Adware.NaviPromo.Gen.1

HIGH
LOW
varies
(Skintrim.gen, Trojan:Win32/Skintrim, Win32:ScarMorph)

Symptoms

       Pop-up advertisements may appear. Some versions create the %SYSTEM%\nvs2.inf file.

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Stefan Catalin HANU, virus researcher

Technical Description:

      The Adware.NaviPromo malware family is an advanced, difficult-to-detect adware that runs silently on the infected computer. It uses rootkit techniques to hide its files on disk and in memory. It also hides its registry entries.

      This malware comes bundled with several software packages that can be downloaded from the following sites, and it is installed along with them.
    * <hide>netgamebox.com
    * <hide>ediaplayer.com
    * <hide>planet.com
    * <hide>skinner.com
    * <hide>stro.com
    * <hide>cord.com
    * <hide>ngerskinner.com


   Adware.Navipromo is usually found in %SYSTEM% or C:\Documents and Settings\[USER]\Local Settings\Application Data.

     After first execution, it creates and hides one or more additional files in the same directory, named:
    * [random_name].dat
    * [random_name]_nav.dat
    * [random_name]_navps.dat
    * [random_name]_navup.dat
    * [random_name]_navtmp.dat
    * [random_name]_m2s.xml
    * [random_name]_m2s.zl


     It injects code into the explorer.exe process and connects to the internet. NaviPromo monitors your browsing habits, sends this data to its creators and then attacks your desktop with numerous pop-up advertisements that are somewhat related to the websites you usually visit.

     It might also create %WINDOWS%\temp\msksetup.log and download an executable (self-update) to %TEMPDIR%\aup.tmp, which has the new random name of the file attached.


     Adware.Navipromo may also create the following registry subkey:
    HKEY_LOCAL_MACHINE\Software\mc
        or
    HKEY_CURRENT_USER\Software\fcn

which contains information about the adware, and adds one registry value (hidden):
    [random_name] = "[PATH_TO_FILE]\[random_name].exe" [random_name]

to one of the following registry subkeys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
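
The file and registry indicators above can be correlated in a triage script; the following is an added example, not Bitdefender's code. It assumes the file listing and Run values were exported from an offline view of the disk and hives (the description says both are hidden on the running system) and that the value name, .exe name and argument share one random name; the function names, `min_suffixes` threshold and sample data are hypothetical.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Companion-file suffixes from the description; longest first, bare ".dat" last.
SUFFIXES = ("_navtmp.dat", "_navps.dat", "_navup.dat", "_nav.dat",
            "_m2s.xml", "_m2s.zl", ".dat")
# Run value data layout from the description: "<path>\<name>.exe" <name>
RUN_DATA = re.compile(r'^"([^"]+\\([^"\\]+)\.exe)"\s+(\S+)$', re.I)

def companion_stems(paths):
    """Map (folder, stem) -> matched suffixes, for stems with a sibling .exe."""
    exes, hits = set(), defaultdict(set)
    for p in map(PureWindowsPath, paths):
        name, folder = p.name.lower(), str(p.parent).lower()
        if name.endswith(".exe"):
            exes.add((folder, name[:-4]))
            continue
        for suffix in SUFFIXES:
            if name.endswith(suffix) and len(name) > len(suffix):
                hits[(folder, name[:-len(suffix)])].add(suffix)
                break
    return {key: found for key, found in hits.items() if key in exes}

def correlate(paths, run_values, min_suffixes=2):
    """Run values in the described layout whose .exe also has companion files."""
    stems = companion_stems(paths)
    findings = []
    for name, data in run_values.items():
        m = RUN_DATA.match(data.strip())
        # Assumption: value name, .exe stem and argument are the same random name.
        if not m or not (m[2].lower() == name.lower() == m[3].lower()):
            continue
        exe = PureWindowsPath(m[1])
        found = stems.get((str(exe.parent).lower(), exe.stem.lower()), set())
        if len(found) >= min_suffixes:  # a lone .dat beside an .exe is too common
            findings.append((name, m[1], sorted(found)))
    return findings

# Constructed sample data (not from the page): offline file listing and Run values.
SAMPLE_FILES = [r"C:\WINDOWS\system32\qkzvtr" + s
                for s in (".exe", ".dat", "_nav.dat", "_m2s.xml")]
SAMPLE_FILES += [r"C:\Program Files\App\app.exe", r"C:\Program Files\App\app.dat"]
SAMPLE_RUN = {"qkzvtr": r'"C:\WINDOWS\system32\qkzvtr.exe" qkzvtr',
              "app": r'"C:\Program Files\App\app.exe" app'}

if __name__ == "__main__":
    for finding in correlate(SAMPLE_FILES, SAMPLE_RUN):
        print(finding)
```

A match is a lead for further analysis, not a verdict: legitimate software can share this layout, which is why a single `.dat` companion is ignored by default.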