
Adware.Rotator

Updated: May 10, 2011 2:55:32 PM
Type: Adware
Risk Impact: Low
Systems Affected: Windows 2000, Windows 7, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Server 2008, Windows Vista, Windows XP

When the risk is executed, it creates the following files:
  • %System%/_[RANDOM FILE NAME].dll
  • %System%/[RANDOM FILE NAME].dll

It also creates the following non-malicious file:
%System%/[RANDOM FILE NAME TWO].exe

The risk then creates the following registry entry, so that it starts when Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"[RANDOM FILE NAME]" = "%System%\regsvr32.exe %System%\[RANDOM FILE NAME].dll"

The risk also creates the following registry entries:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\"[RANDOM ID]" = "brincome browser plug-in"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\[RANDOM ID]\"InProcServer32" = "%System%\[RANDOM FILE NAME].dll"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\[RANDOM FILE NAME TWO]\"DisplayName" = "Performance Solution Brincome."
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\[RANDOM FILE NAME TWO]\"UninstallString" = "%System%\[RANDOM FILE NAME TWO].exe /i=%systemdir%\[RANDOM FILE NAME].dll" /d=[RANDOM FILE NAME TWO]"

It then creates a browser helper object for Internet Explorer with the following name:
Brincome Browser Plugin

The risk connects to one of the following URLs:
  • [http://]bx.brincome.biz/bc/nsi_ins[REMOVED]
  • [http://]bx.brincome.biz/bc/nsi_unin[REMOVED]
  • [http://]bx.brincome.biz/bc/nsi_ins[REMOVED]
  • [http://]bx.rincome.biz/bc/nsi_unin[REMOVED]

The risk then sends specially crafted HTTP POST requests to predetermined websites. These POST requests are designed to simulate clicks on advertisements, increasing the click count for an affiliate involved in a pay-per-click program.
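
Because the file names and CLSID are random, the stable indicators are the fixed strings and the shape of the Run entry listed above. The following Python is an added example, not part of the original writeup: it scans `reg export` text for those three registry artifacts. The function names, the sample hive text, and the value names and CLSID in it are constructed for illustration.

```python
import re

# Constructed sample in `reg export` text format (not taken from a real host).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"qwzkd"="C:\\WINDOWS\\system32\\regsvr32.exe C:\\WINDOWS\\system32\\qwzkd.dll"
"SoundMan"="C:\\WINDOWS\\SOUNDMAN.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}]
@="brincome browser plug-in"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\xplmt]
"DisplayName"="Performance Solution Brincome."
'''

HKLM = "hkey_local_machine\\software\\"
RUN_KEY = HKLM + "microsoft\\windows\\currentversion\\run"
CLSID_PREFIX = HKLM + "classes\\clsid\\"
UNINSTALL_PREFIX = HKLM + "microsoft\\windows\\currentversion\\uninstall\\"
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')
# regsvr32 followed by a path ending in <stem>.dll; group 1 captures <stem>.
RUN_RE = re.compile(r'regsvr32(?:\.exe)?"?\s+.*\\([^\\"]+)\.dll"?\s*$', re.I)

def parse_reg(text):
    """Yield (key, value_name, data) for string values; '@' is the key's default value."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_RE.match(line)):
            name = "@" if m.group(1) == "@" else m.group(1)[1:-1]
            yield key, name, re.sub(r"\\(.)", r"\1", m.group(2))  # undo .reg escaping

def find_indicators(text):
    """Return (indicator, key, value_name) for each artifact named in the writeup."""
    hits = []
    for key, name, data in parse_reg(text):
        k = key.lower()
        if k == RUN_KEY:
            m = RUN_RE.search(data)
            # The writeup's Run value is named after the DLL that regsvr32 loads.
            if m and m.group(1).lower() == name.lower():
                hits.append(("run-regsvr32", key, name))
        elif k.startswith(CLSID_PREFIX) and name == "@" and data.lower() == "brincome browser plug-in":
            hits.append(("clsid", key, name))
        elif k.startswith(UNINSTALL_PREFIX) and name.lower() == "displayname" and data.strip().lower() == "performance solution brincome.":
            hits.append(("uninstall", key, name))
    return hits
```

`reg export` writes UTF-16 files, so decode the file before passing its text to `find_indicators`.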