Updated: February 13, 2007 11:45:05 AM
Type: Adware
Publisher: www1.consumetalertsystems.com
Risk Impact: High
File Names:
casstub.exe
cassetup.exe
casclient.exe
casmf.dll
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
When Adware.CasinoClient is executed, it performs the following actions:
- Creates the following files:
  - %ProgramFiles%\Cas\Client\86.ico
  - %ProgramFiles%\Cas\Client\casclient.exe
  - %ProgramFiles%\Cas\Client\casmf.dll
  - %ProgramFiles%\Cas\Client\hf.txt
  - %ProgramFiles%\Cas\Client\sf.txt
  - %ProgramFiles%\Cas\Client\Uninstall.exe
  - %ProgramFiles%\CasStub\casstub.exe
  - %ProgramFiles%\Cas2Stub\casstub.exe
  - %UserProfile%\Desktop\Free Plasma TV.lnk
  - %UserProfile%\Desktop\Weather.lnk
  - %UserProfile%\Desktop\Poker Shortcut.lnk
  - %UserProfile%\Desktop\chat now.lnk
  - %UserProfile%\Desktop\Play Poker Online.lnk
  - %UserProfile%\Favorites\Play Poker Online.lnk
  - %ProgramFiles%\System Files\kwdata.cdb
  - %ProgramFiles%\System Files\hldata.cdb
  - %ProgramFiles%\System Files\System.exe
  - %ProgramFiles%\System Files\plugin.dll
  - %ProgramFiles%\System Files\Uninstall.exe
  - %ProgramFiles%\System Icons
  - %UserProfile%\Local Settings\Temp\cassetup.exe
  - %UserProfile%\Local Settings\Temp\cas2setup.exe
  - %UserProfile%\Local Settings\Temp\install.exe
Notes:
- %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[Current User] (Windows NT/2000/XP).
- %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
- Adds the values:
"CAS Client" = "%ProgramFiles%\Cas\Client\casclient.exe"
"CAS2" = "%ProgramFiles%\System Files\system.exe"
to the registry subkey:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the risk runs every time Windows starts.
- Creates the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\Main.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{E0DC5CC4-25A5-4BC7-A3AA-3525733DC796}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8293D547-38DD-4325-B35A-F1817EDFA5FC}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D4C89C18-B4F3-46A9-8800-E9E7A55AFBD9}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Main.MimeFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Main.MimeFilter.1
HKEY_CURRENT_USER\Software\CAS
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8253D547-38DD-4325-B35A-F1817EDFA5F5}
HKEY_CURRENT_USER\Software\CAS
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8253D547-38DD-4325-B35A-F1817EDFA5F5}\InprocServer32\: "C:\Program Files\System Files\plugin.dll"
- Maintains a list of search engines and sends keywords typed into these search engines to a remote Web site.
- Creates shortcuts on the desktop.
- Displays advertisements in Internet Explorer windows.
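
The Run-key persistence described above can be checked from saved `reg query` output. The following is an added example, not part of the original write-up: it matches on both the value name and the normalized target path, so a renamed value or a differently cased or quoted path (the write-up itself lists both System.exe and system.exe) is still caught. The sample output, the function names and the C:\Program Files default are assumptions.

```python
import ntpath
import re

# Autostart values the write-up lists under HKCU\...\CurrentVersion\Run.
RUN_INDICATORS = {
    "CAS Client": r"%ProgramFiles%\Cas\Client\casclient.exe",
    "CAS2": r"%ProgramFiles%\System Files\system.exe",
}
# Assumption: the default location given in the write-up's notes.
DEFAULT_VARS = {"%ProgramFiles%": r"C:\Program Files"}
# A value line in `reg query` output: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_LINE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_[A-Z_]+)\s{4}(?P<data>.*)$")

# Constructed sample, not captured from a real host.
SAMPLE = r"""
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    CAS Client    REG_SZ    "C:\Program Files\Cas\Client\casclient.exe"
    Updater    REG_EXPAND_SZ    %ProgramFiles%\System Files\System.exe
"""


def normalize(path, variables=DEFAULT_VARS):
    """Unquote, expand %vars% case-insensitively, and case-fold a Windows path."""
    path = path.strip()
    if path.startswith('"'):
        path = path[1:].split('"', 1)[0]
    for var, value in variables.items():
        path = re.sub(re.escape(var), lambda _m, v=value: v, path, flags=re.IGNORECASE)
    return ntpath.normcase(ntpath.normpath(path))


def find_matches(reg_output):
    """Return (name, data, reasons) for Run values matching the listed indicators."""
    names = {n.lower() for n in RUN_INDICATORS}
    paths = {normalize(p) for p in RUN_INDICATORS.values()}
    hits = []
    for line in reg_output.splitlines():
        m = VALUE_LINE.match(line)
        if not m:
            continue
        reasons = []
        if m["name"].lower() in names:
            reasons.append("value name")
        if normalize(m["data"]) in paths:
            reasons.append("target path")
        if reasons:
            hits.append((m["name"], m["data"], reasons))
    return hits
```

On a live system the input would be the saved output of `reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`, passed to `find_matches`.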