
Adware.WebDir

Updated: February 13, 2007 11:46:57 AM
Type: Adware
Risk Impact: High
File Names: pxwma.dll
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP

When Adware.WebDir is executed, it performs the following actions:
  1. Creates the following registry subkeys:

    HKEY_CLASSES_ROOT\AppID\pxwma.DLL
    HKEY_CLASSES_ROOT\CLSID\{58F07DD3-924D-4141-BC74-299F523A95F1}
    HKEY_CLASSES_ROOT\Interface\{B1317C08-617A-435D-A24F-A930F4540696}
    HKEY_CLASSES_ROOT\TypeLib\{FAC55B9F-8F6A-4A41-AE16-36845D4679B2}
    HKEY_CLASSES_ROOT\interface.InterfaceOBJ
    HKEY_CLASSES_ROOT\interface.InterfaceOBJ.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{58F07DD3-924D-4141-BC74-299F523A95F1}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\DLP.DLL
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BE2ED590-CA49-46B5-8CCE-244FB2E0D1AA}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B1E22EB8-2AE8-4E8E-96AE-74F2A1764533}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{BDBEBF18-7615-4971-9AC3-BD6FFB7AD6C1}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DLP.DLPObj
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DLP.DLPObj.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BE2ED590-CA49-46B5-8CCE-244FB2E0D1AA}
    HKEY_USERS\S-1-5-21-220523388-1844823847-682003330-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BE2ED590-CA49-46B5-8CCE-244FB2E0D1AA}

  2. Downloads the following files from a remote server when Internet Explorer is launched:

    • %Temp%\whoiscache.dat
    • %Temp%\2921.dat

    Notes:
    • This is an encrypted file which contains a list of URLs.
    • %Temp% is a variable that refers to the Windows temporary folder. By default, this is C:\Windows\TEMP (Windows 95/98/Me/XP) or C:\WINNT\Temp (Windows NT/2000).

  3. Adds the value:

    "(Default)" = "DLP"

    to the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID

  4. When a URL contained in the file downloaded in Step 2 is visited, the risk will append an affiliate ID onto that URL, and redirect Internet Explorer to a new URL.

    Note: The user will most likely not notice this redirect since the Web page they originally requested is normally displayed. However, the author of the risk will gain financially when the user visits particular Web sites.
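The registry subkeys in Step 1 and the files in Step 2 are the artifacts a responder would look for on a suspect host. The following PowerShell script is an added, read-only check and is not part of the Symantec writeup: it enumerates the Internet Explorer Browser Helper Objects key, resolves each registered CLSID to its InprocServer32 DLL, and flags entries matching the two CLSIDs listed above or the DLL names pxwma.dll and dlp.dll (the latter inferred from the DLP.DLL AppID entry in Step 1, an assumption). It also checks %Temp% for the two downloaded files. Run it from an elevated prompt so HKLM and all user hives are readable.

```powershell
# Added example, not code from the Symantec writeup. Read-only: it reports
# indicators and changes nothing. Function and variable names are ours.

# CLSIDs registered under Browser Helper Objects, taken from Step 1 above.
$BadClsids = @(
    '{58F07DD3-924D-4141-BC74-299F523A95F1}',
    '{BE2ED590-CA49-46B5-8CCE-244FB2E0D1AA}'
)
# pxwma.dll is the listed file name; dlp.dll is inferred from the DLP.DLL
# AppID entry (assumption).
$BadDlls = @('pxwma.dll', 'dlp.dll')
# Files Step 2 says are dropped into %Temp%.
$BadTempFiles = @('whoiscache.dat', '2921.dat')

$BhoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

function Get-WebDirBhoFindings {
    # Walk every registered BHO; a BHO loads into each IE process, so any
    # unexpected CLSID here deserves attention, not only the two known ones.
    $findings = @()
    if (-not (Test-Path -Path $BhoRoot)) { return $findings }

    foreach ($bho in Get-ChildItem -Path $BhoRoot) {
        $clsid  = $bho.PSChildName
        $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll    = $null
        if (Test-Path -Path $inproc) {
            # The (default) value of InprocServer32 is the DLL that IE loads.
            $dll = (Get-ItemProperty -Path $inproc).'(default)'
        }

        $byClsid = $BadClsids -contains $clsid
        $byDll   = $false
        if ($dll) {
            $leaf  = [System.IO.Path]::GetFileName($dll).ToLowerInvariant()
            $byDll = $BadDlls -contains $leaf
        }

        if ($byClsid -or $byDll) {
            $findings += [pscustomobject]@{
                Clsid     = $clsid
                Dll       = $dll
                MatchedOn = if ($byClsid) { 'CLSID' } else { 'DLL name' }
            }
        }
    }
    return $findings
}

function Get-WebDirTempFindings {
    # Check the current user's %Temp% for the downloaded files from Step 2.
    $hits = @()
    foreach ($name in $BadTempFiles) {
        $path = Join-Path -Path $env:TEMP -ChildPath $name
        if (Test-Path -Path $path -PathType Leaf) {
            $hits += Get-Item -Path $path | Select-Object FullName, Length, LastWriteTime
        }
    }
    return $hits
}

$bhoHits  = Get-WebDirBhoFindings
$tempHits = Get-WebDirTempFindings

if ($bhoHits.Count -eq 0 -and $tempHits.Count -eq 0) {
    Write-Output 'No Adware.WebDir indicators found.'
} else {
    Write-Output 'Adware.WebDir indicators found:'
    $bhoHits  | Format-Table -AutoSize
    $tempHits | Format-Table -AutoSize
}
```

The BHO check resolves the DLL path because a cleaned host sometimes keeps a stale CLSID registration after the file is gone; a hit on the CLSID alone tells you to remove the registration, a hit on a DLL that still exists tells you the component can still load. The %Temp% check covers only the user running the script; to cover other profiles, repeat it against each user's Temp directory.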
