
Adware:Win32/Dymanet


First posted on 06 August 2010.
Source: SecurityHome

Aliases :

Adware:Win32/Dymanet is also known as AdWare.Win32.EZula.blt (Kaspersky), W32/AdSpy.Q (Norman), Ezula (AVG), Win32.Adware.Primawega (Sunbelt Software), Adware.Heur.rv8@WT6waami (BitDefender), Generic PUP.x!ek (McAfee).

Explanation :

Adware:Win32/Dymanet is a program that displays pop-up and notification-style advertisements based on the user's web browsing habits.

Installation :

Adware:Win32/Dymanet is bundled with other applications; in the wild we have observed the adware bundled with SoftwareBundler:Win32/MediaPass. Adware:Win32/Dymanet drops the following files:

  • C:\windows\system32\<unique_file_name>.exe - this is the uninstaller for the adware
  • C:\windows\system32\<unique_file_name>.exe - this is the BHO (Browser Helper Object) for Internet Explorer
  • C:\Program Files\Mozilla Firefox\components\<unique_file_name>.dll - this is the Firefox extension of the adware

Note: <unique_file_name> is a value (key) that is derived from a computer's configuration. For example, on a computer the key may look like one of the following:

  • C:\windows\system32\21222da1-ffa2-7222-9f78-34b221d8230a.exe
  • C:\WINDOWS\system32\b32612b4-322a-c220-822b-a31220acf831.dll
  • C:\Program Files\Mozilla Firefox\components\457723b4-322a-c222-8213-a32350ac4361.dll

When executed, the adware installs itself as a Web Browser Helper Object in Internet Explorer and makes the following registry modifications:

Creates subkey: HKLM\SOFTWARE\Classes\CLSID\{<unique_value>}

Adds value: "<default>"
With data: "dymanet"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{<unique_value>}
For example, HKLM\SOFTWARE\Classes\CLSID\{552258ec-96c1-9e8b-22ca-0d7227ca15b3}

Adds value: "<default>"
With data: "C:\\WINDOWS\\system32\\<unique_file_name>.dll"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{<unique_value>}
For example, C:\\WINDOWS\\system32\\b322eab4-3a8a-c220-822b-a31a7022f831.dll

Creates subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{<unique_value>}
Note: This <unique_value> is the same as the value under the CLSID key.

Adds value: "NoExplorer"
With data: "\"\""
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{<unique_value>}

Once installed in Internet Explorer, the adware's presence can be seen in the 'Manage Add-ons' window that can be accessed from the Tools menu. The image below displays a 'Manage Add-ons' window with the adware listed as 'dymanet'.

Adware:Win32/Dymanet adds an uninstaller to the system by creating the following subkey:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\<unique_value>
Note: <unique_value> is a value that is derived from a computer's configuration. For example, on a computer the key may look like the following: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\211b2da1-ffa2-75d2-9f78-34be51d8230a

Adds value: "DisplayName"
With data: "Contextual Tracker Dymanet"
Adds value: "NoModify"
With data: "dword:00000000"
Adds value: "NoRepair"
With data: "dword:00000000"
Adds value: "UninstallString"
With data: "C:\\WINDOWS\\system32\\<unique_file_name>.dll"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\<unique_value>
Note: <unique_file_name> is a value that is derived from a computer's configuration. For example, on a computer the key may look like the following: "C:\\WINDOWS\\system32\\21222da1-22a2-75d2-9228-34be5122230a.exe"

Once installed, Adware:Win32/Dymanet can be seen in the 'Add or Remove Programs' window that can be accessed from the Control Panel. The image below displays an 'Add or Remove Programs' window with the adware listed under the name that was derived from the system directory.

Additional information :

Adds entries to store data > Modifies registry in order to store data

Adware:Win32/Dymanet stores information about the user's browser history by making the following registry modification:

Creates subkey: HKCU\Software\AppDataLow\<unique_value>
Note: <unique_value> is a value that is derived from a computer's configuration. For example, on a computer the key may look like the following: HKCU\Software\AppDataLow\0330cab9-c505-2882-33f6-fee9fa3371e9

Encoded information is held in the above-listed (variable) subkey. We have observed the adware making the following modifications:

Adds value: "17b77712"
With data: "dword:4c534626"
To subkey: HKCU\Software\AppDataLow\0330cab9-c505-2882-33f6-fee9fa3371e9

Adds value: "2961221c"
With data: "%87%d3n3%9d%d2%b9W%f1%5c%ff%c4%19%ae%a8U%d9"
To subkey: HKCU\Software\AppDataLow\0330cab9-c505-2882-33f6-fee9fa3371e9

Inserts advertisements

Adware:Win32/Dymanet may insert advertisements into Internet Explorer and Firefox browsers. Pop-up advertisements are attributed by indicating 'As served by Dynamet' in the window title, as seen in the image below:
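As an added example (not part of the original write-up), the following PowerShell hunts a Windows host for the footprint described above: BHO CLSIDs whose default name is 'dymanet' or whose DLL is a GUID-named file in system32, the Uninstall entry, GUID-named subkeys under HKCU\Software\AppDataLow, and GUID-named binaries in the two drop directories. It assumes the BHO DLL path is registered under the CLSID's InprocServer32 subkey (standard COM registration; the write-up does not name the subkey) and uses the 8-4-4-4-12 hex file-name pattern seen in the samples above as a hunt heuristic.

```powershell
# Added example, not from the original write-up. Indicator strings come from the
# text above; the GUID-name regexes and the InprocServer32 lookup are assumptions.
$guidKey  = '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
$guidFile = '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\.(dll|exe)$'
$findings = @()

# 1. Browser Helper Objects: each subkey is a CLSID; resolve its name and DLL.
$bhoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
foreach ($bho in (Get-ChildItem $bhoRoot -ErrorAction SilentlyContinue)) {
    $clsid  = $bho.PSChildName
    $clsKey = "HKLM:\SOFTWARE\Classes\CLSID\$clsid"
    $name   = (Get-ItemProperty $clsKey -ErrorAction SilentlyContinue).'(default)'
    $dll    = (Get-ItemProperty "$clsKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
    $leaf   = if ($dll) { Split-Path $dll -Leaf } else { '' }
    if ($name -eq 'dymanet' -or ($leaf -match $guidFile -and $dll -match '\\system32\\')) {
        $findings += [pscustomobject]@{ Where='BHO'; Key=$clsid; Name=$name; Path=$dll }
    }
}

# 2. Uninstall entries: GUID-named subkey or the display name from the write-up.
$uninst = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
foreach ($u in (Get-ChildItem $uninst -ErrorAction SilentlyContinue)) {
    $p = Get-ItemProperty $u.PSPath -ErrorAction SilentlyContinue
    if ($p.DisplayName -eq 'Contextual Tracker Dymanet' -or $u.PSChildName -match $guidKey) {
        $findings += [pscustomobject]@{ Where='Uninstall'; Key=$u.PSChildName
                                        Name=$p.DisplayName; Path=$p.UninstallString }
    }
}

# 3. HKCU\Software\AppDataLow: GUID-named subkeys holding the encoded browsing data.
$adl = 'HKCU:\Software\AppDataLow'
foreach ($k in (Get-ChildItem $adl -ErrorAction SilentlyContinue)) {
    if ($k.PSChildName -match $guidKey) {
        $findings += [pscustomobject]@{ Where='AppDataLow'; Key=$k.PSChildName
                                        Name=($k.GetValueNames() -join ','); Path=$adl }
    }
}

# 4. GUID-named binaries in the two drop locations named in the write-up.
$dirs = "$env:SystemRoot\system32", "$env:ProgramFiles\Mozilla Firefox\components"
foreach ($f in (Get-ChildItem $dirs -File -ErrorAction SilentlyContinue)) {
    if ($f.Name -match $guidFile) {
        $findings += [pscustomobject]@{ Where='File'; Key=''; Name=$f.Name; Path=$f.FullName }
    }
}

$findings | Format-Table -AutoSize
```

Run from an elevated prompt in the affected user's session so both the HKLM and HKCU locations are visible; on 64-bit Windows the 32-bit Internet Explorer BHO list also lives under the corresponding Wow6432Node keys, which this script does not walk.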

    Analysis by Michael Johnson

    Last update 06 August 2010
