
Adware.Crossid

Updated:
June 8, 2012 3:28:33 AM
Type:
Adware
Risk Impact:
High
Systems Affected:
Windows 2000, Windows 7, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Server 2008, Windows Vista, Windows XP
When the security risk is executed, it creates the following files:
  • %ProgramFiles%\[NAME OF SECURITY RISK]\[NAME OF SECURITY RISK].ico
  • %ProgramFiles%\[NAME OF SECURITY RISK]\[NAME OF SECURITY RISK].ini
  • %Temp%\[NAME OF SECURITY RISK]Installer_[RANDOM NUMBER].log
  • %ProgramFiles%\[NAME OF SECURITY RISK]\[NAME OF SECURITY RISK]Installer.log
  • %UserProfile%\Application Data\[NAME OF SECURITY RISK]\Chrome\[NAME OF SECURITY RISK].crx
  • %UserProfile%\Application Data\Google\Chrome\User Data\Default\databases\chrome-extension_[RANDOM CHARACTERS]_0\3
  • %ProgramFiles%\[NAME OF SECURITY RISK]\Uninstall.exe
  • %ProgramFiles%\[NAME OF SECURITY RISK]\[NAME OF SECURITY RISK].exe
  • %ProgramFiles%\[NAME OF SECURITY RISK]\[NAME OF SECURITY RISK]Gui.exe
  • %ProgramFiles%\[NAME OF SECURITY RISK]\[NAME OF SECURITY RISK].dll

Next, it creates the following registry entries:
  • HKEY_CURRENT_USER\Software\[NAME OF SECURITY RISK]\Installer\"BundledFirefox" = "1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110011221158}\"NoExplorer" = "1"
  • HKEY_CURRENT_USER\Software\Cr_Installer\2258\"InstallationThankYouPage" = "1"
  • HKEY_CURRENT_USER\Software\[NAME OF SECURITY RISK]\Plugins\20\"Version" = "1"
  • HKEY_CURRENT_USER\Software\[NAME OF SECURITY RISK]\Plugins\17\"Version" = "1"
  • HKEY_CURRENT_USER\Software\[NAME OF SECURITY RISK]\Plugins\15\"Version" = "1"
  • HKEY_CURRENT_USER\Software\[NAME OF SECURITY RISK]\Plugins\14\"Version" = "1"
  • HKEY_CURRENT_USER\Software\[NAME OF SECURITY RISK]\Plugins\13\"Version" = "1"
  • HKEY_CURRENT_USER\Software\[NAME OF SECURITY RISK]\Installer\"BundledChrome" = "1"
  • HKEY_CURRENT_USER\Software\[NAME OF SECURITY RISK]\Log\"WriteHelperLogFile" = "0"
  • HKEY_CURRENT_USER\Software\[NAME OF SECURITY RISK]\Manifest\"GroupId" = "0"
  • HKEY_CURRENT_USER\Software\[NAME OF SECURITY RISK]\Manifest\"Version" = "0"
  • HKEY_CURRENT_USER\Software\[NAME OF SECURITY RISK]\Plugins\"PluginsManifestVersion" = "2"
  • HKEY_CURRENT_USER\Software\[NAME OF SECURITY RISK]\Installer\"PlatformVersion" = "1"
  • HKEY_CURRENT_USER\Software\[NAME OF SECURITY RISK]\Code\"NewTabJavaScript" = ""
  • HKEY_CURRENT_USER\Software\[NAME OF SECURITY RISK]\Installer\"SetNewTab" = "False"
  • HKEY_CURRENT_USER\Software\[NAME OF SECURITY RISK]\Installer\"SetHomepage" = "False"
  • HKEY_CURRENT_USER\Software\[NAME OF SECURITY RISK]\Installer\"UserConfirmation" = "False"
  • HKEY_CURRENT_USER\Software\[NAME OF SECURITY RISK]\Manifest\"SetNewTab" = "False"
  • HKEY_CURRENT_USER\Software\[NAME OF SECURITY RISK]\Manifest\"RunInFrame" = "False"
  • HKEY_CURRENT_USER\Software\[NAME OF SECURITY RISK]\Manifest\"EnableSearchIE" = "False"
  • HKEY_CURRENT_USER\Software\[NAME OF SECURITY RISK]\Manifest\"ChangePrevious" = "False"
  • HKEY_CURRENT_USER\Software\[NAME OF SECURITY RISK]\Installer\"SetSearch" = "False"
  • HKEY_CURRENT_USER\Software\[NAME OF SECURITY RISK]\Manifest\"BgVersion" = "10"
  • HKEY_CURRENT_USER\Software\[NAME OF SECURITY RISK]\Manifest\"DisableIe" = "TRUE"
  • HKEY_CURRENT_USER\Software\[NAME OF SECURITY RISK]\Installer\"ThankYouPage" = "TRUE"
  • HKEY_CURRENT_USER\Software\[NAME OF SECURITY RISK]\Installer\"ScriptVersion" = "18"
  • HKEY_CURRENT_USER\Software\[NAME OF SECURITY RISK]\Installer\"subid" = "default"
  • HKEY_CURRENT_USER\Software\[NAME OF SECURITY RISK]\Log\"LogFilesFolder" = "%UserProfile%\My Documents"
  • HKEY_CURRENT_USER\Software\[NAME OF SECURITY RISK]\"HelperRunningVersion" = "149"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\[NAME OF SECURITY RISK]\"CrPublisherId" = "390"
  • HKEY_CURRENT_USER\Software\[NAME OF SECURITY RISK]\Manifest\"Version" = "57"
  • HKEY_CURRENT_USER\Software\[NAME OF SECURITY RISK]\Manifest\"UpdateInterval" = 0x00000168
  • HKEY_CURRENT_USER\Software\[NAME OF SECURITY RISK]\OpenSearch\"SearchShortName" = "Search The Web"
  • HKEY_CURRENT_USER\Software\[NAME OF SECURITY RISK]\Manifest\"SettingsUrl" = "na"
  • HKEY_CURRENT_USER\Software\[NAME OF SECURITY RISK]\Manifest\"TrustedDomain" = "na"
  • HKEY_CURRENT_USER\Software\[NAME OF SECURITY RISK]\Manifest\"AddressbarURL" = "na"
  • HKEY_CURRENT_USER\Software\[NAME OF SECURITY RISK]\Manifest\"CertifiedInstall" = "na"
  • HKEY_CURRENT_USER\Software\[NAME OF SECURITY RISK]\Manifest\"HomePageUrl" = "na"
  • HKEY_CURRENT_USER\Software\[NAME OF SECURITY RISK]\Manifest\"Manifest" = "na"
  • HKEY_CURRENT_USER\Software\[NAME OF SECURITY RISK]\Manifest\"RemoteFbApiUrl" = "na"
  • HKEY_CURRENT_USER\Software\Cr_Installer\2258\"InstallationUserSettings" = "{"searchUserConifrmation": false, "setSearch": false, "setHomepage": false, "setNewTab": false}"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\[NAME OF SECURITY RISK]\"CrAppId" = "2258"
  • HKEY_CURRENT_USER\Software\[NAME OF SECURITY RISK]\"ActiveAppId" = "2258"
  • HKEY_CURRENT_USER\Software\[NAME OF SECURITY RISK]\Manifest\"Description" = "[NAME OF SECURITY RISK]!"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\[NAME OF SECURITY RISK]\"DisplayName" = "[NAME OF SECURITY RISK]"
  • HKEY_CURRENT_USER\Software\InstalledBrowserExtensions\215 Apps\"2258" = "[NAME OF SECURITY RISK]"
  • HKEY_CURRENT_USER\Software\[NAME OF SECURITY RISK]\Manifest\"Name" = "[NAME OF SECURITY RISK]"
  • HKEY_CURRENT_USER\Software\[NAME OF SECURITY RISK]\Manifest\"PublisherName" = "215 Apps"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\[NAME OF SECURITY RISK]\"Publisher" = "215 Apps"
  • HKEY_CURRENT_USER\Software\[NAME OF SECURITY RISK]\OpenSearch\"SearchIcon" = "[http://]crossrider.com/plugin/images/opensea[REMOVED]"
  • HKEY_CURRENT_USER\Software\[NAME OF SECURITY RISK]\OpenSearch\"SearchUrl" = "[http://]search.crossrider.com/goo[REMOVED]"
  • HKEY_CURRENT_USER\Software\[NAME OF SECURITY RISK]\Manifest\"ThanksUrl" = "[http://]iw.antthis.com/thanky[REMOVED]"
  • HKEY_CLASSES_ROOT\CLSID\{11111111-1111-1111-1111-110011221158}\InprocServer32\"(Default)" = "%ProgramFiles%\[NAME OF SECURITY RISK]\[NAME OF SECURITY RISK].dll"
  • HKEY_CLASSES_ROOT\CLSID\{22222222-2222-2222-2222-220022222258}\InprocServer32\"(Default)" = "%ProgramFiles%\[NAME OF SECURITY RISK]\[NAME OF SECURITY RISK].dll"
  • HKEY_CLASSES_ROOT\CLSID\{33333333-3333-3333-3333-330033223358}\InprocServer32\"(Default)" = "%ProgramFiles%\[NAME OF SECURITY RISK]\[NAME OF SECURITY RISK].dll"
  • HKEY_CURRENT_USER\Software\[NAME OF SECURITY RISK]\Installer\"Folder" = "%ProgramFiles%\[NAME OF SECURITY RISK]"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{11111111-1111-1111-1111-110011221158}\"AppPath" = "%PROGRAMFILES%\[NAME OF SECURITY RISK]"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\mpfapcdfbbledbojijcbcclmlieaoogk\"path" = "%UserProfile%\Application Data\[NAME OF SECURITY RISK]\Chrome\[NAME OF SECURITY RISK].crx"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\mpfapcdfbbledbojijcbcclmlieaoogk\"path" = "%UserProfile%\Application Data\[NAME OF SECURITY RISK]\Chrome\[NAME OF SECURITY RISK].crx"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{11111111-1111-1111-1111-110011221158}\"AppName" = "[NAME OF SECURITY RISK].exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\[NAME OF SECURITY RISK]\"DisplayIcon" = "%PROGRAMFILES%\[NAME OF SECURITY RISK]\Uninstall.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\[NAME OF SECURITY RISK]\"UninstallString" = "%PROGRAMFILES%\[NAME OF SECURITY RISK]\Uninstall.exe"
  • HKEY_CURRENT_USER\Software\[NAME OF SECURITY RISK]\Plugins\"AppPluginList" = "17,14,13,20,15"
  • HKEY_CURRENT_USER\Software\[NAME OF SECURITY RISK]\Plugins\"BgPluginList" = "17,14,20"
  • HKEY_CURRENT_USER\Software\[NAME OF SECURITY RISK]\Plugins\"NewTabPluginList" = "17,14,13,20"
  • HKEY_CURRENT_USER\Software\[NAME OF SECURITY RISK]\Plugins\13\"Name" = "CrossriderAppUtils"
  • HKEY_CURRENT_USER\Software\[NAME OF SECURITY RISK]\Plugins\14\"Name" = "CrossriderUtils"
  • HKEY_CURRENT_USER\Software\[NAME OF SECURITY RISK]\Plugins\15\"Name" = "FacebookFFIE"
  • HKEY_CURRENT_USER\Software\[NAME OF SECURITY RISK]\Plugins\20\"Name" = "IEAppAPIWrapper"
  • HKEY_CURRENT_USER\Software\[NAME OF SECURITY RISK]\Installer\"FullVersion" = "1_18_149_149"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\[NAME OF SECURITY RISK]\"DisplayVersion" = "1.18.149.149"
  • HKEY_CURRENT_USER\Software\[NAME OF SECURITY RISK]\Installer\"Time" = "1337785237"

The security risk may display advertisements on certain social networking sites.

It may also replace advertisements in Web browsers with its own, and it may collect information about the user, such as IP address, operating system, and Web browser information.

It may connect to the following locations:
  • app-static.crossrider.com
  • crt.usertrust.com
  • stats.crossrider.com
  • crossrider.cotssl.net
  • cotssl.crossrider.com
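Because the [NAME OF SECURITY RISK] placeholder above stands for a bundle name that changes per distribution (folder, executables and the HKEY_CURRENT_USER\Software key all carry it), the indicators that survive renaming are the three CLSIDs, the Chrome extension ID mpfapcdfbbledbojijcbcclmlieaoogk, the Cr_Installer\2258 and InstalledBrowserExtensions\215 Apps keys, the CrAppId and CrPublisherId values, the Crossrider plugin names, and the crossrider.com and antthis.com URLs. The Python below is an added example, not Symantec's code or part of this write-up: it parses a .reg export (as produced by the reg export command) and a list of contacted hostnames, and reports which of the indicators listed above are present. The sample export and hostnames at the bottom of the block are constructed for the demonstration, with ExampleBar standing in for the bundle name. Treating crt.usertrust.com as low-confidence is this example's judgement, not the page's: that host is the USERTrust certificate authority's certificate server and is contacted by benign software as well, so on its own it should not drive a verdict.

```python
"""Match the Adware.Crossid indicators above against a .reg export and a host list.
Added example, not Symantec's code. Indicator values are the write-up's; the sample
export and hostnames at the bottom are constructed, "ExampleBar" = [NAME OF SECURITY RISK]."""
import re

# Key fragments without the variable bundle name; all matching is done lower-cased.
REG_KEY_IOCS = {
    "BHO/COM CLSID ...110011221158": "{11111111-1111-1111-1111-110011221158}",
    "COM CLSID ...220022222258": "{22222222-2222-2222-2222-220022222258}",
    "COM CLSID ...330033223358": "{33333333-3333-3333-3333-330033223358}",
    "Chrome external extension": "google\\chrome\\extensions\\mpfapcdfbbledbojijcbcclmlieaoogk",
    "Cr_Installer app 2258": "software\\cr_installer\\2258",
    "InstalledBrowserExtensions publisher": "installedbrowserextensions\\215 apps",
}
REG_VALUE_IOCS = {  # (value name, data) pairs from the write-up
    ("crappid", "2258"): "CrAppId 2258",
    ("crpublisherid", "390"): "CrPublisherId 390",
    ("publishername", "215 apps"): "PublisherName 215 Apps",
}
REG_DATA_IOCS = ("crossrider", "antthis.com")  # plugin names and URL hosts in REG_SZ data
# Contact hosts from the write-up. crt.usertrust.com is the USERTrust CA's
# certificate host, fetched by benign TLS clients too: corroborating only.
NETWORK_IOCS = {
    "app-static.crossrider.com": "high", "stats.crossrider.com": "high",
    "crossrider.cotssl.net": "high", "cotssl.crossrider.com": "high",
    "crt.usertrust.com": "low",
}
_KEY_RE = re.compile(r"^\[-?(.+)\]$")
_VAL_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')

def _unescape(s):
    return s.replace('\\"', '"').replace("\\\\", "\\")

def _decode(data):
    """Decode REG_SZ and REG_DWORD data; leave hex: and other types raw."""
    if len(data) >= 2 and data[0] == data[-1] == '"':
        return _unescape(data[1:-1])
    return str(int(data[6:], 16)) if data.lower().startswith("dword:") else data

def parse_reg(text):
    """Return (key, name, data) tuples; each key is also emitted once with name=None."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] == ";" or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            entries.append((key, None, None))  # key-only indicators still match
            continue
        m = _VAL_RE.match(line)
        if m and key is not None:
            name = "(Default)" if m.group(1) is None else _unescape(m.group(1))
            entries.append((key, name, _decode(m.group(2))))
    return entries

def match_registry(entries):
    """Return sorted, de-duplicated (indicator label, location) hits."""
    hits = set()
    for key, name, data in entries:
        k = key.lower()
        hits.update((label, key) for label, frag in REG_KEY_IOCS.items() if frag in k)
        if name is None:
            continue
        d, where = str(data).lower(), key + "\\" + name
        if (name.lower(), d) in REG_VALUE_IOCS:
            hits.add((REG_VALUE_IOCS[(name.lower(), d)], where))
        hits.update(("data contains '%s'" % f, where) for f in REG_DATA_IOCS if f in d)
    return sorted(hits)

def match_hosts(hostnames):
    """Return {host: confidence} for hosts in the write-up's contact list."""
    norm = (h.lower().rstrip(".") for h in hostnames)
    return {h: NETWORK_IOCS[h] for h in norm if h in NETWORK_IOCS}

def assess(reg_hits, host_hits):
    """Verdict: any registry artefact, or any high-confidence contact host."""
    return bool(reg_hits) or "high" in host_hits.values()

SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110011221158}]
"NoExplorer"=dword:00000001
[HKEY_CLASSES_ROOT\CLSID\{11111111-1111-1111-1111-110011221158}\InprocServer32]
@="C:\\Program Files\\ExampleBar\\ExampleBar.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\mpfapcdfbbledbojijcbcclmlieaoogk]
"path"="C:\\Users\\alice\\AppData\\Roaming\\ExampleBar\\Chrome\\ExampleBar.crx"
[HKEY_CURRENT_USER\Software\ExampleBar\Manifest]
"PublisherName"="215 Apps"
"ThanksUrl"="http://iw.antthis.com/"
[HKEY_CURRENT_USER\Software\ExampleBar\Plugins\14]
"Name"="CrossriderUtils"
'''  # constructed sample export; a real one comes from `reg export`
SAMPLE_HOSTS = ["stats.crossrider.com", "crt.usertrust.com", "www.example.com"]  # constructed

if __name__ == "__main__":
    reg_hits, host_hits = match_registry(parse_reg(SAMPLE_REG)), match_hosts(SAMPLE_HOSTS)
    for hit in reg_hits + sorted(host_hits.items()):
        print("%-38s %s" % hit)
    print("verdict:", "Adware.Crossid artefacts present" if assess(reg_hits, host_hits) else "clean")
```

Run the file directly to see the hits from the constructed sample. To hunt on a real host, export HKLM\SOFTWARE, HKCR\CLSID and the user's HKCU\Software with reg export and pass the text to parse_reg, and feed the hostnames from DNS or proxy logs to match_hosts; on 64-bit Windows the Wow6432Node copy of the Chrome Extensions key listed above is covered by the same fragment match.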