
Adware.SafeTerra

Updated: April 27, 2012 5:18:32 AM
Infection Length: 2,952,646 bytes
Name: SafeTerra
Version: 1.0
Publisher: cpaacademy.co.kr
Risk Impact: High
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Server 2008, Windows 7, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000

When the security risk executes, it creates the following files:
  • %ProgramFiles%\KeywordInfo\Wkip.exe
  • %ProgramFiles%\KeywordInfo\WkipUpdate.exe
  • %ProgramFiles%\KeywordInfo\WkipUnInst.exe
  • %ProgramFiles%\STerra\SafeTerra.exe
  • %ProgramFiles%\STerra\SafeTerraUpdate.exe
  • %ProgramFiles%\STerra\STUninstall.exe
  • %ProgramFiles%\STerra\TerraInfo.STR

Next, it creates the following registry entries so that it runs every time Windows starts:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Safeterra" = "%ProgramFiles%\STerra\SafeTerraUpdate.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"KeywordInfo" = "%ProgramFiles%\KeywordInfo\WKipUpdate.exe"

It then creates the following registry entries:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SafeTerra\"HelpLink" = "[http://]www.cpaacademy.kr"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SafeTerra\"Publisher" = "[KOREAN CHARACTERS]"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SafeTerra\"URLInfoAbout" = "[http://]www.cpaacademy.kr"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SafeTerra\"URLUpdateInfo" = "[http://]www.cpaacademy.kr"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SafeTerra\"UninstallString" = "%ProgramFiles%\STerra\STUninstall.exe"
  • HKEY_CURRENT_USER\Software\Safeterra\Ad\"paused_ad_time" = "3c"
  • HKEY_CURRENT_USER\Software\Safeterra\Ad\BlcokDomainList\"WEGAMES.NET"
  • HKEY_CURRENT_USER\Software\Safeterra\Ad\BlcokDomainList\"JI.WOTO.NET"
  • HKEY_CURRENT_USER\Software\Safeterra\Ad\"answer_hold" = "bb8"
  • HKEY_CURRENT_USER\Software\Safeterra\Ad\"day_middle" = "a"
  • HKEY_CURRENT_USER\Software\Safeterra\Ad\"day_repeat" = "1"
  • HKEY_CURRENT_USER\Software\Safeterra\Ad\"day_toast" = "a"
  • HKEY_CURRENT_USER\Software\Safeterra\Ad\"day_under" = "a"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SafeTerra\"Comments" = "SafeTerra 1.0"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SafeTerra\"DisplayName" = "Window network SafeTerra"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SafeTerra\"DisplayVersion" = "1.0"

It then connects to the following URLs:
  • [http://]admin.keywordinfo.co.kr/app/setu[REMOVED]
  • [http://]datacheck.cpaacademy.kr/AppBlockDataApp/AppBlockVal[REMOVED]
  • [http://]admin.keywordinfo.co.kr/app/confi[REMOVED]
  • [http://]ate>http://admin.keywordinfo.co.kr/app/setu[REMOVED]

It also downloads an XML file from the following URL:
[http://]admin.keywordinfo.co.kr/app/index[REMOVED]

The downloaded XML file contains URLs to display pop-up advertisements, which it opens in Internet Explorer.

The security risk may also download more adware.
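The indicators above (dropped files, the two Run values, the Uninstall key, the per-user Safeterra\Ad key and the two contact domains) can be swept for on a suspect host with a read-only script. The following is an added example written for this page, not Symantec's tool or code from the adware's publisher; it reports matches and does not remove anything. It assumes a 32-bit installer may land under the (x86) Program Files directory and under the WOW6432Node registry view on 64-bit Windows, and that Get-DnsClientCache is available (Windows 8 / Server 2012 and later); neither assumption comes from the write-up.

```powershell
# Added example: read-only IoC sweep for the Adware.SafeTerra indicators listed
# in the write-up. Run from an elevated PowerShell session.
$hits = New-Object System.Collections.Generic.List[string]

# File indicators. Both Program Files roots are checked on x64 hosts
# (assumption: the installer is 32-bit and may use the (x86) directory).
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ } | Select-Object -Unique
$relativeFiles = @(
    'KeywordInfo\Wkip.exe', 'KeywordInfo\WkipUpdate.exe', 'KeywordInfo\WkipUnInst.exe',
    'STerra\SafeTerra.exe', 'STerra\SafeTerraUpdate.exe', 'STerra\STUninstall.exe',
    'STerra\TerraInfo.STR'
)
foreach ($root in $roots) {
    foreach ($rel in $relativeFiles) {
        $path = Join-Path $root $rel
        if (Test-Path -LiteralPath $path) { $hits.Add("file: $path") }
    }
}

# Persistence lives under HKEY_CURRENT_USER, so every loaded user hive is
# checked rather than only the hive of the account running this script.
$runValues = @('Safeterra', 'KeywordInfo')
foreach ($sid in (Get-ChildItem 'Registry::HKEY_USERS').PSChildName) {
    $runKey = "Registry::HKEY_USERS\$sid\Software\Microsoft\Windows\CurrentVersion\Run"
    if (Test-Path -LiteralPath $runKey) {
        $props = Get-ItemProperty -LiteralPath $runKey
        foreach ($name in $runValues) {
            $val = $props.PSObject.Properties[$name]
            if ($val) { $hits.Add("run: HKU\$sid\...\Run\$name = $($val.Value)") }
        }
    }
    # Configuration key the adware creates (paused_ad_time, BlcokDomainList, ...)
    $adKey = "Registry::HKEY_USERS\$sid\Software\Safeterra\Ad"
    if (Test-Path -LiteralPath $adKey) { $hits.Add("key: HKU\$sid\Software\Safeterra\Ad") }
}

# Machine-wide Uninstall entry; the WOW6432Node path is an assumption for x64 hosts.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SafeTerra',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SafeTerra'
)
foreach ($k in $uninstallKeys) {
    if (Test-Path -LiteralPath $k) {
        $p = Get-ItemProperty -LiteralPath $k
        $hits.Add("uninstall: $k DisplayName='$($p.DisplayName)' UninstallString='$($p.UninstallString)'")
    }
}

# Network indicators: resolver-cache entries for the domains the adware contacts.
# Get-DnsClientCache exists only on Windows 8 / Server 2012 and later, so it is
# skipped elsewhere rather than failing the sweep.
$domains = @('keywordinfo.co.kr', 'cpaacademy.kr')
if (Get-Command Get-DnsClientCache -ErrorAction SilentlyContinue) {
    foreach ($entry in Get-DnsClientCache) {
        foreach ($d in $domains) {
            if ($entry.Entry -like "*$d") { $hits.Add("dns-cache: $($entry.Entry) -> $($entry.Data)") }
        }
    }
}

if ($hits.Count -eq 0) {
    Write-Output 'No Adware.SafeTerra indicators found.'
} else {
    Write-Output "Adware.SafeTerra indicators found ($($hits.Count)):"
    $hits | ForEach-Object { Write-Output "  $_" }
}
```

A DNS-cache hit only shows that something on the host resolved one of the domains recently; treat it as a lead to confirm against the file and registry indicators, not as proof on its own. Because the Run values are per-user, a sweep that only reads HKCU from an administrator's session would miss an infection in another user's profile, which is why the script walks HKEY_USERS.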