
Adware.CashSaver

Updated: February 13, 2007 11:41:17 AM
Type: Adware
Version: 225
Publisher: eLink (South Korea)
Risk Impact: High
File Names: csinstall.exe
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When Adware.CashSaver is executed, it performs the following actions:
  1. Creates the following files:
    • %System%\mscsclient.exe
    • %System%\cashsaverbho.dll
    • %System%\csuninstall.exe
    • %System%\56171D04\E5C5BDB4.exe (detected as SecurityRisk.Downldr)

      Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

  2. Creates the following additional files (these are created by mscsclient.exe):
    • %System%\csupdate.info
    • %System%\mscsclient.ekw

  3. Adds the following values:

    "00D34A52" = "%System%\56171D04\E5C5BDB4.exe"
    "MSCSCLIENT" = "%System%\mscsclient.exe"

    to the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CurrentVersion\Run

    so that the adware runs every time Windows starts.

  4. Adds the following values:

    "DisplayName" = "MSCSCLIENT"
    "TargetDir" = "%System%"
    "UninstallString" = "%System%\mscsclient.exe -remove"

    to the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CurrentVersion\Uninstall\MSCSCLIENT

    so that "MSCSCLIENT" is displayed in the Control Panel Add/Remove Programs utility.

  5. Adds the following values:

    "[default]" = "%System%\cashsaverbho.dll"
    "ThreadingModel" = "Apartment"

    to the registry key:

    HKEY_CLASSES_ROOT\CLSID\{BC5D79A8-DFFD-47B0-A8EF-70C70379FC20}\InprocServer

    so that the adware runs every time Internet Explorer starts.

  6. Adds the following value:

    "[default]" = "%System%\cashsaverbho.dll"

    to the registry key:

    HKEY_CLASSES_ROOT\CLSID\{B9ADBF45-B136-4FC5-8582-48C2A22600CE}\InprocServer32

    so that the adware runs every time Internet Explorer starts.

  7. Adds the following values:

    "[default]" = ""
    "ThreadingModel" = "Apartment"

    to the registry key:

    HKEY_CLASSES_ROOT\CLSID\{B9ADBF45-B136-4FC5-8582-48C2A22600CE}

    so that the adware runs every time Internet Explorer starts.

  8. Adds the following values:

    "{BC5D79A8-DFFD-47B0-A8EF-70C70379FC20}" = ""
    "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" = ""

    to the registry key:

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\UrlSearchHooks

    so that the adware is called by Internet Explorer when a user types a keyword in the URL field.

  9. Adds the following values:

    "ClientVersion" = "225"
    "TodayPopupCount" = "DWORD:0x0"
    "LastBootDate" = "[date]"

    to the registry key:

    HKEY_LOCAL_MACHINE\Software\Elink\CashSaver

    so that the adware can manage and control its own version and behavior.
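
The registry changes listed in steps 3 through 9 can be checked offline against a registry export. The following is an added example, not Symantec's code: it scans .reg export text for the file names, CLSIDs and keys named above. The function names and the sample export are constructed for illustration, and matching on value data rather than full key paths is a design assumption.

```python
# Indicators copied from the write-up above; all matching is case-insensitive.
CLSIDS = ("{bc5d79a8-dffd-47b0-a8ef-70c70379fc20}",
          "{b9adbf45-b136-4fc5-8582-48c2a22600ce}")
# Assumption: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} is Internet Explorer's stock
# search hook, so it is left out to avoid flagging clean machines.
FILES = ("mscsclient.exe", "cashsaverbho.dll", "csuninstall.exe",
         "56171d04\\e5c5bdb4.exe")
KEY_MARKERS = ("\\software\\elink\\cashsaver", "\\uninstall\\mscsclient")

def parse_reg(text):
    """Yield (key, value_name, data); value_name is None on the key line itself."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            yield key, None, ""
        elif key and "=" in line:
            name, _, data = line.partition("=")
            # Quoted strings in .reg files double every backslash; undo that.
            yield key, name.strip('"'), data.strip('"').replace("\\\\", "\\")

def find_hits(reg_text):
    """Return (key, value_name, reason) for each entry matching an indicator."""
    hits = []
    for key, name, data in parse_reg(reg_text):
        if name is None:  # key line: report key-based indicators once per key
            k = key.lower()
            if any(m in k for m in KEY_MARKERS + CLSIDS):
                hits.append((key, None, "key"))
            continue
        if name.lower() in CLSIDS:  # UrlSearchHooks stores the CLSID as a value name
            hits.append((key, name, "clsid-value"))
        hits += [(key, name, "file:" + f) for f in FILES if f in data.lower()]
    return hits

# Constructed sample export, not taken from a real machine.
SAMPLE = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSCSCLIENT"="C:\\WINDOWS\\system32\\mscsclient.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlSearchHooks]
"{BC5D79A8-DFFD-47B0-A8EF-70C70379FC20}"=""
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Elink\CashSaver]
"ClientVersion"="225"
"""
if __name__ == "__main__":
    print(*find_hits(SAMPLE), sep="\n")
```

Exports written by regedit in the "Version 5.00" format are UTF-16 encoded, so decode the file accordingly before passing its text to `find_hits`.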

