Home / malwarePDF  

Adware:Win32/DealsPlugin


First posted on 31 January 2013.
Source: Microsoft

Aliases :

There are no other names known for Adware:Win32/DealsPlugin.

Explanation :



Adware:Win32/DealsPlugin is an adware program that displays offers, depending on the webpages that you visit. The program also injects unrelated advertisements into the webpages that you visit.



Installation

Adware:Win32/DealsPlugin may be installed when you visit the program's website; it will appear as a BHO (Browser Helper Object) in Internet Explorer.



It stores itself in the "%ProgramFiles%\Deals Plug-in" folder, and stores its data in the "%LOCALAPPDATA%\Deals Plug-in" folder.

Note:

  • %LOCALAPPDATA% refers to a variable location that is determined by the malware by querying the operating system. The default location for the Local Application Data folder for Windows 2000, XP, and 2003 is "C:\Documents and Settings\<user>\Local Settings\Application Data". For Windows Vista, 7, and 8, the default location is "C:\Users\<user>\AppData\Local".
  • %ProgramFiles% refers to a variable location that is determined by the malware by querying the operating system. The default location for the Program Files folder for Windows 2000, XP, 2003, Vista, 7, and 8 is "C:\Program Files".


Adware:Win32/DealsPlugin creates a scheduled task to run every day at 13:00, allowing it to update itself. The updater is found in the following location:

%LOCALAPPDATA%\Updater4637\Updater4637.exe



It also installs itself as extensions for Chrome and Firefox.

Execution

Once installed, Adware:Win32/DealsPlugin displays deals when you browse the Internet:



It also injects advertisements into webpages that you visit:







Adware:Win32/DealsPlugin may display a "flag" on the top right-hand corner of your browser, such as the following:



If you click on this "flag", the program will list a number of deals, such as the following:



Additional information

Adware:Win32/DealsPlugin may create an uninstaller that you can see in the Programs and Features window:



The following is a list registry keys the adware creates::

  • HK LM\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-110011461137}
  • HKLM\SOFTWARE\Classes\CLSID\{22222222-2222-2222-2222-220022462237}
  • HKLM\SOFTWARE\Classes\CrossriderApp0004637.BHO
  • HKLM\SOFTWARE\Classes\CrossriderApp0004637.BHO.1
  • HKLM\SOFTWARE\Classes\CrossriderApp0004637.Sandbox
  • HKLM\SOFTWARE\Classes\CrossriderApp0004637.Sandbox.1
  • HKLM\SOFTWARE\Classes\Interface\{55555555-5555-5555-5555-550055465537}
  • HKLM\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660066466637}
  • HKLM\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440044464437}
  • HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{11111111-1111-1111-1111-110011461137}
  • HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{21111111-1111-1111-1111-110011461137}
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{11111111-1111-1111-1111-110011461137}




Analysis by Michael Johnson

Last update 31 January 2013

 

TOP

Malware :