
Adware.Blinkator.A


First posted on 21 November 2011.
Source: BitDefender

Aliases :

There are no other names known for Adware.Blinkator.A.

Explanation :

When executed, the adware creates the following files:

%WINDOWS%\system32\sprt_ads.dll
%WINDOWS%\system32\superiorads-uninst.exe

And the following registry keys:

HKEY_CURRENT_USER\Software\Microsoft\AdvRemoteDbg
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AdPanel.Panel1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AdPanel.Panel1.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\superiorads

It adds itself to startup by creating the value spa_start under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and by registering itself as a Browser Helper Object (BHO) in Internet Explorer.



The adware keeps all the state it needs to show pop-ups in the registry. It creates the following values under the key HKCU\Software\Microsoft\AdvRemoteDbg:

aff_id
day
domain_list
install_id
last_ip
next_url_post_time
max_impress
impress_stat
click_stat
delay
click_counter
url_list
domain_collect_enabled
url_collect_enabled
max_clicks
timestamp
last_update_attempt
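
The following is an added example of how a responder could check a host for the artifacts listed above (files, registry keys, the spa_start Run value and the BHO registration). It is not BitDefender's code and not part of the original description. It runs on a registry and file-listing snapshot held in plain Python data so it works offline; on a live Windows host the snapshot would be filled from winreg or a `reg export` dump. The BHO registration path and the CLSID-to-InprocServer32 resolution are standard Windows registry layout, not details from the write-up; the CLSIDs, the last_ip/install_id data and the spa_start data in the sample snapshot are placeholders, because the write-up gives none of them.

```python
from __future__ import annotations

# IOCs copied from the description above (backslashes restored).
IOC_FILES = {
    r"%WINDOWS%\system32\sprt_ads.dll",
    r"%WINDOWS%\system32\superiorads-uninst.exe",
}
IOC_KEYS = {
    r"HKEY_CURRENT_USER\Software\Microsoft\AdvRemoteDbg",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AdPanel.Panel1",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AdPanel.Panel1.1",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\superiorads",
}
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "spa_start"
PAYLOAD_DLL = "sprt_ads.dll"
# Standard BHO registration layout (Windows convention, not from the write-up):
# each BHO is a subkey named by CLSID under BHO_ROOT, and that CLSID's
# InprocServer32 (Default) value names the DLL Internet Explorer loads.
BHO_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
CLSID_ROOT = r"HKEY_CLASSES_ROOT\CLSID"

# Snapshot format: {key_path: {value_name: data}}; value name "" is (Default).


def _norm(path: str) -> str:
    """Registry paths and Windows file paths compare case-insensitively."""
    return path.replace("/", "\\").rstrip("\\").lower()


def _ioc_tail(ioc: str) -> str:
    """Drop the %WINDOWS% prefix so the IOC matches whatever the real directory is."""
    return _norm(ioc).replace("%windows%", "")


def _has_key(reg: dict[str, dict[str, str]], key: str) -> bool:
    target = _norm(key)
    return any(_norm(k) == target for k in reg)


def _values(reg: dict[str, dict[str, str]], key: str) -> dict[str, str]:
    """Values of a key with value names lower-cased; {} if the key is absent."""
    target = _norm(key)
    for k, vals in reg.items():
        if _norm(k) == target:
            return {n.lower(): d for n, d in vals.items()}
    return {}


def bho_dlls(reg: dict[str, dict[str, str]]) -> dict[str, str]:
    """Map every registered BHO CLSID to the DLL its InprocServer32 names."""
    prefix = _norm(BHO_ROOT) + "\\"
    out = {}
    for key in reg:
        nk = _norm(key)
        if nk.startswith(prefix) and "\\" not in nk[len(prefix):]:
            clsid = key.rstrip("\\").rsplit("\\", 1)[1]
            out[clsid] = _values(reg, f"{CLSID_ROOT}\\{clsid}\\InprocServer32").get("", "")
    return out


def check_blinkator(reg: dict[str, dict[str, str]], files: set[str]) -> list[str]:
    """Return one finding per Blinkator artifact present in the snapshot."""
    findings = []
    present = {_norm(f) for f in files}
    findings += [f"file: {f}" for f in sorted(IOC_FILES)
                 if any(p.endswith(_ioc_tail(f)) for p in present)]
    findings += [f"key: {k}" for k in sorted(IOC_KEYS) if _has_key(reg, k)]
    if RUN_VALUE.lower() in _values(reg, RUN_KEY):
        findings.append(f"run value: {RUN_VALUE}")
    for clsid, dll in bho_dlls(reg).items():
        if _norm(dll).endswith("\\" + PAYLOAD_DLL):
            findings.append(f"BHO {clsid} -> {dll}")
    return findings


# Constructed snapshot of an infected host (sample data, not a real capture).
SAMPLE_FILES = {
    r"C:\Windows\system32\sprt_ads.dll",
    r"C:\Windows\system32\superiorads-uninst.exe",
    r"C:\Windows\system32\kernel32.dll",
}
SAMPLE_REG = {
    r"HKEY_CURRENT_USER\Software\Microsoft\AdvRemoteDbg": {"install_id": "0123abcd", "last_ip": "192.0.2.10"},
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AdPanel.Panel1": {"": "AdPanel.Panel1"},
    RUN_KEY: {"spa_start": ""},  # the write-up does not give the command stored here
    BHO_ROOT + r"\{11111111-2222-3333-4444-555555555555}": {},  # placeholder CLSID
    BHO_ROOT + r"\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}": {},  # unrelated, benign BHO
    CLSID_ROOT + r"\{11111111-2222-3333-4444-555555555555}\InprocServer32": {
        "": r"C:\Windows\system32\sprt_ads.dll", "ThreadingModel": "Apartment"},
    CLSID_ROOT + r"\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\InprocServer32": {
        "": r"C:\Program Files\Example\helper.dll"},
}

if __name__ == "__main__":
    for finding in check_blinkator(SAMPLE_REG, SAMPLE_FILES):
        print(finding)
```

The BHO check deliberately matches on the DLL the CLSID resolves to rather than on a CLSID, since the write-up names the DLL but not the CLSID; the same approach catches a re-registration under a different CLSID.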
The adware works by opening an Internet Explorer window in the background and showing pop-ups at a fixed interval. It first connects to http://superi[hidden]/bc/ip.php using the User-Agent string "opera" and reads the response, which contains the IP address of the server hosting the pop-ups; it saves this address in the value last_ip. At intervals it sends the data held in the registry to http://superi[hidden]/bc/123kah.php using the User-Agent string M0zilla/4.0(compatible) (written with a digit zero in the original description); the install_id it reports is a hash computed from the host's VolumeSerialNumber, WProcessorRevision and WProcessorLevel.
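
The two requests described above give a network-side signature: an exact User-Agent of "opera" against /bc/ip.php, and the misspelled User-Agent "M0zilla/4.0(compatible)" against /bc/123kah.php, repeated on a timer. The following is an added example, not part of the BitDefender write-up, of running those signatures over proxy logs and flagging clients whose report requests arrive at a regular interval. The log layout, the sample lines and the C2 hostname (ads.example.net) are constructed for the example, since the description redacts the real host; matching therefore ignores the host and the HTTP method and keys only on path and User-Agent. The periodicity heuristic (standard deviation of the inter-request gaps within 20 percent of the mean) is this example's own choice.

```python
from __future__ import annotations

import re
from datetime import datetime
from statistics import mean, pstdev

# Signatures taken from the description: the initial check-in uses the bare
# User-Agent "opera" against /bc/ip.php; the periodic report uses the
# misspelled "M0zilla" (digit zero) User-Agent against /bc/123kah.php.
# The host is redacted in the write-up, so only path and UA are matched.
SIGNATURES = (
    ("blinkator-checkin", "/bc/ip.php", "opera"),
    ("blinkator-report", "/bc/123kah.php", "M0zilla/4.0(compatible)"),
)

# Assumed log layout (constructed for this example):
#   <iso-timestamp> <client-ip> <method> <url> <status> "<user-agent>"
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')
PATH_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://[^/]*(/[^?#]*)")


def parse_line(line: str) -> dict | None:
    """Split one log line into fields; return None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status, ua = m.groups()
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "method": method, "url": url, "status": int(status), "ua": ua}


def classify(rec: dict) -> str | None:
    """Name the Blinkator signature a request matches, or None."""
    pm = PATH_RE.match(rec["url"])
    path = pm.group(1) if pm else ""
    for name, sig_path, sig_ua in SIGNATURES:
        if path == sig_path and rec["ua"] == sig_ua:
            return name
    return None


def find_beacons(lines: list[str], max_jitter: float = 0.2, min_hits: int = 3) -> dict[str, dict]:
    """Per client: which signatures fired, and whether the report hits are periodic.

    Periodic means at least min_hits report requests whose inter-request gaps
    have a standard deviation within max_jitter of the mean gap, which is what
    a fixed-interval timer with small scheduling noise looks like.
    """
    per_client: dict[str, dict] = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        name = classify(rec)
        if name is None:
            continue
        entry = per_client.setdefault(rec["client"], {"names": set(), "times": []})
        entry["names"].add(name)
        if name == "blinkator-report":
            entry["times"].append(rec["ts"])

    results = {}
    for client, entry in per_client.items():
        times = sorted(entry["times"])
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps) if gaps else None
        periodic = len(times) >= max(min_hits, 2) and pstdev(gaps) <= max_jitter * avg
        results[client] = {"signatures": sorted(entry["names"]),
                           "mean_gap_s": avg, "periodic": periodic}
    return results


# Constructed sample log (not a real capture); ads.example.net stands in for
# the redacted C2 host. 10.0.0.9 hits the check-in path with a normal browser
# UA and must not match.
SAMPLE_LOG = [
    '2011-11-21T10:00:00 10.0.0.5 GET http://ads.example.net/bc/ip.php 200 "opera"',
    '2011-11-21T10:00:01 10.0.0.9 GET http://www.example.com/index.html 200 "Mozilla/5.0 (Windows NT 6.1)"',
    '2011-11-21T10:04:59 10.0.0.5 GET http://ads.example.net/bc/123kah.php?install_id=0123abcd 200 "M0zilla/4.0(compatible)"',
    '2011-11-21T10:05:30 10.0.0.9 GET http://ads.example.net/bc/ip.php 200 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"',
    '2011-11-21T10:10:02 10.0.0.5 GET http://ads.example.net/bc/123kah.php?install_id=0123abcd 200 "M0zilla/4.0(compatible)"',
    '2011-11-21T10:14:59 10.0.0.5 GET http://ads.example.net/bc/123kah.php?install_id=0123abcd 200 "M0zilla/4.0(compatible)"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for client, info in find_beacons(SAMPLE_LOG).items():
        print(client, info)
```

The exact-match on the User-Agent is what keeps this precise: a real Internet Explorer request to the same path with a genuine "Mozilla/4.0 (compatible; ...)" string is ignored, while the digit-zero "M0zilla" never appears in legitimate browser traffic.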

At intervals the adware also checks whether an update is available; if one is, it downloads it from the server and executes it.

Last update 21 November 2011
