Prevalence: Low
Name: Adware.Blinkator.A
Type:
How it spreads:
Affected operating:
Aliases:
Date of surface: Dec 20 2007 12:00AM
When executed, the virus creates the following files:

  %WINDOWS%\system32\sprt_ads.dll
  %WINDOWS%\system32\superiorads-uninst.exe

And the following registry keys:

  HKEY_CURRENT_USER\Software\Microsoft\AdvRemoteDbg
  HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AdPanel.Panel1
  HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AdPanel.Panel1.1
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\superiorads

It adds itself to startup by creating the value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spa_start and by registering itself as a Browser Helper Object (BHO).

The adware keeps all the information it needs to show popups in the registry. It creates the following values under the key HKCU\Software\Microsoft\AdvRemoteDbg:

  aff_id
  day
  domain_list
  install_id
  last_ip
  next_url_post_time
  max_impress
  impress_stat
  click_stat
  delay
  click_counter
  url_list
  domain_collect_enabled
  url_collect_enabled
  max_clicks
  timestamp
  last_update_attempt

The adware works by opening an Internet Explorer window in the background and showing popups at some time interval. It first connects to the server http://superi[hidden]/bc/ip.php using the agent “opera” and tries to read data from the server. It gets from the server the IP address of the server where the popups are located and saves it to the value last_ip.

At some time intervals the data from the registry is sent to the URL http://superi[hidden]/bc/123kah.php using the agent M0zilla/4.0(compatible); the install_id value is a hash made on the VolumeSerialNumber, WProcessorRevision and WProcessorLevel.

At some time intervals the adware checks for the existence of an update, and if an update is available, the virus downloads it from the server and executes it.
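The network behaviour described above can be hunted for in web proxy logs. The following is an added example, not part of the original write-up or of any eScan tool: it flags clients whose requests match the two request paths and the two agent strings given above. The log layout, the sample lines, the host names and the HTTP methods are constructed assumptions, and the agent “opera” is assumed to be the literal User-Agent string.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Indicators from the description above. The server host name is redacted on
# the page, so matching relies only on the request path and the User-Agent.
CHECKIN_PATH = "/bc/ip.php"        # read with the agent "opera"
REPORT_PATH = "/bc/123kah.php"     # receives the registry data
CHECKIN_UA = "opera"               # assumption: the literal agent string
REPORT_UA = "M0zilla/4.0(compatible)"  # note the zero in "M0zilla"

# Assumed (constructed) log layout:
#   <timestamp> <client-ip> "<METHOD> <url>" "<user-agent>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) "(?P<method>[A-Z]+) (?P<url>\S+)" "(?P<ua>[^"]*)"$'
)

def classify(url, ua):
    """Return the set of indicator names that a single request matches."""
    path = urlsplit(url).path.lower()
    ua = ua.strip()
    hits = set()
    if path == CHECKIN_PATH and ua.lower() == CHECKIN_UA:
        hits.add("checkin")
    if path == REPORT_PATH:
        hits.add("report-path")
    if ua == REPORT_UA:
        hits.add("fake-mozilla-ua")
    return hits

def scan(lines):
    """Map client IP -> sorted indicators seen; unparsable lines are skipped."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and (hits := classify(m["url"], m["ua"])):
            seen[m["client"]] |= hits
    return {client: sorted(hits) for client, hits in seen.items()}

# Constructed sample lines; hosts use the reserved .example TLD.
SAMPLE_LOG = [
    '2007-12-21T09:00:01Z 10.0.0.15 "GET http://ads.example/bc/ip.php" "opera"',
    '2007-12-21T09:05:01Z 10.0.0.15 "POST http://ads.example/bc/123kah.php?x=1" "M0zilla/4.0(compatible)"',
    '2007-12-21T09:06:10Z 10.0.0.22 "GET http://www.example/index.html" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '2007-12-21T09:07:30Z 10.0.0.31 "GET http://www.example/bc/ip.php" "Opera/9.25 (Windows NT 5.1; U; en)"',
    'garbage line',
]

if __name__ == "__main__":
    for client, hits in scan(SAMPLE_LOG).items():
        print(client, ", ".join(hits))
```

A client that matches more than one indicator, as 10.0.0.15 does in the sample, is a stronger lead than a single path or agent match; a genuine Opera browser requesting the same path is not flagged.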
For disinfection, download and run our free eScan Anti-Virus Toolkit. The utility checks your computer, system registry, and running processes for malicious programs, illegal dialers, and sniffer tools. Note: This tool does not protect your PC in real time.
You can download the eScan Anti-Virus Toolkit utility from the MicroWorld Web site.
Alternatively, you can install MicroWorld’s Internet Security Suite, which has real-time detection capabilities.
You can download and install the product from our eScan download page.