Adware.CommAd.A
First posted on 21 November 2011.
Source: BitDefender
Aliases:
Adware.CommAd.A is also known as ISearch.
Explanation:
Adware.CommAd is an advertising program that displays popup windows and monitors browser activity. Some versions may also install the hack tool netmon (a program that monitors network traffic).
When Adware.CommAd is installed, it performs the following actions:
a) Creates the following directories and files (and subdirectories)
- C:\Program Files\Network Monitor (if it installs netmon)
- %WINDIR%\system32\atmtd.dll
- %WINDIR%\Tm9vYiBTYWlib3Q\asappsrv.dll
- %WINDIR%\Tm9vYiBTYWlib3Q\command.exe
- %WINDIR%\Tm9vYiBTYWlib3Q\A6Ss21nsq52vak.vbs (a VBScript that opens a web page (http://command.adservs.com/ {removed}) with instructions about uninstalling the application)
- The directory %WINDIR%\Tm9vYiBTYWlib3Q is marked with the hidden and system attributes, so it is usually not visible in Windows Explorer.
b) Creates the following registry keys
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920} (for CommAd)
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A394E835-C8D6-4B4B-884B-D2709059F3BE} (for netmon)
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR (for netmon)
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService (this registers the file '%WINDIR%\Tm9vYiBTYWlib3Q\command.exe' as a service, so command.exe is executed at Windows startup)
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Network Monitor (this registers the file 'C:\Program Files\Network Monitor\netmon.exe' as a service, so netmon is executed at Windows startup)
Last update 21 November 2011
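A read-only triage script for the artifacts listed above, added here as an example and not part of the BitDefender advisory; it uses only the paths, registry keys and service names the advisory names, and assumes it is run on the examined Windows host with PowerShell 5 or later (for the StartType property of Get-Service).

```powershell
# Added triage script, not part of the BitDefender advisory: reports whether the
# Adware.CommAd.A artifacts listed above are present. Read-only, changes nothing.
$win = $env:WINDIR
$dropDir = Join-Path $win 'Tm9vYiBTYWlib3Q'

$files = @(
    (Join-Path $win 'system32\atmtd.dll'),
    (Join-Path $dropDir 'asappsrv.dll'),
    (Join-Path $dropDir 'command.exe'),
    (Join-Path $dropDir 'A6Ss21nsq52vak.vbs'),
    'C:\Program Files\Network Monitor\netmon.exe'
)

$regKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A394E835-C8D6-4B4B-884B-D2709059F3BE}',
    'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE',
    'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR',
    'HKLM:\SYSTEM\CurrentControlSet\Services\cmdService',
    'HKLM:\SYSTEM\CurrentControlSet\Services\mchInjDrv',
    'HKLM:\SYSTEM\CurrentControlSet\Services\Network Monitor'
)

$hits = @()

# The drop directory is marked hidden+system, so Get-Item needs -Force to see it.
if (Test-Path -LiteralPath $dropDir -PathType Container) {
    $attr = (Get-Item -LiteralPath $dropDir -Force).Attributes
    $hits += "dir: $dropDir (attributes: $attr)"
}
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f -PathType Leaf) { $hits += "file: $f" }
}

foreach ($k in $regKeys) {
    if (Test-Path -LiteralPath $k) {
        $hits += "registry: $k"
        # For the service keys, show the registered binary so a changed path is visible.
        $img = (Get-ItemProperty -LiteralPath $k -ErrorAction SilentlyContinue).ImagePath
        if ($img) { $hits += "  ImagePath = $img" }
    }
}
# Both services are registered to run at Windows startup; report their current state.
foreach ($svc in @('cmdService', 'Network Monitor')) {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($s) { $hits += "service: $($s.Name) status=$($s.Status) start=$($s.StartType)" }
}

if ($hits.Count -eq 0) { 'No Adware.CommAd.A artifacts found.' } else { $hits }
```

Run it from an elevated prompt so the HKLM service keys and the hidden directory are readable; any hit is a reason to quarantine the listed files and disable the two services before a full scan.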