
Adware.MediaTicket

Updated: February 13, 2007 11:40:45 AM
Type: Adware
Risk Impact: Low
File Names: arsetup.exe, installer.exe, MediaTicketsInstaller.ocx
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When Adware.MediaTicket is executed, it does the following:
  1. Creates the following files:

    • %Temp%\installer.exe
    • %CurrentFolder%\mt-uninstaller.exe
    • %Windir%\Downloaded Program Files\MediaTicketsInstaller.ocx
    • %Windir%\Downloaded Program Files\MediaTicketsInstaller.INF
    • %UserProfile%\Local Settings\Temp\installer.exe

      Notes:
    • %Temp% is a variable that refers to the Windows temporary folder. By default, this is C:\Windows\TEMP (Windows 95/98/Me/XP) or C:\WINNT\Temp (Windows NT/2000).
    • %CurrentFolder% is a variable that refers to the folder where the risk was originally executed.

  2. Adds the following registry keys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{39DA2444-065F-47CB-B27C-CCB1A39C06B7}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9EB320CE-BE1D-4304-A081-4B4665414BEF}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{3517FB25-305D-4012-B531-186E3851E7ED}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{4781DAA6-4DE5-47A1-B02A-945F0D017A9E}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{5530D356-0063-41B9-B20D-E9D799E8D907}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MEDIATICKETSINSTALLER.MediaTicketsInstallerCtrl.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{9EB320CE-BE1D-4304-A081-4B4665414BEF}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/MediaTicketsInstaller.ocx
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/Downloaded Program Files/MediaTicketsInstaller.ocx


  3. Adds one of the values:

    "msn messanger" = "[file path to adware]"
    "REGRUN" = "[file path to adware]"
    "PROPRO" = "[file path to adware]"

    to the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the adware is executed every time Windows starts.

  4. Modifies the following registry keys:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\CurrentLevel
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Flags


    to reset the security settings of the Internet zone in Internet Explorer.
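
As an added example (not part of the original write-up), the Python code below scans the text of a .reg export for the indicators listed above: the three Run value names, the listed GUIDs and MediaTicketsInstaller keys, and the Zone 3 values, which it only reports for review because the write-up does not state what the adware sets them to. The function names and the sample export are constructed for illustration.

```python
import re

# Indicators copied from the write-up above; registry names compare case-insensitively.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_NAMES = {"msn messanger", "regrun", "propro"}
ZONE3 = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
GUIDS = {  # CLSID / Interface / TypeLib / Distribution Units GUIDs from step 2
    "39DA2444-065F-47CB-B27C-CCB1A39C06B7", "9EB320CE-BE1D-4304-A081-4B4665414BEF",
    "3517FB25-305D-4012-B531-186E3851E7ED", "4781DAA6-4DE5-47A1-B02A-945F0D017A9E",
    "5530D356-0063-41B9-B20D-E9D799E8D907",
}

# Constructed sample export, not taken from an infected machine.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msn messanger"="C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\installer.exe"
"ExampleApp"="C:\\Program Files\\Example\\app.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9EB320CE-BE1D-4304-A081-4B4665414BEF}]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"CurrentLevel"=dword:00000000
'''

def parse_reg(text):
    """Yield (key, value_name, data) from .reg text; value_name is None for a key header."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            yield key, None, None
        elif key and (m := re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)):
            yield key, m.group(1), m.group(2)

def scan(text):
    """Return findings as (kind, key, detail) tuples, in file order."""
    findings = []
    for key, name, data in parse_reg(text):
        if name is None:
            m = re.search(r"\{([0-9A-Fa-f-]{36})\}", key)
            if (m and m.group(1).upper() in GUIDS) or "mediaticketsinstaller" in key.lower():
                findings.append(("com-registration", key, ""))
        elif key.upper() == RUN_KEY.upper() and name.strip().lower() in RUN_NAMES:
            findings.append(("run-persistence", key, f"{name} -> {data}"))
        elif key.upper() == ZONE3.upper() and name in ("CurrentLevel", "Flags"):
            findings.append(("zone3-review", key, f"{name}={data}"))
    return findings
```

Regedit version 5.00 exports are UTF-16 encoded, so decode the file (for example `open(path, encoding="utf-16")`) before passing its text to `scan`.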

