Virus: ADSPY/Look2Me.AB.67
Date discovered: 10/10/2005
Type: Trojan
Subtype: Adware
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low to medium
Static file: Yes
File size: 578.560 Bytes
MD5 checksum: 242a20bae9cf9cb816a447150378c02d
VDF version: 6.32.00.72

General
Method of propagation:
   • No own spreading routine


Aliases:
   •  Kaspersky: not-a-virus:AdWare.Win32.Look2Me.ab
   •  VirusBuster: trojan Adware.Look2Me.P
   •  Bitdefender: Trojan.Canbede.L


Platforms / OS:
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Blocks access to certain websites
   • Downloads files
   • Drops malicious files
   • Registry modification
   • Steals information

Files
The following files are created:

%SYSDIR%\%random character string%.dll This file is executed as soon as it has been fully written. Further analysis showed that this file is malware as well. Detected as: ADSPY/Look2Me.AB.76

%SYSDIR%\%random character string%.dll This file is executed as soon as it has been fully written. Further analysis showed that this file is malware as well. Detected as: ADSPY/Look2Me.AB.76

%SYSDIR%\guard.tmp Detected as: ADSPY/Look2Me.AB.76

Registry
The following registry keys are added so that the malware is started again after a reboot:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\%random words%]
   • "Shutdown" = "WinShutdown"
   • "Logoff" = "WinLogoff"
   • "Logon" = "WinLogon"
   • "Impersonate" = dword:00000000
   • "DllName" = "%sysdir%\%malware dll%"
   • "Asynchronous" = dword:00000000

[HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
   • "%generated CLSID%" = ""

[HKCR\CLSID\%generated CLSID%]
   • "IDEx" = "ADDR"
   • "@" = ""

[HKCR\CLSID\%generated CLSID%\Implemented Categories]
   • "@" = ""

[HKCR\CLSID\%generated CLSID%\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
   • "@" = ""

[HKCR\CLSID\%generated CLSID%\InprocServer32]
   • "ThreadingModel" = "Apartment"
   • "@" = "%sysdir%\%malware dll%"
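The two persistence footprints listed above (a Winlogon notification package whose DllName is the dropped DLL, and a generated CLSID that is both registered under Shell Extensions\Approved and backed by an InprocServer32 pointing at that same DLL) can be cross-checked offline against a registry export. The script below is an added example, not Avira's code and not part of the original description: it parses a minimal .reg export, maps each Winlogon\Notify subkey to its DLL, maps each approved shell-extension CLSID to its InprocServer32 DLL, and reports every DLL that appears in both places. The sample export, the subkey name, the CLSID values and the DLL name qtmlxwv.dll are all constructed for the example.

```python
"""Cross-check a registry export for the persistence pair this description lists:
a Winlogon notification package whose DLL is also an approved shell extension.
Added example with constructed sample data; not Avira's detection logic."""
import ntpath
import re
from typing import Dict, List, Tuple

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
APPROVED_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved"
CLSID_ROOT = r"HKEY_CLASSES_ROOT\CLSID"

# "name"=..., or @=... (default value); data is captured raw and decoded below.
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def _unescape(s: str) -> str:
    # .reg files escape a quote as \" and a backslash as \\
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal .reg parser: [key] headers, "name"="string", @="string" and
    "name"=dword:xxxxxxxx. Returns {key: {value_name: data}}."""
    reg: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            reg.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name = "@" if m.group(2) else _unescape(m.group(1))
        data = m.group(3)
        if data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])  # string value; dword: data is kept as-is
        reg[current][name] = data
    return reg


def winlogon_notify_dlls(reg: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Map each Winlogon\\Notify subkey to the lower-cased basename of its DllName."""
    prefix = NOTIFY_KEY.lower() + "\\"
    out = {}
    for key, values in reg.items():
        if key.lower().startswith(prefix) and "DllName" in values:
            out[key[len(prefix):]] = ntpath.basename(values["DllName"]).lower()
    return out


def approved_shell_extension_dlls(reg: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Map each CLSID under Shell Extensions\\Approved to the lower-cased basename
    of its InprocServer32 default value (CLSIDs without a server are skipped)."""
    approved = next((v for k, v in reg.items() if k.lower() == APPROVED_KEY.lower()), {})
    out = {}
    for clsid in approved:
        server_key = f"{CLSID_ROOT}\\{clsid}\\InprocServer32".lower()
        for key, values in reg.items():
            if key.lower() == server_key and "@" in values:
                out[clsid] = ntpath.basename(values["@"]).lower()
    return out


def find_notify_shell_overlap(reg: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (notify_subkey, clsid, dll) for every DLL that is both a Winlogon
    notification package and the server of an approved shell extension."""
    approved = approved_shell_extension_dlls(reg)
    return [
        (subkey, clsid, dll)
        for subkey, dll in winlogon_notify_dlls(reg).items()
        for clsid, server_dll in approved.items()
        if dll == server_dll
    ]


# Constructed sample export: one legitimate Notify entry, one with the pattern
# from the description (random-words subkey, random-name DLL in system32), and
# two approved CLSIDs of which only one resolves to that same DLL.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32]
"DllName"="crypt32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\newsround]
"Shutdown"="WinShutdown"
"Logoff"="WinLogoff"
"Logon"="WinLogon"
"Impersonate"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\qtmlxwv.dll"
"Asynchronous"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00000000-1111-2222-3333-444444444444}"=""
"{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}"="Constructed benign entry"

[HKEY_CLASSES_ROOT\CLSID\{00000000-1111-2222-3333-444444444444}\InprocServer32]
@="C:\\WINDOWS\\system32\\qtmlxwv.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\InprocServer32]
@="C:\\WINDOWS\\system32\\shell32.dll"
"ThreadingModel"="Apartment"
'''

if __name__ == "__main__":
    for subkey, clsid, dll in find_notify_shell_overlap(parse_reg(SAMPLE_REG)):
        print(f"Notify\\{subkey} and approved CLSID {clsid} both load {dll}")
```

On a live host the same functions can be fed the output of `reg export` for the three hives involved; the overlap check is deliberately independent of the DLL's name, since the description says the file name is a random character string and the Notify subkey name is random words.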



The following registry key is changed:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Streams\Desktop]
   Old value:
   • "Taskbar" = %user defined settings%
   New value:
   • "Taskbar" = %hex values%

Hosts
In some cases the hosts file is modified as follows:

Entries that already exist remain unmodified in this case.

Access to the following domain is effectively blocked:
   • %gathered from the internet%


Backdoor
Contact server:
One of the following:
   • www.ad-w-a-r-e.com/AD/**********
   • www.a-d-w-a-r-e.com/AD/**********

As a result it may send information to the server and allow it to be remotely controlled. This is done via HTTP GET requests to a PHP script.


Sends information about:
   • Current malware status


Remote control capabilities:
   • Download file
   • Edit registry
   • Visit a website

File details
Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
In order to hinder detection and reduce the file size, it is packed with a runtime packer.

Description inserted by Daniel Constantin on Friday, March 3, 2006
Description updated by Daniel Constantin on Friday, March 3, 2006
