Virus:Adware/Amonitize.E
Date discovered:31/10/2013
Type:Adware
In the wild:No
Reported Infections:Low to medium
Distribution Potential:Low
Damage Potential:Low
Static file:Yes
File size:153.120 Bytes
MD5 checksum:A5C375118695C038E6E503F9889CE1B8
VDF version:7.11.110.110

General Method of propagation:
   • No own spreading routine

Aliases:
   •  Mcafee: Artemis!A5C375118695
   •  Eset: Win32/Amonetize.T
   •  DrWeb: Adware.Downware.1528


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7


Right after execution the following information is displayed:

Files:
It tries to execute the following file:

– Filename:
   • %temp%\Updater.exe
using the following command line arguments: /update /comp DownloadManager/Yontoo1/DealPly/ /icp campid=0; /srv www.**********oad.com

Registry:
The following registry keys are added:

– [HKCR\AmiBs.Installer.1]
   • @="Installer Class"

– [HKCR\AmiBs.Installer.1\CLSID]
   • @="{A6FEED89-3BCD-4D19-9DC2-3E613A80A2A4}"

– [HKCR\AmiBs.Installer]
   • @="Installer Class"

– [HKCR\AmiBs.Installer\CurVer]
   • @="AmiBs.Installer.1"

– [HKCR\CLSID\{A6FEED89-3BCD-4D19-9DC2-3E613A80A2A4}]
   • @="Installer Class"

– [HKCR\CLSID\{A6FEED89-3BCD-4D19-9DC2-3E613A80A2A4}\ProgID]
   • @="AmiBs.Installer.1"

– [HKCR\CLSID\{A6FEED89-3BCD-4D19-9DC2-3E613A80A2A4}\VersionIndependentProgID]
   • @="AmiBs.Installer"

– [HKCR\CLSID\{A6FEED89-3BCD-4D19-9DC2-3E613A80A2A4}\Programmable]
– [HKCR\CLSID\{A6FEED89-3BCD-4D19-9DC2-3E613A80A2A4}\LocalServer32]
   • @="\"sample.exe\""
   • "ServerExecutable"="sample.exe"

– [HKCR\CLSID\{A6FEED89-3BCD-4D19-9DC2-3E613A80A2A4}\TypeLib]
   • @="{1C1356DA-1E98-4810-A9F6-18D89BD1C0C0}"

– [HKCR\CLSID\{A6FEED89-3BCD-4D19-9DC2-3E613A80A2A4}\Version]
   • @="1.0"

– [HKCR\TypeLib\{1C1356DA-1E98-4810-A9F6-18D89BD1C0C0}\1.0]
   • @="InstallerLib"

– [HKCR\TypeLib\{1C1356DA-1E98-4810-A9F6-18D89BD1C0C0}\1.0\FLAGS]
   • @="0"

– [HKCR\TypeLib\{1C1356DA-1E98-4810-A9F6-18D89BD1C0C0}\1.0\0\win32]
   • @="sample.exe"

– [HKCR\TypeLib\{1C1356DA-1E98-4810-A9F6-18D89BD1C0C0}\1.0\HELPDIR]
   • @=""

– [HKCR\Interface\{D54C859C-6066-4F31-8FE0-2AAEDCAE67D7}]
   • @="IBoot"

– [HKCR\Interface\{D54C859C-6066-4F31-8FE0-2AAEDCAE67D7}\ProxyStubClsid]
   • @="{00020424-0000-0000-C000-000000000046}"

– [HKCR\Interface\{D54C859C-6066-4F31-8FE0-2AAEDCAE67D7}\ProxyStubClsid32]
   • @="{00020424-0000-0000-C000-000000000046}"

– [HKCR\Interface\{D54C859C-6066-4F31-8FE0-2AAEDCAE67D7}\TypeLib]
   • @="{1C1356DA-1E98-4810-A9F6-18D89BD1C0C0}"
   • "Version"="1.0"

– [HKLM\SOFTWARE\Microsoft\ESENT\Process\sample\DEBUG]
   • "Trace Level"=""

– [HKLM\SOFTWARE\Microsoft\Direct3D\MostRecentApplication]
   • "Name"="sample.exe"
The following registry key is changed:

– [HKLM\SYSTEM\ControlSet001\Services\Eventlog\Application\ESENT]
   New value:
   • "EventMessageFile"="c:\\windows\\system32\\ESENT.dll"
   • "CategoryMessageFile"="c:\\windows\\system32\\ESENT.dll"
   • "CategoryCount"=dword:00000010
   • "TypesSupported"=dword:00000007

Miscellaneous:
Checks for an internet connection by contacting the following web sites:
   • www.so**********m/finalize.php
   • cdn.cd**********/dp.exe
   • wpc.09**********n.net/80095**********d?is=am

Description inserted by Soe-liang Tan on Thursday, October 31, 2013
Description updated by Alexander Neth on Thursday, October 31, 2013