
Adware.Webext

Updated: February 13, 2007 11:46:49 AM
Type: Adware
Risk Impact: High
File Names: bho.dll
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows Server 2003, Windows XP

When Adware.Webext is installed, it performs the following actions:
  1. Creates the file:
    • %System%\<random>.dll

      Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
  2. Contacts trafficsector.com to download configuration and keyword information. This data is then stored in %SystemRoot%\adlog.txt.

  3. Creates the following registry subkeys:

    HKEY_CLASSES_ROOT\CLSID\{09D98DB3-217F-4a37-950F-7FA1B08CE2B6}
    HKEY_CLASSES_ROOT\CLSID\{4006DCA3-433D-4FC8-AC36-42DA7797DCB7}
    HKEY_CLASSES_ROOT\CLSID\{4681B27C-CD92-4AFF-B5F6-1C53970344B6}
    HKEY_CLASSES_ROOT\CLSID\{55BE9F0D-6CAF-4c3e-B125-5A13A8C9D0EC}
    HKEY_CLASSES_ROOT\Interface\{5679B16C-CD3A-471F-A503-25C528A3AD26}
    HKEY_CLASSES_ROOT\Interface\{89E9F6CF-6F80-4C5E-B8E8-78E5A6B5D3BF}
    HKEY_CLASSES_ROOT\TypeLib\{4DFD0B10-93DB-4D7E-9B34-3D92CA493BE4}
    HKEY_CLASSES_ROOT\TypeLib\{547DDE29-2299-4C8F-B613-DA17A62CF102}
    HKEY_CLASSES_ROOT\BHO.Adware
    HKEY_CLASSES_ROOT\BHO.Adware.1
    HKEY_CLASSES_ROOT\BHO.Hider
    HKEY_CLASSES_ROOT\BHO.Hider.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4006DCA3-433D-4FC8-AC36-42DA7797DCB7}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{55BE9F0D-6CAF-4c3e-B125-5A13A8C9D0EC}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Webext
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Netstat
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4006DCA3-433D-4FC8-AC36-42DA7797DCB7}


  4. May duplicate the current user's internet profile by copying registry values from

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer

    to

    HKEY_USERS\[USER ID]\Software\Microsoft\Internet Explorer

    Note: [USER ID] refers to the unique ID associated with a particular user.

  5. Displays popup advertisements based on keywords entered into Internet Explorer windows.
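
A read-only host check for the artifacts listed above, as an added example that is not part of the original write-up: it tests for each listed registry subkey and for %SystemRoot%\adlog.txt, and reads the InprocServer32 default value of the two Browser Helper Object CLSIDs to locate the randomly named DLL. The InprocServer32 lookup is an assumption based on standard COM registration; the page does not list that value.

```powershell
# Added example: read-only sweep; nothing is modified or deleted.
# All registry paths, CLSIDs and file names are copied from the write-up above.
$clsids = '{09D98DB3-217F-4a37-950F-7FA1B08CE2B6}',
          '{4006DCA3-433D-4FC8-AC36-42DA7797DCB7}',
          '{4681B27C-CD92-4AFF-B5F6-1C53970344B6}',
          '{55BE9F0D-6CAF-4c3e-B125-5A13A8C9D0EC}'
$bhoIds  = $clsids[1], $clsids[3]   # the two CLSIDs listed under Browser Helper Objects
$bhoRoot = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

$keys  = @($clsids | ForEach-Object { "HKEY_CLASSES_ROOT\CLSID\$_" })
$keys += $bhoIds | ForEach-Object { "$bhoRoot\$_" }
$keys += @(
    'HKEY_CLASSES_ROOT\Interface\{5679B16C-CD3A-471F-A503-25C528A3AD26}'
    'HKEY_CLASSES_ROOT\Interface\{89E9F6CF-6F80-4C5E-B8E8-78E5A6B5D3BF}'
    'HKEY_CLASSES_ROOT\TypeLib\{4DFD0B10-93DB-4D7E-9B34-3D92CA493BE4}'
    'HKEY_CLASSES_ROOT\TypeLib\{547DDE29-2299-4C8F-B613-DA17A62CF102}'
    'HKEY_CLASSES_ROOT\BHO.Adware'
    'HKEY_CLASSES_ROOT\BHO.Adware.1'
    'HKEY_CLASSES_ROOT\BHO.Hider'
    'HKEY_CLASSES_ROOT\BHO.Hider.1'
    'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Webext'
    'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Netstat'
    # HKEY_CURRENT_USER is per user: run the sweep in each user's session.
    'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4006DCA3-433D-4FC8-AC36-42DA7797DCB7}'
)

# 1. Registry subkeys that exist on this host.
$hits = @(foreach ($k in $keys) {
    if (Test-Path -LiteralPath "Registry::$k") {
        [pscustomobject]@{ Type = 'RegistryKey'; Indicator = $k; Detail = '' }
    }
})

# 2. DLL behind each BHO CLSID (assumption: standard COM InprocServer32 registration).
$hits += @(foreach ($id in $bhoIds) {
    $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$id\InprocServer32"
    if (Test-Path -LiteralPath $server) {
        $dll = (Get-Item -LiteralPath $server).GetValue('')   # '' reads the default value
        [pscustomobject]@{ Type = 'BhoDll'; Indicator = $id; Detail = $dll }
    }
})

# 3. Downloaded configuration and keyword data.
$adlog = Join-Path $env:SystemRoot 'adlog.txt'
if (Test-Path -LiteralPath $adlog) {
    $hits += [pscustomobject]@{ Type = 'File'; Indicator = $adlog; Detail = (Get-Item -LiteralPath $adlog).LastWriteTime }
}

if ($hits.Count) { $hits | Format-Table -AutoSize -Wrap } else { 'No listed Adware.Webext indicators found.' }
```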
