
Adware:Win32/FastSaveApp


First posted on 10 January 2013.
Source: Microsoft

Aliases:

Adware:Win32/FastSaveApp is also known as Win32/Adware.MultiPlug.E (ESET).

Explanation:



Adware:Win32/FastSaveApp may be installed from the program's website:





It may also be installed by offers in third-party software installation programs.



Installation

When run, the installer for Adware:Win32/FastSaveApp creates a folder named "SaveAs" in the %APPDATA% folder and installs the following items there:

  • an Internet Explorer BHO (browser helper object) file
  • a Google Chrome extension, by placing the following files in the folder:
    • background.html
    • chrome.manifest
    • content.js
    • manifest.json
    • preferences
    • sqlite.j
  • a component file used by the program: "settings.ini"


Note: %APPDATA% refers to a variable location that is determined by the malware by querying the operating system. The default location for the Application Data folder for Windows 2000, XP, and 2003 is "C:\Documents and Settings\<user>\Application Data". For Windows Vista, 7, and 8, the default location is "C:\Users\<user>\AppData\Roaming".

It may also install these files to the following folders it creates in the %APPDATA% folder:

  • Zoomex
  • Vaudix
  • wxDownloa
  • Download and Sa


Adware:Win32/FastSaveApp creates an entry in the <start menu> called "SaveAs", which contains links to the program's website and uninstaller.

Note: <start menu> refers to a variable location that is determined by the software by querying the operating system. The default location for the Start Menu folder for Windows 2000, XP, and 2003 is "C:\Documents and Settings\<user>\Start Menu" or "C:\Users\<user>\Start Menu". For Windows Vista, 7, and 8, the default location is "C:\Users\<user name>\AppData\Roaming\Microsoft\Windows\Start Menu".

Adware:Win32/FastSaveApp installs itself as a BHO which can be seen in Internet Explorer's Manage Add-ons window, as in the following screenshot:



The program is installed as an extension for Google Chrome by placing the following files in the folder "%LOCALAPPDATA%\google\chrome\user data\default\extensions\<randomly named folder>":

  • background.html
  • chrome.manifest
  • content.js
  • manifest.json
  • preferences
  • sqlite.js


Note: %LOCALAPPDATA% refers to a variable location that is determined by the malware by querying the operating system. The default location for the Local Application Data folder for Windows 2000, XP, and 2003 is "C:\Documents and Settings\<user>\Local Settings\Application Data". For Windows Vista, 7, and 8, the default location is "C:\Users\<user>\AppData\Local".
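
A triage check for the artifacts listed above, as an added example that is not part of the original write-up: it flags %APPDATA% folders with the listed names and any Chrome extension directory that holds all six listed files. Folder names are matched as prefixes because the last two look cut off on this page; the function names and result layout are this example's own.

```python
import os
from pathlib import Path

# File set the page lists for the Chrome extension (compared case-insensitively).
EXT_FILES = {"background.html", "chrome.manifest", "content.js",
             "manifest.json", "preferences", "sqlite.js"}
# Folder names the page lists under %APPDATA%. The last two look cut off on
# the page, so every name is treated as a prefix (assumption of this example).
APPDATA_DIRS = ("saveas", "zoomex", "vaudix", "wxdownloa", "download and sa")
# Items the page says are dropped in the %APPDATA% folder.
MARKERS = {"settings.ini"} | EXT_FILES


def scan_appdata(appdata):
    """Return [(folder, [marker files present])] for matching %APPDATA% folders."""
    hits = []
    root = Path(appdata)
    if not root.is_dir():
        return hits
    for d in sorted(p for p in root.iterdir() if p.is_dir()):
        if d.name.lower().startswith(APPDATA_DIRS):
            found = sorted(f.name for f in d.iterdir()
                           if f.is_file() and f.name.lower() in MARKERS)
            hits.append((str(d), found))
    return hits


def scan_chrome(localappdata):
    """Return extension directories that contain all six listed files."""
    ext_root = Path(localappdata, "Google", "Chrome", "User Data",
                    "Default", "Extensions")
    hits = []
    # Walk every level: the files may sit in a version subfolder.
    for dirpath, _dirs, files in os.walk(ext_root):
        if EXT_FILES <= {f.lower() for f in files}:
            hits.append(dirpath)
    return sorted(hits)


def triage(appdata=None, localappdata=None):
    """Scan one profile; paths default to the current user's environment."""
    appdata = appdata or os.environ.get("APPDATA", "")
    localappdata = localappdata or os.environ.get("LOCALAPPDATA", "")
    return {"appdata_folders": scan_appdata(appdata) if appdata else [],
            "chrome_extensions": scan_chrome(localappdata) if localappdata else []}


if __name__ == "__main__":
    for kind, hits in triage().items():
        for hit in hits:
            print(kind, hit)
```

Pass the profile paths of another user or of a mounted disk image to `triage()` to scan something other than the current account.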

The program is configured to check for updates when you open your browser.

Adware:Win32/FastSaveApp creates an installation entry in the Programs and Features section of the Control Panel. Running this uninstaller may remove some or all of the files related to Adware:Win32/FastSaveApp from your computer.

Execution

Once installed, Adware:Win32/FastSaveApp displays "coupons" to you as you browse the Internet, as in the following examples:







Analysis by Mihai Calota

Last update 10 January 2013
