
System Infected: Adware.Nafaoz Activity

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects Adware.Nafaoz communicating with, and requesting information from, its controlling server.

Additional Information

When Adware.Nafaoz is executed, it performs the following actions:

1. Creates the following files:

* %System%\winlog0n.exe
* %System%\drivers\audiox

Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

2. Adds the value:

"Windows Update Manager" = "%System%\Winlog0n.exe"

to the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that the adware runs every time Windows starts.

3. Adds the value:

" " = "{00020424-0000-0000-C000-000000000046}"

to the registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{03022430-ABC4-11D0-BDE2-00AA1A1953}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{03022430-ABC4-11D0-BDE2-00AA1A1953}\ProxyStubClsid32

4. Adds the values:

" " = "{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}"
"Version" = "1.1"

to the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{03022430-ABC4-11D0-BDE2-00AA1A1953}\TypeLib

5. Adds the value:

" " = "oleacc.dll"

to the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\0\win32

6. Adds the value:

" " = "4"

to the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\FLAGS

7. Adds the value:

" " = "C:\winnt\system32"

to the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\HELPDIR

8. Injects itself into the explorer.exe and taskmgr.exe processes so that the winlog0n.exe process is restarted immediately if it is killed.

9. Monitors window titles and text content for certain Chinese phrases. When a matching string is found, it opens a Web page in a new browser window.

Affected

  • Windows 2000
  • Windows 95
  • Windows 98
  • Windows Me
  • Windows NT
  • Windows Server 2003
  • Windows XP

Response

The following instructions pertain to all Symantec antivirus products that support Security Risk detection.

1. Update the definitions.
2. Restart the computer in Safe mode.
3. Run a full system scan.
4. Delete the value that was added to the registry.
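The following read-only triage script is an added example, not part of the Symantec advisory, for checking a host against the indicators listed above before and after cleanup. It assumes an elevated PowerShell session and uses the file paths, Run value name and registry keys exactly as printed in the advisory (the GUIDs are copied verbatim from the page).

```powershell
# Added triage script; it only reads, it deletes nothing.
# Indicators are taken from the advisory text above; %System% resolves to the host's System directory.
$system = [Environment]::SystemDirectory

$files = @(
    (Join-Path $system 'winlog0n.exe'),
    (Join-Path $system 'drivers\audiox')
)

# Step 2: persistence via the Run key.
$runKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runName = 'Windows Update Manager'

# Steps 3-7: Interface and TypeLib keys, GUIDs copied as printed in the advisory.
$iface   = 'HKLM:\SOFTWARE\Classes\Interface\{03022430-ABC4-11D0-BDE2-00AA1A1953}'
$typelib = 'HKLM:\SOFTWARE\Classes\TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1'
$keys = @("$iface\ProxyStubClsid", "$iface\ProxyStubClsid32", "$iface\TypeLib",
          "$typelib\0\win32", "$typelib\FLAGS", "$typelib\HELPDIR")

$findings = @()

foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings += "file present: $f" }
}

# Report the Run value and what it points at, so a renamed dropper is still visible.
$run = Get-ItemProperty -Path $runKey -Name $runName -ErrorAction SilentlyContinue
if ($run) {
    $findings += "Run value '$runName' -> $($run.$runName)"
}

# Report each listed key that exists, with its (Default) value for comparison against the advisory.
foreach ($k in $keys) {
    if (Test-Path -LiteralPath $k) {
        $default = (Get-ItemProperty -LiteralPath $k -ErrorAction SilentlyContinue).'(default)'
        $findings += "registry key present: $k (default = '$default')"
    }
}

# Step 8: the dropped process itself; explorer.exe/taskmgr.exe will respawn it until they are cleaned.
foreach ($p in (Get-Process -Name 'winlog0n' -ErrorAction SilentlyContinue)) {
    $findings += "process running: $($p.ProcessName) (PID $($p.Id))"
}

if ($findings.Count -eq 0) {
    'No Adware.Nafaoz indicators from the advisory were found.'
} else {
    'Possible Adware.Nafaoz indicators:'
    $findings | ForEach-Object { "  $_" }
}
```

The TypeLib entries register oleacc.dll, a legitimate Windows component, so their presence alone is weak evidence; the winlog0n.exe file and the Run value are the decisive indicators.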