Summary

Prevalence: Medium

Name: Adware.Navipromo.BYZ

Type: Adware

How it spreads: Malicious Websites / Applications

Affected operating: All versions of the Windows® Operating System

Aliases: Navipromo

Date of surface: Oct 25 2007 12:00AM

Description

Symptoms:
Pop-up advertisements may appear even when Internet Explorer (or some other browser) isn’t running.

Description:
Adware.Navipromo is an advanced and difficult-to-detect adware that runs silently on the infected computer. It uses rootkit techniques to hide its process in memory, as well as the files and registry entries it stores on disk.

This malware comes bundled with several software applications which can be downloaded from the sites listed below.

<hide>netgamebox.com
<hide>ediaplayer.com
<hide>planet.com
<hide>skinner.com
<hide>stro.com
<hide>cord.com
<hide>ngerskinner.com

On first run, it creates an executable with a randomly generated name in the %system% directory (default is: C:\Windows\system32) and then runs in stealth mode. The hidden process drops a library file (msclock.dll or msplock.dll) in the %system% directory, which is then injected into the memory space of ‘explorer.exe’. The adware tracks the URLs visited from the infected computer, stores them on disk and sends them to a server. It then receives links to related advertisements, which are displayed as pop-up windows. During transfer, several other files are created in the %system% directory. Their names are formed from the randomly generated name and the following suffixes, and they are not visible to the user either.

.dat
_nav.dat
_navps.dat
_navup.dat
_navtmp.dat
_m2s.xml

Adware.Navipromo may also create the following registry subkey:
‘HKEY_LOCAL_MACHINE\Software\mc’ – which contains information about the adware.

It may also add one registry value (also hidden):
[random_name] = "%system%\[random_name].exe"
to one of the following registry subkeys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
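
The file-naming pattern described above can be checked against a directory listing by grouping names on their shared random stem. The following is an added example, not part of the original write-up or of any eScan tool. It assumes the listing and the Run values were collected from an offline view of the disk (the entry states the files are hidden on the running system); the function names, the sample data and the threshold of two companion files are assumptions made for illustration.

```python
from collections import defaultdict

# Companion-file suffixes listed in the description; longest first so that
# "x_nav.dat" is matched as stem "x" + "_nav.dat", not stem "x_nav" + ".dat".
SUFFIXES = ["_navtmp.dat", "_navps.dat", "_navup.dat", "_nav.dat", "_m2s.xml", ".dat"]
DROPPED_DLLS = {"msclock.dll", "msplock.dll"}

# Constructed sample data (not taken from a real infection).
SAMPLE_LISTING = ["kernel32.dll", "notepad.exe", "perfc009.dat", "msclock.dll",
                  "qwzkd.exe", "qwzkd.dat", "qwzkd_nav.dat", "qwzkd_navps.dat",
                  "qwzkd_m2s.xml"]
SAMPLE_RUN_VALUES = ['"C:\\Windows\\system32\\qwzkd.exe"']


def split_stem(name):
    """Return (stem, suffix) when name ends in .exe or a listed suffix, else None."""
    lower = name.lower()
    for suffix in SUFFIXES + [".exe"]:
        if lower.endswith(suffix) and len(lower) > len(suffix):
            return lower[:-len(suffix)], suffix
    return None


def find_artifacts(filenames, run_values=(), min_companions=2):
    """Group a %system% listing by stem and report stems matching the pattern."""
    groups, dlls = defaultdict(set), set()
    for name in filenames:
        if name.lower() in DROPPED_DLLS:
            dlls.add(name.lower())
        parts = split_stem(name)
        if parts:
            groups[parts[0]].add(parts[1])
    findings = []
    for stem, suffixes in sorted(groups.items()):
        companions = sorted(suffixes - {".exe"})
        # Require the executable plus several companions: one .dat alone is common.
        if ".exe" in suffixes and len(companions) >= min_companions:
            target = "\\" + stem + ".exe"
            autorun = any(v.lower().strip('"').endswith(target) for v in run_values)
            findings.append({"stem": stem, "companions": companions, "autorun": autorun})
    return {"dlls": sorted(dlls), "findings": findings}


if __name__ == "__main__":
    print(find_artifacts(SAMPLE_LISTING, SAMPLE_RUN_VALUES))
```

A match is a lead for further inspection of the named files and the Run value, not a verdict on its own.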

Recovery

For disinfection, download and run our free eScan Anti-Virus Toolkit. The utility checks your computer, system registry, and running processes for malicious programs, illegal dialers, and sniffer tools. Note: This tool does not protect your PC in real time.

You can download the eScan Anti-Virus Toolkit utility from the MicroWorld Web site > http://www.escanav.com/english/content/products/MWAV/escan_mwav.asp

Alternatively, you can install MicroWorld’s Internet Security Suite, which has real-time detection capabilities. You can download and install the product from our eScan download page > http://www.escanav.com/english/content/products/generic_eScan/eScan.asp