When Adware.Allsum is installed, it performs the following actions:
- Creates some of the following files:
  - %System%\wmpdrm.dll
  - %System%\msibm\cfsbho.dll
  - %System%\msibm\cfsupd.dll
  - %System%\msibm\cfsys.dll
  - %System%\msibm\linbak.dll
  - %System%\msibm\lowlvl.dll
  - %System%\msicn\msibm.dll
  - %System%\msicn\plugins\as.dll
  - %System%\msicn\plugins\bm.dll
  - %System%\msicn\plugins\bse.dll
  - %System%\msicn\plugins\lup.dll
  - %System%\spoolsv\spoolsv.exe
  - %Temp%\secp.exe
Note:
- %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
- %Temp% is a variable that refers to the Windows temporary folder. By default, this is C:\Windows\TEMP (Windows 95/98/Me/XP) or C:\WINNT\Temp (Windows NT/2000).
- Creates the following nonmalicious files:
  - %System%\msibm\cfs7zd.DLL
  - %System%\msibm\Uninstall.exe
  - %System%\msicn\ube.exe
- May also create the following files, which are not executable:
  - %System%\32F77AC0.094
  - %System%\guid.vxd
  - %System%\ibmuuid_.dll
  - %System%\ibmvdr_.dll
  - %System%\msuuid_.dll
  - %System%\msvendr_.dll
  - %System%\msibm\cfscfg.7z
  - %System%\msibm\cfscfg.ini
  - %System%\msibm\intro.htm
  - %System%\msibm\intro.tpl
  - %System%\msibm\post.htm
  - %System%\msibm\post.tpl
  - %System%\msicn\ava.vxd
  - %System%\msicn\fin.vxd
  - %System%\msicn\ksite.cpz
  - %System%\msicn\ksite.vxd
  - %System%\msicn\ksites.cpz
  - %System%\msicn\ksites.vxd
  - %System%\msicn\lup.cpz
  - %System%\msicn\lup.vxd
  - %System%\msicn\md5.cpz
  - %System%\msicn\md5.vxd
  - %System%\msicn\safep.cpz
  - %System%\msicn\safep.vxd
  - %System%\msicn\scan.cpz
  - %System%\msicn\scan.vxd
  - %System%\msicn\skey.cpz
  - %System%\msicn\skey.vxd
  - %System%\msicn\ssite.cpz
  - %System%\msicn\ssite.vxd
  - %System%\msicn\wpage.cpz
  - %System%\msicn\wpage.vxd
- Adds one of the following registry entries:
"mscfs" = "RUNDLL32 C:\WINDOWS\system32\msibm\cfsys.dll,cfs"
"spoolsv" = "C:\WINDOWS\system32\spoolsv\spoolsv.exe -printer"
to the registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that it runs every time Windows starts.
- Attempts to register an uninstaller with some of the following parameters:
Display name: Win Survey
Uninstall string: %System%\msibm\Uninstall.exe
or
Display name: WinDirected 2.0
Uninstall string: %System%\spoolsv\spoolsv.exe -uninst
by creating and populating one of the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\cfs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\wd2
- May also create and populate the following registry subkeys:
HKEY_CLASSES_ROOT\AppID\cfsbho.DLL
HKEY_CLASSES_ROOT\AppID\wmpdrm.DLL
HKEY_CLASSES_ROOT\AppID\{B46D3E4A-3F54-497D-AFFD-464AAE8098EF}
HKEY_CLASSES_ROOT\CLSID\{0E674588-66B7-4E19-9D0E-2053B800F69F}
HKEY_CLASSES_ROOT\CLSID\{8A4280AD-9B37-4922-A51D-73F3C3A32AF7}
HKEY_CLASSES_ROOT\Interface\{4A775183-9517-420E-9A13-D3DA47BB8A84}
HKEY_CLASSES_ROOT\Interface\{CE82AFC1-5E4B-4F19-A3E3-4FFF55F3D279}
HKEY_CLASSES_ROOT\TypeLib\{8B200623-3FC5-4493-8B49-DC2AD4830AF4}
HKEY_CLASSES_ROOT\TypeLib\{B46D3E4A-3F54-497D-AFFD-464AAE8098EF}
HKEY_CLASSES_ROOT\cfsbho.BHelper
HKEY_CLASSES_ROOT\cfsbho.BHelper.1
HKEY_CLASSES_ROOT\wmpdrm.cfsbho
HKEY_CLASSES_ROOT\wmpdrm.cfsbho.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0E674588-66B7-4E19-9D0E-2053B800F69F}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8A4280AD-9B37-4922-A51D-73F3C3A32AF7}
HKEY_CURRENT_USER\Software\mscfs
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0E674588-66B7-4E19-9D0E-2053B800F69F}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8A4280AD-9B37-4922-A51D-73F3C3A32AF7}
- May also modify the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\[DEFAULT VALUE] = "wmpdrm"
- May execute one of its components by executing the following command:
rundll32 %System%\msibm\cfsys.dll,cfs
The risk then monitors the above process.
If this process is ended, the risk may attempt to inject the components cfsys.dll and cfsupd.dll into one of the following processes:
abc.exe
alg.exe
AnyQ.exe
Aol.exe
Apache.exe
ApacheMonitor.exe
baiduX.exe
BitComet.exe
BitSpirit.exe
BitTorrent.exe
btogether.exe
conf.exe
ctfmon.exe
CuteFTP.exe
Dudu.exe
emule.exe
eph.exe
explorer.exe
firefox.exe
FlashFXP.exe
flashget.exe
foobar2000.exe
foxmail.exe
gaim.exe
ICQLite.exe
iexplore.exe
IMU.exe
irc.exe
KAV32.exe
kugoo.exe
kuro.exe
kvolself.exe
KVSrvXP.exe
LeapFTP.exe
LuComServer_2_5.exe
Maxthon.exe
mdm.exe
MeteorNetTV-hj.exe
mirc.exe
msimn.exe
msnmsgr.exe
myie.exe
myie2.exe
MyIM.exe
netants.exe
netscape.exe
NetTransport.exe
nettv.exe
opera.exe
OUTLOOK.exe
p2psrv.exe
Poco2004.exe
Popo.exe
qq.exe
QQexternal.exe
QQMail.exe
QQMusic.exe
RavCopy.exe
realplay.exe
realsched.exe
rtxc.exe
rundll32.exe
Sentinel.exe
ServUTray.exe
Skype.exe
starTV.exe
stv.exe
svchost.exe
Thunder.exe
tm.exe
TMShell.exe
TTplayer.exe
TTraveler.exe
UC.exe
vpp.exe
winamp.exe
wmplayer.exe
YPager.exe
- May create backups of its files in the following folders:
%System%\1116\ntjdo
%System%\1116\tqppmtw
%System%\1116\tzt
%System%\bakcfs
The risk may subsequently restore deleted files from these folders.
- May contact the following Web sites to update its configuration and download components:
www.ourxin.com
liveupdate.ourxin.com
- May also create the following files:
%System%\mscache\[NUMBER].cpz
%System%\mscache\navang.cpz
These files contain advertisements downloaded from the following Web site:
xz.kjxs.com
- Displays advertisements based on the user's Web surfing activity.
- May also log browser activities and send any data it gathers to the controlling Web site.