
Adware.Look2Me

Updated:
February 13, 2007 11:37:12 AM
Type:
Adware
Risk Impact:
High
File Names:
VT09.exe VT09_Installer.exe ffInst.exe
Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

As of this writing, Symantec Security Response has received a submission of a .dll file that is one component of Adware.Look2Me. The file name appears to be random and may vary. We have not received a submission of the file that actually installs this .dll file.

When this .dll file is run, it may register itself as a Browser Helper Object (BHO), or it may install itself directly. The CLSID key that the BHO adds to the registry varies, but it always begins with {DDFFA75A-.

The adware component performs some or all of the following actions:
  1. Creates the following files:

    • %System%\[RANDOM NAME].dll

      Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

  2. Adds one or more of the following registry keys and values:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Guardian\"ID"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Guardian\"Idex"
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\"[CLSID VALUE]"

  3. May add the values:

    "(Default)" = ""
    "IDEX" = "AD"
    "InProcServer32\(Default)" = "[PATH TO %System%\[RANDOM NAME].DLL]"
    "InProcServer32\ThreadingModel" = "Apartment"

    to the registry subkey:

    HKEY_CLASSES_ROOT\CLSID\[RANDOM CLSID KEY]

  4. May add the values:

    "Asynchronous" = "0"
    "DllName" = "[PATH TO %System%\[RANDOM NAME].DLL]"
    "Impersonate" = "0"
    "Logoff" = "WinLogoff"
    "Logon" = "WinLogon"
    "Shutdown" = "WinShutdown"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Run

    so that it runs every time Windows starts.

  5. Uses HTTP or FTP to download executables from a Web site, and then runs them.

    Note: These could be updates or components of other adware.

  6. Opens advertisements in Internet Explorer.

  7. May change the Internet Explorer home page by modifying the value of the following registry subkey:

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page

  8. Deletes the following registry key; doing so prevents BHOs from running:

    SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

  9. May monitor user Web site traffic and send this information to www.look2me.com.

  10. May create a Web page locally and make that page the default search page.
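The registry artifacts in steps 2, 3, 4 and 8 above can be checked offline against a registry export. The script below is an added example for this writeup, not a Symantec tool: it parses .reg text and flags a CLSID key with the fixed {DDFFA75A- prefix, the Winlogon\Notify\Guardian key carrying an Idex value, and a Winlogon notification package that is loaded by an absolute path into the System folder and exports the WinLogon/WinLogoff/WinShutdown handlers. The sample export, the DLL name qrsmx.dll, the zeroed GUID suffix and the "Benign" entry are constructed placeholders, not data from the writeup.

```python
"""Scan a Windows registry export (.reg text) for the Adware.Look2Me artifacts
listed in this writeup. Added example; not a Symantec tool. The sample export,
the DLL name qrsmx.dll and the GUID suffix are constructed placeholders."""
import re

CLSID_PREFIX = "{DDFFA75A-"
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
# Default System folders from the note above (Win9x/Me, NT/2000, XP), lower-cased
SYSTEM_DIRS = ("\\windows\\system\\", "\\winnt\\system32\\", "\\windows\\system32\\")

# Constructed .reg export: three Look2Me artifacts plus one benign-looking
# Winlogon notification package ("Benign") that must NOT be flagged.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{DDFFA75A-0000-0000-0000-000000000000}]
@=""
"IDEX"="AD"

[HKEY_CLASSES_ROOT\CLSID\{DDFFA75A-0000-0000-0000-000000000000}\InProcServer32]
@="C:\\WINDOWS\\system32\\qrsmx.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Guardian]
"ID"="placeholder"
"Idex"="placeholder"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Run]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\qrsmx.dll"
"Impersonate"=dword:00000000
"Logoff"="WinLogoff"
"Logon"="WinLogon"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Benign]
"DllName"="benign.dll"
"Logon"="BenignLogon"
"""


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} from .reg text.
    Quoted strings are unescaped; other data (dword:...) is kept verbatim."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\")
            keys[current][name] = data
    return keys


def find_look2me_indicators(keys):
    """Return (indicator, key_path) pairs for each artifact found."""
    findings = []
    for path, values in keys.items():
        low_path = path.lower()
        lowered = {n.lower(): d for n, d in values.items()}
        # Step 3 above: the CLSID is random, but its prefix is fixed
        m = re.search(r"\\CLSID\\(\{[0-9A-F-]+\})$", path, re.IGNORECASE)
        if m and m.group(1).upper().startswith(CLSID_PREFIX):
            findings.append(("clsid_prefix", path))
        # Step 2 above: the Guardian key under Winlogon\Notify carrying an Idex value
        if low_path == (NOTIFY_KEY + r"\Guardian").lower() and "idex" in lowered:
            findings.append(("guardian_marker", path))
        # Step 4 above: a notification package loaded by absolute path from the
        # System folder that exports the WinLogon/WinLogoff/WinShutdown handlers
        if low_path.startswith(NOTIFY_KEY.lower() + "\\"):
            dll = lowered.get("dllname", "").lower()
            handlers = {lowered.get("logon"), lowered.get("logoff"), lowered.get("shutdown")}
            if (re.match(r"^[a-z]:\\", dll)
                    and any(d in dll for d in SYSTEM_DIRS)
                    and handlers & {"WinLogon", "WinLogoff", "WinShutdown"}):
                findings.append(("notify_dll", path))
    return findings


def bho_key_present(keys):
    """False when the Browser Helper Objects key (deleted in step 8) is absent.
    Only meaningful if the export actually covers the Explorer subtree."""
    return any(p.lower() == BHO_KEY.lower() for p in keys)


if __name__ == "__main__":
    reg = parse_reg_export(SAMPLE_EXPORT)
    for kind, path in find_look2me_indicators(reg):
        print(f"{kind:16} {path}")
    if not bho_key_present(reg):
        print("Browser Helper Objects key absent from export")
```

Against a real host, feed the output of an export of HKEY_CLASSES_ROOT\CLSID, the Winlogon\Notify key and the Explorer key instead of the constructed sample; the Benign entry shows why the notify check requires both an absolute System-folder path and the handler names rather than the presence of a DllName alone.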

