
Adware.Zhong

Updated:
May 24, 2006 11:08:51 PM
Risk Impact:
High
Systems Affected:
Windows 2000, Windows XP
Once executed, the program creates the following files:
%System%\explorer.exe
%System%\sysreal32.dll
%ProgramFiles%\weather\config.ini
%ProgramFiles%\weather\unins000.dat
%ProgramFiles%\weather\unins000.exe
%ProgramFiles%\weather\Weather.exe
%ProgramFiles%\weather\weather.lnk

Next, the program creates the following registry entry so that it runs when Windows runs:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"rundll32" = "%System%\explorer.exe"

Note: This file runs as a hidden process and does not appear in the Windows Task Manager's process list.

The risk creates the following registry subkeys:
HKEY_CLASSES_ROOT\Chajian.ChajianHelper
HKEY_CLASSES_ROOT\Chajian.ChajianHelper.1
HKEY_CLASSES_ROOT\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}
HKEY_CLASSES_ROOT\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}
HKEY_CLASSES_ROOT\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\weather_is1

Then the risk creates the following folders:
%UserProfile%\all users\start menu\programs\weather
%ProgramFiles%\weather

The risk then opens Web sites, including the following URL:
http://www.zinanjing.com/
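As an added triage example (not part of the Symantec writeup), the following PowerShell checks a host for the file and registry artifacts listed above; it assumes %System% maps to $env:SystemRoot\System32 and %ProgramFiles% to $env:ProgramFiles, and it looks only for the names the writeup gives.

```powershell
# Added example: check a Windows host for the Adware.Zhong artifacts named in the writeup.
# Assumptions: %System% = $env:SystemRoot\System32, %ProgramFiles% = $env:ProgramFiles.
$system     = Join-Path $env:SystemRoot 'System32'
$weatherDir = Join-Path $env:ProgramFiles 'weather'
$findings   = @()

# 1. Dropped files. The genuine Explorer shell is %SystemRoot%\explorer.exe, so an
#    explorer.exe sitting in System32 is worth a look on its own.
$files = @(
    (Join-Path $system 'explorer.exe'),
    (Join-Path $system 'sysreal32.dll'),
    (Join-Path $weatherDir 'Weather.exe'),
    (Join-Path $weatherDir 'config.ini'),
    (Join-Path $weatherDir 'unins000.exe')
)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings += "File present: $f" }
}

# 2. Run key: the writeup names a value "rundll32" whose data points at %System%\explorer.exe.
#    The value name and the target do not match, which is the tell.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['rundll32']) {
    $data = [string]$run.rundll32
    if ($data -match 'explorer\.exe') {
        $findings += "Run value 'rundll32' points at: $data"
    }
}

# 3. ProgID, COM interface/typelib and uninstall subkeys listed in the writeup.
$keys = @(
    'Registry::HKEY_CLASSES_ROOT\Chajian.ChajianHelper',
    'Registry::HKEY_CLASSES_ROOT\Chajian.ChajianHelper.1',
    'Registry::HKEY_CLASSES_ROOT\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}',
    'Registry::HKEY_CLASSES_ROOT\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}',
    'Registry::HKEY_CLASSES_ROOT\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\weather_is1'
)
foreach ($k in $keys) {
    if (Test-Path -LiteralPath $k) { $findings += "Registry key present: $k" }
}

if ($findings.Count -eq 0) { 'No Adware.Zhong artifacts found.' } else { $findings }
```

Run it from an elevated PowerShell session so the HKLM and %System% checks are not blocked by access restrictions; a hit on any single item warrants a full scan rather than manual cleanup alone.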
Writeup By: David Curran