
Adware.SafeTerra

Updated: April 27, 2012 5:18:32 AM
Infection Length: 2,952,646 bytes
Name: SafeTerra
Version: 1.0
Publisher: cpaacademy.co.kr
Risk Impact: High
Systems Affected: Windows

When the security risk executes, it creates the following files:
  • %ProgramFiles%\KeywordInfo\Wkip.exe
  • %ProgramFiles%\KeywordInfo\WkipUpdate.exe
  • %ProgramFiles%\KeywordInfo\WkipUnInst.exe
  • %ProgramFiles%\STerra\SafeTerra.exe
  • %ProgramFiles%\STerra\SafeTerraUpdate.exe
  • %ProgramFiles%\STerra\STUninstall.exe
  • %ProgramFiles%\STerra\TerraInfo.STR

Next, it creates the following registry entries so that it runs every time Windows starts:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Safeterra" = "%ProgramFiles%\STerra\SafeTerraUpdate.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"KeywordInfo" = "%ProgramFiles%\KeywordInfo\WKipUpdate.exe"

It then creates the following registry entries:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SafeTerra\"HelpLink" = "[http://]www.cpaacademy.kr"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SafeTerra\"Publisher" = "[KOREAN CHARACTERS]"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SafeTerra\"URLInfoAbout" = "[http://]www.cpaacademy.kr"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SafeTerra\"URLUpdateInfo" = "[http://]www.cpaacademy.kr"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SafeTerra\"UninstallString" = "%ProgramFiles%\STerra\STUninstall.exe"
  • HKEY_CURRENT_USER\Software\Safeterra\Ad\"paused_ad_time" = "3c"
  • HKEY_CURRENT_USER\Software\Safeterra\Ad\BlcokDomainList\"WEGAMES.NET"
  • HKEY_CURRENT_USER\Software\Safeterra\Ad\BlcokDomainList\"JI.WOTO.NET"
  • HKEY_CURRENT_USER\Software\Safeterra\Ad\"answer_hold" = "bb8"
  • HKEY_CURRENT_USER\Software\Safeterra\Ad\"day_middle" = "a"
  • HKEY_CURRENT_USER\Software\Safeterra\Ad\"day_repeat" = "1"
  • HKEY_CURRENT_USER\Software\Safeterra\Ad\"day_toast" = "a"
  • HKEY_CURRENT_USER\Software\Safeterra\Ad\"day_under" = "a"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SafeTerra\"Comments" = "SafeTerra 1.0"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SafeTerra\"DisplayName" = "Window network SafeTerra"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SafeTerra\"DisplayVersion" = "1.0"

It then connects to the following URLs:
  • [http://]admin.keywordinfo.co.kr/app/setu[REMOVED]
  • [http://]datacheck.cpaacademy.kr/AppBlockDataApp/AppBlockVal[REMOVED]
  • [http://]admin.keywordinfo.co.kr/app/confi[REMOVED]
  • [http://]ate>http://admin.keywordinfo.co.kr/app/setu[REMOVED]

It also downloads an XML file from the following URL:
[http://]admin.keywordinfo.co.kr/app/index[REMOVED]

The downloaded XML file contains URLs to display pop-up advertisements, which it opens in Internet Explorer.

The security risk may also download more adware.
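As an added defender-side triage example (written for this page, not code from Symantec's writeup or from the adware's publisher), the PowerShell script below checks a Windows host for the files, Run values and registry keys listed above and reports which are present without changing anything. The `%ProgramFiles(x86)%` variant paths and the process names are assumptions derived from the listed file names, not indicators the writeup itself states.

```powershell
# Added triage script: read-only check for the Adware.SafeTerra artifacts
# listed in this writeup. Run from an elevated PowerShell prompt (PS 3.0+).

# File paths taken from the writeup; %ProgramFiles% is expanded at run time.
$filePaths = @(
    '%ProgramFiles%\KeywordInfo\Wkip.exe',
    '%ProgramFiles%\KeywordInfo\WkipUpdate.exe',
    '%ProgramFiles%\KeywordInfo\WkipUnInst.exe',
    '%ProgramFiles%\STerra\SafeTerra.exe',
    '%ProgramFiles%\STerra\SafeTerraUpdate.exe',
    '%ProgramFiles%\STerra\STUninstall.exe',
    '%ProgramFiles%\STerra\TerraInfo.STR'
) | ForEach-Object { [Environment]::ExpandEnvironmentVariables($_) }

# Assumption: a 32-bit installer on 64-bit Windows lands under %ProgramFiles(x86)%,
# so the same relative paths are also checked there.
$x86 = [Environment]::GetEnvironmentVariable('ProgramFiles(x86)')
if ($x86) {
    $filePaths += ($filePaths | ForEach-Object { $_.Replace($env:ProgramFiles, $x86) })
}

$findings = New-Object System.Collections.Generic.List[string]

foreach ($p in $filePaths) {
    if (Test-Path -LiteralPath $p) { $findings.Add("file present: $p") }
}

# Persistence: per-user Run values named in the writeup. HKCU covers only the
# logged-on user; other profiles' hives must be loaded and checked separately.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($name in 'Safeterra', 'KeywordInfo') {
    $val = Get-ItemProperty -Path $runKey -Name $name -ErrorAction SilentlyContinue
    if ($val) { $findings.Add("Run value '$name' = '$($val.$name)'") }
}

# Uninstall entry and the adware's own configuration key.
foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SafeTerra',
                 'HKCU:\Software\Safeterra') {
    if (Test-Path -LiteralPath $key) { $findings.Add("registry key present: $key") }
}

# Assumption: running processes are named after the listed executables.
$procNames = 'SafeTerra', 'SafeTerraUpdate', 'Wkip', 'WkipUpdate'
foreach ($proc in (Get-Process -ErrorAction SilentlyContinue | Where-Object { $_.Name -in $procNames })) {
    $findings.Add("process running: $($proc.Name) (PID $($proc.Id))")
}

if ($findings.Count -eq 0) {
    Write-Output 'No Adware.SafeTerra artifacts found.'
} else {
    Write-Output "Adware.SafeTerra artifacts found ($($findings.Count)):"
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

A hit on the Run values or the STerra directory is the strongest indicator; the uninstall key alone can survive a partial manual cleanup, so treat each finding as a prompt to confirm with the vendor's removal steps rather than as proof on its own.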