
Adware:Win32/OKitSpace


First posted on 12 March 2014.
Source: Microsoft

Aliases:

There are no other names known for Adware:Win32/OKitSpace.

Explanation:

Threat behavior

Installation

Adware:Win32/OKitSpace is usually installed in the following folders:

  • %APPDATA%\okitspace
  • %APPDATA%\ProtectExtension


In Internet Explorer, it's installed as a Browser Helper Object (BHO) with the name OKitSpace Object or BaseFlash Object:





It might create these registry entries when it's installed:

HKCR\OKitSpace
HKCR\OKitSpace.1
HKCR\CLSID\{3543619C-D563-43f7-95EA-4DA7E1CC396A}
HKLM\SOFTWARE\OKitSpace
HKLM\SOFTWARE\Classes\OKitSpace
HKLM\SOFTWARE\Classes\OKitSpace.1
HKLM\SOFTWARE\Classes\CLSID\{3543619C-D563-43f7-95EA-4DA7E1CC396A}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3543619C-D563-43f7-95EA-4DA7E1CC396A}

or

HKCR\BaseFlash
HKCR\BaseFlash.1
HKCR\CLSID\{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53}
HKLM\SOFTWARE\BaseFlash
HKLM\SOFTWARE\Classes\BaseFlash
HKLM\SOFTWARE\Classes\BaseFlash.1
HKLM\SOFTWARE\Classes\CLSID\{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53}

In Firefox, it's installed as a plugin with the name OKitSpace or BaseFlash:





In Chrome, it's installed as a plugin also with the name OKitSpace or BaseFlash:





Behavior

This adware might do the following when you browse the Internet using Internet Explorer, Firefox, or Chrome:

  • Contact its servers (okitspace.com, baseflash.com) to determine which pop-up ads to display on your PC
  • Show ads that have nothing to do with the websites you're visiting
  • Show links that have nothing to do with the websites that you're visiting


Some of the pop-up ads might look like:











The websites hosted on its servers don't have much information about the program, and have identical text and layouts:









Analysis by Ric Robielos

Symptoms

The following could indicate that you have this program on your PC:

  • You have one of these folders:
    • %APPDATA%\okitspace
    • %APPDATA%\ProtectExtension
  • You see these keys in your registry:

    HKCR\OKitSpace
    HKCR\OKitSpace.1
    HKCR\CLSID\{3543619C-D563-43f7-95EA-4DA7E1CC396A}
    HKLM\SOFTWARE\OKitSpace
    HKLM\SOFTWARE\Classes\OKitSpace
    HKLM\SOFTWARE\Classes\OKitSpace.1
    HKLM\SOFTWARE\Classes\CLSID\{3543619C-D563-43f7-95EA-4DA7E1CC396A}
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3543619C-D563-43f7-95EA-4DA7E1CC396A}

    or

    HKCR\BaseFlash
    HKCR\BaseFlash.1
    HKCR\CLSID\{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53}
    HKLM\SOFTWARE\BaseFlash
    HKLM\SOFTWARE\Classes\BaseFlash
    HKLM\SOFTWARE\Classes\BaseFlash.1
    HKLM\SOFTWARE\Classes\CLSID\{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53}
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53}

  • You see these pop-up ads:
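
The folder and registry indicators listed above can be checked in one pass with PowerShell. This is an added example, not part of the original Microsoft write-up; the function name `Get-OKitSpaceIndicator` is hypothetical, and the extra `WOW6432Node` lookups are an assumption for 64-bit Windows that the page does not mention.

```powershell
# Indicators copied from the page: ProgID names, BHO CLSIDs, and %APPDATA% folders.
$Variants = @(
    @{ Name = 'OKitSpace'; Clsid = '{3543619C-D563-43f7-95EA-4DA7E1CC396A}' },
    @{ Name = 'BaseFlash'; Clsid = '{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53}' }
)
$Folders = 'okitspace', 'ProtectExtension'

function Get-OKitSpaceIndicator {
    $bho = 'Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    # Build the full key list for each variant from its name and CLSID.
    $paths = foreach ($v in $Variants) {
        "HKEY_CLASSES_ROOT\$($v.Name)"
        "HKEY_CLASSES_ROOT\$($v.Name).1"
        "HKEY_CLASSES_ROOT\CLSID\$($v.Clsid)"
        # Assumption (not on the page): 32-bit registrations on 64-bit Windows
        # are redirected under WOW6432Node, so that view is checked as well.
        foreach ($sw in 'SOFTWARE', 'SOFTWARE\WOW6432Node') {
            "HKEY_LOCAL_MACHINE\$sw\$($v.Name)"
            "HKEY_LOCAL_MACHINE\$sw\Classes\$($v.Name)"
            "HKEY_LOCAL_MACHINE\$sw\Classes\$($v.Name).1"
            "HKEY_LOCAL_MACHINE\$sw\Classes\CLSID\$($v.Clsid)"
            "HKEY_LOCAL_MACHINE\$sw\$bho\$($v.Clsid)"
        }
    }
    # Emit one object per registry key that exists.
    foreach ($p in $paths) {
        if (Test-Path -LiteralPath "Registry::$p") {
            [pscustomobject]@{ Type = 'RegistryKey'; Path = $p }
        }
    }
    # %APPDATA% is per user: this only inspects the profile running the script.
    foreach ($f in $Folders) {
        $dir = Join-Path $env:APPDATA $f
        if (Test-Path -LiteralPath $dir -PathType Container) {
            [pscustomobject]@{ Type = 'Folder'; Path = $dir }
        }
    }
}

$hits = @(Get-OKitSpaceIndicator)
if ($hits.Count -eq 0) { 'No OKitSpace/BaseFlash indicators found.' }
else { $hits | Format-Table -AutoSize }
```

Run it once per user profile on a shared PC, because the folder check resolves `%APPDATA%` for the current user only.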











Last update 12 March 2014

 
