Home / malware

PDF

Adware.Navipromo.M

First posted on 21 November 2011.
Source: BitDefender

Aliases :

There are no other names known for Adware.Navipromo.M.

Explanation :

Adware.Navipromo.M was written in MFC. Once executed, it runs explorer.exe and inject in explorer.exe process. After injection, it removes the original file from disk.

It creates the following key: [HKEY_LOCAL_MACHINESoftwaremc] where some information about this adware is stored (such as remove, install, etc).

It copies itself in system directory using the name mstmpreg32.dll.

The following files may be written to windows directory: mslagent.exe, mslagent_.exe and uninstall.exe.

It also modifies following registry keys in order to run itself on startup:

a) HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun

b) HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun



If internet connection is avaible, the adware can download components from different web sites.



MSClock32.dll contains cod that can override functionality of several system functions (for registry, dialing, etc) witch makes Adwar.Navipromo difficult to detect.

Last update 21 November 2011

 

TOP