Adware:W32/Look2Me

Name: Adware:W32/Look2Me
Detection Names: Adware.Win32.Look2Me.ab, Adware.Look2me
Aliases: Adware.Look2Me (Symantec), Adware:W32/Look2Me (Microsoft)
Category: Spyware
Type: Adware
Platform: W32
Author: NicTech Networks Inc.
Website: http://nictechnetworks.com/

Summary

This program delivers advertising content to the user. It is usually annoying but harmless, unless it is combined with spyware or trackware.

Disinfection

Use F-Look2Me to remove Look2Me.

  • Download f-look2me.zip (last updated April 11th, 2006) from www.f-secure.com/tools/f-look2me.zip
  • Unzip f-look2me.zip
  • Run f-look2me.exe
  • Reboot the machine

F-Look2Me loads itself as a service to gain system privileges. The service renames the infected files and patches the adware in memory. It also restores the Debug privilege for the Administrators group. F-Look2Me requires administrator rights to run.

Details


Registry Modifications
Creates these keys:

  • HKLM\Software\Windows\CurrentVersion\Shell Extensions\Approved
  • HKLM\Software\Microsoft\Windows NT\Current Version\Winlogon\Notify
      Asynchronous = 0
      DllName =
      Impersonate = 0
      Logon = "Winlogon"
      Logoff = "WinLogoff"
      Shutdown = "WinShutdown"


Additional Details

Look2Me is an adware program made by NicTech Networks Inc. It may be bundled together with other software, or silently installed by trojans.

The program operates stealthily on machines running Windows 2000, XP and 2003. The name Look2Me refers to the servers that earlier versions of the program connected to; current versions instead connect to www.ad-w-a-r-e.com.

The advertisements Look2Me displays are most commonly Internet Explorer pop-up windows, but they may also be customized in shape and animation to fit the advertising content. The program displays an excessive number of pop-up advertisements. An example of a Look2Me pop-up advertisement is as follows:

[Image: example of a Look2Me pop-up advertisement]

Some of the advertisements push the user to install ErrorGuard or WinFixer.


Installation

Look2Me may be silently installed together with other software, or silently installed by a trojan. It cannot replicate itself and must be installed separately onto each system it infects.

The program uses a guardian component to resist removal. It does so by removing the Debug privilege from all user accounts, attaching a notification package to Winlogon, and monitoring user policy rights and system settings. During installation, Explorer is restarted and the computer is made to look as though it is shutting down; in fact, the guardian component is being installed on the system during this time.

During installation, Look2Me also registers itself as a COM component under a random filename (typically with a DLL extension). The program creates a randomly named Class ID key (CLSID) to identify itself as a COM component, and a related registry key that approves the CLSID for execution.
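The Winlogon notification package listed under Registry Modifications above and described in this section is the persistence point a defender can audit. The following is an added example, not part of the original description or of the F-Look2Me tool: it parses a .reg export of the Winlogon\Notify key and reports any package that is not in a stock-Windows baseline or whose DllName no longer matches it. The baseline list, the parser and the sample export (including the made-up subkey name "qrkx0b") are assumptions constructed for this example.

```python
from typing import Dict, List

# Winlogon notify packages on a stock Windows XP install, mapped to the DLL each
# one loads. Assumption: replace with the baseline of the build you actually trust.
STOCK_NOTIFY = {
    "crypt32chain": "crypt32.dll", "cryptnet": "cryptnet.dll", "cscdll": "cscdll.dll",
    "sccertprop": "wlnotify.dll", "schedule": "wlnotify.dll", "sclgntfy": "sclgntfy.dll",
    "senslogn": "wlnotify.dll", "termsrv": "wlnotify.dll", "wlballoon": "wlnotify.dll",
}
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key_path: {value_name: data}}; dword:/hex: data stays raw."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, data = line.split("=", 1)
            # .reg string data doubles backslashes; undo that so paths compare cleanly
            keys[current][name.strip('"')] = data.strip().strip('"').replace("\\\\", "\\")
    return keys

def audit_notify_packages(reg: Dict[str, Dict[str, str]]) -> List[Dict[str, str]]:
    """Flag Notify subkeys that are not stock packages or whose DllName left the baseline."""
    findings = []
    for path, values in reg.items():
        if not path.lower().startswith(NOTIFY_KEY.lower() + "\\"):
            continue
        subkey = path.rsplit("\\", 1)[1]
        dll = values.get("DllName", "")
        expected = STOCK_NOTIFY.get(subkey.lower())
        if expected is None:
            findings.append({"subkey": subkey, "DllName": dll, "reason": "not a stock notify package"})
        elif dll.lower().rsplit("\\", 1)[-1] != expected:
            findings.append({"subkey": subkey, "DllName": dll, "reason": "DllName differs from baseline"})
    return findings

# Constructed sample export: one stock package plus an entry shaped like the Look2Me
# description (random subkey and DLL name; 'qrkx0b' is made up for this example).
SAMPLE_REG = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DllName"="cscdll.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\qrkx0b]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\qrkx0b.dll"
"Logon"="Winlogon"
"""
```

Run it against a real export (`reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" notify.reg` on the host) and review every finding by hand, since a legitimate third-party notify package will also be flagged.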


Disinfection

Look2Me does not implement any rootkit techniques and will therefore not be detected by BlackLight.

Look2Me requires a special removal tool (F-Look2Me, above) for disinfection.