Generic Adware.a!F1EE19C7

Type
Program
SubType
Adware
Discovery Date
05/16/2008
Minimum DAT
5297 (05/16/2008)
Updated DAT
5299 (05/20/2008)
Minimum Engine
5.1.00
Description Added
05/16/2008
Description Modified
05/16/2008 9:03 AM (PT)

Characteristics

During the initialization phase, which is started by its dropper, Generic Adware.a!F1EE19C7 first unpacks itself and then checks whether it is executing inside a VMware virtual machine. This check is an anti-analysis measure: sandboxes and analyst workstations commonly run under VMware, and refusing to run there makes dynamic analysis of the sample harder.

If VMware is detected, Generic Adware.a!F1EE19C7 simply terminates without performing any further action, so a run inside such an environment shows no malicious behaviour at all.

If the environment check passes, Generic Adware.a!F1EE19C7 registers itself as an Internet Explorer Browser Helper Object (BHO). As a consequence, its code is loaded and executed every time Internet Explorer is started.

After registering itself, it additionally creates the following registry value:

      HKCU\Software\Microsoft\Windows\CurrentVersion\DateTime\Log\t

which is set to a value that most likely records the time of the initial infection.

After the registration phase, every time Internet Explorer is started the BHO is loaded and injects itself into the Explorer.exe process. The copy injected into Explorer.exe then displays message boxes telling the user that the machine is infected and prompting them to download a fake antivirus application.

When the OK button is pressed, the malware attempts to download the fake antivirus product from a malicious website. McAfee already detects the downloaded file as Generic FakeAlert.c.

It is worth noting that, because these popups are displayed from within Explorer.exe, the Windows shell user interface remains unresponsive until the OK or CANCEL button is pressed.
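The following triage script is an added example and is not McAfee's tooling or part of this description. It covers the two host artifacts described above: the BHO registration, which the script enumerates from the standard Browser Helper Objects registration keys and resolves to the backing DLL via the CLSID's InprocServer32 entry, and the HKCU\Software\Microsoft\Windows\CurrentVersion\DateTime\Log\t marker, which it reads as a value named "t" under the Log key (an assumption; the description does not say whether "t" is a value or a subkey). Because the description says the BHO injects into Explorer.exe, it also checks whether any resolved BHO DLL is currently mapped into explorer.exe. The registry locations are the standard BHO registration paths, not paths taken from this page; run it from an elevated PowerShell prompt on the suspect host.

```powershell
# Added triage script (example code, not McAfee's): enumerate registered Browser
# Helper Objects, resolve each CLSID to its DLL, report the DateTime\Log\t marker
# named in the description, and check whether any BHO DLL is loaded in explorer.exe.
# Assumption: standard BHO registration paths (32-bit view included on 64-bit hosts).

$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Resolve-BhoDll {
    param([string]$Clsid)
    # A BHO's in-process server DLL is the default value of CLSID\{...}\InprocServer32.
    $roots = 'HKLM:\SOFTWARE\Classes\CLSID',
             'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID',
             'HKCU:\SOFTWARE\Classes\CLSID'
    foreach ($root in $roots) {
        $path = Join-Path $root "$Clsid\InprocServer32"
        if (Test-Path $path) {
            $dll = (Get-ItemProperty -Path $path).'(default)'
            if ($dll) { return [Environment]::ExpandEnvironmentVariables($dll) }
        }
    }
    return $null
}

$bhos = foreach ($key in $bhoKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($sub in Get-ChildItem -Path $key) {
        $clsid = $sub.PSChildName
        $dll   = Resolve-BhoDll -Clsid $clsid
        [pscustomobject]@{
            Clsid    = $clsid
            Location = $key
            Dll      = $dll
            # Unsigned or missing DLLs registered as BHOs deserve a closer look.
            Signed   = if ($dll -and (Test-Path $dll)) {
                           (Get-AuthenticodeSignature -FilePath $dll).Status
                       } else { 'n/a' }
        }
    }
}

'=== Registered Browser Helper Objects ==='
$bhos | Format-Table -AutoSize

# Marker from the description, read as value "t" under the Log key (assumption).
$markerKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\DateTime\Log'
if (Test-Path $markerKey) {
    $t = (Get-ItemProperty -Path $markerKey -ErrorAction SilentlyContinue).t
    if ($null -ne $t) { "=== Infection marker present: $markerKey\t = $t" }
    if (Test-Path (Join-Path $markerKey 't')) { "=== Subkey $markerKey\t also exists" }
}

# The BHO injects into Explorer.exe: list any BHO DLL mapped into that process.
$explorerModules = @()
foreach ($p in Get-Process -Name explorer -ErrorAction SilentlyContinue) {
    try { $explorerModules += $p.Modules | ForEach-Object { $_.FileName } }
    catch { "Could not enumerate modules of explorer.exe PID $($p.Id): $_" }
}
foreach ($b in $bhos) {
    if ($b.Dll -and ($explorerModules -contains $b.Dll)) {
        "=== BHO DLL loaded in explorer.exe: $($b.Dll) (CLSID $($b.Clsid))"
    }
}
```

A BHO whose DLL is unsigned, lives outside Program Files, and is mapped into explorer.exe rather than only into iexplore.exe is the combination the description points at; the script only surfaces candidates, and the DAT-based scan in the Removal section below remains the supported cleanup path.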

Removal

All Users:

Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:

1. Disable System Restore (Windows ME/XP only).

2. Update to the current engine and DAT files for detection and removal.

3. Run a complete system scan.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).

General repair may be unsuccessful in some instances. If this occurs, please submit a sample for further evaluation.

Aliases

    N/A