
HTTP Aurora Activity

Severity: Medium

This attack could pose a moderate security threat. It does not require immediate action.


This signature detects Adware.Aurora communicating with, and requesting information from, its controlling server.

Additional Information

When Adware.Aurora is executed, it performs the following actions:

1. Attempts to contact [http://]www.abetterinternet.com/[REMOVED] and download a number of component files.

2. Creates the following files on the compromised computer:

* %Windir%\Nail.exe
* %Windir%\svcproc.exe
* %Windir%\[RANDOM NAME].exe
* %System%\DrPMon.dll
* %System%\[RANDOM NAME].exe
* %Windir%\IDDJHJM.ini
* %Windir%\abiuninst.htm
* %Windir%\CCEJHONM.ini

* %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
* %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
* [RANDOM NAME] refers to a random sequence of letters used by the security risk in creating the filename.

3. Creates the following registry subkeys.


4. Adds the value:

"[RANDOM NAME]" = "%System%\[RANDOM NAME].exe r"

to the registry subkey:


so that it runs every time Windows starts.

5. Modifies the value:

"Shell" = "Explorer.exe"

to:

"Shell" = "Explorer.exe %Windir%\Nail.exe"

in the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

so that it runs every time Windows starts.
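The two registry changes above (the Winlogon "Shell" hijack and the Run value launching a random-named executable from %System% with the argument "r") can be checked for in a `reg export` of the relevant keys. The following is an added example, not Symantec's code; the .reg text it parses is constructed, and the random executable name in it is a placeholder.

```python
import re

# Constructed sample of a "reg export" of the Winlogon and Run keys.
# The Nail.exe Shell change mirrors the advisory; "qzxwkv" is a placeholder name.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\WINDOWS\\Nail.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"qzxwkv"="C:\\WINDOWS\\system32\\qzxwkv.exe r"
"""

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
# Run-value pattern from the advisory: an .exe in the System folder started with
# the single argument "r". The .reg format doubles backslashes, hence \\\\.
AURORA_RUN_RE = re.compile(r'(?i)\\\\system(?:32)?\\\\[a-z]+\.exe r$')

def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for string values in a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys

def find_aurora_persistence(text):
    """List findings matching the registry changes described for Adware.Aurora."""
    findings = []
    keys = parse_reg_export(text)
    shell = keys.get(WINLOGON_KEY, {}).get("Shell")
    # A clean Shell value is exactly "Explorer.exe"; any appended token means
    # Winlogon has been hijacked (here %Windir%\Nail.exe is appended).
    if shell is not None and shell.strip().lower() != "explorer.exe":
        findings.append(("winlogon_shell", shell))
    for key, values in keys.items():
        if key.lower().endswith(r"\currentversion\run"):
            for name, data in values.items():
                if AURORA_RUN_RE.search(data):
                    findings.append(("run_value", f"{name}={data}"))
    return findings
```

Running it on a live system means exporting the two keys with `reg export` first and passing the file contents to `find_aurora_persistence`.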


  • Windows 2000
  • Windows NT
  • Windows Server 2003
  • Windows XP


The following instructions pertain to all Symantec antivirus products that support security risk detection.

1. Uninstall the security risk.
2. Update the definitions.
3. Run the scan.
4. Restart the computer in Safe mode with Command Prompt (Windows 2000/XP).
5. Delete any remaining files manually.
6. Reverse the changes made to the registry.
