HTTP AdsAlert Activity

Severity: Medium

This attack could pose a moderate security threat. It does not require immediate action.

Description

This signature detects activity of the misleading application AdsAlert communicating with its host server.

Additional Information

When AdsAlert is executed, it performs the following actions:

1. Creates the following files:

%ProgramFiles%\PcPrivacySoftware.com\AdsAlert\adsalert.chm
%ProgramFiles%\PcPrivacySoftware.com\AdsAlert\adsalert.exe
%ProgramFiles%\PcPrivacySoftware.com\AdsAlert\Include\Activity.log
%ProgramFiles%\PcPrivacySoftware.com\AdsAlert\Include\block.adf
%ProgramFiles%\PcPrivacySoftware.com\AdsAlert\Include\cookies.adf
%ProgramFiles%\PcPrivacySoftware.com\AdsAlert\Include\datafile.adf
%ProgramFiles%\PcPrivacySoftware.com\AdsAlert\Include\deep.adf
%ProgramFiles%\PcPrivacySoftware.com\AdsAlert\Include\deleting.nfo
%ProgramFiles%\PcPrivacySoftware.com\AdsAlert\Include\desc.nfo
%ProgramFiles%\PcPrivacySoftware.com\AdsAlert\Include\folder.nfo
%ProgramFiles%\PcPrivacySoftware.com\AdsAlert\Include\internet.adf
%ProgramFiles%\PcPrivacySoftware.com\AdsAlert\license.txt
%ProgramFiles%\PcPrivacySoftware.com\AdsAlert\readme.txt
%ProgramFiles%\PcPrivacySoftware.com\AdsAlert\unins000.dat
%ProgramFiles%\PcPrivacySoftware.com\AdsAlert\unins000.exe
%UserProfile%\Desktop\AdsAlert.lnk
%UserProfile%\Local Settings\Application Data\Microsoft\Internet Explorer\Quick Launch\AdsAlert.lnk
%UserProfile%\Start Menu\AdsAlert.lnk
%UserProfile%\Start Menu\Programs\PcPrivacySoftware.com\AdsAlert\AdsAlert.lnk
%UserProfile%\Start Menu\Programs\PcPrivacySoftware.com\AdsAlert\Help - AdsAlert.lnk
%UserProfile%\Start Menu\Programs\PcPrivacySoftware.com\AdsAlert\Order AdsAlert.lnk
%UserProfile%\Start Menu\Programs\PcPrivacySoftware.com\AdsAlert\ReadMe - AdsAlert.lnk
%UserProfile%\Start Menu\Programs\PcPrivacySoftware.com\AdsAlert\uninstall.lnk

Note:

%UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).
%ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.

2. Adds the value:

"AdsAlert" = "%ProgramFiles%\PcPrivacySoftware\AdsAlert\AdsAlert.exe"

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that it is executed every time Windows starts.

3. Creates the following registry subkeys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PcPrivacySoftware.com - AdsAlert_is1
HKEY_ALL_USERS\Software\PCPrivacySoftware\AdsAlert
HKEY_ALL_USERS\Software\PCPrivacySoftware\AdsAlert\Settings
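
The artifacts listed in steps 1 to 3 can be checked on a host with a read-only script. The following PowerShell is an added example, not part of the original write-up; the function name Find-AdsAlertArtifact is hypothetical, and reading HKEY_ALL_USERS as the current user's hive (HKCU) is an assumption.

```powershell
# Added example: read-only check for the AdsAlert artifacts listed above.
function Find-AdsAlertArtifact {   # hypothetical name
    $findings = @()

    # Step 2: Run value "AdsAlert". Match on the executable name only, because
    # the page writes the vendor folder both with and without ".com".
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -Name 'AdsAlert' -ErrorAction SilentlyContinue
    if ($run -and $run.AdsAlert -match 'AdsAlert\.exe') {
        $findings += "Run value: $runKey\AdsAlert = $($run.AdsAlert)"
    }

    # Step 3: registry subkeys. HKCU stands in for the page's HKEY_ALL_USERS
    # (assumption: that notation means each user's own hive).
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PcPrivacySoftware.com - AdsAlert_is1',
        'HKCU:\Software\PCPrivacySoftware\AdsAlert'
    )
    foreach ($key in $keys) {
        if (Test-Path -LiteralPath $key) { $findings += "Registry key: $key" }
    }

    # Step 1: install folder and the desktop shortcut.
    $installDir = Join-Path $env:ProgramFiles 'PcPrivacySoftware.com\AdsAlert'
    if (Test-Path -LiteralPath $installDir) {
        $count = @(Get-ChildItem -LiteralPath $installDir -Recurse -ErrorAction SilentlyContinue).Count
        $findings += "Install folder: $installDir ($count items)"
    }
    $shortcut = Join-Path $env:USERPROFILE 'Desktop\AdsAlert.lnk'
    if (Test-Path -LiteralPath $shortcut) { $findings += "Shortcut: $shortcut" }

    return $findings
}

$result = @(Find-AdsAlertArtifact)
if ($result.Count -eq 0) { 'No AdsAlert artifacts found.' } else { $result }
```

The shortcut and HKCU checks only cover the account running the script, so run it once per user profile on a shared machine.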

Affected

  • Windows 2000
  • Windows NT
  • Windows XP
