English
Deutsch
Français
Español
Italiano
Home
Virus Info
ADSPY/WinAD.AF.1
Search
Home
Support
Solutions
Products
Downloads
Virus Info
Statistics
Phishing Worldmap
VDF History
Virus Science
Submit Sample
Security News
Viruses In the Wild
Company
Press
Partners
Newsletter
TechBlog
ADSPY/WinAD.AF.1 - Adware / Spyware
See also
Summary
Full description
Statistics
How would you rate this information?
Worthless
Excellent
Virus:
ADSPY/WinAD.AF.1
Date discovered:
07/07/2005
Type:
Trojan
In the wild:
No
Reported Infections:
Low
Distribution Potential:
Low
Damage Potential:
Low to medium
Static file:
Yes
File size:
51.272 Bytes
MD5 checksum:
7c282c5a5c5491f753284a614f57c375
VDF version:
6.31.00.168
- Thu, 07 Jul 2005 17:04 (GMT+1)
General
Method of propagation:
• No own spreading routine
Aliases:
• Eset: Win32/Adware.WUpd
• Bitdefender: Trojan.Delautoexec.51272.A
Platforms / OS:
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003
Side effects:
• Downloads files
• Drops a file
• Registry modification
Files
It copies itself to the following location:
•
%PROGRAM FILES%
\Media Access\MediaAccess.exe
It creates the following directory:
•
%PROGRAM FILES%
\Media Access
The following file is created:
– Non malicious file:
•
%SYSDIR%
\ide21201.vxd
It tries to download some files:
– The location is the following:
• http://static.windupdates.com/Release/v20/**********
It is saved on the local hard drive under:
%PROGRAM FILES%
\Media Access\MediaAccK.exe Furthermore this file gets executed after it was fully downloaded. At the time of writing this file was not online for further investigation.
– The location is the following:
• http://static.windupdates.com/Release/v20/**********
It is saved on the local hard drive under:
%PROGRAM FILES%
\Media Access\MediaAccC.dll At the time of writing this file was not online for further investigation.
– The location is the following:
• http://static.windupdates.com/Release/v20/**********
It is saved on the local hard drive under:
%PROGRAM FILES%
\Media Access\Info.txt At the time of writing this file was not online for further investigation.
Registry
The following registry key is added in order to run the process after reboot:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• "Media Access"="
%PROGRAM FILES%
\Media Access\MediaAccK.exe"
The following registry keys are added:
– [HKCR\AppID\{735C5A0C-F79F-47A1-8CA1-2A2E482662A8}]
• @="LoaderX"
– [HKCR\AppID\LoaderX.EXE]
• "AppID"="{735C5A0C-F79F-47A1-8CA1-2A2E482662A8}"
– [HKCR\MediaAccess.Installer]
• @="Installer Class"
– [HKCR\MediaAccess.Installer\CLSID]
• @="{1E5F0D38-214B-4085-AD2A-D2290E6A2D2C}"
– [HKCR\MediaAccess.Installer\CurVer]
• @="MediaAccess.Installer"
– [HKCR\CLSID\{1E5F0D38-214B-4085-AD2A-D2290E6A2D2C}]
• @="Installer Class"
• "AppID"="{735C5A0C-F79F-47A1-8CA1-2A2E482662A8}"
– [HKCR\CLSID\{1E5F0D38-214B-4085-AD2A-D2290E6A2D2C}\
Implemented Categories]
– [HKCR\CLSID\{1E5F0D38-214B-4085-AD2A-D2290E6A2D2C}\
Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]
– [HKCR\CLSID\{1E5F0D38-214B-4085-AD2A-D2290E6A2D2C}\LocalServer32]
• @="
%PROGRAM FILES%
\Media Access\MediaAccess.exe"
– [HKCR\CLSID\{1E5F0D38-214B-4085-AD2A-D2290E6A2D2C}\ProgID]
• @="MediaAccess.Installer"
– [HKCR\CLSID\{1E5F0D38-214B-4085-AD2A-D2290E6A2D2C}\Programmable]
– [HKCR\CLSID\{1E5F0D38-214B-4085-AD2A-D2290E6A2D2C}\TypeLib]
• @="{15696AE2-6EA4-47F4-BEA6-A3D32693EFC7}"
– [HKCR\CLSID\{1E5F0D38-214B-4085-AD2A-D2290E6A2D2C}\
VersionIndependentProgID]
• @="MediaAccess.Installer"
– [HKCR\TypeLib\{15696AE2-6EA4-47F4-BEA6-A3D32693EFC7}]
– [HKCR\TypeLib\{15696AE2-6EA4-47F4-BEA6-A3D32693EFC7}\1.0]
• @="LoaderX 1.0 Type Library"
– [HKCR\TypeLib\{15696AE2-6EA4-47F4-BEA6-A3D32693EFC7}\1.0\0]
– [HKCR\TypeLib\{15696AE2-6EA4-47F4-BEA6-A3D32693EFC7}\1.0\0\win32]
• @="
%PROGRAM FILES%
\Media Access\MediaAccess.exe"
– [HKCR\TypeLib\{15696AE2-6EA4-47F4-BEA6-A3D32693EFC7}\1.0\FLAGS]
• @="0"
– [HKCR\TypeLib\{15696AE2-6EA4-47F4-BEA6-A3D32693EFC7}\1.0\HELPDIR]
• @="
%PROGRAM FILES%
\Media Access\"
– [HKCR\Interface\{00ADA225-EA6C-4FB3-82E8-68189201CCB9}]
• @="IInstaller"
– [HKCR\Interface\{00ADA225-EA6C-4FB3-82E8-68189201CCB9}\
ProxyStubClsid]
• @="{00020424-0000-0000-C000-000000000046}"
– [HKCR\Interface\{00ADA225-EA6C-4FB3-82E8-68189201CCB9}\
ProxyStubClsid32]
• @="{00020424-0000-0000-C000-000000000046}"
– [HKCR\Interface\{00ADA225-EA6C-4FB3-82E8-68189201CCB9}\TypeLib]
• @="{15696AE2-6EA4-47F4-BEA6-A3D32693EFC7}"
• "Version"="1.0"
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
Media Access]
• "UninstallString"="
%PROGRAM FILES%
\Media Access\MediaAccess.exe /Remove"
• "DisplayName"="Media Access"
Backdoor
Contact server:
The following:
• http://www.windupdates.com/**********
As a result it may send some information.
Miscellaneous
Mutex:
It creates the following Mutex:
• MediaAccess
File details
Programming language:
The malware program was written in MS Visual C++.
Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
• UPX
See a brief description
here
.
Description inserted by Adriana Popa on Tue, 19 Dec 2006 11:05 (GMT+1)
Description updated by Adriana Popa on Tue, 19 Dec 2006 12:56 (GMT+1)
»
About Malware
»
About Phishing
»
Viruses In the Wild
« back
Print this page
TR/Crypt.XPACK.Gen
HEUR/HTML.Malware
HTML/Infected.WebPage.Gen
ADSPY/AdSpy.Gen
HTML/Crypted.Gen
W32/Induc.Gen
TR/ATRAPS.Gen2
TR/Click.Yabector.8857.2
TR/PSW.Magania.auv
TR/Dldr.Bredolab.AX
Get comfortable up to the minute info from Avira as
Detects and removes distinct malware and its variants.
Download here
Click
here
to get the panel...
© 2009 Avira GmbH
Copyright
|
Privacy
|
Sitemap
|
Feedback
|
Imprint
|
FAQ
|
Contact
Virus Info ADSPY/WinAD.AF.1
Print this page
.gif)
