Home / malware

PDF

Adware:Win32/OKitSpace

First posted on 08 February 2020.
Source: Microsoft

Aliases :

There are no other names known for Adware:Win32/OKitSpace.

Explanation :

Installation

Adware:Win32/OKitSpace is usually installed in the following folders:

%APPDATA%okitspace %APPDATA%ProtectExtension

In Internet Explorer, it's installed as a BHO with the name OKitSpace Object or BaseFlash Object:

It might create these registry entries when it's installed:

HKCROKitSpace
HKCROKitSpace.1
HKCRCLSID{3543619C-D563-43f7-95EA-4DA7E1CC396A}
HKLMSOFTWAREOKitSpace
HKLMSOFTWAREClassesOKitSpace
HKLMSOFTWAREClassesOKitSpace.1
HKLMSOFTWAREClassesCLSID{3543619C-D563-43f7-95EA-4DA7E1CC396A}
HKLMSOFTWAREMicrosoftWindowsCurrentVersionExplorerBrowser Helper Objects{3543619C-D563-43f7-95EA-4DA7E1CC396A}

or

HKCRBaseFlash
HKCRBaseFlash.1
HKCRCLSID{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53}
HKLMSOFTWAREBaseFlash
HKLMSOFTWAREClassesBaseFlash
HKLMSOFTWAREClassesBaseFlash.1
HKLMSOFTWAREClassesCLSID{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53}
HKLMSOFTWAREMicrosoftWindowsCurrentVersionExplorerBrowser Helper Objects{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53}

In Firefox, it's installed as a plugin with the name OKitSpace or BaseFlash:

In Chrome, it's installed as a plugin also with the name OKitSpace or BaseFlash:

Behavior

This adware might do the following when you browse the Internet using Internet Explorer, Firefox, or Chrome:

Contact its servers (okitspace.com, baseflash.com) to get what pop-up ads will be displayed on your PC Show ads that have nothing to do with the websites you're visiting Show links that have nothing to do with the websites that you're visiting

Some of the pop-up ads might look similar to these:

The websites hosted on its servers have identical text and layouts, with slight changes for each version:

Analysis by Ric Robielos

Last update 08 February 2020

 

TOP