Content

Adware-TryMedia!FB633590

Type
Program
SubType
Adware
Discovery Date
09/11/2008
Minimum DAT
5382 (09/11/2008)
Updated DAT
5382 (09/11/2008)
Minimum Engine
5.3.00
Description Added
09/11/2008
Description Modified
09/11/2008 11:10 AM (PT)

Tab Navigation

Characteristics

This software is not a virus or a Trojan. It is detected as a "potentially unwanted program" (PUP). PUPs are any piece of software that a reasonably security- or privacy-minded computer user may want to be informed of and, in some cases, remove. PUPs are often made by a legitimate corporate entity for some beneficial purpose, but they alter the security state of the computer on which they are installed, or the privacy posture of the user of the system, such that most users will want to be aware of them.

File PropertyProperty Value
FileNamebookwo~1.exe
McAfee DetectionAdware-TryMedia
Length142,784 bytes
CRCFB633590
MD5DD8B8BCDBE7D874C7B4E1A0AA080DBA6
SHA158CB6DA4C3D77EB8FE00F3AF62A43B16E749DAD5

Avert® Labs has observed the following system activities:

ActivityRisk Level
Enumerates open windows
Medium
Uses shared memory of other processes
Low
Creates registry keys and data values to persist on OS reboot
Informational
Performs a shell execute of downloaded or existing files
Informational

System Changes

These are general defaults for typical path variables. (Although they may differ, these examples are common.):
%WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000)
%SystemDir% = \WINDOWS\SYSTEM (Windows 98/ME), \WINDOWS\SYSTEM32 (Windows XP/Vista), \WINNT\SYSTEM32 (Windows NT/2000)
%ProgramFiles% = \Program Files

The following files have been added to the system:

  • %ALLUSERSPROFILE%\desktop\downloads

    • The following registry elements have been changed:

  • hkey_users\s-1-5-21-1202660629-602609370-839522115-500\software\microsoft\windows\currentversion\run\
    • c14b81b0f38bd224e51f95f53f65b6e5 = c:\docume~1\admini~1\locals~1\temp
      \bookwo~1.exe /r

    • The application created the following network connection(s):

  • http
    • hxxp://172.16.199.200/adbroker
      /**********************************************************************
      **************
    • hxxp://172.16.199.200/dd/zylom/60m_d_fr/t_25oa_frca
      /e8cab8efd74d43a12832971688d51fe9/********************

    • Removal

    All Users:

    Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:

    1.Disable System Restore (Windows ME/XP only).

    2.Update to current engine and DAT files for detection and removal.

    3.Run a complete system scan.

    Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

    General repair may be unsuccessful in some instances. If this occurs, please submit a sample for further evaluation.

    Aliases

    Aliases

      N/A