Content

Adware-TryMedia!37c20d5eb098

Type
Program
SubType
Adware
Discovery Date
05/22/2009
Minimum DAT
5623 (05/22/2009)
Updated DAT
5623 (05/22/2009)
Minimum Engine
5300.2777
Description Added
05/22/2009
Description Modified
05/22/2009 7:23 PM (PT)

Tab Navigation

Characteristics

This software is not a virus or a Trojan. It is detected as a "potentially unwanted program" (PUP). PUPs are any piece of software that a reasonably security- or privacy-minded computer user may want to be informed of and, in some cases, remove. PUPs are often made by a legitimate corporate entity for some beneficial purpose, but they alter the security state of the computer on which they are installed, or the privacy posture of the user of the system, such that most users will want to be aware of them.

File PropertyProperty Value
FileNamec4fe065c4ad652c6218897d06a98fd8180a4497d.exe
McAfee ArtemisArtemis!37c20d5eb098
McAfee DetectionAdware-TryMedia
Length142,784 bytes
CRCFEC3A7F9
MD537C20D5EB0980ABC38BD5B24E5C2F378
SHA1C4FE065C4AD652C6218897D06A98FD8180A4497D

Other Common Detection Aliases

Company NameDetection Name
AviraADSPY/AdSpy.Gen
clamavAdware.Trymedia-3
Dr.WebAdware.TryMedia.3
EMSI SoftwareAdWare.Win32.Trymedia.d
eSafe (Alladin)Trojan/Worm [101] (suspicious)
EsetWin32/Adware.Trymedia (application)
FortiNetAdware/Trymedia
F-ProtW32/Trymedia.A.gen!Eldorado
pandaTrj/Trymedia.gen
SophosTryMedia (PUA)
Trend MicroADW_TRYMEDIA.BEL
vba32Win32.Adware.Trymedia
V-BusterAdware.Trymedia.E (trojan)
Vet (Computer Associates)
Win32/Trymedia!Adware

Avert® Labs has observed the following system activities:

ActivityRisk Level
Enumerates open windows
Medium
Uses shared memory of other processes
Low
Creates registry keys and data values to persist on OS reboot
Informational
Performs a shell execute of downloaded or existing files
Informational

System Changes

These are general defaults for typical path variables. (Although they may differ, these examples are common.):
%WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000)
%SystemDir% = \WINDOWS\SYSTEM (Windows 98/ME), \WINDOWS\SYSTEM32 (Windows XP/Vista), \WINNT\SYSTEM32 (Windows NT/2000)
%ProgramFiles% = \Program Files

The following files were analyzed:

  • %USERPROFILE%\local settings\temp\c4fe065c4ad652c6218897d06a98fd8180a4497d.exe

    • The following files have been added to the system:

  • %ALLUSERSPROFILE%\desktop\downloads

    • The following registry elements have been changed:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\currentversion\run\
    • d4e94d287f6fa7fbcdbc9809dc4f408a = c:\docume~1\admini~1\locals~1\temp
      \c4fe06~1.exe /r

    • The application created the following network connection(s):

  • http
    • hxxp://d.trymedia.com/adbroker
      /**********************************************************************
      **************
    • hxxp://d.trymedia.com/dd/iwin/1h_pkg542_ge/iwin_stg
      /***************************

    • Removal

    AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination.

    Additional Windows ME/XP removal considerations

    Aliases

    Aliases

      N/A