
HTTP Cashfiesta Activity

Severity: Medium

This attack could pose a moderate security threat. It does not require immediate action.

Description

This signature detects Adware.Cashfiesta communicating and requesting information from its controlling server.

Additional Information

Adware.CashFiesta is an adware program that displays advertisements, Web offers, and popup boxes in Internet Explorer.

When the adware is executed, it creates the following files:

* %UserProfile%\Desktop\Cashfiesta.lnk
* Cashfiesta.exe
* CashBar.dll
* ProcMon.dll
* skin.cfx


It then creates the following registry subkey:
HKEY_USERS\Software\CashFiesta

The adware can download an installer, which can update and access the following files without the consent of the user:

* Cashfiesta.exe
* CashBar.dll
* ProcMon.dll
* skin.cfx


The above files are located in a folder that is chosen by the user during installation.
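Because the installation folder is chosen by the user, these files cannot be located by a fixed path. The following triage sketch is an added example, not Symantec code: it flags folders in which the listed file names occur together and looks for the desktop shortcut. The function names, the three-file threshold and the sample tree are assumptions made for the example.

```python
import os
import sys
import tempfile

# File names the page lists for the adware's installation folder.
LISTED_FILES = {"cashfiesta.exe", "cashbar.dll", "procmon.dll", "skin.cfx"}
SHORTCUT = "cashfiesta.lnk"  # page: %UserProfile%\Desktop\Cashfiesta.lnk


def scan(root, min_matches=3):
    """Walk root and return (install_folders, shortcuts).

    install_folders: [(folder, matched names)] where at least min_matches of
    the listed files sit together. The threshold is an assumption of this
    example: a name such as ProcMon.dll is too generic to flag on its own.
    shortcuts: paths of Cashfiesta.lnk found directly in a Desktop folder.
    """
    install_folders, shortcuts = [], []
    for folder, _dirs, files in os.walk(root):
        lowered = {name.lower(): name for name in files}  # case-insensitive
        matched = sorted(LISTED_FILES & lowered.keys())
        if len(matched) >= min_matches:
            install_folders.append((folder, matched))
        if os.path.basename(folder).lower() == "desktop" and SHORTCUT in lowered:
            shortcuts.append(os.path.join(folder, lowered[SHORTCUT]))
    return install_folders, shortcuts


def build_sample_tree(base):
    """Constructed sample data: one full install, one benign look-alike."""
    layout = {
        os.path.join("Games", "cf"):
            ["Cashfiesta.exe", "CASHBAR.DLL", "ProcMon.dll", "skin.cfx"],
        os.path.join("Tools", "monitor"): ["ProcMon.dll", "readme.txt"],
        os.path.join("Users", "alice", "Desktop"): ["Cashfiesta.lnk"],
    }
    for rel, names in layout.items():
        os.makedirs(os.path.join(base, rel))
        for name in names:
            open(os.path.join(base, rel, name), "w").close()


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else tempfile.mkdtemp()
    if len(sys.argv) <= 1:
        build_sample_tree(root)  # no path given: scan the constructed sample
    folders, links = scan(root)
    for folder, names in folders:
        print("possible install folder:", folder, names)
    for link in links:
        print("desktop shortcut:", link)
```

A hit is a lead for the full system scan described under Response, not a verdict, since the match is on file names only.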

When the adware is running, it displays a user interface that offers users cash rewards for visiting Web sites. This text may be displayed in Chinese.

The user can select from various pay-per-surf Web sites and sign up to certain offers.

The adware may display advertisements from various Web sites, including the following:

* sharebank.com
* lmok123.com

When the adware is running, it can cause a decrease in system performance.

Affected

  • Windows 2000
  • Windows 95
  • Windows 98
  • Windows Me
  • Windows NT
  • Windows XP

Response

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Run a full system scan.
4. Delete any values added to the registry.
