My Bitdefender
  • 0 Shopping Cart


Facebook Twitter Google Plus


(Skintrim.gen, Trojan:Win32/Skintrim, Win32:ScarMorph)


       Pop-ups advertisements may appear. Some versions create %SYSTEM%\nvs2.inf file.

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Stefan Catalin HANU, virus researcher

Technical Description:

      The Adware.NaviPromo malware family is an advanced and difficult-to-detect adware that runs silently on the infected computer. It uses rootkit techniques to hide its files on disk and memory. It also hides its registry entries.

      This malware comes bundled with several software which can be downloaded from the following sites and is installed along with them.
    * <hide>
    * <hide>
    * <hide>
    * <hide>
    * <hide>
    * <hide>
    * <hide>

   Adware.Navipromo is usualy found in %SYSTEM% or  C:\Documents and Settings\[USER]\Local Settings\Application Data

     After first execution, it creates and hides one or more aditional files in the same directory, ending with
    * [random_name].dat
    * [random_name]_nav.dat
    * [random_name]_navps.dat
    * [random_name]_navup.dat
    * [random_name]_navtmp.dat
    * [random_name]_m2s.xml
    * [random_name]_m2s.zl

     It injects code into explorer.exe process and connects to the internet.NaviPromo monitors your browsing habits, sends this data to its creators and then attacks your desktop with numerous pop-up advertisements that is somewhat related with the websites you usually visit.

     It might also create: %WINDOWS%\temp\msksetup.log and download an executable ( self-update ) in %TEMPDIR%\aup.tmp that containes attached the new random name of the file.

     Adware.Navipromo may also create the following registry subkey:

which contains information about the adware, and adds one registry
value ( hidden ):
    [random_name] = "[PATH_TO_FILE]\[random_name].exe" [random_name]

to one of the following registry subkeys: