
Adware:Win32/Adshot


First posted on 24 May 2010.
Source: SecurityHome

Aliases :

Adware:Win32/Adshot is also known as not-a-virus:AdWare.Win32.BHO.mcv (Kaspersky), AdSpy.AB (Norman), Trojan horse BHO.MHG (AVG), TR/BHO.315392 (Avira), Win32/Adware.Lifze.A (ESET), Trojan.BHO (Ikarus), Adware.Win32.Adshot (Sunbelt Software), Adware.EZLife (Symantec).

Explanation :

Adware:Win32/Adshot is a detection for an adware commonly installed as a Web browser helper object (BHO) along with other potentially unwanted applications like Adware:Win32/SmartAdsSolutions and Adware:Win32/BHO.G. These programs are known to deliver advertisements based on the user's Web surfing habits.

Installation :

Adware:Win32/Adshot is present on the computer as a DLL file in the Windows system folder with a random file name. It creates the following registry keys and all associated subkeys and entries to install itself as a BHO:

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7CC1E29B-B863-44A8-B449-BF50F51808A0}
  • HKLM\SOFTWARE\Classes\adShotHlpr.adShotHlpr
  • HKLM\SOFTWARE\Classes\adShotHlpr.adShotHlpr.1.0
  • HKLM\SOFTWARE\Classes\CLSID\{BA8A7666-1F2A-407C-BF2B-80EC0DA6AE41}
  • HKLM\SOFTWARE\Classes\CscrptXt.CscrptXt.1.0
  • HKLM\SOFTWARE\Classes\CscrptXt.CscrptXt
  • HKLM\SOFTWARE\Classes\CLSID\{E0EC6FBA-F009-3535-95D6-B6390DB27DA1}
  • HKLM\SOFTWARE\Classes\CLSID\{7CC1E29B-B863-44A8-B449-BF50F51808A0}
Adware:Win32/Adshot creates the following registry entries as part of its installation routine:

  • Adds value: "ezLife"
    With data: "rundll32 "<random string>.dll",,run"
    In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  • Adds value: "afltId"
    With data: "orgnl"
    In subkey: HKLM\SOFTWARE\Classes\AppID\{38061EDC-40BB-4618-A8DA-E56353347E6D}\instl\Data
  • Adds value: "InstallDir"
    With data: "%ProgramFiles%\ezlife\ezlife\1.5.4.0"
    In subkey: HKLM\SOFTWARE\ezLife\ezLife\Instl
  • Adds value: "DisplayName"
    With data: "ezlife browser enhancer"
    In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\ezLife

Execution :

Adware:Win32/Adshot may contact the following Web sites to send and receive information:
  • affilatemaxed.biz
  • callPrnds.net
  • clarionmediausa.com
  • ctxnetworks.net
  • kusochtak.com
  • maxsitesrevenues.net
  • ratingtheweb.net
  • revenuesmadeeasy.net
  • zigi-media-networks.biz
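The registry keys, Run value and domains above are usable as host and network indicators. The following PowerShell script is an added example for this page and is not part of the original encyclopedia entry or of any vendor tool: it checks the listed BHO, CLSID, ProgID, AppID, uninstall and Run entries (in both the native and Wow6432Node views, since a 32-bit installer on 64-bit Windows writes under Wow6432Node), resolves and hashes the DLL the BHO would load, and then searches a proxy or DNS log for the listed domains. The function names and the log path are assumptions made for the example; the log is assumed to be any text file with one hostname or URL per line.

```powershell
# Added example (not from the original encyclopedia entry): hunt for the
# Adware:Win32/Adshot registry and network indicators listed on this page.
# Assumptions: elevated PowerShell 5.1+ on the suspect host; the log passed to
# Search-AdshotDomains is any text file whose lines carry a hostname or URL.
# Test-AdshotRegistry, Search-AdshotDomains and New-Hit are names made up here.

$Clsids = @(
    '{7CC1E29B-B863-44A8-B449-BF50F51808A0}',   # the BHO's own CLSID
    '{BA8A7666-1F2A-407C-BF2B-80EC0DA6AE41}',
    '{E0EC6FBA-F009-3535-95D6-B6390DB27DA1}'
)
$ProgIds = @('adShotHlpr.adShotHlpr', 'adShotHlpr.adShotHlpr.1.0',
             'CscrptXt.CscrptXt',     'CscrptXt.CscrptXt.1.0')
$AppId   = '{38061EDC-40BB-4618-A8DA-E56353347E6D}'
$Domains = @('affilatemaxed.biz', 'callPrnds.net', 'clarionmediausa.com',
             'ctxnetworks.net', 'kusochtak.com', 'maxsitesrevenues.net',
             'ratingtheweb.net', 'revenuesmadeeasy.net', 'zigi-media-networks.biz')

function New-Hit($Type, $Key, $Data) {
    [pscustomobject]@{ Type = $Type; Key = $Key; Data = $Data }
}

function Test-AdshotRegistry {
    $hits = @()
    # A 32-bit installer on 64-bit Windows lands under Wow6432Node, so check both views.
    foreach ($sw in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node') {
        foreach ($c in $Clsids) {
            $bho = "$sw\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$c"
            if (Test-Path $bho) { $hits += New-Hit 'BHO' $bho $null }
            $srv = "$sw\Classes\CLSID\$c\InprocServer32"
            if (Test-Path $srv) {
                # The (default) value of InprocServer32 is the DLL Internet Explorer will load.
                $dll  = (Get-ItemProperty $srv).'(default)'
                $hash = if ($dll -and (Test-Path $dll)) { (Get-FileHash $dll -Algorithm SHA256).Hash } else { 'file not found' }
                $hits += New-Hit 'CLSID' $srv "$dll sha256=$hash"
            }
        }
        foreach ($p in $ProgIds) {
            if (Test-Path "$sw\Classes\$p") { $hits += New-Hit 'ProgID' "$sw\Classes\$p" $null }
        }
        if (Test-Path "$sw\Classes\AppID\$AppId") { $hits += New-Hit 'AppID' "$sw\Classes\AppID\$AppId" $null }
        if (Test-Path "$sw\ezLife")               { $hits += New-Hit 'Vendor' "$sw\ezLife" $null }
        $un = "$sw\Microsoft\Windows\CurrentVersion\Uninstall\ezLife"
        if (Test-Path $un) { $hits += New-Hit 'Uninstall' $un (Get-ItemProperty $un).DisplayName }

        # Persistence: Run value "ezLife" = rundll32 "<random string>.dll",,run
        $run = "$sw\Microsoft\Windows\CurrentVersion\Run"
        $val = (Get-ItemProperty $run -ErrorAction SilentlyContinue).ezLife
        if ($val) {
            $dllPath = $null
            if ($val -match 'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?') {
                $dllPath = $Matches[1]
                # The page says the DLL sits in the Windows system folder with a random
                # name, so an unrooted name is resolved there (SysWOW64 for 32-bit IE on
                # 64-bit Windows is a likely alternative; check both if nothing is found).
                if (-not [IO.Path]::IsPathRooted($dllPath)) {
                    $dllPath = Join-Path $env:SystemRoot "System32\$dllPath"
                }
            }
            $hits += New-Hit 'Run' "$run\ezLife" "$val -> $dllPath"
        }
    }
    $hits
}

function Search-AdshotDomains {
    param([string]$LogPath)
    # Case-insensitive substring match of every listed domain against each log line.
    $pattern = ($Domains | ForEach-Object { [regex]::Escape($_) }) -join '|'
    Select-String -Path $LogPath -Pattern $pattern |
        ForEach-Object { New-Hit 'Network' "$($_.Filename):$($_.LineNumber)" $_.Line.Trim() }
    # On Windows 8 / Server 2012 and later the resolver cache is another cheap source.
    if (Get-Command Get-DnsClientCache -ErrorAction SilentlyContinue) {
        Get-DnsClientCache | Where-Object { $_.Entry -in $Domains } |
            ForEach-Object { New-Hit 'DnsCache' $_.Entry $_.Data }
    }
}

# Usage (log path is an assumption):
#   Test-AdshotRegistry | Format-Table -AutoSize
#   Search-AdshotDomains -LogPath 'C:\ProxyLogs\access.log' | Format-Table -AutoSize
```

A hit on the BHO key or the Run value alone is sufficient to treat the host as infected; the hash printed for the InprocServer32 DLL is what to submit to your AV vendor or match against a sandbox verdict, since the page gives only the random-name behaviour and no file hash. Remove the Run value and the BHO/CLSID keys only after the DLL has been unloaded (close Internet Explorer and Explorer-hosted shells first), otherwise the running instance can re-create them.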


Analysis by Jireh Sanico

    Last update 24 May 2010
