
Summary

Prevalence: Medium

Name: Adware.Navipromo.BYZ

Type: Adware

How it spreads: Malicious Websites / Applications

Affected operating systems: All versions of the Windows® Operating System

Aliases: Navipromo

Date of surface: Oct 25 2007 12:00AM

Description

Symptoms:
Pop-up advertisements may appear even when Internet Explorer (or some other browser) isn’t running.

Description:
Adware.Navipromo is an advanced and difficult-to-detect adware that runs silently on the infected computer. It uses rootkit techniques to hide its process in memory and stores files and registry entries on disk.

This malware comes bundled with several software applications that can be downloaded from the sites listed below.

netgamebox.com
ediaplayer.com
planet.com
skinner.com
stro.com
cord.com
ngerskinner.com

On first run, it creates an executable with a randomly generated name in the %system% directory (default is: C:\Windows\system32) and then runs in stealth mode. The hidden process drops a library file (msclock.dll or msplock.dll) in the %system% directory, which is then injected into the memory space of ‘explorer.exe’. The adware tracks the URLs visited from the infected computer, stores them on disk and sends them to a server. It then receives links to related advertisements, which are displayed as pop-up windows. During the transfer, several other files are created in the %system% directory. Their names consist of the randomly generated name followed by one of the suffixes below, and they are not visible to the user either:
.dat
_nav.dat
_navps.dat
_navup.dat
_navtmp.dat
_m2s.xml

Adware.Navipromo may also create the registry subkey ‘HKEY_LOCAL_MACHINE\Software\mc’, which contains information about the adware, and may add one registry value (also hidden):
[random_name] = "%system%\[random_name].exe"
to one of the following registry subkeys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
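
The artifacts described above can be checked together. The following is an added example, not part of the original write-up or of the eScan tools: it groups file names by shared base name and flags a base that has an executable plus the listed companion files, optionally confirmed by a matching Run value. It assumes the %system% file names and Run values were collected offline (for instance from a mounted disk image), since the write-up says they are hidden on the running system; the function names and sample data are constructed for illustration.

```python
from collections import defaultdict

# Suffixes listed in the write-up, longest first so "_nav.dat" wins over ".dat".
SUFFIXES = ("_navtmp.dat", "_navps.dat", "_navup.dat", "_nav.dat", "_m2s.xml", ".dat")
DROPPED_DLLS = {"msclock.dll", "msplock.dll"}

def split_name(filename):
    """Return (base, suffix) if the name ends with a listed suffix, else None."""
    lower = filename.lower()
    for suf in SUFFIXES:
        if lower.endswith(suf) and len(lower) > len(suf):
            return lower[:-len(suf)], suf
    return None

def triage(system_files, run_values):
    """system_files: names found in %system%; run_values: {name: data} from both Run keys."""
    names = {f.lower() for f in system_files}
    groups = defaultdict(set)
    for name in names:
        parts = split_name(name)
        if parts:
            groups[parts[0]].add(parts[1])
    findings = []
    for base, sufs in sorted(groups.items()):
        # A lone "<base>.dat" is too common to flag; require <base>.exe plus
        # at least one of the "_nav*"/"_m2s" companions from the write-up.
        if base + ".exe" not in names or not (sufs - {".dat"}):
            continue
        run_hit = any(
            n.lower() == base and d.strip('"').lower().endswith("\\" + base + ".exe")
            for n, d in run_values.items()
        )
        findings.append({"base": base, "suffixes": sorted(sufs), "run_value": run_hit})
    return findings, sorted(names & DROPPED_DLLS)

# Constructed sample data (not taken from a real infection).
SAMPLE_FILES = ["kqzvbt.exe", "kqzvbt.dat", "kqzvbt_nav.dat", "kqzvbt_navps.dat",
                "kqzvbt_m2s.xml", "msclock.dll", "notepad.exe", "perfc009.dat"]
SAMPLE_RUN = {"kqzvbt": r"C:\Windows\system32\kqzvbt.exe",
              "ExampleUpdater": r"C:\Program Files\Example\updater.exe"}

if __name__ == "__main__":
    hits, dlls = triage(SAMPLE_FILES, SAMPLE_RUN)
    for hit in hits:
        print("suspicious base name:", hit)
    print("dropped library names present:", dlls)
```

A finding is a lead for further analysis of the named files, not a verdict: the check relies only on the naming pattern described above.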

Recovery

For disinfection, download and run our free eScan Anti-Virus Toolkit. The utility checks your computer, system registry, and running processes for malicious programs, illegal dialers, and sniffer tools. Note: This tool does not protect your PC in real time.

You can download the eScan Anti-Virus Toolkit utility from the MicroWorld Web site: http://www.escanav.com/english/content/products/MWAV/escan_mwav.asp

Alternatively, you can install MicroWorld’s Internet Security Suite, which has real-time detection capabilities. You can download and install the product from our eScan download page: http://www.escanav.com/english/content/products/generic_eScan/eScan.asp
