
Adware.Getup

Updated: February 13, 2007 11:35:57 AM
Type: Adware
Publisher: Getupdate.com
Risk Impact: High
File Names: bpvt2.dll, myexplore.exe, updtr.exe, WinExplore.exe, xm2s.dll
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When Adware.Getup is executed, it performs the following actions:
  1. Creates the following files:

    • %System%\bpvt2.dll
    • %System%\myexplore.exe
    • %System%\xm2s.dll (a clean helper .dll)
    • %System%\WinExplore.exe

      Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

  2. Attempts to create the following registry keys:

    HKEY_CLASSES_ROOT\TypeLib\{B570FFE8-3ACB-4A4D-AAB3-546D1C445928}
    HKEY_CLASSES_ROOT\Interface\{83B84CB7-F69D-4CB2-BC8A-9D19D762D4F6}
    HKEY_CLASSES_ROOT\CLSID\{F4A645D0-D4D5-439E-9DBC-B31BBD9CB890}
    HKEY_CLASSES_ROOT\WinSystem.Best2
    HKEY_CLASSES_ROOT\TypeLib\{E43F2D8C-12DE-4A0B-805E-84AD4FC4325C}
    HKEY_LOCAL_MACHINE\SOFTWARE\2F 2E 31 3832 32 33 38 39 3B
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6D336187-169D-45DA-B76F-53B2840916FB}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{3A051814-4E16-49D3-ACCF-76484CF6BC80}
    HKEY_LOCAL_MACHINE\SOFTWARE\DF E1 DA E4 E2 DD E5 E0 (possibly random)
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Zedd4Proj.clsUnoOne
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Default Behaviors\7809607178\
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Subscription Folder\AID: "GVMI"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Subscription Folder\ASET: "Matrix_01"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Default Behaviors\A7 A9 A2 AC AA A5 AD A8 AF B1\
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{08227B4B-54FE-4C4D-809F-BCA46292FC5B}
    HKEY_ALL_USERS\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{08227B4B-54FE-4C4D-809F-BCA46292FC5B}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{08227B4B-54FE-4C4D-809F-BCA46292FC5B}

  3. Adds the values:

    "C:\WINNT\System32\BPV2t.dll" = "1"
    "C:\WINNT\System32\xm2s.dll" = "1"
    "C:\WINDOWS\System32\Zedd4.dl" = "1"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs

  4. Attempts to connect to the getupdate.com domain and checks for updated versions of itself.

  5. Redirects certain URLs, such as search requests.

  6. Adds the values:

    "AllowWindowReuse" = "0"
    "Enable Browser Extensions" = "yes"

    to the registry subkey:

    HKEY_USERS\S-1-5-21-1960408961-507921405-725345543-500\Software\Microsoft\Internet Explorer\Main

    and the value:

    "ShowGoButton" = "no"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Software\Microsoft\Internet Explorer\Main

    so as to modify Internet Explorer settings.

  7. Adds the value:

    "BrowseNewProcess" = "yes"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Software\Microsoft\Windows\CurrentVersion\BrowseNewProcess
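A read-only sweep for the artifacts listed in steps 1 to 3, added here as an example and not part of the Symantec writeup. It assumes a Windows host with PowerShell 5 or later, resolves %System% to the current System folder with [Environment]::GetFolderPath rather than the per-OS paths in the note above, and takes every file name, CLSID and key path from the writeup; the function name Find-AdwareGetupArtifacts is this example's own.

```powershell
# Added example, not from the Symantec writeup: read-only sweep of a Windows host for
# the Adware.Getup artifacts listed above. Assumes a host with PowerShell 5+; %System%
# is resolved to the current System folder rather than the per-OS paths named in the note.

function Find-AdwareGetupArtifacts {
    [CmdletBinding()]
    param()

    $clsid     = '{08227B4B-54FE-4C4D-809F-BCA46292FC5B}'   # BHO CLSID from the writeup
    $systemDir = [Environment]::GetFolderPath('System')      # e.g. C:\Windows\System32

    # File names from the "File Names" field and step 1
    $fileNames = 'bpvt2.dll', 'myexplore.exe', 'updtr.exe', 'WinExplore.exe', 'xm2s.dll'

    # Registry keys from step 2 that mark the COM / Browser Helper Object registration
    $regKeys = @(
        "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$clsid"
        "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\$clsid"
        'Registry::HKEY_CLASSES_ROOT\CLSID\{F4A645D0-D4D5-439E-9DBC-B31BBD9CB890}'
        'Registry::HKEY_CLASSES_ROOT\WinSystem.Best2'
        'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Zedd4Proj.clsUnoOne'
        'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Default Behaviors\7809607178'
    )

    $findings = [System.Collections.Generic.List[object]]::new()

    foreach ($name in $fileNames) {
        $path = Join-Path $systemDir $name
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $findings.Add([pscustomobject]@{ Kind = 'File'; Item = $path })
        }
    }

    foreach ($key in $regKeys) {
        if (Test-Path -LiteralPath $key) {
            $findings.Add([pscustomobject]@{ Kind = 'RegistryKey'; Item = $key })
        }
    }

    # Step 3: SharedDLLs value names are full DLL paths. Match on the file name only,
    # because the drive and Windows folder differ between hosts; -match is
    # case-insensitive, so the writeup's "BPV2t.dll" spelling is covered too.
    $sharedDlls = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs'
    if (Test-Path -LiteralPath $sharedDlls) {
        $values = Get-ItemProperty -LiteralPath $sharedDlls
        foreach ($prop in $values.PSObject.Properties) {
            if ($prop.Name -match '\\(bpv2t|bpvt2|xm2s|zedd4)\.dll?$') {
                $findings.Add([pscustomobject]@{ Kind = 'SharedDLLsValue'; Item = $prop.Name })
            }
        }
    }

    return $findings
}

$hits = @(Find-AdwareGetupArtifacts)
if ($hits.Count -eq 0) {
    Write-Output 'No Adware.Getup artifacts found.'
} else {
    $hits | Format-Table -AutoSize
}
```

The script only reads the file system and registry and never deletes anything, so it is safe to run from a standard prompt as a first triage step; a hit on the Browser Helper Objects key or on any of the listed files is the strongest signal, while the IE Main values from step 6 are deliberately left out because "Enable Browser Extensions" = "yes" is also a normal default and would produce false positives.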