
Adware.IEPlugin

Updated:
February 13, 2007 11:37:42 AM
Type:
Adware
Version:
1.0
Publisher:
Not available
Risk Impact:
High
File Names:
Wupdt.exe, pxckdla.exe, wdskctl.exe, systb.dll, systb.exe, snbho.exe, winserv.exe, extract.exe, rgrt.exe, pa
Systems Affected:
Windows

Adware.IEPlugin may also download the following risks:
When Adware.IEPlugin is executed, it performs the following actions:
  1. Installs several files, including the following:

    • %Windir%\pxckdla.exe
    • %Windir%\pxckdlauninstall.exe
    • %Windir%\Wupdt.exe
    • %Windir%\wdskctl.exe
    • %Windir%\systb.dll
    • %Windir%\systb.exe
    • %Windir%\snbho.exe
    • %Windir%\winserv.exe
    • %Windir%\extract.exe
    • %Windir%\rgrt.exe
    • %Windir%\dsr.exe
    • %Windir%\dsr.dll
    • %Windir%\pxckdlauninstall.exe
    • %Windir%\package_IEPLUGIN4.exe
    • %Windir%\dinst.exe
    • %UserProfile%\Desktop Toolbar

    Note:
    • %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
    • %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).

  2. Starts a running process (usually Wupdt) that can make calls to various servers to update its code.

  3. May add some of the following registry subkeys:

    HKEY_CLASSES_ROOT\CLSID\{01F44A8A-8C97-4325-A378-76E68DC4AB2E}
    HKEY_CLASSES_ROOT\CLSID\{1C896551-8B92-4907-8C06-15DB2D1F874A}
    HKEY_CLASSES_ROOT\CLSID\{D36F70B1-7DF5-4FD4-A765-70CCC8F72CD7}
    HKEY_CLASSES_ROOT\CLSID\{E2BF1BF3-1FDB-4C93-8874-0B09E71C594C}
    HKEY_CLASSES_ROOT\CLSID\{F3155057-4C2C-4078-8576-50486693FD49}
    HKEY_CLASSES_ROOT\CLSID\{69135BDE-5FDC-4B61-98AA-82AD2091BCCC}
    HKEY_CLASSES_ROOT\CLSID\{00F1D395-4744-40F0-A611-980F61AE2C59}
    HKEY_CLASSES_ROOT\CLSID\{8B51FC2F-C687-40A3-B54A-BB9EBF8D407F}
    HKEY_CLASSES_ROOT\CLSID\{CE27D4DF-714B-4427-95EB-923FE53ADF8E}
    HKEY_CLASSES_ROOT\CLSID\{E2D2FE40-5674-4B77-802B-EC86B6C2C41D}
    HKEY_CLASSES_ROOT\CLSID\{E311D3A5-4A3B-4E49-9E0A-B40FAE1F0B28}
    HKEY_CLASSES_ROOT\Interface\{F9B9C9A3-9D2D-423D-ABA5-80D83A915023}
    HKEY_CLASSES_ROOT\Interface\{220959EA-B54C-4201-8DF2-1CFAC8B59FD7}
    HKEY_CLASSES_ROOT\Interface\{3E589169-86AD-44FE-B426-F0BF105D5582}
    HKEY_CLASSES_ROOT\Interface\{6A288140-3E1C-4CD9-AAC5-E20FDD4F5D64}
    HKEY_CLASSES_ROOT\Interface\{7371AD3F-C419-4DC0-8E8A-E21FAFAD53E0}
    HKEY_CLASSES_ROOT\Interface\{98B2DDBA-6DA2-4421-AF2B-814E98F53649}
    HKEY_CLASSES_ROOT\Interface\{E4458B4A-6149-4450-84F2-864ADB7E8C52}
    HKEY_CLASSES_ROOT\Interface\{0667935E-6350-4BF3-9F97-952363D87C1F}
    HKEY_CLASSES_ROOT\Interface\{0F72A081-4DCA-4288-970E-2F7DBBF8B54C}
    HKEY_CLASSES_ROOT\Interface\{7092C637-9298-4ACD-8E4D-E7C8157ABDCC}
    HKEY_CLASSES_ROOT\Interface\{C43CB2BC-DE30-4FDA-B982-9312ED9940F6}
    HKEY_CLASSES_ROOT\Interface\{D2378491-228B-4398-A041-8967952E79EF}
    HKEY_CLASSES_ROOT\Interface\{F8084C00-5E03-4B9F-8846-EFE24334C44A}
    HKEY_CLASSES_ROOT\TypeLib\{57ADD57B-173E-418A-8F70-17E5C9F2BCC9}
    HKEY_CLASSES_ROOT\Typelib\{58D419E8-1321-4DD2-A6FC-7B41C14DCD79}
    HKEY_CLASSES_ROOT\TypeLib\{8F73AC0F-5769-4282-8762-B396A3BFF377}
    HKEY_CLASSES_ROOT\Wbho.Band.1
    HKEY_CLASSES_ROOT\Wbho.Band
    HKEY_CLASSES_ROOT\IMIToolbar.imiTool
    HKEY_CLASSES_ROOT\IMIToolbar.imiTool.1
    HKEY_CLASSES_ROOT\IMIToolbar.PopupBrowser.1
    HKEY_CLASSES_ROOT\IMIToolbar.PopupBrowser
    HKEY_CLASSES_ROOT\IMIToolbar.LeftFrame.1
    HKEY_CLASSES_ROOT\IMIToolbar.LeftFrame
    HKEY_CLASSES_ROOT\IMIToolbar.BottomFrame.1
    HKEY_CLASSES_ROOT\IMIToolbar.BottomFrame
    HKEY_CLASSES_ROOT\IMIToolbar.PopupWindow.1
    HKEY_CLASSES_ROOT\IMIToolbar.PopupWindow
    HKEY_CLASSES_ROOT\DSrch.Band
    HKEY_CLASSES_ROOT\DSrch.Band.1
    HKEY_CLASSES_ROOT\DSrch.PopupBrowser.1
    HKEY_CLASSES_ROOT\DSrch.PopupBrowser
    HKEY_CLASSES_ROOT\DSrch.LeftFrame.1
    HKEY_CLASSES_ROOT\DSrch.LeftFrame
    HKEY_CLASSES_ROOT\DSrch.BottomFrame.1
    HKEY_CLASSES_ROOT\DSrch.BottomFrame
    HKEY_CLASSES_ROOT\DSrch.PopupWindow.1
    HKEY_CLASSES_ROOT\DSrch.PopupWindow
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{01F44A8A-8C97-4325-A378-76E68DC4AB2E}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00F1D395-4744-40F0-A611-980F61AE2C59}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{69135BDE-5FDC-4B61-98AA-82AD2091BCCC}
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Upspiral Desktop Search
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\intexp
    HKEY_CURRENT_USER\Software\intexp
    HKEY_CURRENT_USER\Software\inst
    HKEY_CURRENT_USER\Software\dsktb
    HKEY_CURRENT_USER\Software\dsrch
    HKEY_CURRENT_USER\Software\Classes\Remove
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{666E4D35-E955-11D0-A707-000000521958}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{A80F2DB2-80A9-4834-8F5A-4AB70F4EF4C3}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/wupdt.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/wupdt.exe

  4. May add some of the following values:

    "Win Server Updt" = "%WinDir%\[DROPPED ADWARE FILE]"
    "Win Server" = "%WinDir%\winserv.exe"
    "wdskctl" = "C:\Windows\wdskctl.exe"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the adware runs every time Windows starts.

  5. May add one of the following values:

    "C:\WINDOWS\wupdt.exe" = ""
    "C:\WINNT\wupdt.exe" = ""

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs

  6. May add the following value:

    "DefaultSearchURL" = "[http://]websearch.drsnsrch.com/[REMOVED]/q.cgi?="

    to the registry subkey:

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\SearchAssistant

  7. May add one of the following values:

    "{2CDE1A7D-A478-4291-BF31-E1B4C16F92EB}" = ""
    "{69135BDE-5FDC-4B61-98AA-82AD2091BCCC}" = ""

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar

  8. May attempt to change some of the following registry subkeys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Search Bar
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Search Bar
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchUrl
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search\SearchAssistant
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search\CustomizeSearch
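
As an added detection example (not part of the Symantec write-up), the script below parses a Regedit .reg export and flags the Run-key persistence values, Browser Helper Object CLSIDs, Toolbar CLSIDs and drsnsrch.com search hijack listed in the steps above; the sample export it scans is constructed for illustration.

```python
import re

# Indicators taken from the Adware.IEPlugin write-up (BHO CLSIDs, Toolbar CLSIDs, Run values, search domain).
BHO_CLSIDS = {"{01F44A8A-8C97-4325-A378-76E68DC4AB2E}", "{00F1D395-4744-40F0-A611-980F61AE2C59}",
              "{69135BDE-5FDC-4B61-98AA-82AD2091BCCC}"}
TOOLBAR_CLSIDS = {"{2CDE1A7D-A478-4291-BF31-E1B4C16F92EB}", "{69135BDE-5FDC-4B61-98AA-82AD2091BCCC}"}
RUN_VALUES = {"win server updt", "win server", "wdskctl"}
SEARCH_DOMAIN = "drsnsrch.com"

def parse_reg_export(text):
    """Parse a Regedit .reg export into {key_path: {value_name: data}} (string values only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1)
            keys.setdefault(current, {})
        elif current and line.startswith('"'):
            name, _, data = line.partition("=")
            keys[current][name.strip('"')] = data.strip().strip('"')
    return keys

def scan_export(text):
    """Return (indicator_type, detail) pairs for Adware.IEPlugin traces found in a .reg export."""
    findings = []
    for path, values in parse_reg_export(text).items():
        low, tail = path.lower(), path.rsplit("\\", 1)[-1].upper()
        if "\\explorer\\browser helper objects\\" in low and tail in BHO_CLSIDS:
            findings.append(("bho", path))
        if low.endswith("\\currentversion\\run"):
            findings += [("run_value", n) for n in values if n.lower() in RUN_VALUES]
        if low.endswith("\\internet explorer\\toolbar"):
            findings += [("toolbar", n) for n in values if n.upper() in TOOLBAR_CLSIDS]
        if low.endswith("\\microsoft\\searchassistant"):
            url = values.get("DefaultSearchURL", "")
            if SEARCH_DOMAIN in url.lower():
                findings.append(("search_hijack", url))
    return findings

# Constructed sample export: one persistence value, one BHO registration, one hijacked search URL.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Win Server"="C:\\WINDOWS\\winserv.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{01F44A8A-8C97-4325-A378-76E68DC4AB2E}]
@=""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\SearchAssistant]
"DefaultSearchURL"="http://websearch.drsnsrch.com/[REMOVED]/q.cgi?="
"""

if __name__ == "__main__":
    for kind, detail in scan_export(SAMPLE_EXPORT):
        print(f"{kind}: {detail}")
```

Run `reg export HKLM hklm.reg` and `reg export HKCU hkcu.reg` on the host under review and pass the file contents to `scan_export` to check a real system.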
