
Adware.Superiorads

Updated: March 14, 2008 4:03:57 PM
Type: Adware
Risk Impact: Medium
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000

When the program is executed, it creates the following files:
  • %UserProfile%\Local Settings\Temp\fupd.exe
  • %UserProfile%\Local Settings\Temp\gewhk1
  • %UserProfile%\Local Settings\Temp\s23o
  • %System%\sprt_ads.dll
  • %System%\_sprt_ads.dll
  • %System%\superiorads-uninst.exe


Next, the program creates one of the following registry entries so that it executes whenever Windows starts:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"spa_start" = "C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\sprt_ads.dll" DllInit"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"spa_start" = "C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\sprt_ads.dll" DllStart"


It also creates the following registry subkeys:
  • HKEY_CURRENT_USER\Software\Microsoft\AdvRemoteDbg
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{43FC67B6-4C25-4AFD-AE7A-9EF3E4587026}
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4AD44D3E-7316-4251-B754-9B10EC96AF92}
  • HKEY_CLASSES_ROOT\AdSlice.Slice.1
  • HKEY_CLASSES_ROOT\AdSlice.Slice
  • HKEY_CLASSES_ROOT\CLSID\{43FC67B6-4C25-4afd-AE7A-9EF3E4587026}
  • HKEY_CLASSES_ROOT\Interface\{3EB045B6-6669-4E1A-A0A9-95A6DA3C76EA}
  • HKEY_CLASSES_ROOT\Interface\{BAEBD083-D541-4883-8E15-8915B15CB7DE}
  • HKEY_CLASSES_ROOT\TypeLib\{C49A1A65-4627-4F28-ABE9-E4FB2B558F05}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{43FC67B6-4C25-4afd-AE7A-9EF3E4587026}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\superiorads
  • HKEY_CLASSES_ROOT\AdPanel.Panel1.1
  • HKEY_CLASSES_ROOT\AdPanel.Panel1
  • HKEY_CLASSES_ROOT\CLSID\{4AD44D3E-7316-4251-B754-9B10EC96AF92}
  • HKEY_CLASSES_ROOT\TypeLib\{FF49E1C5-DCE3-4A5E-9033-189C945D4CE5}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4AD44D3E-7316-4251-B754-9B10EC96AF92}

It then downloads updates from the following URL:
[http://]85.92.157.141/updates/sa_10[REMOVED]

The program then installs a Browser Helper Object for Internet Explorer on the computer.

It visits the following URL when installation is complete:
[http://]superiorads.biz/bc/nsi_ins[REMOVED]

It then connects to the following Web site to download advertisements, which it displays on the computer:
[http://]superiorads.biz/bc/ads/[BANNER SIZE]/47b2ea88b[REMOVED]
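
As an added example (not part of the original write-up or any vendor tool), the Python code below scans the text of a registry export for the Run entry and the Browser Helper Object CLSIDs listed above. CLSIDs are compared case-insensitively because the write-up lists the same CLSID in both upper and mixed case. The sample export and the function names are constructed for illustration.

```python
import re

# Indicators taken from the write-up above; sample data and names are constructed.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
BHO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
           r"\Explorer\Browser Helper Objects")
BHO_CLSIDS = {"{43FC67B6-4C25-4AFD-AE7A-9EF3E4587026}",
              "{4AD44D3E-7316-4251-B754-9B10EC96AF92}"}
DLL_NAME = "sprt_ads.dll"

# Constructed .reg export: one benign Run value, one matching Run value, one BHO key.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"spa_start"="C:\\WINDOWS\\System32\\Rundll32.exe \"C:\\WINDOWS\\system32\\sprt_ads.dll\" DllInit"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{43FC67B6-4C25-4afd-AE7A-9EF3E4587026}]
'''

def parse_reg(text):
    """Yield (key, value_name, data) from decoded .reg text; value_name is None for a key line."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            yield key, None, None
        elif key and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
            if m:  # REG_SZ values only; undo the \\ and \" escaping of the export
                name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
                yield key, name, data

def find_indicators(text):
    """Return ("run", value_name) and ("bho", CLSID) hits for the indicators above."""
    hits = []
    for key, name, data in parse_reg(text):
        parent, _, leaf = key.rpartition("\\")
        if name is None:
            # Registry key names are case-insensitive, so normalise before comparing.
            if parent.lower() == BHO_KEY.lower() and leaf.upper() in BHO_CLSIDS:
                hits.append(("bho", leaf.upper()))
        elif key.lower() == RUN_KEY.lower():
            cmd = data.lower()
            if "rundll32" in cmd and DLL_NAME in cmd:  # DllInit and DllStart both match
                hits.append(("run", name))
    return hits
```

Files written by regedit are UTF-16 encoded, so decode them before passing the text to `find_indicators`.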