Threat Encyclopedia

Adware/Cometsys

Analysis



The details for the Cometsys installer are:
File Name: sinstaller.exe
File Size: 117,320 bytes
Digital Signature: Screensavers.com


The details for the Cometsys executables are:
File Name: siuninst.exe
File Size: 32,980 bytes
File Name: swpstart.exe
File Size: 142,336 bytes
Version: 2.0.11.1
Description: swpstart
Company Name: Comet Systems


The details for the Cometsys libraries are:
File Name: ScreensaversInst.DLL
File Size: 166,400 bytes
Version: 1.0.0.1
Description: ScreensaversInstaller Module
Product Version: 1, 0, 0, 1


Description of Adware:

Cometsys is downloaded from www.screensavers.com upon retrieving a screensaver or wallpaper from the website. Cometsys also owns Starware (see Adware/Starware); Starware can, however, be installed separately. Cometsys appears to serve as a stub for Starware and other adware. Cometsys will also retrieve updates periodically from the screensavers.com network without user authorization or notification. Installing Cometsys will also install America Online and Netscape Network software, and place icons on the desktop. The AOL and Netscape Network software was not referenced in the executable details for this Adware, as the file integrity of those files seemed to be intact, and they are not part of Cometsys.


System alterations upon installation:

  • This description assumes that the user has unchecked the optional Starware Toolbar install. A page similar to the one shown below is displayed:
    [Screenshot: Cometsys install]

  • The installer will retrieve additional files from www.screensavers.com in order to install.

  • The following files are installed:
    C:\Program Files\AOD\aol.ini
    C:\Program Files\AOD\AolAod.exe
    C:\Program Files\AOD\netscape
    C:\Program Files\AOD\timedata.ini
    C:\Program Files\AOD\TRAINER.PPK
    C:\Program Files\AOD\netscape\ns_yell.ico
    C:\Program Files\AOD\aol\aod_bb_1_73.ico
    C:\Program Files\AOD\aol\aod_modem_1.ico
    C:\Program Files\Screensavers.com\Wallpaper\swpstart.exe
    C:\Program Files\Screensavers.com\Installer\temp\dm5B.tmp
    C:\Program Files\Screensavers.com\Installer\bin\ScreensaversInst.dll
    C:\Program Files\Screensavers.com\Installer\bin\siuninst.exe

  • The following are some of the registry keys added:
    HKLM\SOFTWARE\Gtek\AOD
    HKLM\SOFTWARE\Gtek\AOD\InstallPath
    HKLM\SOFTWARE\Gtek\AOD\ExecuteName
    HKLM\SOFTWARE\Gtek\AOD\Version
    HKLM\SOFTWARE\Gtek\AOD\VersionOnAir
    HKLM\SOFTWARE\Screensavers.com
    HKLM\SOFTWARE\Screensavers.com\Installer
    HKLM\SOFTWARE\Screensavers.com\Installer\Tokens
    HKLM\SOFTWARE\Screensavers.com\Installer\Tokens\COMET
    HKLM\SOFTWARE\Screensavers.com\Installer\Tokens\WINDOWS
    HKLM\SOFTWARE\Screensavers.com\Installer\Settings
    HKLM\SOFTWARE\Screensavers.com\Installer\Settings\rangeSize
    HKLM\SOFTWARE\Screensavers.com\Installer\Settings\secNextRangeInterval
    HKLM\SOFTWARE\Screensavers.com\Installer\Settings\tValidHistoryPeriod
    HKLM\SOFTWARE\Screensavers.com\Installer\Settings\tActiveJobPurgePeriod
    HKLM\SOFTWARE\Screensavers.com\Installer\Settings\tTempFilePurgePeriod
    HKLM\SOFTWARE\Screensavers.com\Installer\Settings\prMaxLoad
    HKLM\SOFTWARE\Screensavers.com\Installer\Data
    HKLM\SOFTWARE\Screensavers.com\Installer\Data\ICON
    HKLM\SOFTWARE\Screensavers.com\Installer\Data\ICON\AOL
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ScreensaversInstaller
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ScreensaversInstaller\DisplayName
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ScreensaversInstaller\UninstallString
    HKLM\SOFTWARE\Classes\ScreensaversInstaller.Installer
    HKLM\SOFTWARE\Classes\ScreensaversInstaller.Installer\CurVer
    HKLM\SOFTWARE\Classes\ScreensaversInstaller.Installer\CLSID
    HKLM\SOFTWARE\Classes\ScreensaversInstaller.Installer.1
    HKLM\SOFTWARE\Classes\ScreensaversInstaller.Installer.1\CLSID
    HKLM\SOFTWARE\Classes\ScreensaversInstaller.Sinstaller
    HKLM\SOFTWARE\Classes\ScreensaversInstaller.Sinstaller\CurVer
    HKLM\SOFTWARE\Classes\ScreensaversInstaller.Sinstaller\CLSID
    HKLM\SOFTWARE\Classes\ScreensaversInstaller.Sinstaller.1
    HKLM\SOFTWARE\Classes\ScreensaversInstaller.Sinstaller.1\CLSID

  • The installer will then execute the swpstart.exe file, which will open the host's display options.


Adware behavior:

  • Cometsys may install other Spyware or Adware including the Starware toolbar without user interaction.

  • Cometsys may compromise host security by communicating with and retrieving files from unauthorized networks.
