
W32/Adware_fam.NB - Released Dec 22, 2011 - Last Updated Feb 07, 2012

Aliases

Win32/Adware.WinPump.AB, Win32/Adware.Softomate.AA, Win32/Adware.CashTitan, Win32/Adware.ToolPlugin

Detection Availability

Active Database / Extended Database
FortiGate
low
high
FortiClient
FortiMail N/A

Visible Symptoms

Presence of unexpected toolbars/BHOs, or adware pop-ups.

Detailed Analysis

This detection is intended for samples that are known as Adware/Riskware that bundle themselves alongside legitimate applications.
Technical details
  • They usually arrive as installers (DivX packages, self-extracting ZIP/RAR executables, Nullsoft (NSIS) installers) and typically use the icon of a media file or of some other distributable package or archive format.

  • Figure 1: common icons used

  • They carry undesirable riskware toolbars, components, or plugins as side installations alongside the main, clean, legitimate application.

  • Figure 2: bundled application

  • The components are most commonly dropped in (but not restricted to) the following folders:
    • "%Current User%\Local Settings\Application Data\"
    • "%Current User%\Local Settings\Temp\"
    • "%Program Files%\"
    • "%System32%\"


  • As expected, the riskware also makes registry modifications, usually under the following paths:
    • HKEY_CLASSES_ROOT\CLSID\%BHO_ClassID%\
    • HKEY_CLASSES_ROOT\CLSID\%BHO_ClassID%\InProcServer32\
    • HKEY_LOCAL_MACHINE\SOFTWARE\%NameOfBHO%
  • It is not uncommon to see a direct installer or a downloader for the BHO/adware/riskware itself; as would be expected, these intentionally show no prompt or proper GUI of the kind legitimate installers display, so the user does not notice what the riskware just did.
  • Samples in this riskware/adware family usually do not ship with an uninstall program. If one was installed, it can be found in the Windows "Settings > Add or Remove Programs" list or as a "Start Menu" shortcut.

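The drop folders and the CLSID/InProcServer32 registry paths listed above are the artefacts an analyst would sweep for. As an added example (not part of the Fortinet write-up), the following Python script triages a `reg export HKCR\CLSID` text dump: it collects every CLSID's default name and InProcServer32 DLL path and flags COM servers loaded from the user-profile drop folders, while entries under Program Files or System32 are only marked for review, since legitimate components live there too. The `.reg` text, CLSIDs, names and paths are constructed for illustration; the `AppData\Local` patterns are the Vista-and-later equivalents of the XP-era `Local Settings` folders named on this page and are my assumption, not something the page states.

```python
import re

# Constructed sample in Windows .reg export format (backslashes are doubled in .reg
# string values). CLSIDs, names and paths are made up for this example.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}]
@="Example Toolbar Helper"

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InProcServer32]
@="C:\\Documents and Settings\\user\\Local Settings\\Application Data\\ExampleTB\\helper.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{66666666-7777-8888-9999-000000000000}]
@="Legit Shell Extension"

[HKEY_CLASSES_ROOT\CLSID\{66666666-7777-8888-9999-000000000000}\InProcServer32]
@="C:\\WINDOWS\\system32\\shell32.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\InProcServer32]
@="C:\\Documents and Settings\\user\\Local Settings\\Temp\\nsq3.tmp\\plugin.dll"
'''

# User-profile folders from the page's drop list; a COM server loaded from here is
# a strong indicator. The AppData\Local entries are an assumption (Vista+ layout).
USER_DROP_DIRS = (
    "\\local settings\\application data\\",
    "\\local settings\\temp\\",
    "\\appdata\\local\\",
)
# Shared folders from the page's drop list; legitimate DLLs live here as well, so a
# hit only means "verify the file's signature/hash", not "malicious".
SHARED_DROP_DIRS = ("\\program files\\", "\\system32\\")

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
DEFAULT_RE = re.compile(r'^@="(?P<val>.*)"\s*$')
CLSID_RE = re.compile(
    r"^HKEY_CLASSES_ROOT\\CLSID\\(?P<clsid>\{[0-9A-Fa-f-]{36}\})(?P<sub>.*)$"
)


def parse_reg_export(text):
    """Return {clsid: {"name": str|None, "inproc": str|None}} from a .reg dump."""
    entries = {}
    current = None  # (clsid, lower-cased subkey path) of the key being read
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            km = CLSID_RE.match(m.group("key"))
            current = (km.group("clsid"), km.group("sub").lower()) if km else None
            if current:
                entries.setdefault(current[0], {"name": None, "inproc": None})
            continue
        if current is None:
            continue
        m = DEFAULT_RE.match(line)
        if not m:
            continue
        value = m.group("val").replace("\\\\", "\\")  # undo .reg escaping
        clsid, sub = current
        if sub == "":
            entries[clsid]["name"] = value
        elif sub == "\\inprocserver32":
            entries[clsid]["inproc"] = value
    return entries


def classify(entries):
    """Return [(clsid, name, dll_path, verdict)] for every CLSID with a server DLL."""
    findings = []
    for clsid, info in entries.items():
        path = info["inproc"]
        if not path:
            continue
        norm = path.lower().replace("/", "\\")
        if any(d in norm for d in USER_DROP_DIRS):
            verdict = "suspicious: COM server loaded from a user-profile drop folder"
        elif any(d in norm for d in SHARED_DROP_DIRS):
            verdict = "review: shared folder, verify file signature/hash before acting"
        else:
            verdict = "other"
        findings.append((clsid, info["name"], path, verdict))
    return findings


def report(text):
    """One line per flagged CLSID, suspicious entries first."""
    rows = classify(parse_reg_export(text))
    rows.sort(key=lambda r: 0 if r[3].startswith("suspicious") else 1)
    return [f"{c} {n or '<no name>'} -> {p} [{v}]" for c, n, p, v in rows]


if __name__ == "__main__":
    for line in report(SAMPLE_REG):
        print(line)
```

On a live host the same functions can be fed the output of `reg export HKCR\CLSID clsid.reg` (saved as UTF-16, so open it with `encoding="utf-16"`); a hit under Program Files or System32 should be confirmed against the file's Authenticode signature or a known-good hash before quarantining.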
Recommended Action

FortiGate Systems

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.

FortiClient Systems

  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

    Reference: ID - 3358037