
Adware.AllSum

Updated: February 13, 2007 11:50:14 AM
Type: Adware
Risk Impact: Medium
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When Adware.AllSum is installed, it performs the following actions:
  1. Creates some of the following files:

    • %System%\wmpdrm.dll
    • %System%\msibm\cfsbho.dll
    • %System%\msibm\cfsupd.dll
    • %System%\msibm\cfsys.dll
    • %System%\msibm\linbak.dll
    • %System%\msibm\lowlvl.dll
    • %System%\msicn\msibm.dll
    • %System%\msicn\plugins\as.dll
    • %System%\msicn\plugins\bm.dll
    • %System%\msicn\plugins\bse.dll
    • %System%\msicn\plugins\lup.dll
    • %System%\spoolsv\spoolsv.exe
    • %Temp%\secp.exe

      Note:
    • %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
    • %Temp% is a variable that refers to the Windows temporary folder. By default, this is C:\Windows\TEMP (Windows 95/98/Me/XP) or C:\WINNT\Temp (Windows NT/2000).

  2. Creates the following nonmalicious files:

    • %System%\msibm\cfs7zd.DLL
    • %System%\msibm\Uninstall.exe
    • %System%\msicn\ube.exe

  3. May also create the following files, which are not executable:

    • %System%\32F77AC0.094
    • %System%\guid.vxd
    • %System%\ibmuuid_.dll
    • %System%\ibmvdr_.dll
    • %System%\msuuid_.dll
    • %System%\msvendr_.dll
    • %System%\msibm\cfscfg.7z
    • %System%\msibm\cfscfg.ini
    • %System%\msibm\intro.htm
    • %System%\msibm\intro.tpl
    • %System%\msibm\post.htm
    • %System%\msibm\post.tpl
    • %System%\msicn\ava.vxd
    • %System%\msicn\fin.vxd
    • %System%\msicn\ksite.cpz
    • %System%\msicn\ksite.vxd
    • %System%\msicn\ksites.cpz
    • %System%\msicn\ksites.vxd
    • %System%\msicn\lup.cpz
    • %System%\msicn\lup.vxd
    • %System%\msicn\md5.cpz
    • %System%\msicn\md5.vxd
    • %System%\msicn\safep.cpz
    • %System%\msicn\safep.vxd
    • %System%\msicn\scan.cpz
    • %System%\msicn\scan.vxd
    • %System%\msicn\skey.cpz
    • %System%\msicn\skey.vxd
    • %System%\msicn\ssite.cpz
    • %System%\msicn\ssite.vxd
    • %System%\msicn\wpage.cpz
    • %System%\msicn\wpage.vxd

  4. Adds one of the following registry entries:

    "mscfs" = "RUNDLL32 C:\WINDOWS\system32\msibm\cfsys.dll,cfs"
    "spoolsv" = "C:\WINDOWS\system32\spoolsv\spoolsv.exe -printer"

    to the registry entry:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that it runs every time Windows starts.

  5. Attempts to register an uninstaller with some of the following parameters:

    Display name: Win Survey
    Uninstall string: %System%\msibm\Uninstall.exe

    or

    Display name: WinDirected 2.0
    Uninstall string: %System%\spoolsv\spoolsv.exe -uninst

    by creating and populating one of the following registry subkeys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\cfs
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\wd2

  6. May also create and populate the following registry subkeys:

    HKEY_CLASSES_ROOT\AppID\cfsbho.DLL
    HKEY_CLASSES_ROOT\AppID\wmpdrm.DLL
    HKEY_CLASSES_ROOT\AppID\{B46D3E4A-3F54-497D-AFFD-464AAE8098EF}
    HKEY_CLASSES_ROOT\CLSID\{0E674588-66B7-4E19-9D0E-2053B800F69F}
    HKEY_CLASSES_ROOT\CLSID\{8A4280AD-9B37-4922-A51D-73F3C3A32AF7}
    HKEY_CLASSES_ROOT\Interface\{4A775183-9517-420E-9A13-D3DA47BB8A84}
    HKEY_CLASSES_ROOT\Interface\{CE82AFC1-5E4B-4F19-A3E3-4FFF55F3D279}
    HKEY_CLASSES_ROOT\TypeLib\{8B200623-3FC5-4493-8B49-DC2AD4830AF4}
    HKEY_CLASSES_ROOT\TypeLib\{B46D3E4A-3F54-497D-AFFD-464AAE8098EF}
    HKEY_CLASSES_ROOT\cfsbho.BHelper
    HKEY_CLASSES_ROOT\cfsbho.BHelper.1
    HKEY_CLASSES_ROOT\wmpdrm.cfsbho
    HKEY_CLASSES_ROOT\wmpdrm.cfsbho.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0E674588-66B7-4E19-9D0E-2053B800F69F}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8A4280AD-9B37-4922-A51D-73F3C3A32AF7}
    HKEY_CURRENT_USER\Software\mscfs
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0E674588-66B7-4E19-9D0E-2053B800F69F}
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8A4280AD-9B37-4922-A51D-73F3C3A32AF7}

  7. May also modify the following registry entry:

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\[DEFAULT VALUE] = "wmpdrm"

  8. May execute one of its components by executing the following command:

    rundll32 %System%\msibm\cfsys.dll,cfs

    The risk then monitors the above process.

    If this process is ended, the risk may attempt to inject the components cfsys.dll and cfsupd.dll into one of the following processes:

    abc.exe
    alg.exe
    AnyQ.exe
    Aol.exe
    Apache.exe
    ApacheMonitor.exe
    baiduX.exe
    BitComet.exe
    BitSpirit.exe
    BitTorrent.exe
    btogether.exe
    conf.exe
    ctfmon.exe
    CuteFTP.exe
    Dudu.exe
    emule.exe
    eph.exe
    explorer.exe
    firefox.exe
    FlashFXP.exe
    flashget.exe
    foobar2000.exe
    foxmail.exe
    gaim.exe
    ICQLite.exe
    iexplore.exe
    IMU.exe
    irc.exe
    KAV32.exe
    kugoo.exe
    kuro.exe
    kvolself.exe
    KVSrvXP.exe
    LeapFTP.exe
    LuComServer_2_5.exe
    Maxthon.exe
    mdm.exe
    MeteorNetTV-hj.exe
    mirc.exe
    msimn.exe
    msnmsgr.exe
    myie.exe
    myie2.exe
    MyIM.exe
    netants.exe
    netscape.exe
    NetTransport.exe
    nettv.exe
    opera.exe
    OUTLOOK.exe
    p2psrv.exe
    Poco2004.exe
    Popo.exe
    qq.exe
    QQexternal.exe
    QQMail.exe
    QQMusic.exe
    RavCopy.exe
    realplay.exe
    realsched.exe
    rtxc.exe
    rundll32.exe
    Sentinel.exe
    ServUTray.exe
    Skype.exe
    starTV.exe
    stv.exe
    svchost.exe
    Thunder.exe
    tm.exe
    TMShell.exe
    TTplayer.exe
    TTraveler.exe
    UC.exe
    vpp.exe
    winamp.exe
    wmplayer.exe
    YPager.exe

  9. May create backups of its files in the following folders:

    %System%\1116\ntjdo
    %System%\1116\tqppmtw
    %System%\1116\tzt
    %System%\bakcfs

    The risk may subsequently restore deleted files from these folders.

  10. May contact the following Web sites to update its configuration and download components:

    www.ourxin.com
    liveupdate.ourxin.com

  11. May also create the following files:

    %System%\mscache\[NUMBER].cpz
    %System%\mscache\navang.cpz

    These files contain advertisements downloaded from the following Web site:

    xz.kjxs.com

  12. Displays advertisements based on the user's Web surfing activity.

  13. May also log browser activities and send any data it gathers to the controlling Web site.
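As an added, read-only triage check (not part of the Symantec write-up), the following PowerShell script looks on an NT-based host for the file, Run-key, uninstaller and Browser Helper Object indicators listed in the steps above; it assumes %System% is %SystemRoot%\System32 as described in the note to step 1, and it reports findings without removing anything.

```powershell
# Added example: report Adware.AllSum indicators from the write-up above.
# Read-only: nothing is deleted or modified.
$sys = Join-Path $env:SystemRoot 'System32'   # %System% on NT-based Windows

# File indicators from step 1, relative to %System% (plus %Temp%\secp.exe)
$files = @(
    'wmpdrm.dll', 'msibm\cfsbho.dll', 'msibm\cfsupd.dll', 'msibm\cfsys.dll',
    'msibm\linbak.dll', 'msibm\lowlvl.dll', 'msicn\msibm.dll',
    'msicn\plugins\as.dll', 'msicn\plugins\bm.dll', 'msicn\plugins\bse.dll',
    'msicn\plugins\lup.dll', 'spoolsv\spoolsv.exe'
) | ForEach-Object { Join-Path $sys $_ }
$files += Join-Path $env:TEMP 'secp.exe'

# Run-key value names (step 4) and uninstaller subkeys (step 5)
$runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runNames = @('mscfs', 'spoolsv')
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\cfs',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\wd2'
)
# Browser Helper Object CLSIDs registered by the adware (step 6)
$bhoClsids = @('{0E674588-66B7-4E19-9D0E-2053B800F69F}',
               '{8A4280AD-9B37-4922-A51D-73F3C3A32AF7}')
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

$hits = @()
foreach ($f in $files) { if (Test-Path -LiteralPath $f) { $hits += "File: $f" } }

$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
foreach ($n in $runNames) {
    $v = $run.$n
    # Only flag the value when it points at the adware's own paths from step 4
    if ($v -and ($v -match 'msibm\\cfsys\.dll' -or $v -match 'spoolsv\\spoolsv\.exe')) {
        $hits += "Run value: $n = $v"
    }
}
foreach ($k in $uninstallKeys) { if (Test-Path $k) { $hits += "Uninstall key: $k" } }
foreach ($c in $bhoClsids) {
    if (Test-Path (Join-Path $bhoKey $c)) { $hits += "BHO registration: $c" }
    if (Test-Path "Registry::HKEY_CLASSES_ROOT\CLSID\$c") { $hits += "CLSID: $c" }
}

if ($hits.Count -eq 0) { 'No Adware.AllSum indicators found.' }
else { 'Possible Adware.AllSum indicators:'; $hits | ForEach-Object { "  $_" } }
```

Run it from an elevated prompt so HKLM and %System% subfolders are readable; a hit on the Run value or a BHO CLSID is a stronger signal than a lone file name, since the write-up lists several of the file names as non-malicious helpers.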
