Home / malwarePDF  

Adware:Win32/WhenU


First posted on 08 February 2013.
Source: Microsoft

Aliases :

Adware:Win32/WhenU is also known as Gen:Adware.Heur.6025DA7878 (BitDefender), Adware.SaveNow (Dr.Web), Win32/Adware.WhenU.SaveNow (ESET), not-a-virus:WebToolbar.Win32.WhenU.a (Kaspersky), Adware/SaveNow (Panda), WhenU.Save (Sunbelt Software).

Explanation :



Adware:Win32/WhenU is a family of software products that may display sponsored advertisements on your desktop. WhenU software may install a browser search bar and a desktop search bar, or it may run without a user interface, or may also install a browser helper object (BHO).

WhenU products include:

  • WhenU.WhenUSearch
  • WhenU.SaveNow
  • WhenU.Deskbar


Installation

Adware:Win32/WhenU is installed under %USERPROFILE%\Start Menu\Programs with the name:

  • WhenU
  • WhenUSave
  • WhenUSearch


Note: %USERPROFILE% refers to a variable location that is determined by the malware by querying the operating system. The default location for the User Profile folder for Windows 2000, XP, and 2003 is "C:\Documents and Settings\<user>" or "C:\Users\<user>". For Windows Vista, 7, and 8, the default location is "C:\Users\<user name>".

The adware installs its files in the %ProgramFiles% directory with the following directory names:

  • DaemonTools_WhenUSave_Installer
  • Save
  • VVSN
  • WhenU
  • WhenUSearch


Note: %ProgramFiles% refers to a variable location that is determined by the malware by querying the operating system. The default location for the Program Files folder for Windows 2000, XP, 2003, Vista, 7, and 8 is "C:\Program Files".

Execution

Adware:Win32/WhenU has been observed contacting the following websites:

  • app.whenu<dot>com
  • spweb.whenu<dot>com
  • web.whenu<dot>com
  • www<dot>whenudownloads<dot>com


The Aware:Win32/WhenU search bar may display as the following:



Adware:Win32/WhenU is often bundled with other programs written by the same company, such as:

  • ClockSync
  • SaveNow
  • ScreenSaver.com
  • WeatherCast
  • WhenUSearch
Additional information

The adware may provide an uninstaller that is displayed in the "Add or Remove Programs" dialog under the names:

  • SaveNow
  • SearchBar
  • WhenU
  • WhenUSearch


Alternatively, the unistaller may be found in the directory that the program was installed in.





Analysis by Michael Johnson

Last update 08 February 2013

 

TOP

Malware :