Generic Adware.a!F1EE19C7
- Type
- Program
- SubType
- Adware
- Discovery Date
- 05/16/2008
- Minimum DAT
- 5297 (05/16/2008)
- Updated DAT
- 5299 (05/20/2008)
- Minimum Engine
- 5.1.00
- Description Added
- 05/16/2008
- Description Modified
- 05/16/2008 9:03 AM (PT)
Characteristics
During the initialization phase, which is started by its dropper, Generic Adware.a!F1EE19C7 first unpacks itself and then checks whether it is running inside a VMware virtual machine. This check is an anti-analysis measure intended to make the sample harder to study in a lab.
If VMware is detected, Generic Adware.a!F1EE19C7 simply terminates without doing anything else.
If it is satisfied with the environment, it registers itself as a Browser Helper Object (BHO) for Internet Explorer, which means it is loaded and executed every time Internet Explorer is started.
After registering itself, it also creates the following registry value:
HKCU\Software\Microsoft\Windows\CurrentVersion\DateTime\Log\t
The data stored in this value probably records the time of the first infection.
Once registration is complete, every time Internet Explorer is started the BHO is loaded and injects itself into the Explorer process. The copy injected into Explorer then displays message boxes telling the user that the machine is infected and prompting him or her to download a fake antivirus application.
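The two persistence artifacts described above, the Internet Explorer BHO registration and the HKCU\Software\Microsoft\Windows\CurrentVersion\DateTime\Log\t marker value, can be checked offline from a registry export (`reg export`). The following Python script is an added triage example written for this page; it is not McAfee's code and not part of the original description. It parses a .reg file, lists every CLSID registered under a Browser Helper Objects key, resolves each one to its InprocServer32 DLL, flags DLLs loaded from user-writable temp folders, and reports whether the marker value exists. The embedded export is constructed for illustration: the CLSID, DLL path and the marker's data are placeholders, since the page does not document the real ones or how the marker value is encoded.

```python
"""Offline triage of a Windows .reg export for IE BHO registrations and the
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\DateTime\\Log\\t marker.
Added example for this page; not McAfee's code."""
import re
import sys
from typing import Dict, List, Optional

# Well-known BHO registration key (the hive prefix varies, so match on the suffix).
BHO_KEY_SUFFIX = r"software\microsoft\windows\currentversion\explorer\browser helper objects"
# Marker key and value name taken from this page's description.
MARKER_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\datetime\log"
MARKER_VALUE = "t"
CLSID_RE = re.compile(r"\{[0-9a-f-]{36}\}")
# Folders a legitimate BHO should not normally be loaded from (heuristic, not a verdict).
SUSPICIOUS_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\users\\public\\")

# Constructed sample export, NOT a capture of the real sample. CLSID, DLL path and
# marker data are placeholders; the page does not document how 't' is encoded.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-1111-2222-3333-444444444444}]
"NoExplorer"=dword:00000001

[HKEY_CLASSES_ROOT\CLSID\{00000000-1111-2222-3333-444444444444}\InprocServer32]
@="C:\\Users\\victim\\AppData\\Local\\Temp\\adw.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\DateTime\Log]
"t"=dword:4830e500
"""


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse .reg text into {key_path_lowercased: {value_name: data}}.
    '@' is the key's default value; quoted string data is unescaped, other
    types (dword:, hex:) are kept as their raw textual form."""
    reg: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()  # registry paths are case-insensitive
            reg.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, data = line.split("=", 1)
        name = "@" if name == "@" else name.strip('"')
        if data.startswith('"') and data.endswith('"'):
            data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        reg[current][name] = data
    return reg


def find_bhos(reg: Dict[str, Dict[str, str]]) -> List[dict]:
    """Return every CLSID registered as a BHO, resolved to its InprocServer32 DLL."""
    hits = []
    for key in reg:
        if BHO_KEY_SUFFIX not in key:
            continue
        clsid = key.rsplit("\\", 1)[-1]
        if not CLSID_RE.fullmatch(clsid):
            continue  # the parent 'Browser Helper Objects' key itself
        dll = None
        for hive in ("hkey_classes_root", r"hkey_local_machine\software\classes",
                     r"hkey_current_user\software\classes"):
            entry = reg.get(f"{hive}\\clsid\\{clsid}\\inprocserver32", {})
            if "@" in entry:
                dll = entry["@"]
                break
        hits.append({"hive": key.split("\\", 1)[0], "clsid": clsid, "dll": dll})
    return hits


def is_suspicious_path(path: Optional[str]) -> bool:
    """Unresolvable DLLs and DLLs in user-writable temp folders deserve a closer look."""
    if path is None:
        return True
    return any(d in path.lower() for d in SUSPICIOUS_DIRS)


def infection_marker(reg: Dict[str, Dict[str, str]]) -> Optional[str]:
    """Raw data of HKCU\\...\\DateTime\\Log\\t, or None if the value is absent."""
    return reg.get(MARKER_KEY, {}).get(MARKER_VALUE)


def triage(text: str) -> dict:
    reg = parse_reg(text)
    bhos = find_bhos(reg)
    return {"bhos": bhos,
            "suspicious_bhos": [b for b in bhos if is_suspicious_path(b["dll"])],
            "marker": infection_marker(reg)}


if __name__ == "__main__":
    # Real 'reg export' output is UTF-16LE with a BOM; the sample is used when no file is given.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_REG
    report = triage(text)
    for b in report["bhos"]:
        flag = "SUSPICIOUS" if b in report["suspicious_bhos"] else "ok"
        print(f"BHO {b['clsid']} ({b['hive']}) -> {b['dll']} [{flag}]")
    print("DateTime\\Log\\t marker:", report["marker"] or "not present")
```

Run it against `reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects`, `reg export HKCR\CLSID` and `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\DateTime` concatenated into one file; a BHO whose DLL lives under a user's Temp folder together with the marker value matches the behaviour described here, although the DLL itself still needs to be submitted for scanning before drawing conclusions.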

When the OK button is pressed, the malware attempts to download the fake antivirus product from a malicious website. McAfee already detects the downloaded file as Generic FakeAlert.c.
Note that because these pop-ups are displayed by Explorer.exe, the user interface remains unresponsive until the OK or CANCEL button is pressed.
Removal
AVERT recommends always using the latest DATs and engine. This threat will be cleaned if you have this combination.
Aliases
-
N/A