



Adware:W32/Midadle

Name: Adware:W32/Midadle
Detection Names: AdWare.Win32.Midadle
Aliases: Adware.WinFetch (Symantec)
Category: Spyware
Type: Adware
Platform: W32

Summary

This program is designed to deliver advertising content to the user. It is usually annoying but harmless, unless it is combined with spyware or trackware.

Details


File System Changes
Creates these files:

  • %temp%\clicks.dll
  • %temp%\Updater.exe
  • %temp%\ma.dll
  • %temp%\ma
  • %ProgramFiles%\Common Files\midaddle\clicks.dll



Network Connections
Attempts to download files from:

  • http://www.yellow-sticky.com
  • http://www.midaddle.com


Additional Details

This advertisement delivery software is distributed by MidADdle (also known as "ADS IN THE MIDDLE"). MidADdle was acquired by InterClick in 2005.

The program can perform the following activities:

  • Display pop-up advertisements
  • Download, install and run adware
  • Connect to a remote site to download components for upgrading itself


Installation


The executable file needs to be executed manually in order to install the program. Upon execution, it will create files and drop a copy of itself at:

  • %temp%\[Random name].exe

It will also create randomly-named file components in the temporary folder, such as:

  • %temp%\XzojPHIV.dll
  • %temp%\0W9DGM0.dll
  • %temp%\tFLIVc.dll
  • %temp%\VAfDi.dll
  • %temp%\g.dll


Registry

During installation, the program creates this registry entry so that it runs automatically after system restart:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "[Random name]"="%temp%\[Random name].exe"

It also creates this key, which registers the program as a browser helper object (BHO) in order to monitor the user's browser activity:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E8EAEB34-F7B5-4C55-87FF-720FAF53D841}]
     "@"="WinPage Affiliate"

The program also creates these registry subkeys:

  • [HKEY_LOCAL_MACHINE\Software\MidADdle]
  • [HKEY_LOCAL_MACHINE\Software\Classes\AppID\WinAffiliateBHO.DLL]
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\midADdle]
  • [HKEY_LOCAL_MACHINE\Software\Classes\WinAffiliateBHO.WinAffiliateIEExtensi.1]
  • [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{E8EAEB34-F7B5-4C55-87FF-720FAF53D841}]
  • [HKEY_LOCAL_MACHINE\Software\Classes\TypeLib\{ECB25A48-E6E0-49AF-99AF-07C763E31389}]
  • [HKEY_LOCAL_MACHINE\Software\Classes\Interface\{E318D698-27B3-44D5-8998-C35EAFB9C034}]
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\{E8EAEB34-F7B5-4C55-87FF-720FAF53D841}]
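
The file and registry changes listed above can be checked on a host with a read-only script. The following PowerShell is an added example, not part of the original description; the function and variable names are illustrative, and the checks of the WOW6432Node Run key and the `Program Files (x86)` folder are assumptions about 64-bit Windows that the description does not mention.

```powershell
# Added example: read-only check for the Midadle artifacts listed on this page.
# Function and variable names are illustrative; nothing is modified or removed.
$clsid = '{E8EAEB34-F7B5-4C55-87FF-720FAF53D841}'   # BHO CLSID from the page
$keys = @(
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$clsid",
    'HKLM:\Software\MidADdle',
    'HKLM:\Software\Classes\AppID\WinAffiliateBHO.DLL',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\midADdle',
    'HKLM:\Software\Classes\WinAffiliateBHO.WinAffiliateIEExtensi.1',
    "HKLM:\Software\Classes\CLSID\$clsid",
    'HKLM:\Software\Classes\TypeLib\{ECB25A48-E6E0-49AF-99AF-07C763E31389}',
    'HKLM:\Software\Classes\Interface\{E318D698-27B3-44D5-8998-C35EAFB9C034}',
    "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\$clsid"
)
# %temp% is per-user, so this covers only the account running the script.
$files = @('clicks.dll', 'Updater.exe', 'ma.dll', 'ma') |
    ForEach-Object { Join-Path $env:TEMP $_ }
# Assumption beyond the page: on 64-bit Windows a 32-bit program's writes are
# redirected, so Program Files (x86) and the WOW6432Node Run key are checked too.
$files += @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ } |
    ForEach-Object { Join-Path $_ 'Common Files\midaddle\clicks.dll' }
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

function Find-MidadleArtifact {
    foreach ($k in $keys) {
        if (Test-Path -LiteralPath $k) {
            [pscustomobject]@{ Type = 'RegistryKey'; Item = $k }
        }
    }
    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f) {
            [pscustomobject]@{ Type = 'File'; Item = $f }
        }
    }
    # The Run value name is random, so match on the data: an .exe under %temp%.
    foreach ($rk in $runKeys) {
        if (-not (Test-Path -LiteralPath $rk)) { continue }
        $key = Get-Item -LiteralPath $rk
        foreach ($name in $key.GetValueNames()) {
            $data = ([string]$key.GetValue($name)).Trim().Trim('"')
            if ($data.StartsWith($env:TEMP, [StringComparison]::OrdinalIgnoreCase) -and
                $data -match '\.exe') {
                [pscustomobject]@{ Type = 'RunValue'; Item = "$rk -> $name = $data" }
            }
        }
    }
}

Find-MidadleArtifact | Format-Table -AutoSize -Wrap
```

A `RunValue` hit is a heuristic based on the location of the executable, not on its name, so each one should be reviewed before any cleanup.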