Adware:Win32/Loones
First posted on 22 October 2015.
Source: Microsoft
Aliases:
There are no other names known for Adware:Win32/Loones.
Explanation:
Threat behavior
Installation
This threat can create files on your PC, including:
- %LOCALAPPDATA%\y0w5bzdvzw4yczy\y0w5bzdvzw4yczy.exe - copy of the threat
- \loons.lnk - shortcut that points to the executable
The malware uses code injection to make it harder to detect and remove. It can inject code into running processes.
Payload
Displays ads that you can't control
This program can show you extra ads by trying to access a certain URL. These ads can appear:
- In your web browser: such as search helpers, hover links, and banner ads.
- Outside of your web browser: such as pop ups, balloon ads, and toast notifications.
These advertisements would not be shown if this program wasn't installed on your PC.
We have seen it try to access the following:
- http://avj22eyj.systotal.com/settings.json
- http://avj22eyj.systotal.com/settings.php
- http://b1dtdo0r.dataurls.com/settings.json
- http://b1dtdo0r.dataurls.com/settings.php
- http://kqs7scug.recordgate.com/settings.json
- http://kqs7scug.recordgate.com/settings.php
- http://tx8ivujx.data-url.com/settings.json
- http://tx8ivujx.data-url.com/settings.php
The URL contains the message that is displayed, a redirection link, and other configuration information used to display the ads.
The ads or messages contain an invitation to perform a survey, and include information such as your IP address and the location of your PC.
The following are some examples of the messages:
- Title: "Missing drivers",
  Text: "there are missing drivers in your system , drivers are the software makes sure your hardware will work properly, click here to restore missing drivers"
- Title: "Poor performance",
  Text: "Your PC seems to be slower than usual. Click here to speed up performance."
- Title: "Critical error",
  Text: "it seems that your registry is damaged , it might cause performance issues , click here to improve your PC performance"
- Title: "Survey",
  Text: "We would like to improve the service you are getting ,please click here and answer few questions and we even reward you for that"
- Title: "Update available",
  Text: "your PDF reader is outdated , click here to update"
Analysis by Ric Robielos
Symptoms
The following can indicate that you have this threat on your PC:
- You see messages or ads inviting you to perform a survey
- You see a file similar to:
  - %LOCALAPPDATA%\y0w5bzdvzw4yczy\y0w5bzdvzw4yczy.exe
  - \loons.lnk
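A detection check over the indicators above, as an added example that is not part of Microsoft's write-up: it flags the listed hosts fetching settings.json or settings.php in constructed proxy log lines, and looks for the dropped `<name>\<name>.exe` plus `loons.lnk` in a constructed %LOCALAPPDATA% tree. The write-up truncates the shortcut's directory, so searching for it anywhere below %LOCALAPPDATA% is an assumption.

```python
import re
import tempfile
from pathlib import Path

# Hosts and paths that the write-up lists as contacted by Adware:Win32/Loones.
LOONES_HOSTS = {
    "avj22eyj.systotal.com", "b1dtdo0r.dataurls.com",
    "kqs7scug.recordgate.com", "tx8ivujx.data-url.com",
}
SETTINGS_PATHS = ("/settings.json", "/settings.php")
URL_RE = re.compile(r"https?://([^/\s]+)(/\S*)?")

def flag_loones_urls(log_lines):
    """Return URLs in proxy log lines that match the adware's settings fetch."""
    hits = []
    for line in log_lines:
        for m in URL_RE.finditer(line):
            host, path = m.group(1).lower(), (m.group(2) or "")
            if host in LOONES_HOSTS and path.startswith(SETTINGS_PATHS):
                hits.append(m.group(0))
    return hits

def find_loones_files(local_appdata):
    """Find <dir>\\<dir>.exe directly under %LOCALAPPDATA% and any loons.lnk below it
    (the shortcut's exact directory is truncated in the write-up; assumed here)."""
    root = Path(local_appdata)
    findings = [str(d / f"{d.name}.exe") for d in root.iterdir()
                if d.is_dir() and (d / f"{d.name}.exe").is_file()]
    findings += [str(p) for p in root.rglob("loons.lnk")]
    return sorted(findings)

# Constructed sample data: proxy log lines and a fake %LOCALAPPDATA% tree.
SAMPLE_LOG = [
    "2015-10-22 10:01:02 10.0.0.5 GET http://avj22eyj.systotal.com/settings.json 200",
    "2015-10-22 10:01:09 10.0.0.5 GET http://www.example.com/settings.json 200",
    "2015-10-22 10:02:30 10.0.0.5 GET http://tx8ivujx.data-url.com/settings.php 200",
]

def build_sample_tree():
    """Create a throwaway directory mimicking the dropped files; returns its path."""
    root = Path(tempfile.mkdtemp())
    drop = root / "y0w5bzdvzw4yczy"
    drop.mkdir()
    (drop / "y0w5bzdvzw4yczy.exe").write_bytes(b"MZ placeholder, not a real binary")
    (drop / "loons.lnk").write_bytes(b"constructed shortcut placeholder")
    (root / "Temp").mkdir()  # unrelated directory with no matching .exe
    return root
```

Run `flag_loones_urls(SAMPLE_LOG)` and `find_loones_files(build_sample_tree())` to see the two hits and the two dropped files; on a real host pass `os.environ["LOCALAPPDATA"]` instead of the sample tree.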
Last update 22 October 2015