Adware-IEDriver

Type: Program
SubType: Adware
Discovery Date: 05/12/2004
Minimum DAT: 4253 (03/19/2003)
Updated DAT: 5028 (05/10/2007)
Minimum Engine: 5.1.00
Description Added: 04/20/2004
Description Modified: 03/21/2005 5:13 PM (PT)

Characteristics

McAfee(R) AVERT™ recognizes that this program may have legitimate uses in contexts where an authorized administrator has knowingly installed this application. If you agreed to a license agreement for this, or another bundled application, you may have legal obligations with regard to removing this software, or using the host application without this software. Please contact the software vendor for further information.

See http://vil.nai.com/vil/DATReadme.asp for a list of Program detections added to the DATs.

See http://vil.nai.com/vil/pups/configuration.htm for information about how to enable, disable, and exclude detection of legitimately installed programs.

Distribution

This is not a virus or trojan. It is a direct-marketing adware application. This application generates extra pop-up ads while using Internet Explorer.

In most cases, users agree to have the Adware installed in the license agreement, although they may not realise at first that this file was packaged with the product they installed.

The application adds a menu item named MaxSpeed to the Internet Explorer Tools menu. Clicking on this item executes a file "ms.exe" (the name may vary) stored in %windir%\system32, which displays the window shown below for configuring download accelerator settings. Upon execution, ms.exe copies itself as IExplore.exe into the hidden folder %windir%\system32\IEDriver and prompts the user to restart the computer if the slider bar settings are changed. This file is responsible for serving ads through the site www.adserve.com.

The following adware components are downloaded upon execution of the main application:

  • Dp-him.exe - detected as Application Downloader-js
  • IEHost.exe - detected as Adware-IEDriver

Figure: the various options displayed upon execution of the file "ms.exe".

Note: %windir% is the Windows directory, for example C:\Windows on Windows XP.

The names of the files associated with the adware are:

  • Overpro323.exe
  • IEhost.exe
  • Terabyte.exe

The application contacts the following websites to display ads and install other adware.

Figure: the pattern of downloads performed by Overpro323.exe.

Installation

It adds the downloaded files to the Run registry key (under the values 'Bakra' and 'Dsi') so that they are executed on each reboot:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run\Bakra: "C:\WINDOWS\System32\IEHost.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run\Dsi: "C:\WINDOWS\System32\dp-him.exe"

The following registry keys are added in order to show the menu button in Internet Explorer:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{120E090D-9136-4b78-8258-F0B44B4BD2AC}\Exec: "C:\WINDOWS\System32\ms.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{120E090D-9136-4b78-8258-F0B44B4BD2AC}\MenuText: "MaxSpeed"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{120E090D-9136-4b78-8258-F0B44B4BD2AC}\MenuStatusBar: "MaxSpeed"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Uninstall\{120E090D-9136-4b78-8258-F0B44B4BD2AC}\UninstallString: "C:\WINDOWS\System32\ms.exe /c"
  • HKEY_USERS\S-1-5-21-854245398-1383384898-842925246-500\Software\Microsoft\Internet Explorer\Main\Search Bar: file://C:\WINDOWS\System32\SearchBar.htm

If ms.exe is executed, the following registry entries are also added:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run\IEDriver: "C:\WINDOWS\System32\IEDriver\IExplore.exe /U"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Uninstall\{120E090D-9136-4b78-8258-F0B44B4BD2AC}\UninstallString: "C:\WINDOWS\System32\ms.exe /c"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Uninstall\{BC3BBF86-E4EC-4412-9676-8355468B3B05}\UninstallString: "C:\WINDOWS\System32\IEDriver\3.exe /c IEDriver"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Uninstall\{F20239CB-33DC-4ec6-959E-73EDEA0FE4D7}\UninstallString: "C:\WINDOWS\System32\IEDriver\3.exe /c PopKiller"

The following files are created upon execution:

  • C:\Documents and Settings\Administrator\Local Settings\Temp\kmin.exe
  • C:\Documents and Settings\Administrator\Local Settings\Temp\vmstmp\vmstmp.exe
  • C:\Documents and Settings\Administrator\Local Settings\Temp\~MySetup.exe
  • C:\Documents and Settings\All Users\Application Data\vmss\vmss.inf
  • C:\Documents and Settings\All Users\Application Data\wsxs\Adverts\*
  • C:\Program Files\MaxSpeed\Privacy Info.url
  • C:\Program Files\MaxSpeed\Terms and Conditions.url
  • C:\Program Files\MaxSpeed\Uninstall Instructions.url
  • C:\WINDOWS\inf\iskeysdk.PNF
  • C:\WINDOWS\system32\datastore.dll
  • C:\WINDOWS\system32\dp-him.exe
  • C:\WINDOWS\system32\IEHost.EXE
  • C:\WINDOWS\system32\IEDriver\IExplore.exe
  • C:\WINDOWS\system32\master.dll
  • C:\WINDOWS\system32\ms.exe
  • C:\WINDOWS\system32\SearchBar.htm
  • C:\WINDOWS\system32\Searchx.htm
  • C:\WINDOWS\system32\sub.dll
  • C:\WINDOWS\system32\terrabyte.exe
  • C:\WINDOWS\system32\uninstall.exe
  • C:\WINDOWS\system32\vmss\vmss.exe
  • C:\WINDOWS\system32\wsxsvc\License.txt
  • C:\WINDOWS\system32\wsxsvc\uninstall.html
  • C:\WINDOWS\system32\wsxsvc\wsx.dll
  • C:\WINDOWS\system32\wsxsvc\wsx.ocx
  • C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
  • C:\keys.ini

* Multiple files in the folder "C:\Documents and Settings\All Users\Application Data\wsxs"
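As an added defender's example (not part of the original McAfee description), the following Python script parses a regedit export and flags entries matching the indicators listed above: the Run values 'Bakra', 'Dsi' and 'IEDriver', the Internet Explorer extension and uninstall CLSIDs, and value data pointing at the dropped files. The sample export embedded in the script, including its two benign entries, is constructed for illustration; the indicator strings themselves are copied from this description.

```python
"""Check a Windows .reg export for the Adware-IEDriver artifacts listed above."""
import re
from typing import Dict, Iterator, List, Optional, Tuple

# Indicators taken verbatim from the advisory; comparisons are case-insensitive.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
RUN_VALUE_NAMES = {"bakra", "dsi", "iedriver"}
IE_EXTENSIONS_KEY = r"hkey_local_machine\software\microsoft\internet explorer\extensions"
UNINSTALL_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\uninstall"
KNOWN_CLSIDS = {
    "{120e090d-9136-4b78-8258-f0b44b4bd2ac}",
    "{bc3bbf86-e4ec-4412-9676-8355468b3b05}",
    "{f20239cb-33dc-4ec6-959e-73edea0fe4d7}",
}
# Tail fragments of the dropped file paths, so the drive letter does not matter.
FILE_FRAGMENTS = (
    r"\iedriver\iexplore.exe", r"\iedriver\3.exe", r"\system32\ms.exe",
    r"\system32\iehost.exe", r"\system32\dp-him.exe", r"\system32\searchbar.htm",
)

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(?:"([^"]+)"|(@))=(?:"(.*)"|(.+))$')


def parse_reg_export(text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (key, value_name, data) from .reg text; non-string data is left raw."""
    key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4")):
            continue
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = _VALUE_RE.match(line)
        if m and key is not None:
            name = m.group(1) if m.group(1) is not None else "(Default)"
            data = m.group(3) if m.group(3) is not None else m.group(4)
            # .reg string data escapes backslashes and double quotes.
            data = data.replace("\\\\", "\\").replace('\\"', '"')
            yield key, name, data


def classify(key: str, name: str, data: str) -> Optional[str]:
    """Return why an entry matches the advisory, or None if it looks unrelated."""
    k, n, d = key.lower(), name.lower(), data.lower()
    clsid = k.rsplit("\\", 1)[-1]
    if k == RUN_KEY and n in RUN_VALUE_NAMES:
        return f"Run persistence value '{name}'"
    if k.startswith(IE_EXTENSIONS_KEY + "\\") and clsid in KNOWN_CLSIDS:
        return "Internet Explorer extension CLSID from advisory"
    if k.startswith(UNINSTALL_KEY + "\\") and clsid in KNOWN_CLSIDS:
        return "Uninstall entry CLSID from advisory"
    if any(frag in d for frag in FILE_FRAGMENTS):
        return "value data points at a dropped file"
    return None


def scan_reg_export(text: str) -> List[Dict[str, str]]:
    """Return every registry entry in the export that matches an indicator."""
    findings = []
    for key, name, data in parse_reg_export(text):
        reason = classify(key, name, data)
        if reason:
            findings.append({"key": key, "name": name, "data": data, "reason": reason})
    return findings


# Constructed sample export: advisory entries plus two benign entries that must not match.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Bakra"="C:\\WINDOWS\\System32\\IEHost.exe"
"Dsi"="C:\\WINDOWS\\System32\\dp-him.exe"
"IEDriver"="C:\\WINDOWS\\System32\\IEDriver\\IExplore.exe /U"
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{120E090D-9136-4b78-8258-F0B44B4BD2AC}]
"Exec"="C:\\WINDOWS\\System32\\ms.exe"
"MenuText"="MaxSpeed"
"MenuStatusBar"="MaxSpeed"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BC3BBF86-E4EC-4412-9676-8355468B3B05}]
"UninstallString"="C:\\WINDOWS\\System32\\IEDriver\\3.exe /c IEDriver"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00000000-0000-0000-0000-000000000000}]
"DisplayName"="Example Application"
"UninstallString"="C:\\Program Files\\Example\\uninst.exe"
'''

if __name__ == "__main__":
    import sys
    # Real exports written by regedit are UTF-16 LE; pass a path to scan one.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_REG_EXPORT
    for f in scan_reg_export(text):
        print(f"{f['reason']}: [{f['key']}] {f['name']} = {f['data']}")
```

Run it without arguments to scan the embedded sample, or with the path of a `reg export`/regedit output file to scan a real export. The CLSID checks are keyed on the subkey name rather than the value data, so an uninstall entry whose UninstallString has been changed still matches, and the path-fragment check catches the same binaries if they were registered under a different value name.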

Users who would like to check for the presence of potentially unwanted programs on their system should run the command line scanner with the /PROGRAM switch.
Please note that VirusScan 7, and higher, has an option that enables users to detect this kind of program automatically (see below).

Aliases

    N/A