When Adware.Idocha is executed, it performs the following actions:
- Adds the value:
"Start Page" = "[http://]idolch.net/[REMOVED]?n=[USER NAME]-l"
to the registry subkey:
to redirect the Internet Explorer home page to the idolch.net domain.
Note: The Web site asks the user to pay fee for a porn service.
- Collects the following information from the compromised computer:
- Sends collected information to the following email address:
- Attempts to open a WMV file from [http://]idolch.net/[REMOVED]/movie/
- Creates the file [JAPANESE CHARACTERS].txt, which asks the user to pay fee for a porn service.
- Displays the following image:
Body: Interface ????????????.