Threat Encyclopedia


Win32/Adware.Primawega.AB

Aliases: Suspicious:W32/Malware!Gemini (F-Secure)
Type of infiltration: Adware
Size: 669360 B
Affected platforms: Microsoft Windows
Signature database version: 5081 (20100503)

Short description

Win32/Adware.Primawega.AB is adware: an application designed to deliver unsolicited advertisements. The adware collects various information while a certain application is in use and can send that information to a remote machine.

Installation

The adware contains a list of (2) URLs. It tries to download several files from the addresses.

These are stored in the following locations:
  • %temp%\%variablestr1%downloaded%variablestr2%.ex_ (507685 B)
  • %temp%\%variablestr1%downloaded%variablestr3%.ex_ (762739 B, Win32/Adware.Primawega.AB)
The files are then executed.

A string with variable content is used instead of %variablestr1-3%.

The adware creates the following files:
  • %system%\%variable1%.dll
  • %system%\%variable2%.exe
The following Registry entries are created:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\%variable3%]
    "(Default)"="everyflv"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\%variable3%\InProcServer32]
    "(Default)"="%system%\%variable1%.dll"
    "ThreadingModel"="Apartment"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\%variable4%]
    "2512411649"=%variable5%
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\%variable3%]
    "NoExplorer"=""""
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\%variable2%]
    "DisplayName"="LoudMo Contextual Ad Assistant"
    "UninstallString"="%system%\%variable2%.exe"
    "NoModify"=0
    "NoRepair"=0
A string with variable content is used instead of %variable1-5%.

This causes the adware to be executed on every application start.

The adware may set the following Registry entries:
  • [HKEY_CURRENT_USER\Software\AppDataLow\%string1%]
  • [HKEY_CURRENT_USER\Software\AppDataLow\%string1%\%string2%]
The adware keeps various information in the following Registry key:
  • [HKEY_CURRENT_USER\Software\AppDataLow\%string1%]
A string with variable content is used instead of %string1-2%.

The adware may create the following files:
  • %mozillafirefoxinstallfolder%\extensions\%variable1%\components\%variable2%.dll
  • %mozillafirefoxinstallfolder%\extensions\%variable1%\chrome.manifest
  • %mozillafirefoxinstallfolder%\extensions\%variable1%\install.rdf
A string with variable content is used instead of %variable1-2%.
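The persistence artefacts listed above (the BHO CLSID registration pointing at a DLL in %system%, the "LoudMo Contextual Ad Assistant" uninstall entry, and the Firefox extension folder carrying a binary component) can be hunted for on a suspect host. The following PowerShell script is an added example for that purpose; it is not part of the ESET description. It assumes an elevated PowerShell 5.1 or later session, reads %system% from the environment, and guesses the Firefox install folder from the default Program Files locations (an assumption, since the page only gives the placeholder %mozillafirefoxinstallfolder%). The "DLL in %system%" check is a heuristic drawn from this description, not a general rule.

```powershell
# Added example (not from the ESET page): hunt for the Win32/Adware.Primawega.AB
# persistence artefacts described above and return one record per match.
function Find-PrimawegaArtifacts {
    $systemDir = [Environment]::GetFolderPath('System')   # %system%
    $bhoRoot   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    $uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
    $findings  = @()

    # 1. Browser Helper Objects: follow each registered CLSID to its InProcServer32 DLL.
    if (Test-Path $bhoRoot) {
        foreach ($bho in Get-ChildItem -Path $bhoRoot) {
            $clsid = $bho.PSChildName
            foreach ($classes in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKCU:\SOFTWARE\Classes\CLSID') {
                $clsKey = Join-Path $classes $clsid
                if (-not (Test-Path $clsKey)) { continue }
                $name = (Get-ItemProperty -Path $clsKey -ErrorAction SilentlyContinue).'(default)'
                $dll  = (Get-ItemProperty -Path (Join-Path $clsKey 'InProcServer32') -ErrorAction SilentlyContinue).'(default)'
                $reasons = @()
                # Indicator from the description: the CLSID's default value is "everyflv".
                if ($name -eq 'everyflv') { $reasons += 'CLSID default value "everyflv"' }
                # Heuristic from the description: the BHO DLL is dropped directly into %system%.
                if ($dll) {
                    $dllPath = [Environment]::ExpandEnvironmentVariables($dll.Trim('"'))
                    if ($dllPath -like (Join-Path $systemDir '*.dll')) { $reasons += 'BHO DLL located in %system%' }
                }
                if ($reasons.Count -gt 0) {
                    $findings += [pscustomobject]@{ Kind = 'BHO'; Location = $clsKey; Detail = $dll; Reason = ($reasons -join '; ') }
                }
            }
        }
    }

    # 2. Uninstall entry with the display name used by the adware.
    foreach ($entry in Get-ChildItem -Path $uninstall -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $entry.PSPath -ErrorAction SilentlyContinue
        if ($props.DisplayName -eq 'LoudMo Contextual Ad Assistant') {
            $findings += [pscustomobject]@{ Kind = 'Uninstall'; Location = $entry.PSPath; Detail = $props.UninstallString; Reason = 'DisplayName matches the adware uninstall entry' }
        }
    }

    # 3. Firefox extension folders that carry chrome.manifest, install.rdf and a
    #    native component DLL (the legacy layout the description lists).
    #    Assumption: Firefox lives under one of the default Program Files paths.
    foreach ($base in $env:ProgramFiles, ${env:ProgramFiles(x86)}) {
        if (-not $base) { continue }
        $extDir = Join-Path $base 'Mozilla Firefox\extensions'
        if (-not (Test-Path $extDir)) { continue }
        foreach ($ext in Get-ChildItem -Path $extDir -Directory) {
            $hasManifest = Test-Path (Join-Path $ext.FullName 'chrome.manifest')
            $hasRdf      = Test-Path (Join-Path $ext.FullName 'install.rdf')
            $dlls        = Get-ChildItem -Path (Join-Path $ext.FullName 'components') -Filter '*.dll' -ErrorAction SilentlyContinue
            if ($hasManifest -and $hasRdf -and $dlls) {
                $findings += [pscustomobject]@{ Kind = 'FirefoxExtension'; Location = $ext.FullName; Detail = ($dlls.Name -join ', '); Reason = 'extension ships a native component DLL' }
            }
        }
    }

    # 4. Per-user storage key named in the description; listed for analyst review
    #    because %string1% is variable and cannot be matched by name.
    $appDataLow = 'HKCU:\Software\AppDataLow'
    if (Test-Path $appDataLow) {
        foreach ($key in Get-ChildItem -Path $appDataLow) {
            $findings += [pscustomobject]@{ Kind = 'AppDataLow'; Location = $key.PSPath; Detail = ''; Reason = 'review: adware keeps its data under HKCU\Software\AppDataLow\<variable>' }
        }
    }

    return $findings
}

# Usage: run from an elevated prompt and review the table; an empty result means
# none of the artefacts above were found at the locations checked.
Find-PrimawegaArtifacts | Format-Table -AutoSize
```

The BHO check walks both HKLM and HKCU class registrations because the CLSID registered under Browser Helper Objects resolves through either hive; the AppDataLow section deliberately lists every subkey rather than matching a name, since the description only gives a placeholder for it.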

Information stealing

The adware collects information related to the following applications:
  • Internet Explorer
  • Mozilla Firefox
The following information is collected:
  • a list of recently visited URLs
  • network adapter information
  • CPU information
  • list of disk devices and their type
The adware can send the information to a remote machine.

Other information

The adware acquires data and commands from a remote computer or the Internet.

The adware contains a list of (8) URLs. The HTTP protocol is used.

It can execute the following operations:
  • download files from a remote computer and/or the Internet
  • run executable files
The adware program is designed to deliver various advertisements to the user's systems.

The user may be redirected to one of the following Internet web sites:
  • mypendingresults.com