Home / malware Adware.Navipromo.BYT
First posted on 21 November 2011.
Source: BitDefenderAliases :
Adware.Navipromo.BYT is also known as Navipromo.
Explanation :
Adware.Navipromo is an advanced and difficult-to-detect adware that runs silently on the infected computer. It uses rootkit techniques to hide its process in memory and its files and registry entries on disk.
This malware comes bundled with several software which can be downloaded from the following sites and is installed along with them.
<hide>netgamebox.com
<hide>ediaplayer.com
<hide>planet.com
<hide>skinner.com
<hide>stro.com
<hide>cord.com
<hide>ngerskinner.com
On first run, it creates an executable with a random generated name in the %system% directory (default is: C:Windowssystem32) and then runs it in stealth. The hidden process drops in the %system% directory a library file (msclock.dll or msplock.dll) that is injected in the explorer.exe process. The adware tracks visited URLSs from the infected computer, stores them on disk and sends them to a server. Then it receives links regarding related advertisements that are displayed as pop-up windows. During the internet transfer, several other files are created in the %system% directory. Their names are formed with the random generated name and the following suffixes and are not visible to the user either.
.dat
_nav.dat
_navps.dat
_navup.dat
_navtmp.dat
_m2s.xml
Adware.Navipromo may also create the following registry subkey:
HKEY_LOCAL_MACHINESoftwaremc
which contains information about the adware, and may add one registry value (also hidden):
[random_name] = "%system%[random_name].exe"
to one of the following registry subkeys:
HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunLast update 21 November 2011