
Adware.Blinkator.A

VERY LOW
VERY LOW
approx 64kb

Symptoms

Presence of popups

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Mihai Razvan Benchea, virus researcher

Technical Description:

When executed, the virus creates the following files:

  • %WINDOWS%\system32\sprt_ads.dll
  • %WINDOWS%\system32\superiorads-uninst.exe

And the following registry keys:

  • HKEY_CURRENT_USER\Software\Microsoft\AdvRemoteDbg
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AdPanel.Panel1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AdPanel.Panel1.1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\superiorads

It adds itself to startup by creating the value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spa_start and by registering itself as a Browser Helper Object (BHO).

The adware keeps all the information it needs to display popups in the registry. It creates the following values under the key HKCU\Software\Microsoft\AdvRemoteDbg:

  • aff_id
  • day
  • domain_list
  • install_id
  • last_ip
  • next_url_post_time
  • max_impress
  • impress_stat
  • click_stat
  • delay
  • click_counter
  • url_list
  • domain_collect_enabled
  • url_collect_enabled
  • max_clicks
  • timestamp
  • last_update_attempt

The adware works by opening an Internet Explorer window in the background and showing popups at set time intervals. It first connects to the server http://superi[hidden]/bc/ip.php using the user agent “opera” and tries to read data from the server. From the server it obtains the IP address of the host where the popups are located and saves it to the value last_ip. At set time intervals the data from the registry is sent to the URL http://superi[hidden]/bc/123kah.php using the user agent M0zilla/4.0(compatible), where install_id is a hash computed over the VolumeSerialNumber, WProcessorRevision and WProcessorLevel.

At set time intervals the adware also checks for the existence of an update; if an update is available, it downloads it from the server and executes it.
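The following read-only PowerShell check is an added example, not Bitdefender's code or tooling: it looks for the files, registry keys, Run value and configuration values listed in this description, and resolves any registered BHO CLSID back to its DLL to see whether it points at sprt_ads.dll (the CLSID itself is not given on the page, so it is discovered rather than assumed). It reports findings only and removes nothing.

```powershell
# Added example (not Bitdefender's code). Read-only triage for the artifacts
# described above; run in an elevated PowerShell on the suspected host.
function Test-BlinkatorArtifacts {
    $findings = @()

    # Files the description says are dropped into %WINDOWS%\system32
    $files = @(
        "$env:SystemRoot\system32\sprt_ads.dll",
        "$env:SystemRoot\system32\superiorads-uninst.exe"
    )
    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f) { $findings += "file: $f" }
    }

    # Registry keys created on install
    $keys = @(
        'HKCU:\Software\Microsoft\AdvRemoteDbg',
        'HKLM:\SOFTWARE\Classes\AdPanel.Panel1',
        'HKLM:\SOFTWARE\Classes\AdPanel.Panel1.1',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\superiorads'
    )
    foreach ($k in $keys) {
        if (Test-Path -LiteralPath $k) { $findings += "key: $k" }
    }

    # Persistence: the spa_start value under the machine-wide Run key
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -Name 'spa_start' -ErrorAction SilentlyContinue
    if ($run) { $findings += "run value: spa_start = $($run.spa_start)" }

    # Configuration values the adware stores under AdvRemoteDbg (subset listed above)
    $cfgKey = 'HKCU:\Software\Microsoft\AdvRemoteDbg'
    $cfgNames = 'aff_id','install_id','last_ip','domain_list','url_list','max_impress','max_clicks'
    if (Test-Path -LiteralPath $cfgKey) {
        $cfg = Get-ItemProperty -Path $cfgKey
        foreach ($n in $cfgNames) {
            if ($null -ne $cfg.$n) { $findings += "config: $n = $($cfg.$n)" }
        }
    }

    # BHO registration: each subkey here is a CLSID; resolve it via InprocServer32
    $bhoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (Test-Path -LiteralPath $bhoRoot) {
        foreach ($bho in Get-ChildItem -Path $bhoRoot) {
            $clsid = $bho.PSChildName
            $srv = Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
            if ($srv.'(default)' -match 'sprt_ads\.dll') { $findings += "BHO: $clsid -> $($srv.'(default)')" }
        }
    }
    return $findings
}

Test-BlinkatorArtifacts
```

An empty result means none of the listed artifacts were found under their documented paths; a non-empty result should be followed by disinfection with the security product rather than manual deletion, since the BHO and Run value are re-created by the running component.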