SecurityHome.eu Adware:Win32/WTool

Home / malware PDF

Adware:Win32/WTool

First posted on 31 January 2012.
Source: Microsoft
Aliases :
Adware:Win32/WTool is also known as Win32/Adware.Kraddare.CA application (ESET).
Explanation :
Adware:Win32/WTool is an adware program installed as a Browser Helper Object (BHO). The BHO may redirect the browser to certain websites and display advertisements for certain products.

Top

Adware:Win32/WTool is an adware program installed as a Browser Helper Object (BHO). The BHO may redirect the browser to certain websites and display advertisements for certain products.

Installation

Adware:Win32/WTool makes the following changes to the affected computer:

It creates the following folder:
%ProgramFiles%\WTool

It creates the following files:

%ProgramFiles%\WTool\WTool.exe - detected as Adware:Win32/WTool

%ProgramFiles%\WTool\WTool.dll - detected as Adware:Win32/WTool

%ProgramFiles%\WTool\Uninstall.exe

%ProgramFiles%\WTool\ex.dat

%ProgramFiles%\WTool\exh.dat

Adware:Win32/WTool creates the following subkeys:

HKCU\Software\WTool

HKLM\Classes\CLSID\{84395E42-9FF9-4B85-9264-B1762D069593}

HKLM\Classes\CLSID\{CD1884F6-1D50-42BC-AF79-31E85C47FC90}

HKLM\Classes\Interface\{25D89E97-EEC7-4EE8-B6A5-42132E215251}

HKLM\Classes\Interface\{A3AB09FD-1644-4CE2-A25E-CEB617F335A0}

HKLM\Classes\TypeLib\{1E677998-EB26-466A-B87C-85DFCB38FAE0}

HKLM\Classes\WTool.BandHelper

HKLM\Classes\WTool.BandHelper.1

HKLM\Classes\WTool.SideBand

HKLM\Classes\WTool.SideBand.1

HKLM\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{84395E42-9FF9-4B85-9264-B1762D069593}

HKLM\Microsoft\Windows\CurrentVersion\Uninstall\WTool

It also creates the following entry to ensure that it automatically runs at every Windows start:

In subkey: HKLM\Microsoft\Windows\CurrentVersion\Run
Sets value: "WTool"
With data: "%ProgramFiles%\WTool\WTool.exe"

It also creates the following uninstall entry in the registry:

In subkey: HKLM\Microsoft\Windows\CurrentVersion\Uninstall\WTool
Sets value: "DisplayName"
With data: "WTool"
Sets value: "UninstallString"
With data: "%ProgramFiles%\WTool\Uninstall.exe"

It creates the following registry entries as part of its installation routine:

In subkey: HKLM\Classes\CLSID\{84395E42-9FF9-4B85-9264-B1762D069593}
Sets value: "Default"
With data: "WToolHelper"

In subkey: HKLM\Classes\CLSID\{CD1884F6-1D50-42BC-AF79-31E85C47FC90}
Sets value: "Default"
With data: "WTool"

In subkey: HKLM\Classes\Interface\{25D89E97-EEC7-4EE8-B6A5-42132E215251}
Sets value: "Default"
With data: "ISideBand"

In subkey: HKLM\Classes\Interface\{A3AB09FD-1644-4CE2-A25E-CEB617F335A0}
Sets value: "Default"
With data: "IBandHelper"

In subkey: HKLM\Classes\WTool.BandHelper.1
Sets value: "Default"
With data: "BandHelper Class"

In subkey: HKLM\Classes\WTool.BandHelper
Sets value: "Default"
With data: "BandHelper Class"

In subkey: HKLM\Classes\WTool.SideBand.1
Sets value: "Default"
With data: "SideBand Class"

In subkey: HKLM\Classes\WTool.SideBand
Sets value: "Default"
With data: "SideBand Class"

In subkey: HKLM\Microsoft\Windows\CurrentVersion\Uninstall\WTool
Sets value: "DisplayName"
With data: "WTool"
Sets value: "UninstallString"
With data: "%ProgramFiles%\WTool\Uninstall.exe"

Additional information

Adware:Win32/WTool monitors the user's browser for any of the following patterns in the URL:

.akmall.com/search/
.aladin.co.kr/search/wsearchresult.
.bb.co.kr/main/search/
.career.co.kr/jobs/list/search_detail_l...
.cjmall.com/prd/front/search/
.dnshop.com/front/search/
.gsshop.com/search/
.hmall.com/front/scSearchL.
.lotte.com/ec/front/search/
.lotteimall.com/search/
.mm.co.kr/category/
.nseshop.com/jsp/item/item_search.
.ogage.co.kr/shop/search_V4.
.yeoin.com/search/
.yes24.com/SearchCenter/OzSearchResult....
.zeromarket.co.kr/openMall/search/
.zeromarket.com/openMall/search/
/search/SearchCommonMain.
100.nate.com
100.naver.com
academic.naver.com
adhow.daum.net
adshop.paran.com
ask.nate.com
blog.chosun.com
book.nate.com
book.naver.com
clix.bizshop.daum.net
club.cyworld.com
comics.nate.com
cyworld.com
dic.paran.com
enc.daum.net
endic.naver.com
engdic.daum.net
engdic.nate.com
estate.nate.com
google.co.kr/#sclient
google.co.kr/search
google.com/#sclient
google.com/search
imagesearch.naver.com
jpdic.daum.net
jpdic.naver.com
keywordshop.nate.com
ko.wikipedia.org
kordic.nate.com
korean.visitkorea.or.kr
kr.blog.yahoo.com
kr.dictionary.search.yahoo.com
kr.finance.yahoo.com
kr.fun.yahoo.com
kr.gugi.yahoo.com
kr.img.search.yahoo.com
kr.ks.yahoo.com
kr.news.yahoo.com
kr.product.shopping.yahoo.com
krdic.daum.net
krdic.naver.com
local.naver.com
mall.shinsegae.com/search/
map.cyworld.com
map.naver.com
media.paran.com
mm.search.nate.com
movie.naver.com
mt.co.kr/view/mtview
music.naver.com
myoverture.co.kr
news.msn.co.kr
news.nate.com
olv.moazine.com
q.freechal.com
report.paran.com
review.nate.com
search.11st.
search.auction.
search.danawa.
search.daum.net
search.gmarket.
search.interpark.
search.nate.com
search.naver.com
search.pandora.tv
search.paran.com
search.yahoo.com
searchad.naver.com
tourguide.tourexpress.com
tvpot.daum.net
video.cyworld.com
video.naver.com
www.mgoon.com

If the URL matches any of these strings, then the keyword in the URL is sent to "sideon.co.kr".

It may display a dialog box similar to the following:

Adware:Win32/WTool downloads files that contain keywords and advertisements sites from "data.withpop.com".

It also attempts to check and install newer versions by connecting to "wtool.searchlite.co.kr".

Analysis by Michael Johnson

Last update 31 January 2012

TOP

Malware :

Last 20