Adware/ShopAtHomeSelect

Analysis

Adware/ShopAtHomeSelect is an adware agent downloaded from www.ShopAtHomeSelect.com. The agent is installed when the user registers on the site: selecting the option "to download Golden Retriever software" and accepting the certificate from the site installs the agent on the computer.
During installation, it downloads a compressed file from the site and extracts it into the following files:
 
C:/WINNT/Downloaded Program Files/aj8sml3fo_.exe
C:/WINNT/Downloaded Program Files/h63v2629j_.exe
C:/WINNT/Downloaded Program Files/lcp4q80t9_.dll
C:/WINNT/Downloaded Program Files/uu1en13ec_.exe
C:/WINNT/Downloaded Program Files/WEBInstaller.dll

Then, it modifies the registry to include the files extracted:
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{C0EF89EE-EEC7-4535-A041-F1EBF79560A7}\Contains\Files
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls

This agent also updates the security settings of Internet Explorer, allowing the affected machine to download and execute unsigned ActiveX controls.
When the user visits the site, data is cached in the following cookies:
 
cookies for
ehg-shopathome.hitbox
hitbox.txt
www.shopathomeselect.txt
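
The file and registry artifacts listed above can be checked on a host with a short PowerShell script. This is an added example, not vendor code: the file names, CLSID and key paths are taken from this write-up, while the use of `$env:SystemRoot` in place of C:/WINNT, the extra WOW6432Node registry view and the helper names `Add-Finding` and `Get-LeafName` are assumptions.

```powershell
# Added example, not vendor code. File names, CLSID and key paths come from the
# write-up above. Assumptions: $env:SystemRoot stands in for C:/WINNT, and the
# WOW6432Node view is also checked for 64-bit hosts.
$fileNames = 'aj8sml3fo_.exe', 'h63v2629j_.exe', 'lcp4q80t9_.dll',
             'uu1en13ec_.exe', 'WEBInstaller.dll'
$clsid     = '{C0EF89EE-EEC7-4535-A041-F1EBF79560A7}'
$roots     = 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node'
$findings  = New-Object System.Collections.Generic.List[object]

# Hypothetical helper: record one hit.
function Add-Finding($Type, $Location) {
    $findings.Add([pscustomobject]@{ Type = $Type; Location = $Location })
}
# Hypothetical helper: leaf name of a path written with either slash style.
function Get-LeafName($Path) { ($Path -split '[\\/]')[-1] }

# 1. Files extracted into Downloaded Program Files
$dpf = Join-Path $env:SystemRoot 'Downloaded Program Files'
foreach ($name in $fileNames) {
    $path = Join-Path $dpf $name
    if (Test-Path -LiteralPath $path -PathType Leaf) { Add-Finding 'File' $path }
}

foreach ($root in $roots) {
    # 2. ActiveX distribution unit registered under the listed CLSID
    $du = "$root\Microsoft\Code Store Database\Distribution Units\$clsid"
    if (Test-Path -LiteralPath $du) { Add-Finding 'DistributionUnit' $du }

    # 3. ModuleUsage subkeys and SharedDlls value names that reference the files
    $cv = "$root\Microsoft\Windows\CurrentVersion"
    foreach ($sub in 'ModuleUsage', 'SharedDlls') {
        $keyPath = "$cv\$sub"
        if (-not (Test-Path -LiteralPath $keyPath)) { continue }
        $key   = Get-Item -LiteralPath $keyPath
        $names = @($key.GetSubKeyNames()) + @($key.GetValueNames())
        foreach ($n in $names) {
            if ((Get-LeafName $n) -in $fileNames) { Add-Finding $sub "$keyPath -> $n" }
        }
    }
}

if ($findings.Count -eq 0) {
    'No listed artifacts found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

The script only reads the file system and HKEY_LOCAL_MACHINE, and requires PowerShell 3.0 or later for the `-in` operator.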

Recommended Action

Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system. If required, enable the "Allow Push Update" option.

Telemetry

Detection Availability

FortiGate
Extended
FortiClient
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date Version Detail
2023-08-08 91.05844
2023-07-25 91.05424
2023-05-29 91.03695
2023-04-11 91.02260
2022-10-25 90.07227
2022-09-05 90.05716
2022-07-05 90.03884
2022-05-25 90.02622
2022-05-03 90.01974
2022-01-11 89.08603