Virus: ADSPY/PremiumSear.2
Date discovered: 13/12/2012
Type: Trojan
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low to medium
Static file: Yes
File size: 30,208 bytes
MD5 checksum: F21056EA283B0AD0424449D770D2CE97
VDF version: 7.11.53.216

General

Method of propagation:
   • No own spreading routine


Alias:
   •  McAfee: Adware-CWS


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads a file
   • Drops files
   • Drops a malicious file
   • Registry modification

Files

It copies itself to the following location:
   • %SYSDIR%\secserv.exe



The following files are created:

Non-malicious files:
   • %HOME%\Favorites\freedating.ico
   • %HOME%\Favorites\ Free Real-time Dating Service.url
   • %TEMPDIR%\%random character string%.gif
   • %TEMPDIR%\%random character string%.gif
   • %TEMPDIR%\%random character string%.gif
   • %TEMPDIR%\%random character string%.jpg
   • %TEMPDIR%\%random character string%.html

Malicious files:
   • %TEMPDIR%\%random character string%.dll
     Further investigation showed that this file is malware, too. Detected as: ADSPY/PremiumSear.1




It tries to download a file from the following location:
   • http://premium-search.net/**********/ligbar.so

It is saved on the local hard drive under: %PROGRAM FILES%\google\GoogleToolbar1.dll
Note that the directory and file name resemble those of the legitimate Google Toolbar; a DLL found at this path should be verified rather than trusted on its location alone.

Registry

The following value is added under the Run key in order to run the process after reboot. The malware re-adds it continuously in an infinite loop, so deleting the value while the malware is running has no lasting effect:

  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "secserv.exe"="%SYSDIR%\secserv.exe"



The following values are removed from these registry keys:

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • Initial Page
   • ifconfig.exe
   • bootpd.exe
   • Security iGuard

–  [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • ifconfig.exe
   • bootpd.exe
   • Security iGuard



The following registry key is added. It registers the dropped %TEMPDIR% DLL (detected as ADSPY/PremiumSear.1) as a COM in-process server, so any component that instantiates this CLSID loads the DLL:

[HKCR\CLSID\{5483427F-93B8-1470-5A89-E6B56484CDB2}\InProcServer32]
   • @="%TEMPDIR%\%random character string%.dll"
   • "ThreadingModel"="Both"

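Triage check, added here as an example and not part of Avira's description or tooling: the script below parses a registry export written by `reg export` (the string-value subset of .reg syntax) and flags the two persistence points described above, the Run value named secserv.exe and the CLSID whose InProcServer32 server is a DLL in a temp directory. The temp-directory test is our own generalisation beyond this sample's CLSID, since legitimate in-process servers are not registered out of %TEMPDIR%. The .reg content is a constructed sample, not data from an infected host.

```python
# Added example (not Avira's tooling): flag the persistence footprint described
# above in a `reg export` file. Parses the string-value subset of .reg syntax.
import re

# Indicators taken from the description above.
IOC_RUN_VALUE_NAMES = {"secserv.exe"}
IOC_CLSIDS = {"{5483427F-93B8-1470-5A89-E6B56484CDB2}"}

RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)

# Heuristic, our generalisation: a COM in-process server registered out of a
# temp directory is suspicious whatever its CLSID.
TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.I)

# `@=...` is the key's default value, "name"=... a named value. Names and string
# data escape backslash and double quote with a leading backslash.
VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s):
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_reg(text):
    """Return {key: {value_name: data}}, default value stored as "@". String data
    is unescaped; dword:/hex: data and hex continuation lines are left as written."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "Windows Registry Editor", "REGEDIT4")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else _unescape(m.group(2))
            data = m.group(3)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys


def image_path(command):
    """First token of a Run command line, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(None, 1)[0] if command else ""


def find_persistence(reg_text):
    """Return [(key, value_name, reason)] for every suspicious entry."""
    hits = []
    run_keys_upper = {k.upper() for k in RUN_KEYS}
    for key, values in parse_reg(reg_text).items():
        upper = key.upper()
        if upper in run_keys_upper:
            for name, data in values.items():
                exe = image_path(data).rsplit("\\", 1)[-1].lower()
                if name.lower() in IOC_RUN_VALUE_NAMES or exe in IOC_RUN_VALUE_NAMES:
                    hits.append((key, name, "Run value launches %s" % exe))
        elif upper.startswith("HKEY_CLASSES_ROOT\\CLSID\\") and upper.endswith("\\INPROCSERVER32"):
            clsid = key.split("\\")[2].upper()
            server = values.get("@", "")
            if clsid in IOC_CLSIDS:
                hits.append((key, "@", "CLSID from the description, server %s" % server))
            elif TEMP_DIR_RE.search(server):
                hits.append((key, "@", "in-process server loaded from a temp directory: %s" % server))
    return hits


# Constructed sample export (not from an infected host): the two indicators
# above, one unrelated temp-directory server, and benign entries.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"secserv.exe"="C:\\WINDOWS\\system32\\secserv.exe"
"VendorTray"="\"C:\\Program Files\\Vendor\\tray.exe\" /minimized"

[HKEY_CLASSES_ROOT\CLSID\{5483427F-93B8-1470-5A89-E6B56484CDB2}\InProcServer32]
@="C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\kq83hd.dll"
"ThreadingModel"="Both"

[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\InProcServer32]
@="C:\\Documents and Settings\\user\\Local Settings\\Temp\\zz91.dll"

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InProcServer32]
@="C:\\WINDOWS\\system32\\shell32.dll"
'''

if __name__ == "__main__":
    for key, name, reason in find_persistence(SAMPLE_REG):
        print("%s\n    %s: %s" % (key, name, reason))
```

Run it against `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg` and `reg export HKCR\CLSID clsid.reg` from the suspect machine; the Run hit only says the value exists, so remember the description's point that the malware re-creates it while running.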
Hosts

The hosts file is modified as follows. Already existing entries remain unmodified; new entries are appended so that access to the following domains is redirected to other destinations:
   • www.google.ae
   • www.google.am
   • www.google.as
   • www.google.at
   • www.google.az
   • www.google.be
   • www.google.bi
   • www.google.ca
   • www.google.cd
   • www.google.cg
   • www.google.ch
   • www.google.ci
   • www.google.cl
   • www.google.co.cr
   • www.google.co.hu
   • www.google.co.il
   • www.google.co.in
   • www.google.co.je
   • www.google.co.jp
   • www.google.co.ke
   • www.google.co.kr
   • www.google.co.ls
   • www.google.co.nz
   • www.google.co.th
   • www.google.co.ug
   • www.google.co.uk
   • www.google.co.ve
   • www.google.com
   • www.google.com.ag
   • www.google.com.ar
   • www.google.com.au
   • www.google.com.br
   • www.google.com.co
   • www.google.com.cu
   • www.google.com.do
   • www.google.com.ec
   • www.google.com.fj
   • www.google.com.gi
   • www.google.com.gr
   • www.google.com.gt
   • www.google.com.hk
   • www.google.com.ly
   • www.google.com.mt
   • www.google.com.mx
   • www.google.com.my
   • www.google.com.na
   • www.google.com.nf
   • www.google.com.ni
   • www.google.com.np
   • www.google.com.pa
   • www.google.com.pe
   • www.google.com.ph
   • www.google.com.pk
   • www.google.com.pr
   • www.google.com.py
   • www.google.com.sa
   • www.google.com.sg
   • www.google.com.sv
   • www.google.com.tr
   • www.google.com.tw
   • www.google.com.ua
   • www.google.com.uy
   • www.google.com.vc
   • www.google.com.vn
   • www.google.de
   • www.google.dj
   • www.google.dk
   • www.google.es
   • www.google.fi
   • www.google.fm
   • www.google.fr
   • www.google.gg
   • www.google.gl
   • www.google.gm
   • www.google.hn
   • www.google.ie
   • www.google.it
   • www.google.kz
   • www.google.li
   • www.google.lt
   • www.google.lu
   • www.google.lv
   • www.google.mn
   • www.google.ms
   • www.google.mu
   • www.google.mw
   • www.google.nl
   • www.google.no
   • www.google.off.ai
   • www.google.pl
   • www.google.pn
   • www.google.pt
   • www.google.ro
   • www.google.ru
   • www.google.rw
   • www.google.se
   • www.google.sh
   • www.google.sk
   • www.google.sm
   • www.google.td
   • www.google.tm
   • www.google.tt
   • www.google.uz
   • www.google.vg
   • google.ae
   • google.am
   • google.as
   • google.at
   • google.az
   • google.be
   • google.bi
   • google.ca
   • google.cd
   • google.cg
   • google.ch
   • google.ci
   • google.cl
   • google.co.cr
   • google.co.hu
   • google.co.il
   • google.co.in
   • google.co.je
   • google.co.jp
   • google.co.ke
   • google.co.kr
   • google.co.ls
   • google.co.nz
   • google.co.th
   • google.co.ug
   • google.co.uk
   • google.co.ve
   • google.com
   • google.com.ag
   • google.com.ar
   • google.com.au
   • google.com.br
   • google.com.co
   • google.com.cu
   • google.com.do
   • google.com.ec
   • google.com.fj
   • google.com.gi
   • google.com.gr
   • google.com.gt
   • google.com.hk
   • google.com.ly
   • google.com.mt
   • google.com.mx
   • google.com.my
   • google.com.na
   • google.com.nf
   • google.com.ni
   • google.com.np
   • google.com.pa
   • google.com.pe
   • google.com.ph
   • google.com.pk
   • google.com.pr
   • google.com.py
   • google.com.sa
   • google.com.sg
   • google.com.sv
   • google.com.tr
   • google.com.tw
   • google.com.ua
   • google.com.uy
   • google.com.vc
   • google.com.vn
   • google.de
   • google.dj
   • google.dk
   • google.es
   • google.fi
   • google.fm
   • google.fr
   • google.gg
   • google.gl
   • google.gm
   • google.hn
   • google.ie
   • google.it
   • google.kz
   • google.li
   • google.lt
   • google.lu
   • google.lv
   • google.mn
   • google.ms
   • google.mu
   • google.mw
   • google.nl
   • google.no
   • google.off.ai
   • google.pl
   • google.pn
   • google.pt
   • google.ro
   • google.ru
   • google.rw
   • google.se
   • google.sh
   • google.sk
   • google.sm
   • google.td
   • google.tm
   • google.tt
   • google.uz
   • google.vg
   • search.yahoo.com
   • ar.search.yahoo.com
   • br.search.yahoo.com
   • ca.search.yahoo.com
   • cf.search.yahoo.com
   • mx.search.yahoo.com
   • espanol.search.yahoo.com
   • au.search.yahoo.com
   • ct.search.yahoo.com
   • fr.search.yahoo.com
   • de.search.yahoo.com
   • it.search.yahoo.com
   • uk.search.yahoo.com
   • search.msn.com
   • search.msn.at
   • search.sympatico.msn.ca
   • search.msn.co.za
   • search.ninemsn.com.au
   • search.xtramsn.co.nz
   • search.msn.co.uk
   • search.msn.be
   • search.msn.dk
   • search.msn.fi
   • search.msn.fr
   • search.msn.de
   • search.msn.it
   • search.msn.nl
   • search.msn.no
   • search.msn.es
   • uk.search.msn.com
   • search.msn.se
   • search.msn.ch
   • search.msn.co.in
   • search.msn.com.sg
   • toolbar.search.msn.com
   • beta.search.msn.com
   • beta.search.msn.at
   • beta.search.sympatico.msn.ca
   • beta.search.msn.co.za
   • beta.search.ninemsn.com.au
   • beta.search.xtramsn.co.nz
   • beta.search.msn.co.uk
   • beta.search.msn.be
   • beta.search.msn.dk
   • beta.search.msn.fi
   • beta.search.msn.fr
   • beta.search.msn.de
   • beta.search.msn.it
   • beta.search.msn.nl
   • beta.search.msn.no
   • beta.search.msn.es
   • beta.search.msn.se
   • beta.search.msn.ch
   • beta.search.msn.co.in
   • beta.search.msn.com.sg
   • auto.search.msn.com
   • www.alexa.com
   • alexa.com




The modified host file will look like this:


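Audit and clean-up, added here as an example and not part of Avira's description or tooling: the script below parses a hosts file, flags every entry that pins one of the redirected names listed above (all google.<tld> and www.google.<tld> hosts, the Yahoo and MSN search hosts, alexa.com) to any address, and writes a cleaned copy. It goes beyond the list above in one respect, our own generalisation: any other name pinned to a non-local address is flagged as well, since a workstation hosts file normally only points at loopback, link-local or RFC 1918 addresses. The hosts content is a constructed sample, not a capture from an infected host.

```python
# Added example (not Avira's tooling): audit a hosts file for the search-engine
# redirects described above and produce a cleaned copy.
import ipaddress
import re

# Patterns covering the redirected names listed above.
SEARCH_PATTERNS = [re.compile(p) for p in (
    r"^(www\.)?google\.[a-z.]+$",               # google.<tld>, www.google.<tld>
    r"^([a-z]+\.)?search\.yahoo\.com$",         # search.yahoo.com, xx.search.yahoo.com
    r"^([a-z.]+\.)?search\.[a-z.]*msn\.[a-z.]+$",  # search.msn.*, beta.search.*, ninemsn, xtramsn
    r"^(www\.)?alexa\.com$",
)]

LOCALHOST_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
                   "ip6-localhost", "ip6-loopback"}
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]


def is_local(ip):
    """True for loopback, link-local and RFC 1918 / ULA addresses, the only
    destinations a workstation hosts file normally points at."""
    return ip.is_unspecified or any(ip in net for net in LOCAL_NETS)


def parse_hosts(text):
    """Yield (lineno, ip_or_None, names) per entry; comments and blanks skipped."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        fields = body.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            ip = None  # malformed address field; the caller flags it
        yield lineno, ip, [n.lower() for n in fields[1:]]


def audit_hosts(text):
    """Return [(lineno, name, reason)] for every suspicious mapping."""
    hits = []
    for lineno, ip, names in parse_hosts(text):
        if ip is None:
            hits.append((lineno, " ".join(names), "unparsable address field"))
            continue
        for name in names:
            if any(p.match(name) for p in SEARCH_PATTERNS):
                # Flagged whatever the target: pinning a search engine to any
                # address, even 127.0.0.1, overrides DNS for it.
                hits.append((lineno, name, "search-engine name pinned to %s" % ip))
            elif name not in LOCALHOST_NAMES and not is_local(ip):
                hits.append((lineno, name, "name pinned to external address %s" % ip))
    return hits


def clean_hosts(text):
    """Drop every flagged line. The description says existing entries are left
    untouched and new ones appended, so this restores the original file."""
    bad = {lineno for lineno, _, _ in audit_hosts(text)}
    kept = [l for i, l in enumerate(text.splitlines(), 1) if i not in bad]
    return "\n".join(kept) + "\n"


# Constructed sample (not from a real host): stock header, a legitimate
# internal pin, and appended hijack lines of the kind described above.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
192.168.1.20    intranet.corp.example
203.0.113.45    www.google.com google.com
203.0.113.45    search.yahoo.com
203.0.113.45    beta.search.msn.com search.ninemsn.com.au
203.0.113.77    update.example.net
"""

if __name__ == "__main__":
    for lineno, name, reason in audit_hosts(SAMPLE_HOSTS):
        print("line %d: %-28s %s" % (lineno, name, reason))
    print("--- cleaned ---")
    print(clean_hosts(SAMPLE_HOSTS), end="")
```

On Windows the file to feed in is %SYSDIR%\drivers\etc\hosts; write the cleaned copy back only after the running process has been stopped, otherwise it will be re-populated.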
Miscellaneous

Mutex:
It creates the following mutex:
   • ez-httpgrepdv1F

File details

Runtime packer:
To hinder detection and reduce the file size, it is packed with the following runtime packer:
   • UPX

Description inserted by Andrei Gherman on Monday, October 3, 2005
Description updated by Andrei Gherman on Friday, October 14, 2005
