Adware:Win32/Wheresphere


First posted on 10 February 2010.
Source: SecurityHome

Aliases :

There are no other names known for Adware:Win32/Wheresphere.

Explanation :

Adware:Win32/Wheresphere is a program that displays pop-up advertisements related to the affected user's Web browsing habits.
Installation

When installed, Adware:Win32/Wheresphere may create the following registry key:

HKCU\Software\WhereSphere

Adware:Win32/Wheresphere then creates a number of registry values under this key, similar to the following values:

34gretdbgtew
dfgdfgdtmtchktbdfb
erytvrsnteryy
kyhtffcckdthkh
yukrfrthsterrre
yuktbfrnvtjlil
weffwtccdtwefv
wgmghtntptfghmv

These entries contain data consisting of encrypted configuration information.

Adware:Win32/Wheresphere also modifies the registry to run its file at each system start:

Adds value: "WhereSphere"
With data: "<WhereSphere file>"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

It also creates the following file:

<system folder>\config.cfg

and the following folder for its own use:

%appdata%\WhereSphere

Additional information

Adware:Win32/Wheresphere may install browser extensions for Firefox and Internet Explorer browsers in order to deliver the advertisements. It uses encrypted communication and an MD5 hash in order to verify communication with a remote server.

It may communicate with clients.wheresphere.com in order to download components and update itself.

Analysis by Marian Radu

Last update 10 February 2010
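
A read-only check for the host artifacts listed in this entry, as an added PowerShell example that is not part of the original write-up. The function name is hypothetical, `<system folder>` is assumed to mean the Windows system directory, and only the hive and profile of the user running the script are inspected.

```powershell
# Added example: reports which Adware:Win32/Wheresphere artifacts named in
# this entry exist for the current user. It reads only; nothing is changed.
function Get-WheresphereArtifact {
    [CmdletBinding()]
    param()

    $found = @()

    # 1. Configuration key that holds the encrypted, randomly named values.
    $cfgKey = 'HKCU:\Software\WhereSphere'
    if (Test-Path -LiteralPath $cfgKey) {
        $count = (Get-Item -LiteralPath $cfgKey).ValueCount
        $found += [pscustomobject]@{
            Artifact = 'Config key'; Path = $cfgKey; Detail = "$count value(s)" }
    }

    # 2. Autostart entry: value "WhereSphere" under the per-user Run key.
    #    Its data is the path of the file to examine and remove.
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -LiteralPath $runKey -Name 'WhereSphere' `
               -ErrorAction SilentlyContinue
    if ($run) {
        $found += [pscustomobject]@{
            Artifact = 'Run value'; Path = "$runKey\WhereSphere"
            Detail   = [string]$run.WhereSphere }
    }

    # 3. Working folder under the user's roaming profile.
    $folder = Join-Path $env:APPDATA 'WhereSphere'
    if (Test-Path -LiteralPath $folder -PathType Container) {
        $found += [pscustomobject]@{
            Artifact = 'Folder'; Path = $folder; Detail = 'present' }
    }

    # 4. config.cfg in the system folder (assumed: the Windows system
    #    directory). The name is generic, so this is weak evidence alone.
    $cfgFile = Join-Path ([Environment]::SystemDirectory) 'config.cfg'
    if (Test-Path -LiteralPath $cfgFile -PathType Leaf) {
        $found += [pscustomobject]@{
            Artifact = 'Config file'; Path = $cfgFile
            Detail   = 'weak indicator; corroborate with items 1-3' }
    }

    $found
}

Get-WheresphereArtifact | Format-Table -AutoSize -Wrap
```

Because the registry entries live under HKCU, the check has to be run in the session of each user profile on the machine.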