
Adware/Vapsup - Released Oct 08, 2007 - Last Updated May 02, 2008

Alias/es

not-a-virus:AdWare.Win32.Vapsup.it, AdClicker-FC trojan, Trojan.NetAdware.Gen.1, Trj/Downloader.MDW, BDS/Agent.ggd

Detection Availability

Active Database / Extended Database
FortiGate
low
high
FortiClient
FortiMail N/A

Visible Symptoms

  • The following file exists under the Windows folder:
    • rs.txt

Detailed Analysis

  • This adware arrives as an executable file (EXE).

  • When executed, it drops a DLL file with a random filename. This file is then registered as a Browser Helper Object (BHO).

  • If Internet Explorer is opened, it connects to the URL nam{REMOVED}irect.com.

  • It downloads the file rs.txt, which contains a list of domains. The file contains the following:
    redirect-settings
    version: 4
    save-dt: 1075864684
    domain:adult{REMOVED}world.com
    domain:clickher{REMOVED}core.com
    domain:sinful{REMOVED}sex.us
    domain:www.cele{REMOVED}sfree.com
    ...
  • The list of domains is used to redirect entered URLs or selected links.

  • While browsing the internet, fake security alerts pop up periodically and ask if the user would like to download fake security software products. These software products give the user counterfeit warnings and induce the user to purchase their license to protect their system.
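
A triage check for the rs.txt symptom described above, as an added example that is not part of the original write-up or any Fortinet tooling: it reads rs.txt from the Windows folder and reports whether it follows the redirect-settings layout shown in the listing. The function names and sample domains are constructed for illustration; the file is assumed to be plain text, and lines other than the three fields shown are tolerated because the listing on this page is elided.

```python
import os
import re

# Layout taken from the rs.txt listing on this page: a "redirect-settings"
# header, then "version:", "save-dt:" and one "domain:" line per entry.
HEADER = "redirect-settings"
FIELD = re.compile(r"^(version|save-dt|domain)\s*:\s*(\S+)$", re.IGNORECASE)

def parse_redirect_settings(text):
    """Return the parsed fields, or None if the text does not match the layout."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or lines[0].lower() != HEADER:
        return None  # e.g. an unrelated rs.txt left by other software
    found = {"version": None, "save-dt": None, "domains": [], "other": []}
    for ln in lines[1:]:
        m = FIELD.match(ln)
        if m is None:
            found["other"].append(ln)  # keep unknown lines for the analyst
        elif m.group(1).lower() == "domain":
            found["domains"].append(m.group(2).lower())
        else:
            found[m.group(1).lower()] = m.group(2)
    # A header without any domain entry is not treated as a match.
    return found if found["domains"] else None

def check_windows_folder(windir):
    """Parse <windir>/rs.txt; None if it is absent, unreadable or not a match."""
    path = os.path.join(windir, "rs.txt")
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            return parse_redirect_settings(fh.read())
    except OSError:
        return None

# Constructed samples (not real indicators): one matching file, one benign file.
SAMPLE_MATCH = """redirect-settings
version: 4
save-dt: 1075864684
domain:ads.example.com
domain:WWW.Example.net
"""
SAMPLE_BENIGN = "Release notes\nversion: 4\n"

if __name__ == "__main__":
    hit = check_windows_folder(os.environ.get("WINDIR", r"C:\Windows"))
    print("rs.txt matches the redirect-settings layout:", hit is not None)
    for domain in (hit or {}).get("domains", []):
        print("  redirect domain:", domain)
```

A match only confirms the visible symptom; the randomly named DLL registered as a Browser Helper Object still has to be located and removed by the antivirus product.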
Recommended Action

      FortiGate Systems

    • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.

      FortiClient Systems

    • Quarantine/delete files that are detected and replace infected files with clean backup copies.

    Reference: ID - 393017