly named file.

  2. Adds the value:

    "[RANDOM NAME]" = "%Windir%\system\[RANDOM NAME].exe"

    to the registry subkey:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

    so that the risk runs every time Windows starts.

  3. Adds the value:

    "[FILE PATH]" = "%Windir%\VCMNet11.exe"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the risk runs every time Windows starts.

  4. Creates the registry subkeys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C370527A-24A7-4583-BE01-72E59000EB17}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C370527A-24A7-4583-BE01-72E59000EB17}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WAFAIE


  5. Attempts to contact a remote Web site. This risk may download further programs to the compromised computer depending on the response from this Web site.
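
The registry changes in steps 2 through 4 can be checked offline against an exported .reg file. The following is an added example, not part of the original write-up: the function name, the sample export and its random value name are constructed, and the step 2 match (any .exe directly under <Windir>\system) is a heuristic that yields leads to review.

```python
import re

CLSID = "{C370527A-24A7-4583-BE01-72E59000EB17}"
HKLM_CV = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
HKCU_CV = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
# Step 4: subkeys whose presence alone is an indicator (compared lowercase).
KEY_INDICATORS = {k.lower() for k in (
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\" + CLSID,
    HKLM_CV + "\\Explorer\\Browser Helper Objects\\" + CLSID,
    HKLM_CV + "\\Uninstall\\WAFAIE",
)}
# Steps 2 and 3: autostart key -> pattern the value data has to match.
RUN_INDICATORS = {
    (HKCU_CV + "\\Policies\\Explorer\\Run").lower():
        re.compile(r"^[a-z]:\\[^\\]+\\system\\[^\\]+\.exe$", re.I),
    (HKLM_CV + "\\Run").lower(): re.compile(r"\\VCMNet11\.exe$", re.I),
}
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def scan_reg_export(text):
    """Return (kind, key, detail) tuples for indicators found in .reg text."""
    findings, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.lower() in KEY_INDICATORS:
                findings.append(("subkey", key, ""))
            continue
        m = VALUE_RE.match(line)
        if key is None or not m:
            continue
        # .reg files escape backslashes and quotes inside strings.
        name, data = (re.sub(r"\\(.)", r"\1", s) for s in m.groups())
        pattern = RUN_INDICATORS.get(key.lower())
        if pattern and pattern.search(data):
            findings.append(("autostart", key, f"{name} = {data}"))
    return findings
# Constructed sample export; the random name and the paths are made up.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"xkqpz"="C:\\WINDOWS\\system\\xkqpz.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C:\\WINDOWS\\VCMNet11.exe"="C:\\WINDOWS\\VCMNet11.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C370527A-24A7-4583-BE01-72E59000EB17}]
'''
if __name__ == "__main__":
    print(*scan_reg_export(SAMPLE), sep="\n")
```
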

