
System Infected: Adware.DealPly Activity

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects Adware.GoonSquad activity on the compromised computer.

Additional Information

This adware program must be downloaded manually from a website as part of ad-supported software packages.

When the program is executed, it creates one of the following files:

C:\Documents and Settings\All Users\Application Data\bProtector\protector.dll
%System%\protector.dll


Next, the program creates one of the following registry entries so that it executes whenever Windows starts:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\"AppInit_DLLs" = "%System%\protector.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\"AppInit_DLLs" = "C:\Documents and Settings\All Users\Application Data\bProtector\protector.dll"


It also creates the following registry subkey:

HKEY_CURRENT_USER\Software\bProtector

It may inject the file protector.dll into several processes.

It then contacts the following URL:

[http://]guardstats.smartiengine.com/service/kupdat[REMOVED]

It may also modify browser search settings.
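
A local check for the file and registry artifacts listed above, as an added example (not Symantec's code). It assumes `%System%` denotes the Windows system folder and matches `AppInit_DLLs` on the file name `protector.dll`; the `HKEY_CURRENT_USER` check covers only the account running the script.

```powershell
# Added example; indicator values are copied from the advisory text above.
# Assumption: %System% denotes the Windows system folder.
$systemDir = [Environment]::SystemDirectory
$findings  = @()

# 1. Files the program creates
$files = @(
    'C:\Documents and Settings\All Users\Application Data\bProtector\protector.dll',
    (Join-Path $systemDir 'protector.dll')
)
foreach ($file in $files) {
    if (Test-Path -LiteralPath $file -PathType Leaf) {
        $findings += [pscustomobject]@{ Indicator = 'File'; Detail = $file }
    }
}

# 2. AppInit_DLLs entry used to load the DLL at startup.
# The value can hold several DLLs separated by spaces or commas, and one of the
# listed paths contains spaces, so match on the file name instead of splitting.
$winKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$appInit = (Get-ItemProperty -LiteralPath $winKey -Name 'AppInit_DLLs' -ErrorAction SilentlyContinue).AppInit_DLLs
if ($appInit -match '(^|[\\\s,"])protector\.dll') {
    $findings += [pscustomobject]@{ Indicator = 'AppInit_DLLs'; Detail = $appInit }
}

# 3. Registry subkey (current user's hive only)
if (Test-Path -LiteralPath 'HKCU:\Software\bProtector') {
    $findings += [pscustomobject]@{ Indicator = 'Registry subkey'; Detail = 'HKCU:\Software\bProtector' }
}

if ($findings.Count -eq 0) {
    Write-Output 'No listed file or registry artifacts found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```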

Affected

  • Windows 98, Windows 95, Windows XP, Windows Server 2008, Windows 7, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000