Updated: February 13, 2007 11:46:02 AM
Type: Adware
Publisher: ABI Network - A Division of Direct Revenue
Risk Impact: Medium
File Names:
DrPMon.dll
svcproc.exe
Nail.exe
poller.exe
aurora.exe
Systems Affected: Windows 2000, Windows NT, Windows Server 2003, Windows XP
When Adware.Aurora is executed, it performs the following actions:
- Attempts to contact [http://]www.abetterinternet.com/[REMOVED] and download a number of component files.
- Creates the following files on the compromised computer:
- %Windir%\Nail.exe
- %Windir%\svcproc.exe
- %Windir%\[RANDOM NAME].exe
- %System%\DrPMon.dll
- %System%\[RANDOM NAME].exe
- %Windir%\IDDJHJM.ini
- %Windir%\abiuninst.htm
- %Windir%\CCEJHONM.ini
Note:
- %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
- %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
- [RANDOM NAME] refers to a random sequence of letters used by the security risk in creating the filename.
- Creates the following registry subkeys.
HKEY_CURRENT_USER\Software\aurora
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\abi-1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SvcProc
- Adds the value:
"[RANDOM NAME]" = "%System%\[RANDOM NAME].exe r"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that it runs every time Windows starts.
- Modifies the value:
"Shell" = "Explorer.exe"
to
"Shell" = "Explorer.exe %Windir%\Nail.exe"
in the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
so that it runs every time Windows starts.
Technorati
Digg
Delicious
Reddit
StumbleUpon
Yahoo Buzz
Twitter
Facebook
Newsvine
