1. Symantec/
  2. Security Response/
  3. Adware.Shorty


February 13, 2007 11:43:25 AM
Risk Impact:
File Names:
gui.exe Catcher.dll
Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT

When Adware.Shorty is executed, it performs the following actions:
  1. Copies itself as %CommonProgramFiles%\[FILE NAME].exe.

    • %CommonProgramFiles% is a variable that refers to the Common Files folder. By default, this is C:\Program Files\Common Files.
    • [FILE NAME] is a variable that refers to the file name of the original installation file.

  2. Downloads and creates the following files:

    • %CommonProgramFiles%\services.exe
    • %CommonProgramFiles%\system32.dll
    • %Temp%\version.txt
    • %ProgramFiles%\Catcher.dll
    • %ProgramFiles%\gui.exe
    • %ProgramFiles%\cwebpage.dll
    • %ProgramFiles%\version.txt
    • %ProgramFiles%\x.bmp
    • %ProgramFiles%\*.dat

    • %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
    • %Temp% is a variable that refers to the Windows temporary folder. By default, this is C:\Windows\TEMP (Windows 95/98/Me/XP) or C:\WINNT\Temp (Windows NT/2000).

  3. Adds the value:

    "DNS" = "%CommonProgramFiles%\[FILE NAME].exe"

    to the registry subkey:


    so that the risk runs every time Windows starts.

  4. Adds the value:

    "DisableRegistryTools" = "0"

    to the registry subkey:


    which attempts to prevent programs such as Regedt32.exe and Regedit.exe from running.

  5. Adds the value:

    "GlobalUserOffline" = "0"

    to the registry subkey:

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings

    so the default setting for Internet Explorer is Offline Browsing.

  6. Creates the following registry keys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11A4CA8C-A8B9-49c2-A6D3-3F64C9EEBAE6}

  7. Executes the file %CommonProgramFiles%\services.exe. This file opens the installation file for reading, which prevents the risk from being deleted. Both these files also have the hidden and system attributes set, so a user may not see them in a normal Explorer or DOS window.

  8. Displays search results from maxifind.com when search queries are made from sites such as Yahoo! and Google.

Summary| Technical Details| Removal

Search Threats

Search by name
Example: W32.Beagle.AG@mm
STAR Antimalware Protection Technologies
2016 Internet Security Threat Report, Volume 21
  • Twitter
  • Facebook
  • LinkedIn
  • Google+
  • YouTube