
Adware.SmartDove

Updated: February 13, 2007 11:49:37 AM
Type: Adware
Risk Impact: High
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When Adware.SmartDove is executed, it performs the following actions:
  1. Creates the following files:

    %ProgramFiles%\Common Files\smartde\sde.exe
    %ProgramFiles%\SDAstro\SDAstro.exe
    %ProgramFiles%\SDAstro\Uninst.exe (clean file)
    %ProgramFiles%\SDAstro\olullj.uaf
    %ProgramFiles%\SDAstro\olullj.vdf
    %ProgramFiles%\SDAstro\xd.dll
    %System%\obwbkya.dll
    %System%\sdxbeia.dll
    %System%\shwasobj.dll
    %System%\smgykeb.dll
    %Temp%\SDSMyDll\MySetup.dll
    %UserProfile%\Start Menu\Programs\[CHINESE CHARACTERS]\[CHINESE CHARACTERS].lnk

    Note:
    • %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).
    • %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
    • %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
    • %Temp% is a variable that refers to the Windows temporary folder. By default, this is C:\Windows\TEMP (Windows 95/98/Me/XP) or C:\WINNT\Temp (Windows NT/2000).

  2. Creates and populates the following registry subkeys:

    HKEY_CLASSES_ROOT\CLSID\{4136C3F6-7636-49bf-A122-D4DA53B1ADDF}
    HKEY_CLASSES_ROOT\CLSID\{4293276E-3BEB-4F53-B65D-A395E6725941}
    HKEY_CLASSES_ROOT\CLSID\{4F7F2311-C8C2-4246-85A0-1556CEA02830}
    HKEY_CLASSES_ROOT\CLSID\{A228F9F7-3FDF-48AF-985C-EEC8757F3282}
    HKEY_CLASSES_ROOT\CLSID\{D4D5C535-BA95-4327-870D-A33826FDD17A}
    HKEY_CLASSES_ROOT\Interface\{0B48B708-C8AB-4D1C-A15B-64252C70B502}
    HKEY_CLASSES_ROOT\Interface\{4220DEFB-35D8-47E9-A271-A29B3DBB70FF}
    HKEY_CLASSES_ROOT\Interface\{A06B9FC8-270B-4EBD-A9E4-FA98326D94D0}
    HKEY_CLASSES_ROOT\Interface\{A49CBD7C-1DC2-493A-BD42-9E1847EF9E34}
    HKEY_CLASSES_ROOT\Interface\{B74110A8-6831-488B-8220-3BC937A66249}
    HKEY_CLASSES_ROOT\Interface\{D35CE37C-3DCF-40B3-9F3B-306D15A5B441}
    HKEY_CLASSES_ROOT\TypeLib\{15775971-D9E8-4E3D-8B1D-AABA4D37FCD1}
    HKEY_CLASSES_ROOT\TypeLib\{3D51C539-37DF-4F7A-AF3D-6CA73445F024}
    HKEY_CLASSES_ROOT\TypeLib\{6E6F665C-7A30-49A4-9A66-612CC2C378E9}
    HKEY_CLASSES_ROOT\TypeLib\{8F90BDF2-4CE4-4C67-903B-41178FADB5A6}
    HKEY_CLASSES_ROOT\MEobjectSDT.MDEobject
    HKEY_CLASSES_ROOT\MEobjectSDT.MDEobject.1
    HKEY_CLASSES_ROOT\MEobjectSDT.SDObmObj
    HKEY_CLASSES_ROOT\MEobjectSDT.SDObmObj.1
    HKEY_CLASSES_ROOT\XBEIAEC.ABase
    HKEY_CLASSES_ROOT\XBEIAEC.ABase.1
    HKEY_CLASSES_ROOT\XBEIAEC.BBase
    HKEY_CLASSES_ROOT\XBEIAEC.BBase.1
    HKEY_CLASSES_ROOT\XBEIAEC.EBase
    HKEY_CLASSES_ROOT\XBEIAEC.EBase.1
    HKEY_LOCAL_MACHINE\SOFTWARE\HappioSoft
    HKEY_LOCAL_MACHINE\SOFTWARE\SDAstro
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MdstSedp
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4136C3F6-7636-49bf-A122-D4DA53B1ADDF}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4D5C535-BA95-4327-870D-A33826FDD17A}
    HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\[CHINESE CHARACTERS]
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4136C3F6-7636-49bf-A122-D4DA53B1ADDF}
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D4D5C535-BA95-4327-870D-A33826FDD17A}

  3. Attempts to register an uninstaller with the following parameters:

    Display name: [CHINESE CHARACTERS]
    Uninstall string: C:\Program Files\SDAstro\Uninst.exe

    by creating and populating the following registry entry:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SDAstro

  4. May add a service with the following attributes:

    Service name: SDAgentService
    Display name: SDAgent Service
    Path to executable: %ProgramFiles%\Common Files\smartde\sde.exe
    Startup type: Automatic

    and register the executable as an event message file for EventLog

  5. May create the following folders:
    • %Windir%\Temp\myeoludl
    • %Windir%\Temp\~xhres11

      Note: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

  6. May also create the following registry subkeys:

    HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\[CHINESE CHARACTERS]
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4136C3F6-7636-49bf-A122-D4DA53B1ADDF}
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D4D5C535-BA95-4327-870D-A33826FDD17A}

  7. Displays advertisements based on the user's Web surfing activity. It may also log browser activities and send any data it gathers to the following Web site:
    apps.smartdove.com

    The risk has the capability to download updates of itself from the above site. When updating itself it may create the following files:
    • %ProgramFiles%\Common Files\smartde\~my[NUMBER].tmp
    • %System%\~my[NUMBER].tmp
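As an added example (not part of the Symantec write-up), the following PowerShell sweep checks a Windows host, read-only, for the artifacts listed in items 1 through 7 above: the files, folders, registry subkeys, BHO and uninstall registrations, the SDAgentService service and its EventLog message-file registration. It assumes PowerShell is available (which excludes the Windows 9x/Me systems in the affected list), that it runs from an elevated prompt so HKLM and the System folder are readable, and that the event message file registration lives under the standard HKLM\SYSTEM\CurrentControlSet\Services\EventLog tree, which the write-up does not state. The Start Menu shortcut name is given only as [CHINESE CHARACTERS], so the script instead flags any shortcut under Programs whose target is in the SDAstro folder.

```powershell
# Added example, not part of the Symantec write-up: a read-only sweep of a
# Windows host for the Adware.SmartDove artifacts listed in the text above.
# Run from an elevated prompt; nothing is modified or deleted.

# Resolve the write-up's path variables for this host.
$ProgramFiles = $env:ProgramFiles
$System       = Join-Path $env:SystemRoot 'System32'
$Windir       = $env:SystemRoot
$Temp         = $env:TEMP                      # current user's temp folder
$StartMenu    = [Environment]::GetFolderPath('StartMenu')

$findings = New-Object System.Collections.Generic.List[string]

# Items 1 and 5: files and folders named in the write-up.
$paths = @(
    (Join-Path $ProgramFiles 'Common Files\smartde\sde.exe'),
    (Join-Path $ProgramFiles 'SDAstro\SDAstro.exe'),
    (Join-Path $ProgramFiles 'SDAstro\Uninst.exe'),
    (Join-Path $ProgramFiles 'SDAstro\olullj.uaf'),
    (Join-Path $ProgramFiles 'SDAstro\olullj.vdf'),
    (Join-Path $ProgramFiles 'SDAstro\xd.dll'),
    (Join-Path $System 'obwbkya.dll'),
    (Join-Path $System 'sdxbeia.dll'),
    (Join-Path $System 'shwasobj.dll'),
    (Join-Path $System 'smgykeb.dll'),
    (Join-Path $Temp 'SDSMyDll\MySetup.dll'),
    (Join-Path $Windir 'Temp\myeoludl'),
    (Join-Path $Windir 'Temp\~xhres11')
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings.Add("Path present: $p") }
}

# Item 7: ~my[NUMBER].tmp update files in the two locations the write-up names.
foreach ($dir in @((Join-Path $ProgramFiles 'Common Files\smartde'), $System)) {
    Get-ChildItem -LiteralPath $dir -Filter '~my*.tmp' -ErrorAction SilentlyContinue |
        ForEach-Object { $findings.Add("Update temp file: $($_.FullName)") }
}

# Item 1: the shortcut name is only given as [CHINESE CHARACTERS], so flag any
# Start Menu shortcut whose target lives in the SDAstro folder.
$shell = New-Object -ComObject WScript.Shell
Get-ChildItem -LiteralPath (Join-Path $StartMenu 'Programs') -Recurse -Filter '*.lnk' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $target = $shell.CreateShortcut($_.FullName).TargetPath
        if ($target -like '*\SDAstro\*') { $findings.Add("Start Menu shortcut to SDAstro: $($_.FullName)") }
    }

# Items 2, 3 and 6: registry subkeys. HKCR has no PowerShell drive by default,
# so the Registry:: provider path is used for it.
$hkcr = 'Registry::HKEY_CLASSES_ROOT'
$keys = @(
    "$hkcr\MEobjectSDT.MDEobject", "$hkcr\MEobjectSDT.SDObmObj",
    "$hkcr\XBEIAEC.ABase", "$hkcr\XBEIAEC.BBase", "$hkcr\XBEIAEC.EBase",
    'HKLM:\SOFTWARE\HappioSoft', 'HKLM:\SOFTWARE\SDAstro',
    'HKLM:\SOFTWARE\Microsoft\MdstSedp',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SDAstro'
)
$clsids = '{4136C3F6-7636-49bf-A122-D4DA53B1ADDF}', '{4293276E-3BEB-4F53-B65D-A395E6725941}',
          '{4F7F2311-C8C2-4246-85A0-1556CEA02830}', '{A228F9F7-3FDF-48AF-985C-EEC8757F3282}',
          '{D4D5C535-BA95-4327-870D-A33826FDD17A}'
$bhos   = '{4136C3F6-7636-49bf-A122-D4DA53B1ADDF}', '{D4D5C535-BA95-4327-870D-A33826FDD17A}'
$ifaces = '{0B48B708-C8AB-4D1C-A15B-64252C70B502}', '{4220DEFB-35D8-47E9-A271-A29B3DBB70FF}',
          '{A06B9FC8-270B-4EBD-A9E4-FA98326D94D0}', '{A49CBD7C-1DC2-493A-BD42-9E1847EF9E34}',
          '{B74110A8-6831-488B-8220-3BC937A66249}', '{D35CE37C-3DCF-40B3-9F3B-306D15A5B441}'
$tlibs  = '{15775971-D9E8-4E3D-8B1D-AABA4D37FCD1}', '{3D51C539-37DF-4F7A-AF3D-6CA73445F024}',
          '{6E6F665C-7A30-49A4-9A66-612CC2C378E9}', '{8F90BDF2-4CE4-4C67-903B-41178FADB5A6}'
$keys += $clsids | ForEach-Object { "$hkcr\CLSID\$_" }
$keys += $ifaces | ForEach-Object { "$hkcr\Interface\$_" }
$keys += $tlibs  | ForEach-Object { "$hkcr\TypeLib\$_" }
$keys += $bhos   | ForEach-Object {
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$_"
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\$_"
}
foreach ($k in $keys) {
    if (Test-Path -LiteralPath $k) { $findings.Add("Registry key present: $k") }
}

# Item 4: the service and its EventLog message-file registration. The write-up
# does not say which log the source sits under (assumption: the standard
# EventLog tree), so every source is checked for an EventMessageFile value
# pointing at sde.exe.
$svc = Get-Service -Name 'SDAgentService' -ErrorAction SilentlyContinue
if ($svc) {
    $findings.Add("Service present: $($svc.Name) ('$($svc.DisplayName)'), status $($svc.Status)")
}
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog' -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $emf = (Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue).EventMessageFile
        if ($emf -like '*smartde\sde.exe*') { $findings.Add("EventLog message file -> sde.exe: $($_.PSPath)") }
    }

# Item 7 network indicator: apps.smartdove.com is the reporting and update host
# named in the write-up; it belongs on proxy/DNS deny lists and in egress-log searches.

if ($findings.Count -eq 0) { 'No Adware.SmartDove artifacts found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

The sweep only reports; the write-up's Removal tab is the place to look for the supported cleanup steps. Because the CLSIDs in item 2 are also the identifiers registered as Browser Helper Objects and under Ext\Stats, a hit on any of them is a stronger signal than a lone %Temp% file, which the update routine may leave behind even after a partial removal.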
