Adware:Win32/Kraddare
First posted on 26 September 2012.
Source: Microsoft
Aliases:
Adware:Win32/Kraddare is also known as Trojan/Win32.KorAd (AhnLab), Win32/Adware.Kraddare.FO application (ESET).
Explanation:
Adware:Win32/Kraddare is an application that displays Korean advertisements on your computer.
Installation
Adware:Win32/Kraddare drops its main component in the %ProgramFiles% folder as a DLL file with a random name, for example:
%ProgramFiles%\cpqojojbzhl\cpqojojbzhl.dll
It adds registry entries with the following format so that it can load as a service every time Windows starts:
In subkey: HKLM\SYSTEM\ControlSet001\Services\<random name>
Sets value: "Description"
With data: "<random name>"
Sets value: "DisplayName"
With data: "<random name>"
In subkey: HKLM\SYSTEM\ControlSet001\Services\<random name>\Parameters
Sets value: "ServiceDll"
With data: "%ProgramFiles%\<random name>\<random name>.dll"
For example:
In subkey: HKLM\SYSTEM\ControlSet001\Services\cpqojojbzhl
Sets value: "Description"
With data: "cpqojojbzhl"
Sets value: "DisplayName"
With data: "cpqojojbzhl"
In subkey: HKLM\SYSTEM\ControlSet001\Services\cpqojojbzhl\Parameters
Sets value: "ServiceDll"
With data: "%ProgramFiles%\cpqojojbzhl\cpqojojbzhl.dll"
To store its version information, Adware:Win32/Kraddare also creates a registry entry with the following format:
In subkey: HKLM\SOFTWARE\<random name>
Sets value: "ver"
With data: "<8-digit number>"
For example:
In subkey: HKLM\SOFTWARE\cpqojojbzhl
Sets value: "ver"
With data: "20120814"
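A triage check for the persistence pattern described above, added here as an example and not taken from the original write-up. It assumes the input is text in the layout printed by `reg query <key> /s`; the function names and the sample data are constructed for illustration, and the check accepts an expanded `C:\Program Files` path as well as `%ProgramFiles%`.

```python
import re

# Constructed sample in the layout printed by `reg query <key> /s` (not captured data).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cpqojojbzhl
    Description    REG_SZ    cpqojojbzhl
    DisplayName    REG_SZ    cpqojojbzhl

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cpqojojbzhl\Parameters
    ServiceDll    REG_EXPAND_SZ    %ProgramFiles%\cpqojojbzhl\cpqojojbzhl.dll

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dhcp\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\system32\dhcpcore.dll

HKEY_LOCAL_MACHINE\SOFTWARE\cpqojojbzhl
    ver    REG_SZ    20120814
"""

VALUE = re.compile(r"^\s{4}(.+?)\s{4}(REG_\w+)\s{4}(.*)$")
SVC = re.compile(r"^(hkey_local_machine\\system\\[^\\]+\\services\\([^\\]+))\\parameters$")
DLL = re.compile(r"^(?:%programfiles%|[a-z]:\\program files(?: \(x86\))?)\\([^\\]+)\\([^\\]+)\.dll$")

def parse_reg_query(text):
    """Return {lowercased key path: {lowercased value name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        m = VALUE.match(line)
        if m and current is not None:
            keys[current][m.group(1).lower()] = m.group(3).strip()
        elif line.upper().startswith("HKEY_"):
            current = line.strip().lower()
            keys.setdefault(current, {})
    return keys

def find_kraddare_like(keys):
    """Flag services whose ServiceDll is %ProgramFiles%\\<name>\\<name>.dll for service <name>."""
    hits = []
    for path, values in keys.items():
        svc, dll = SVC.match(path), DLL.match(values.get("servicedll", "").lower())
        if not (svc and dll):
            continue
        name = svc.group(2)
        if dll.group(1) != name or dll.group(2) != name:
            continue  # core pattern: folder, DLL and service key share one name
        parent = keys.get(svc.group(1), {})
        ver = keys.get("hkey_local_machine\\software\\" + name, {}).get("ver", "")
        names = {parent.get("description", "").lower(), parent.get("displayname", "").lower()}
        hits.append({"service": name, "names_match": names == {name},
                     "ver_marker": bool(re.fullmatch(r"\d{8}", ver))})
    return hits
```

A hit is a lead for review rather than a verdict, since the check matches the naming pattern only; `names_match` and `ver_marker` report whether the other two registry traits described above are also present.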
Behavior
Displays advertisements
Adware:Win32/Kraddare displays Korean ads on your computer. The ads may be hosted on the following servers:
- clicko.co.kr
- groupby.kr
Analysis by Gilou Tenebro
Last update 26 September 2012