BitDefender Antivirus

Adware.CommAd.A

( ISearch )
Spreading: low
Damage: low
Size: approx. 200 k
Discovered: 2005 Oct 26

SYMPTOMS:

The computer may slow down, and popup windows unrelated to the page being viewed may appear while browsing.

TECHNICAL DESCRIPTION:

Adware.CommAd is an advertising program that displays popup windows and monitors browser activity. Some versions may also install the hack tool netmon (a program that monitors network traffic).

When Adware.CommAd is installed, it performs the following actions:

a) Creates the following directories (and subdirectories) and files:

- C:\Program Files\Network Monitor (if it installs netmon)

- %WINDIR%\system32\atmtd.dll

- %WINDIR%\Tm9vYiBTYWlib3Q\asappsrv.dll

- %WINDIR%\Tm9vYiBTYWlib3Q\command.exe

- %WINDIR%\Tm9vYiBTYWlib3Q\nA6Ss21nsq52vak.vbs (a VBScript that opens a web page (http://command.adservs.com/ {removed}) with instructions about uninstalling the application)

- The directory %WINDIR%\Tm9vYiBTYWlib3Q\ is marked with the hidden and system attributes, so it is normally not visible in Windows Explorer.

b) Creates the following registry keys:

- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920} (for CommAd)

- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A394E835-C8D6-4B4B-884B-D2709059F3BE} (for netmon)

- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE

- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR (for netmon)

- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService (this registers the file '%WINDIR%\Tm9vYiBTYWlib3Q\command.exe' as a service, so command.exe is executed at Windows startup)

- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv

- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Network Monitor (this registers the file 'C:\Program Files\Network Monitor\netmon.exe' as a service, so netmon is executed at Windows startup)
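As an added example (not a BitDefender tool), the following read-only PowerShell check looks for the files, registry keys and services listed above on a suspect machine; the variable names and output wording are mine, and %WINDIR% is taken from the environment.

```powershell
# Added example, not BitDefender's own tool: read-only check for the indicators
# listed above. Run in an elevated PowerShell on the suspect machine; it reports
# what it finds and removes nothing (leave disinfection to the antivirus).
$windir    = $env:WINDIR
$hiddenDir = Join-Path $windir 'Tm9vYiBTYWlib3Q'   # base64 of "Noob Saibot"
$paths = @(
    'C:\Program Files\Network Monitor',
    (Join-Path $windir 'system32\atmtd.dll'),
    (Join-Path $hiddenDir 'asappsrv.dll'),
    (Join-Path $hiddenDir 'command.exe'),
    (Join-Path $hiddenDir 'nA6Ss21nsq52vak.vbs')
)
$regKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A394E835-C8D6-4B4B-884B-D2709059F3BE}',
    'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE',
    'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR'
)
$serviceNames = @('cmdService', 'mchInjDrv', 'Network Monitor')
$findings = New-Object System.Collections.Generic.List[string]

# -Force is needed: the Tm9vYiBTYWlib3Q directory carries the hidden+system attributes.
foreach ($p in $paths) {
    $item = Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue
    if ($item) { $findings.Add("path present: $p [$($item.Attributes)]") }
}
foreach ($k in $regKeys) {
    if (Test-Path -LiteralPath $k) { $findings.Add("registry key present: $k") }
}
# For each service key, show which binary it launches (command.exe / netmon.exe
# per the description) and whether the service is currently running.
foreach ($s in $serviceNames) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$s"
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $image = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).ImagePath
    $svc   = Get-Service -Name $s -ErrorAction SilentlyContinue
    $state = if ($svc) { $svc.Status } else { 'not listed by Get-Service (driver?)' }
    $findings.Add("service key present: $s -> ImagePath='$image' ($state)")
}

if ($findings.Count -eq 0) {
    'No Adware.CommAd.A indicators found.'
} else {
    "Adware.CommAd.A indicators found ($($findings.Count)):"
    $findings | ForEach-Object { "  $_" }
}
```

A hit on the hidden directory or on the cmdService/Network Monitor service keys is the strongest signal; the LEGACY_* Enum\Root keys can linger after a partial cleanup, so treat them as supporting evidence.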

Removal instructions:

Please let BitDefender disinfect your files.

ANALYZED BY:

Dragos Gavrilut, virus researcher