
Adware:Win32/Lollipop


First posted on 11 September 2013.
Source: Microsoft

Aliases:

There are no other names known for Adware:Win32/Lollipop.

Explanation:

Threat behavior

Installation


Adware:Win32/Lollipop may be installed by third-party software bundlers, such as SoftwareBundler:Win32/Lollipox and SoftwareBundler:Win32/Lollipos.

If you decline to allow the software bundler to install Adware:Win32/Lollipop, it will not be installed on your computer.

The following are screenshots of some of the software installers we have observed installing Adware:Win32/Lollipop:

Adware:Win32/Lollipop is installed with the name lollipop.exe into the following folder:

%LOCALAPPDATA%\Lollipop

When run, Adware:Win32/Lollipop creates the following files:

  • %LOCALAPPDATA%\Lollipop\lollipop.bat
  • %LOCALAPPDATA%\Lollipop\Lollipop.lpd
  • %LOCALAPPDATA%\Lollipop\Lollipop_ps.lpd
  • %LOCALAPPDATA%\Lollipop\logo.ico


The program sets itself to run every time Windows starts in one of three ways, which it chooses depending on your version of Windows and what security software you have installed.

The three ways are:

  • By modifying the following registry entry:

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: lollipop
    With data: "%LOCALAPPDATA%\Lollipop\lollipop.exe" lollipop
  • By modifying the following registry entry:

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
    Sets value: lollipop
    With data: "%LOCALAPPDATA%\Lollipop\lollipop.exe" lollipop
  • By dropping a shortcut to itself in the Windows <startup folder> as Lollipop.lnk


Adware:Win32/Lollipop creates an installation entry in the Programs and Features section of the Control Panel, as follows:



Running this uninstaller may remove some or all of the files related to the adware from your computer.

Behavior


Adware:Win32/Lollipop displays pop-up advertisements to you as you browse the Internet. These ads are based on keywords you enter into certain search engines. The ads differ depending on your geographical location and may be pornographic in nature.

The following is an example of the categories of advertisements displayed:



Redirects search engine results

The adware redirects search results from certain search engines, including the following:

  • Alot
  • AOL
  • Ask
  • Avg
  • Babylon
  • Bing
  • Chatzum
  • claroSearch
  • Conduit
  • DaleSearch
  • Delta
  • Ebay
  • Facemoods
  • Funmoods
  • Google
  • Incredibar
  • MSN
  • mysearch
  • Mywebsearch
  • Softonic
  • Sweetim
  • Yahoo


The adware redirects results when you use the following browsers:

  • AOL
  • Firefox
  • Google Chrome
  • Internet Explorer
  • Opera
  • Safari


For Firefox, the adware may also add an extension named {773F14E2-D643-4642-905E-1124C9A2170B}.xpi by modifying the following registry entry:

In subkey: <HKLM or HKCU>\Software\Mozilla\Extensions
Sets value: {ec8030f7-c20a-464f-9b0e-13a3a9e97384}
With data: "{773F14E2-D643-4642-905E-1124C9A2170B}.xpi"

For Google Chrome, the adware may also add an extension named nchpfiddbhbdnagofhkjlaiaejmkdcla.crx by modifying the following registry entries:

In subkey: <HKLM or HKCU>\Software\Google\Chrome\Extensions\nchpfiddbhbdnagofhkjlaiaejmkdcla
Sets value: path
With data: "nchpfiddbhbdnagofhkjlaiaejmkdcla.crx"

In subkey: <HKLM or HKCU>\Software\Wow6432Node\Google\Chrome\Extensions\nchpfiddbhbdnagofhkjlaiaejmkdcla
Sets value: path
With data: "nchpfiddbhbdnagofhkjlaiaejmkdcla.crx"
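The start-up methods and the browser-extension registrations described above can be checked from a single read-only audit. The following PowerShell script is an added example, not code from the original write-up: it takes its file names, registry paths and value names from the description and only reports what it finds; the report layout and the Add-Finding helper are my own choices.

```powershell
# Added example, not part of the original write-up: a read-only audit of the persistence
# locations and browser-extension registrations listed in the description. It reports
# indicators and removes nothing. Paths and value names come from the description;
# the report layout is my own choice.

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Type, $Location, $Detail) {
    $findings.Add([pscustomobject]@{ Type = $Type; Location = $Location; Detail = $Detail })
}

# 1. Dropped files under %LOCALAPPDATA%\Lollipop
$dropDir = Join-Path $env:LOCALAPPDATA 'Lollipop'
foreach ($name in 'lollipop.exe', 'lollipop.bat', 'Lollipop.lpd', 'Lollipop_ps.lpd', 'logo.ico') {
    $p = Join-Path $dropDir $name
    if (Test-Path -LiteralPath $p) { Add-Finding 'File' $p (Get-Item -LiteralPath $p).LastWriteTime }
}

# 2. Run / RunOnce values named "lollipop" (the first two start-up methods)
foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce') {
    $data = (Get-ItemProperty -Path $key -Name 'lollipop' -ErrorAction SilentlyContinue).lollipop
    if ($data) { Add-Finding 'Registry' "$key\lollipop" $data }
}

# 3. Lollipop.lnk in the per-user or all-users Startup folder (the third method)
foreach ($folder in 'Startup', 'CommonStartup') {
    $lnk = Join-Path ([Environment]::GetFolderPath($folder)) 'Lollipop.lnk'
    if (Test-Path -LiteralPath $lnk) { Add-Finding 'Shortcut' $lnk '' }
}

# 4. Firefox and Chrome extension registrations, in both hives the description allows
$xpi   = '{773F14E2-D643-4642-905E-1124C9A2170B}.xpi'
$crxId = 'nchpfiddbhbdnagofhkjlaiaejmkdcla'
foreach ($hive in 'HKLM:', 'HKCU:') {
    $ff = Get-ItemProperty -Path "$hive\Software\Mozilla\Extensions" -ErrorAction SilentlyContinue
    $ffData = $ff.'{ec8030f7-c20a-464f-9b0e-13a3a9e97384}'
    if ($ffData -and $ffData -like "*$xpi*") { Add-Finding 'Registry' "$hive\Software\Mozilla\Extensions" $ffData }
    foreach ($sub in "Software\Google\Chrome\Extensions\$crxId",
                     "Software\Wow6432Node\Google\Chrome\Extensions\$crxId") {
        $path = (Get-ItemProperty -Path "$hive\$sub" -Name 'path' -ErrorAction SilentlyContinue).path
        if ($path) { Add-Finding 'Registry' "$hive\$sub\path" $path }
    }
}

if ($findings.Count) { $findings | Format-Table -AutoSize }
else { 'No Adware:Win32/Lollipop indicators found in the audited locations.' }
```

Run it in the affected user's session, since the Run, RunOnce and per-user Startup locations belong to that user's profile.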

Adware:Win32/Lollipop sends the following information about your computer to a remote server:

  • The status of any antimalware or antispyware software you have
  • The status of your firewall
  • The locale or region in which your computer is located
  • Your Internet browsing history
  • Information about your browser session, such as the websites you have visited


In the wild, we have observed variants of Adware:Win32/Lollipop contacting the following servers over HTTP on port 80:

  • www.lollipop-network.com/<removed>.php
  • www.andocomparando.es/<removed>/product_check.php
  • www.andocomparando.es/<removed>/script.php


Analysis by Jaime Wong, Geoff McDonald and Michael Johnson

Symptoms

The appearance of offers or advertisements in windows outside of your main browser window may indicate the presence of Adware:Win32/Lollipop on your computer.

You may also notice the presence of an icon similar to the following in your task bar:



Last update 11 September 2013
