Adware.ZAS
First posted on 21 November 2011.
Source: BitDefender
Aliases:
There are no other names known for Adware.ZAS.
Explanation:
When executed, the program registers a class (“REMINDER”), copies itself to the startup folder and modifies the following registry values:
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA: 0
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin: 0
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\EnableBalloonTips: 1
Creates the following values:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WinHost Management: %system%\winchost.exe
HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%system%\winchost.exe: *Enabled:Winchost
HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\winchost.exe: *Enabled:Winchost
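The registry and file artifacts listed above can be checked for on a suspect host. The script below is an added example for this page, not BitDefender's own detection; it assumes it runs with rights to read HKLM, takes "%system%" to mean %SystemRoot%\System32, and, because the description does not give the name of the startup-folder copy, lists every executable in the user's Startup folder for review.

```powershell
# Added example: look for the Adware.ZAS artifacts described on this page.
# Assumes read access to HKLM and that %system% is %SystemRoot%\System32.
$findings = @()

function Test-RegValue {
    param([string]$Path, [string]$Name, $Expected)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item -and $item.$Name -eq $Expected) { "$Path\$Name = $Expected" }
}

# 1. UAC weakened: EnableLUA=0 disables UAC, ConsentPromptBehaviorAdmin=0 elevates silently.
$uac = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$findings += Test-RegValue $uac 'EnableLUA' 0
$findings += Test-RegValue $uac 'ConsentPromptBehaviorAdmin' 0

# 2. Persistence: any per-user Run value that launches winchost.exe.
$run = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run) {
    $run.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -match 'winchost\.exe' } |
        ForEach-Object { $findings += "Run\$($_.Name) = $($_.Value)" }
}

# 3. Firewall exception for winchost.exe in the (XP-era) AuthorizedApplications list.
$fw = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
$fwList = Get-ItemProperty -Path $fw -ErrorAction SilentlyContinue
if ($fwList) {
    $fwList.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and $_.Name -match 'winchost\.exe' } |
        ForEach-Object { $findings += "Firewall exception: $($_.Name) = $($_.Value)" }
}

# 4. Dropped binary in System32 and the copy placed in the user's Startup folder
#    (file name of the copy is not given on the page, so every .exe there is listed).
$dropped = Join-Path $env:SystemRoot 'System32\winchost.exe'
if (Test-Path $dropped) { $findings += "File present: $dropped" }
$startup = [Environment]::GetFolderPath('Startup')
Get-ChildItem -Path $startup -Filter '*.exe' -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "Startup folder executable (review): $($_.FullName)" }

# Drop the nulls returned by Test-RegValue when a value was not set.
$findings = @($findings | Where-Object { $_ })
if ($findings.Count -eq 0) { 'No Adware.ZAS artifacts found.' }
else { 'Possible Adware.ZAS artifacts:'; $findings }
```

If UAC values are found at 0 on a host where the adware has been removed, restore them (EnableLUA=1, ConsentPromptBehaviorAdmin back to the default of 5) and remove the firewall exception, since cleaning the binary alone leaves the weakened settings in place.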
After that it starts two timers: one that initially fires after 60 seconds and one that fires after 3 hours.
The second timer just resets the first one to 60 seconds and displays a message box containing the interval text.
The activation period for the first timer varies from 60 to 900 seconds.
When the first timer fires, the adware displays one of the following messages to the user:
“Your Antivirus protection is LOW! Click to install TrustedAntivirus. Complete protection for user pc against malicious viruses, worms and Trojan horses. Repairs infected files Package includes firewall, antispyware and anti-popup protection.”
“Your system has errors! Use System Error Fixer to fix it, delete unnecessary files, prevent data loss, and keep hard drive neat. Click to install”
“Adult and forbidden materials found on your PC! Install PC Privacy Tool. This program deletes every sign of prohibited materials. It eliminates every implicating file on user PC and protects user privacy.”
“Your protection level is LOW! Install SpyGuardPro! this utility detects and removes adware, spyware and Trojans. It also protects your system in real-time mode and prevents online intrusions”
“Warning! Your security level is low.Your computer might be infected. You could suffer data loss, erratic PC behavior, PC freezes and crashes!. Click to install AntiSpywareControl to scan your PC”
“Warning! Porn material found on your PC. Your computer has tracks of all adult sites you had visited! It can violate your privacy and could compromise your career and your marriage. Click to install AdvancedCleaner to remove illegal materials.”
It also tries to open and close the CD-ROM door and to download a widely spread virus (Trojan.Zlob). When the user clicks the message, the adware downloads and installs a rogue program from one of the links listed below:
Last update 21 November 2011