1. Symantec/
  2. Security Response/
  3. PUA.SponsorKeyword

PUA.SponsorKeyword

Updated:
June 29, 2015 10:32:10 AM
Type:
Potentially Unwanted App
Version:
1.0.0.1
Risk Impact:
Low
Systems Affected:
Windows
When the program is executed, it creates the following files:
  • %ProgramFiles%\sponsormatch\sponsormatchagent.exe
  • %ProgramFiles%\sponsormatch\sponsormatch.exe
  • %ProgramFiles%\sponsormatch\sponsormatch_uninstall.exe

Next, it creates the following registry entries so that it executes whenever Windows starts:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"sponsormatch" = "%ProgramFiles%sponsormatch\sponsormatchagent.exe"
  • HKEY_CURRENT_USER\Software\sponsormatch\"run" = "[DATE OF EXECUTION]"

It also creates the following registry entries:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BC92C53E-A5C1-4D33-995C-AB7BB869E0E6}\"Version" = "*"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BC92C53E-A5C1-4D33-995C-AB7BB869E0E6}\"Flags" = "[HEXADECIMAL VALUE]"

The program then creates the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\sponsormatch

Next, the program creates the following mutex:
sponsorkeyword

It then retrieves certain system information, including:
  • IE version
  • OS version

The program may download an updated version of itself from the following location:
[http://]in.sponsorkeyword.co.kr

It retrieves search engine information from the following location:
[http://]api.sponsorkeyword.co.kr

The program may then display advertisements on the computer by using certain keyword matches.
Summary| Technical Details| Removal

Search Threats

Search by name
Example: W32.Beagle.AG@mm
STAR Antimalware Protection Technologies
2016 Internet Security Threat Report, Volume 21
  • Twitter
  • Facebook
  • LinkedIn
  • Google+
  • YouTube