Adware.CommAd.A
Adware.CommAd is an advertising program that displays popup windows and monitors browser activity. Some versions also install the hack tool netmon (a program that monitors network traffic).
When Adware.CommAd is installed, it performs the following actions:
a) Creates the following directory and files (the entries marked "netmon" only appear in versions that bundle netmon)
- C:\Program Files\Network Monitor (directory, only if it installs netmon)
- %WINDIR%\system32\atmtd.dll
- %WINDIR%\Tm9vYiBTYWlib3Q\asappsrv.dll
- %WINDIR%\Tm9vYiBTYWlib3Q\command.exe
- %WINDIR%\Tm9vYiBTYWlib3Q\nA6Ss21nsq52vak.vbs (a VBScript that opens a web page, http://command.adservs.com/ {removed}, with instructions on uninstalling the application)
- The directory %WINDIR%\Tm9vYiBTYWlib3Q\ is marked with the hidden and system attributes, so it is not normally visible in Windows Explorer. Its name is the base64 encoding (without padding) of the string "Noob Saibot".
b) Creates the following registry keys
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920} (for CommAd)
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A394E835-C8D6-4B4B-884B-D2709059F3BE} (for netmon)
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR (for netmon)
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService (registers the file %WINDIR%\Tm9vYiBTYWlib3Q\command.exe as a service, so command.exe is executed at Windows startup)
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Network Monitor (registers the file C:\Program Files\Network Monitor\netmon.exe as a service, so netmon is executed at Windows startup)
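The file and registry indicators above can be turned into an offline triage check. The following Python script is an added example, not code from the original write-up or from any vendor tool: it holds the indicators as listed on this page, normalises %WINDIR% and the HKLM hive prefix, matches them against a file listing and a list of registry keys, reports whether the netmon-bundling variant is present, and decodes the hidden directory name. The sample listing and key list embedded in it are constructed for the example and imitate `dir /s /b /a C:\` and `reg query HKLM\... /s` output; the `C:\WINDOWS` value for %WINDIR% is an assumption.

```python
"""Offline IOC matcher for the Adware.CommAd.A indicators listed above (added example)."""
import base64
import re

# File indicators exactly as written on the page; %WINDIR% is expanded at match time.
IOC_FILES = (
    r"C:\Program Files\Network Monitor\netmon.exe",
    r"%WINDIR%\system32\atmtd.dll",
    r"%WINDIR%\Tm9vYiBTYWlib3Q\asappsrv.dll",
    r"%WINDIR%\Tm9vYiBTYWlib3Q\command.exe",
    r"%WINDIR%\Tm9vYiBTYWlib3Q\nA6Ss21nsq52vak.vbs",
)

# Registry indicators, relative to HKEY_LOCAL_MACHINE.
IOC_REG_KEYS = (
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A394E835-C8D6-4B4B-884B-D2709059F3BE}",
    r"SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE",
    r"SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR",
    r"SYSTEM\CurrentControlSet\Services\cmdService",
    r"SYSTEM\CurrentControlSet\Services\mchInjDrv",
    r"SYSTEM\CurrentControlSet\Services\Network Monitor",
)

# Substrings (lower-cased) that identify the netmon part of the indicator set.
NETMON_MARKERS = ("netmon", "network monitor", "a394e835")


def normalize_path(path, windir=r"C:\WINDOWS"):
    """Expand %WINDIR% (assumed C:\\WINDOWS) and fold case, as NTFS paths are case-insensitive."""
    return path.strip().replace("%WINDIR%", windir).lower()


def normalize_key(key):
    """Drop a leading HKLM / HKEY_LOCAL_MACHINE prefix and a trailing backslash, fold case."""
    key = re.sub(r"^(HKEY_LOCAL_MACHINE|HKLM)\\", "", key.strip(), flags=re.IGNORECASE)
    return key.rstrip("\\").lower()


def match_files(observed_paths, windir=r"C:\WINDOWS"):
    """Return the page's file indicators (original spelling) present in observed_paths."""
    wanted = {normalize_path(p, windir): p for p in IOC_FILES}
    seen = {normalize_path(p, windir) for p in observed_paths}
    return sorted(wanted[p] for p in wanted if p in seen)


def match_registry(observed_keys):
    """Return the page's registry indicators (original spelling) present in observed_keys."""
    wanted = {normalize_key(k): k for k in IOC_REG_KEYS}
    seen = {normalize_key(k) for k in observed_keys}
    return sorted(wanted[k] for k in wanted if k in seen)


def decode_dir_name(name="Tm9vYiBTYWlib3Q"):
    """Decode the hidden directory name; it is base64 with the '=' padding left off."""
    padded = name + "=" * (-len(name) % 4)
    return base64.b64decode(padded).decode("ascii")


def scan(observed_paths, observed_keys, windir=r"C:\WINDOWS"):
    """Combine both matchers and flag whether the netmon-bundling variant is present."""
    files = match_files(observed_paths, windir)
    keys = match_registry(observed_keys)
    netmon = any(m in hit.lower() for hit in files + keys for m in NETMON_MARKERS)
    return {"files": files, "registry": keys, "netmon_present": netmon}


# Constructed sample input (not captured from a real host): a CommAd infection without netmon.
SAMPLE_DIR_LISTING = [
    r"C:\WINDOWS\system32\kernel32.dll",                 # benign
    r"C:\WINDOWS\system32\atmtd.dll",
    r"C:\WINDOWS\Tm9vYiBTYWlib3Q\asappsrv.dll",
    r"C:\WINDOWS\Tm9vYiBTYWlib3Q\command.exe",
    r"C:\WINDOWS\Tm9vYiBTYWlib3Q\nA6Ss21nsq52vak.vbs",
    r"C:\Program Files\Internet Explorer\iexplore.exe",  # benign
]
SAMPLE_REG_KEYS = [
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp",  # benign
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv",
    r"HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}",
]

if __name__ == "__main__":
    result = scan(SAMPLE_DIR_LISTING, SAMPLE_REG_KEYS)
    print("hidden directory name decodes to:", decode_dir_name())
    for kind in ("files", "registry"):
        for hit in result[kind]:
            print(f"{kind}: {hit}")
    print("netmon variant present:", result["netmon_present"])
```

On a live host the two input lists would come from `dir /s /b /a` (the `/a` switch is what makes the hidden+system directory appear) and `reg query` output; the matcher deliberately compares whole normalised paths rather than file names alone, so a benign `command.exe` elsewhere on disk does not trigger a hit.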