
Adware.Aurora

Updated: February 13, 2007 11:46:02 AM
Type: Adware
Publisher: ABI Network - A Division of Direct Revenue
Risk Impact: Medium
File Names: DrPMon.dll, svcproc.exe, Nail.exe, poller.exe, aurora.exe
Systems Affected: Windows 2000, Windows NT, Windows Server 2003, Windows XP

When Adware.Aurora is executed, it performs the following actions:
  1. Attempts to contact [http://]www.abetterinternet.com/[REMOVED] and download a number of component files.

  2. Creates the following files on the compromised computer:

    • %Windir%\Nail.exe
    • %Windir%\svcproc.exe
    • %Windir%\[RANDOM NAME].exe
    • %System%\DrPMon.dll
    • %System%\[RANDOM NAME].exe
    • %Windir%\IDDJHJM.ini
    • %Windir%\abiuninst.htm
    • %Windir%\CCEJHONM.ini

      Note:
    • %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
    • %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
    • [RANDOM NAME] refers to a random sequence of letters used by the security risk in creating the filename.

  3. Creates the following registry subkeys:

    HKEY_CURRENT_USER\Software\aurora
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\abi-1
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SvcProc


  4. Adds the value:

    "[RANDOM NAME]" = "%System%\[RANDOM NAME].exe r"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that it runs every time Windows starts.

  5. Modifies the value:

    "Shell" = "Explorer.exe"

    to

    "Shell" = "Explorer.exe %Windir%\Nail.exe"

    in the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

    so that Winlogon launches Nail.exe alongside Explorer.exe at every logon.
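The persistence points in steps 3 to 5 can be triaged offline from a registry export taken on the suspect host (`reg export` of the Winlogon, Run, Print\Monitors and Services keys). The following is an added example, not Symantec's tooling or part of the original advisory: it parses a .reg export and flags the indicators the advisory lists. The SAMPLE_REG text is a constructed export; the [RANDOM NAME] placeholder is filled with the arbitrary string KJHGFD purely for illustration, and the Userinit, ctfmon and Local Port entries are ordinary values included so the checks have something benign to ignore.

```python
"""Offline triage of a Windows .reg export for Adware.Aurora persistence.

Added example, not Symantec's code. Checks the four things the advisory
documents: the created keys, the Winlogon Shell value, the HKLM Run entry
launched with a trailing " r", and the DLL/EXE loaded by the ZepMon print
monitor and the SvcProc service.
"""
import re
from typing import Dict, List

# Constructed sample export. Assumption: the random name is "KJHGFD".
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\WINDOWS\\Nail.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KJHGFD"="C:\\WINDOWS\\System32\\KJHGFD.exe r"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon]
"Driver"="DrPMon.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Local Port]
"Driver"="localspl.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SvcProc]
"ImagePath"="C:\\WINDOWS\\svcproc.exe"
"Start"=dword:00000002
"""

# Indicators taken from the advisory, lower-cased for comparison.
AURORA_FILES = {"drpmon.dll", "svcproc.exe", "nail.exe", "poller.exe", "aurora.exe"}
AURORA_KEYS = {
    r"hkey_current_user\software\aurora",
    r"hkey_local_machine\software\microsoft\windows\currentversion\uninstall\abi-1",
    r"hkey_local_machine\system\currentcontrolset\control\print\monitors\zepmon",
    r"hkey_local_machine\system\currentcontrolset\services\svcproc",
}
WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
MONITORS = r"hkey_local_machine\system\currentcontrolset\control\print\monitors"
SERVICES = r"hkey_local_machine\system\currentcontrolset\services"

_VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"=(?:"((?:[^"\\]|\\.)*)"|(dword:[0-9a-fA-F]{8}))')


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key_path: {value_name: data}} (keys and
    value names lower-cased). Only REG_SZ and dword values are handled,
    which is all the persistence points here use; REG_SZ backslash
    escapes are collapsed back to single backslashes."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = _VALUE_RE.match(line)
            if m:
                data = m.group(2).replace("\\\\", "\\") if m.group(2) is not None else m.group(3)
                keys[current][m.group(1).lower()] = data
    return keys


def find_aurora(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Return one finding string per Aurora indicator seen in the export."""
    findings: List[str] = []
    # Step 3: subkeys the adware creates outright.
    findings += [f"key present: {k}" for k in keys if k in AURORA_KEYS]
    # Step 5: Shell must be exactly Explorer.exe; anything appended is a
    # second program Winlogon starts at every logon.
    shell = keys.get(WINLOGON, {}).get("shell", "")
    if shell and shell.strip().lower() != "explorer.exe":
        findings.append(f"Winlogon Shell hijack: {shell!r}")
    # Step 4: Run entries whose image is an Aurora file, or whose value name
    # equals the image basename and is launched with the " r" argument.
    for name, cmd in keys.get(RUN_KEY, {}).items():
        image, _, args = cmd.partition(" ")
        base = image.rsplit("\\", 1)[-1].lower()
        if base in AURORA_FILES or (base == f"{name}.exe" and args.strip() == "r"):
            findings.append(f"Run entry: {name}={cmd!r}")
    # Step 3 again: print monitors and services that load an Aurora binary.
    for k, vals in keys.items():
        path = ""
        if k.startswith(MONITORS + "\\"):
            path = vals.get("driver", "")
        elif k.startswith(SERVICES + "\\"):
            path = vals.get("imagepath", "")
        if path:
            base = path.strip('"').split(" ")[0].rsplit("\\", 1)[-1].lower()
            if base in AURORA_FILES:
                findings.append(f"{k}: loads {base}")
    return findings


if __name__ == "__main__":
    for finding in find_aurora(parse_reg(SAMPLE_REG)):
        print(finding)
```

On a real host, export the four hives listed in the advisory with `reg export` and feed the concatenated files to `parse_reg` in place of SAMPLE_REG. The Shell check is the most general of the four: a Shell value that is anything other than Explorer.exe is worth a look regardless of which adware family put it there.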

