Adware.Kiswin

Updated: April 9, 2007 7:24:28 AM
Type: Adware
Infection Length: 189,128 bytes
Risk Impact: High
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

Once executed, the risk creates the following files:
  • %ProgramFiles%\EbayShop\ebay.ico
  • %ProgramFiles%\EbayShop\EbayShop.exe
  • %ProgramFiles%\EbayShop\EbayShopSetup.exe
  • %ProgramFiles%\EbayShop\EbayShopUnwise.exe
  • %ProgramFiles%\EbayShop\setup.ini
  • %UserProfile%\Desktop\eBay%double byte strings%.lnk
  • %UserProfile%\Start Menu\eBay%double byte strings%.lnk
  • %UserProfile%\Start Menu\Programs\eBay%double byte strings%.lnk
  • C:\eBay%double byte strings%.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Startup\eBay%double byte strings%.lnk

The risk creates the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EbayShop\"DisplayName" = "EbayShop"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EbayShop\"UninstallString" = "%ProgramFiles%\EbayShop\EbayShopUnwise.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EbayShop\"InstallProviderId" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EbayShop\"UserId" = %random%
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EbayShop\"Version" = "0x1321BAD"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EbayShop\"Url1" = "[http://]ebay.kisswin.com/kugo[REMOVED]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EbayShop\"Url2" = "[http://]ebay.kisswin.com/kugo[REMOVED]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EbayShop\"Url3" = "[http://]ebay.kisswin.com/kugo[REMOVED]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EbayShop\"Url4" = "[http://]ebay.kisswin.com/kugo[REMOVED]"

The risk displays popup advertisements on the compromised computer.