
System Infected: Adware.DesktopMedia Activity

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects Adware.DesktopMedia communicating and requesting information from its controlling server.

Additional Information

When Adware.DesktopMedia is installed, it performs the following actions:

Creates the following files:

%UserProfile%\Application Data\Share Helper\Cast\GGS\hmd.idx
%UserProfile%\Application Data\Share Helper\Cast\bfrw_2150.inf
%UserProfile%\Application Data\Share Helper\Cast\bfyswj.inf
%UserProfile%\Application Data\Share Helper\Cast\dxgdgjc.inf
%UserProfile%\Application Data\Share Helper\Cast\yxssj_2150.inf
%UserProfile%\Application Data\Desktop Media\Cast\dmclient\GG5\hmd.idx
%UserProfile%\Application Data\Desktop Media\Cast\dmclient\bfrw_2111.inf
%UserProfile%\Application Data\Desktop Media\Cast\dmclient\bfyswj.inf
%UserProfile%\Application Data\Desktop Media\Cast\dmclient\dxgdgjc.inf
%UserProfile%\Application Data\Desktop Media\Cast\dmclient\yxssj_2111.inf
%ProgramFiles%\IE-BAR\Cast\2.1.0.0\dmbar.dll
%ProgramFiles%\IE-BAR\Cast\2.1.5.0\dmplayer.dll
%ProgramFiles%\IE-BAR\Cast\dmsched.exe
%ProgramFiles%\IE-BAR\Cast\Uninstall.exe
%ProgramFiles%\IE-BAR\Cast\dmbar.dll
%ProgramFiles%\IE-BAR\Cast\dmipn.dll
%ProgramFiles%\IE-BAR\Cast\dmshell.dll
%ProgramFiles%\IE-BAR\Cast\license.txt
%ProgramFiles%\Desktop Media\Cast\dmsched.exe
%ProgramFiles%\Desktop Media\Cast\Uninstall.exe
%ProgramFiles%\Desktop Media\Cast\dmbar.dll
%ProgramFiles%\Desktop Media\Cast\dmdaemon.dll
%ProgramFiles%\Desktop Media\Cast\dmipn.dll
%ProgramFiles%\Desktop Media\Cast\license.txt
%Windir%\Start Menu\Programs\Startup\IE-BAR.lnk
%Windir%\Start Menu\Programs\Startup\桌面传媒.lnk

Notes:
%ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\Winnt (Windows NT/2000).
%UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).


Creates the following registry subkeys:

HKEY_CLASSES_ROOT\CLSID\{16358834-52FC-4981-9A79-BFECE7C08CD3}
HKEY_CLASSES_ROOT\CLSID\{1FCA37BA-7259-4BF1-878B-A39FA83BFBBB}
HKEY_CLASSES_ROOT\CLSID\{53965717-3D50-4ef9-9105-99F22DDA3B82}
HKEY_CLASSES_ROOT\Dmbar.dmbar.1
HKEY_CLASSES_ROOT\Dmbar.dmbar
HKEY_CLASSES_ROOT\Installer\Features\974A14EF650E5A0489C21D945B6D17D2
HKEY_CLASSES_ROOT\Installer\UpgradeCodes\A039C09F9001BF34CB53ED91FD9AB216
HKEY_CLASSES_ROOT\Interface\{8C9377D3-D823-46A6-A8AC-B3913F9B6CA2}
HKEY_CLASSES_ROOT\TypeLib\{25649A6A-637D-4416-9D03-98146330492A}
HKEY_CLASSES_ROOT\CLSID\{6A2FF9B4-C31C-4BE8-86D4-4443B7411FE5}
HKEY_ALL_USERS\Software\Microsoft\Internet Explorer\Explorer Bars\{1FCA37BA-7259-4BF1-878B-A39FA83BFBBB}
HKEY_ALL_USERS\Software\Desktop Media
HKEY_LOCAL_MACHINE\SOFTWARE\Desktop Media
HKEY_LOCAL_MACHINE\SOFTWARE\sharehelper
HKEY_ALL_USERS\Software\sharehelper
HKEY_LOCAL_MACHINE\SOFTWARE\dmshareware
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\974A14EF650E5A0489C21D945B6D17D2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\974A14EF650E5A0489C21D945B6D17D2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\71C455D361DEA8443BECF6CB15FF7B50
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\2E217ECAF65686D48B415D248C656BEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\981BF04810E13E242B7489698554198A
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6E57B995DBC361644A707DFD9CCA5F02
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\9D7309678137CB444BFEE3AFCB6DFD5F
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A6B6B7ABCFDDAC74E98B0394AD8585BE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\DEF45035AA8DDEB4A920169ADE823D9C
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A21CA71F768E1F84089EF9B843801293
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{FE41A479-E056-40A5-982C-D149B5D6712D}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3D554C17-ED16-448A-B3CE-6FBC51FFB705}
HKEY_CLASSES_ROOT\Dmbar.dmbar.1
HKEY_CLASSES_ROOT\Dmbar.dmbar
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{1FCA37BA-7259-4BF1-878B-A39FA83BFBBB}
HKEY_ALL_USERS\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{1FCA37BA-7259-4BF1-878B-A39FA83BFBBB}
HKEY_CLASSES_ROOT\TypeLib\{25649A6A-637D-4416-9D03-98146330492A}
HKEY_CLASSES_ROOT\Interface\{8C9377D3-D823-46A6-A8AC-B3913F9B6CA2}
HKEY_CLASSES_ROOT\CLSID\{C6EFBEA1-6D51-4d01-A274-211831E624DD}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\A039C09F9001BF34CB53ED91FD9AB216
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A039C09F9001BF34CB53ED91FD9AB216
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5DB62E375A896F6408081040C15B769B
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\5DB62E375A896F6408081040C15B769B
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Features\974A14EF650E5A0489C21D945B6D17D2
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Features\71C455D361DEA8443BECF6CB15FF7B50
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\974A14EF650E5A0489C21D945B6D17D2
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\71C455D361DEA8443BECF6CB15FF7B50
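As an added triage example (not part of the Symantec write-up), the following Python script expands the %ProgramFiles%, %Windir% and %UserProfile% placeholders used above and reports which of the listed file and registry artifacts are present on a host. The SAMPLE_ENV mapping and the injectable `exists` hook are constructed so the logic can be exercised offline; on a live Windows host the script reads os.environ and the registry.

```python
import os
import re
# File artifacts copied from the write-up above (Symantec's %Var% placeholders kept).
FILE_INDICATORS = [
    r"%ProgramFiles%\IE-BAR\Cast\dmsched.exe",
    r"%ProgramFiles%\IE-BAR\Cast\dmbar.dll",
    r"%ProgramFiles%\Desktop Media\Cast\dmsched.exe",
    r"%ProgramFiles%\Desktop Media\Cast\dmdaemon.dll",
    r"%UserProfile%\Application Data\Share Helper\Cast\GGS\hmd.idx",
    r"%UserProfile%\Application Data\Desktop Media\Cast\dmclient\GG5\hmd.idx",
    r"%Windir%\Start Menu\Programs\Startup\IE-BAR.lnk",
]
# HKEY_LOCAL_MACHINE subkeys from the write-up (the readable ones, not the installer GUIDs).
REGISTRY_INDICATORS = [r"SOFTWARE\Desktop Media", r"SOFTWARE\sharehelper", r"SOFTWARE\dmshareware"]
# Constructed mapping mirroring the Notes section; a real run passes dict(os.environ) instead.
SAMPLE_ENV = {
    "ProgramFiles": r"C:\Program Files",
    "Windir": r"C:\Windows",
    "UserProfile": r"C:\Documents and Settings\Alice",
}
_VAR = re.compile(r"%([^%]+)%")

def expand_indicator(indicator, env):
    """Expand %Var% case-insensitively (os.environ spells them 'windir', 'USERPROFILE'); unknown vars stay."""
    lookup = {k.lower(): v for k, v in env.items()}
    return _VAR.sub(lambda m: lookup.get(m.group(1).lower(), m.group(0)), indicator)

def scan_files(indicators, env, exists=os.path.exists):
    """Return the expanded paths that exist on disk; `exists` is injectable for offline tests."""
    return [p for p in (expand_indicator(i, env) for i in indicators) if exists(p)]

def scan_registry(subkeys):
    """Try to open each HKLM subkey read-only; returns [] where winreg is unavailable (non-Windows)."""
    try:
        import winreg
    except ImportError:
        return []
    hits = []
    for sub in subkeys:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, sub):
                hits.append(r"HKEY_LOCAL_MACHINE\%s" % sub)
        except OSError:  # key absent or access denied
            pass
    return hits

if __name__ == "__main__":
    for hit in scan_files(FILE_INDICATORS, dict(os.environ)) + scan_registry(REGISTRY_INDICATORS):
        print("Adware.DesktopMedia artifact present:", hit)
```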


Installs a download manager toolbar for Internet Explorer.


Displays advertisements on the computer from the following Chinese Web site:

[http://]211.100.33.157

Affected

  • Windows 2000
  • Windows 95
  • Windows 98
  • Windows Me
  • Windows NT
  • Windows Server 2003
  • Windows XP

Response

The following instructions pertain to all Symantec antivirus products that support security risk detection.

Update the definitions.
Run a full system scan.
Delete any values added to the registry.
