This application requires Javascript for optimal performance.

Adware/BetterInternet - Released Apr 11, 2005 - Last Updated Mar 13, 2007

Alias/es

Adware/AbetterIntrnt.A, Adware/Abetterintrnt.DLDR, Adware/Abetterintrnt.DR, Hijacker/AbetterInternet

Detection Availability

Active DatabaseExtended Database
FortiGate
low
high
FortiClient
FortiMail N/A

Visible Symptoms

  • Compromised systems display popup ads for AbetterInternet.com

Detailed Analysis

This Adware is a utility that downloads files and "upgrades" software. The files are commonly retrieved from these web sites -

www.abetterinternet.com
download.abetterinternet.com

The executable programs initially connect to 'thinstall.abetterinternet.com' to download additional files. The following files are secretly downloaded and detected as follows:

Ceres.cab => Adware/Betterinternet
Csnopol.cab => Adware/Betterinternet
Polau2c.exe => Download/Agent.AY
Farmmext.exe => Download/Stubby.C

After downloading, the Cab files are installed in the system and the exe programs are copied into the System32 directory. These exe files, Farmmext.exe and Ceres.DLL (from Ceres.cab), are hooked up into the registry to execute whenever the system is started.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrenVersion\Run

Recommended Action

    FortiGate systems:
  • check the main screen using the web interface to ensure the latest AV/NIDS database has been downloaded and installed -- if required, enable the "Allow Push Update" option

  • Enable the URL blocking feature, and add these URLs to the list -

    www.abetterinternet.com
    download.abetterinternet.com
    thinstall.abetterinternet.com


Reference: ID - 10529