Adware:Win32/FastSaveApp
First posted on 10 January 2013.
Source: Microsoft
Aliases:
Adware:Win32/FastSaveApp is also known as Win32/Adware.MultiPlug.E (ESET).
Explanation:
Adware:Win32/FastSaveApp may be installed from the program's website:
It may also be installed by offers in third-party software installation programs.
Installation
When run, the installer for Adware:Win32/FastSaveApp creates a folder named "SaveAs" in the %APPDATA% folder and installs the following items there:
- an Internet Explorer BHO (browser helper object) file
- a Google Chrome extension, by placing the following files in the folder:
  - background.html
  - chrome.manifest
  - content.js
  - manifest.json
  - preferences
  - sqlite.j
- a component file used by the program: "settings.ini"
Note: %APPDATA% refers to a variable location that is determined by the malware by querying the operating system. The default location for the Application Data folder for Windows 2000, XP, and 2003 is "C:\Documents and Settings\<user>\Application Data". For Windows Vista, 7, and 8, the default location is "C:\Users\<user>\AppData\Roaming".
It may also install these files to the following folders it creates in the %APPDATA% folder:
- Zoomex
- Vaudix
- wxDownloa
- Download and Sa
Adware:Win32/FastSaveApp creates an entry in the <start menu> called "SaveAs", which contains links to the program's website and uninstaller.
Note: <start menu> refers to a variable location that is determined by the software by querying the operating system. The default location for the Start Menu folder for Windows 2000, XP, and 2003 is "C:\Documents and Settings\<user>\Start Menu" or "C:\Users\<user>\Start Menu". For Windows Vista, 7, and 8, the default location is "C:\Users\<user name>\AppData\Roaming\Microsoft\Windows\Start Menu".
Adware:Win32/FastSaveApp installs itself as a BHO which can be seen in Internet Explorer's Manage Add-ons window, as in the following screenshot:
The program is installed as an extension for Google Chrome by placing the following files in the folder "%LOCALAPPDATA%\google\chrome\user data\default\extensions\<randomly named folder>":
- background.html
- chrome.manifest
- content.js
- manifest.json
- preferences
- sqlite.js
Note: %LOCALAPPDATA% refers to a variable location that is determined by the malware by querying the operating system. The default location for the Local Application Data folder for Windows 2000, XP, and 2003 is "C:\Documents and Settings\<user>\Local Settings\Application Data". For Windows Vista, 7, and 8, the default location is "C:\Users\<user>\AppData\Local".
The program is configured to check for updates when you open your browser.
Adware:Win32/FastSaveApp creates an installation entry in the Programs and Features section of the Control Panel. Running this uninstaller may remove some or all of the files related to Adware:Win32/FastSaveApp from your computer.
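A triage check for the file-system artifacts listed in this section, as an added example that is not part of the original write-up or any Microsoft tooling: it looks for the listed %APPDATA% folders and for any Chrome extension folder that contains the complete listed file set. The function names are hypothetical, and the two folder names that appear cut off on the page are matched as prefixes rather than completed.

```python
import os
from pathlib import Path

# Folder names the write-up lists under %APPDATA%.
EXACT_FOLDERS = ("saveas", "zoomex", "vaudix")
# These two names appear cut off on the page, so they are matched as prefixes.
TRUNCATED_FOLDERS = ("wxdownloa", "download and sa")
# File set the write-up lists for the Chrome extension folder.
EXTENSION_FILES = {"background.html", "chrome.manifest", "content.js",
                   "manifest.json", "preferences", "sqlite.js"}


def find_appdata_folders(appdata):
    """Return sub-folders of %APPDATA% whose names match the listed ones."""
    if not appdata or not Path(appdata).is_dir():
        return []
    hits = []
    for entry in Path(appdata).iterdir():
        name = entry.name.lower()
        if entry.is_dir() and (name in EXACT_FOLDERS or name.startswith(TRUNCATED_FOLDERS)):
            hits.append(entry)
    return sorted(hits)


def find_extension_dirs(extensions_root):
    """Return folders under Chrome's Extensions tree holding the whole file set."""
    hits = []
    # Walk the tree: Chrome may nest a version folder under the extension folder.
    for dirpath, _dirs, files in os.walk(extensions_root):
        if EXTENSION_FILES <= {f.lower() for f in files}:
            hits.append(Path(dirpath))
    return sorted(hits)


def scan(appdata, localappdata):
    """Check one user's profile; only Chrome's Default profile is covered."""
    if not localappdata:
        ext_hits = []
    else:
        ext_root = Path(localappdata, "Google", "Chrome", "User Data", "Default", "Extensions")
        ext_hits = find_extension_dirs(ext_root)
    return {"appdata_folders": find_appdata_folders(appdata),
            "chrome_extension_dirs": ext_hits}


if __name__ == "__main__":
    found = scan(os.environ.get("APPDATA"), os.environ.get("LOCALAPPDATA"))
    for kind, paths in found.items():
        for path in paths:
            print(f"{kind}: {path}")
```

A folder-name hit alone is a weak signal, since a name like "SaveAs" is generic; a folder holding the full extension file set is the stronger indicator.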
Execution
Once installed, Adware:Win32/FastSaveApp displays "coupons" to you as you browse the Internet, as in the following examples:
Analysis by Mihai Calota
Last update 10 January 2013