
Adware.Rugo

Updated: April 26, 2007 4:11:21 PM
Type: Adware
Risk Impact: Medium
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows NT, Windows Server 2003, Windows 2000

When the program is executed, it creates the following files:
  • %Temp%\bofang.dll
  • %Temp%\GTIAPI.dll
  • %Temp%\hbcmd.dll
  • %Temp%\lfrmewrk.exe
  • %Temp%\RGInstall.dll
  • %System%\[NINE TO TWELVE RANDOM CHARACTERS]
  • %System%\[FOUR RANDOM CHARACTERS].exe
  • %System%\[FOUR RANDOM CHARACTERS FILE NAME 1].dll
  • %System%\[FOUR RANDOM CHARACTERS FILE NAME 2].dll
  • %System%\[FOUR RANDOM CHARACTERS FILE NAME 3].dll
  • %Windir%\[FIVE RANDOM CHARACTERS].avi
  • %Windir%\[FIVE RANDOM CHARACTERS].dat
  • %Windir%\[FIVE RANDOM CHARACTERS].cfg
  • %Windir%\[FIVE RANDOM CHARACTERS].jpg


Next, the program creates registry entries under the following subkeys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EmonSrv
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{66C2C482-D4EE-42A5-AEF7-0B124F278D47}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\myieex.ExtentIE
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\myieex.ExtentIE.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{3D1C8E89-EBBD-4601-BA85-B190BF01F8C4}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{375E356E-0A40-4D1E-9D1B-DC4BBEAAC79F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{90E65E8F-5642-4A76-973A-ACED440797BE}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{66C2C482-D4EE-42A5-AEF7-0B124F278D47}

The program installs itself as a Browser Helper Object and a service.

It may also periodically display advertisements.

The program gathers system information from the computer and uses it to download updates of itself from the following location:
[http://]ccc.boolans.com/player/blog.[REMOVED]

The program then assigns a unique identifier to the computer and contacts the following location:
[http://]ccc.boolans.com/ue000/38s[REMOVED]
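A host-level check for the artifacts listed above, added here as an example and not part of the Symantec writeup. It tests the fixed-name %Temp% files and the registry subkeys exactly as listed, reads the EmonSrv service binary path, and enumerates every registered Browser Helper Object, resolving each CLSID to its DLL so that the known CLSID and any BHO matching the %System%\[FOUR RANDOM CHARACTERS].dll pattern are surfaced for review. It assumes the 32-bit registry view and the host's own %Temp% and %System% locations.

```powershell
# Added hunting script (not part of the Symantec writeup). Random-name files cannot be
# matched directly, so BHOs whose DLL resolves into %System% with a 4-character name
# are reported for manual review rather than treated as confirmed.
$findings = @()

# Fixed-name files the writeup lists under %Temp%.
$tempFiles = 'bofang.dll','GTIAPI.dll','hbcmd.dll','lfrmewrk.exe','RGInstall.dll'
foreach ($name in $tempFiles) {
    $p = Join-Path $env:TEMP $name
    if (Test-Path -LiteralPath $p) { $findings += "file: $p" }
}

# Registry subkeys from the writeup (HKLM hive).
$rugoClsid = '{66C2C482-D4EE-42A5-AEF7-0B124F278D47}'
$keys = @(
  'HKLM:\SYSTEM\CurrentControlSet\Services\EmonSrv',
  "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$rugoClsid",
  'HKLM:\SOFTWARE\Classes\myieex.ExtentIE',
  'HKLM:\SOFTWARE\Classes\myieex.ExtentIE.1',
  'HKLM:\SOFTWARE\Classes\TypeLib\{3D1C8E89-EBBD-4601-BA85-B190BF01F8C4}',
  'HKLM:\SOFTWARE\Classes\Interface\{375E356E-0A40-4D1E-9D1B-DC4BBEAAC79F}',
  'HKLM:\SOFTWARE\Classes\AppID\{90E65E8F-5642-4A76-973A-ACED440797BE}',
  "HKLM:\SOFTWARE\Classes\CLSID\$rugoClsid"
)
foreach ($k in $keys) {
    if (Test-Path -LiteralPath $k) { $findings += "registry: $k" }
}

# Service binary path, if the EmonSrv service is registered.
$svc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\EmonSrv' -ErrorAction SilentlyContinue
if ($svc -and $svc.ImagePath) { $findings += "service EmonSrv ImagePath: $($svc.ImagePath)" }

# Enumerate every registered BHO and resolve its CLSID to the in-process DLL.
$bhoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$sysDir  = [Environment]::GetFolderPath('System')
Get-ChildItem -Path $bhoRoot -ErrorAction SilentlyContinue | ForEach-Object {
    $clsid = $_.PSChildName
    $srv = Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
    $dll = if ($srv) { $srv.'(default)' } else { '<unresolved>' }
    if ($clsid -eq $rugoClsid) {
        $findings += "BHO: known Adware.Rugo CLSID $clsid -> $dll"
    } elseif ($dll -like "$sysDir\*" -and ([IO.Path]::GetFileNameWithoutExtension($dll)).Length -eq 4) {
        # Fits the %System%\[FOUR RANDOM CHARACTERS].dll pattern from the writeup; review manually.
        $findings += "BHO: review $clsid -> $dll"
    }
}

if ($findings) { $findings } else { Write-Output 'No Adware.Rugo artifacts found.' }
```

On 64-bit hosts, 32-bit BHOs and their CLSIDs register under the Wow6432Node view, so the same checks should be repeated against those paths.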