Virus: ADSPY/WinAD
Date discovered: 13/12/2012
Type: Trojan
Subtype: Adware
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low
Static file: Yes
File size: 47,104 Bytes
MD5 checksum: 7daf5088982008bca681a5ede35860ab
VDF version: 7.11.53.216

General
Method of propagation:
   • No own spreading routine


Aliases:
   • McAfee: Adware-WinAd.
   • Kaspersky: AdWare.WinAD.ar
   • VirusBuster: Adware.WinAd.AH


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops a file
   • Registry modification
   • Steals information

Files
The following file is created:

%sysdir%\ide21201.vxd

Registry
The following registry key is added in order to run the process after reboot:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Media Access"="%PROGRAM FILES%\Media Access\MediaAccK.exe"



The values of the following registry key are removed:

[HKLM\Software\Media Access]
   • Updating
   • Request



The following registry keys are added:

[HKCR\CLSID\{1E5F0D38-214B-4085-AD2A-D2290E6A2D2C}\LocalServer32]
   • @="C:\PROGRA~1\MEDIAA~1\MEDIAA~2.EXE"

[HKLM\SOFTWARE\Media Access]
   • "track"="1"
   • "param"="%hex values%:other::winxp:exe"
   • "LastUpdate"=dword:4315a0a0
   • "reqcount"=dword:00000002

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Media Access]
   • "UninstallString"="%PROGRAM FILES%\Media Access\MediaAccess.exe /Remove"
   • "DisplayName"="Media Access"

[HKCR\MediaAccess.Installer]
   • @="Installer Class"

[HKCR\MediaAccess.Installer\CLSID]
   • @="{1E5F0D38-214B-4085-AD2A-D2290E6A2D2C}"

[HKCR\MediaAccess.Installer\CurVer]
   • @="MediaAccess.Installer"

Backdoor
Contact server:
The following:
   • **********.windupdates.com/index.php

As a result, it may send some information. This is done via the HTTP POST method using a PHP script.

Miscellaneous
Mutex:
It creates the following mutexes:
   • MediaAccess
   • MediaAcck

File details
Programming language:
The malware program was written in MS Visual C++.

Description inserted by Iulia Diaconescu on Friday, September 2, 2005
Description updated by Iulia Diaconescu on Monday, September 19, 2005
