Adware:Win32/DealsPlugin
First posted on 31 January 2013.
Source: Microsoft
Aliases:
There are no other names known for Adware:Win32/DealsPlugin.
Explanation:
Adware:Win32/DealsPlugin is an adware program that displays offers, depending on the webpages that you visit. The program also injects unrelated advertisements into the webpages that you visit.
Installation
Adware:Win32/DealsPlugin may be installed when you visit the program's website; it will appear as a BHO (Browser Helper Object) in Internet Explorer.
It stores itself in the "%ProgramFiles%\Deals Plug-in" folder, and stores its data in the "%LOCALAPPDATA%\Deals Plug-in" folder.
Note:
- %LOCALAPPDATA% refers to a variable location that is determined by the malware by querying the operating system. The default location for the Local Application Data folder for Windows 2000, XP, and 2003 is "C:\Documents and Settings\<user>\Local Settings\Application Data". For Windows Vista, 7, and 8, the default location is "C:\Users\<user>\AppData\Local".
- %ProgramFiles% refers to a variable location that is determined by the malware by querying the operating system. The default location for the Program Files folder for Windows 2000, XP, 2003, Vista, 7, and 8 is "C:\Program Files".
Adware:Win32/DealsPlugin creates a scheduled task to run every day at 13:00, allowing it to update itself. The updater is found in the following location:
%LOCALAPPDATA%\Updater4637\Updater4637.exe
It also installs itself as extensions for Chrome and Firefox.
Execution
Once installed, Adware:Win32/DealsPlugin displays deals when you browse the Internet:
It also injects advertisements into webpages that you visit:
Adware:Win32/DealsPlugin may display a "flag" on the top right-hand corner of your browser, such as the following:
If you click on this "flag", the program will list a number of deals, such as the following:
Additional information
Adware:Win32/DealsPlugin may create an uninstaller that you can see in the Programs and Features window:
The following is a list of registry keys the adware creates:
- HKLM\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-110011461137}
- HKLM\SOFTWARE\Classes\CLSID\{22222222-2222-2222-2222-220022462237}
- HKLM\SOFTWARE\Classes\CrossriderApp0004637.BHO
- HKLM\SOFTWARE\Classes\CrossriderApp0004637.BHO.1
- HKLM\SOFTWARE\Classes\CrossriderApp0004637.Sandbox
- HKLM\SOFTWARE\Classes\CrossriderApp0004637.Sandbox.1
- HKLM\SOFTWARE\Classes\Interface\{55555555-5555-5555-5555-550055465537}
- HKLM\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660066466637}
- HKLM\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440044464437}
- HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{11111111-1111-1111-1111-110011461137}
- HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{21111111-1111-1111-1111-110011461137}
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{11111111-1111-1111-1111-110011461137}
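As an added, read-only triage check (not part of Microsoft's write-up), the PowerShell below looks for the folders, updater binary, registry keys and scheduled task described above. It assumes the scheduled task's name is unknown (the write-up does not give it), so tasks are matched by an action that runs Updater4637.exe; it also assumes Get-ScheduledTask is available (Windows 8 / Server 2012 and later) and additionally checks Wow6432Node for 32-bit keys on 64-bit Windows.

```powershell
# Added example, not Microsoft's code: read-only check for the indicators in the write-up.
# Assumptions: task name unknown (matched by action path); Wow6432Node also checked.
$findings = @()

# File-system locations named in the write-up
$paths = @(
    (Join-Path $env:ProgramFiles 'Deals Plug-in'),
    (Join-Path $env:LOCALAPPDATA 'Deals Plug-in'),
    (Join-Path $env:LOCALAPPDATA 'Updater4637\Updater4637.exe')
)
if (${env:ProgramFiles(x86)}) { $paths += (Join-Path ${env:ProgramFiles(x86)} 'Deals Plug-in') }
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings += "Path present: $p" }
}

# Registry keys named in the write-up, relative to HKLM\SOFTWARE
$keys = @(
    'Classes\CLSID\{11111111-1111-1111-1111-110011461137}',
    'Classes\CLSID\{22222222-2222-2222-2222-220022462237}',
    'Classes\CrossriderApp0004637.BHO',
    'Classes\CrossriderApp0004637.BHO.1',
    'Classes\CrossriderApp0004637.Sandbox',
    'Classes\CrossriderApp0004637.Sandbox.1',
    'Classes\Interface\{55555555-5555-5555-5555-550055465537}',
    'Classes\Interface\{66666666-6666-6666-6666-660066466637}',
    'Classes\TypeLib\{44444444-4444-4444-4444-440044464437}',
    'Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{11111111-1111-1111-1111-110011461137}',
    'Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{21111111-1111-1111-1111-110011461137}',
    'Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{11111111-1111-1111-1111-110011461137}'
)
foreach ($k in $keys) {
    foreach ($root in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node') {
        $full = Join-Path $root $k
        if (Test-Path -LiteralPath $full) { $findings += "Registry key present: $full" }
    }
}

# Scheduled task whose action runs the updater (write-up: daily at 13:00)
Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { $_.Actions | Where-Object { $_.Execute -like '*Updater4637.exe*' } } |
    ForEach-Object { $findings += "Scheduled task '$($_.TaskName)' runs $($_.Actions[0].Execute)" }

if ($findings.Count -eq 0) { 'No Adware:Win32/DealsPlugin indicators found.' }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

Run it from an elevated prompt so HKLM and all-users task reads are not blocked; a hit on any indicator is a reason to remove the BHO and browser extensions and delete the scheduled task, not proof of infection on its own.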
Analysis by Michael Johnson
Last update 31 January 2013