Adware:W32/LinkOptimizer

GO TO: Summary | Removal | Technical Details

Classification

Category:

Spyware

Type:

Adware

Platform:

W32

Aliases:

LinkOptimizer

Summary

This program delivers advertising content to the user. It is usually annoying but harmless, unless it is combined with spyware or trackware.

Removal

Automatic action

Based on the settings of your F-Secure security product, it may block the file from running, move it to the quarantine where it cannot spread or cause harm, or ask you to select an action.

Suspect a file is incorrectly detected (a False Positive)?

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest detection database updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    NOTE If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note You need administrative rights to change the settings.

Find out more

Knowledge Base

Find the latest advice in our Community Knowledge Base.

User Guide

See the user guide for your product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details

Adware:W32/LinkOptimizer is an adware application with active rootkit technology.&

Installation

This adware& tries to use social engineering to convince the user to download and execute it by imitating one of the following file names:

  • www.google.com
  • www.auto.com
  • www.free.com
  • www.super.com
  • www.pictures.com

The files using the COM extension can actually be executed exactly the same as EXE, CMD, SCR and other Windows executable formats; despite the COM extension, the file is actually the downloader that will download LinkOptimizer adware and its rootkit component.

Once the downloader is executed, it will download and drop the following files:

  • C:\Windows\[5 random characters]1.dll
  • C:\Windows\Temp\[Random name]1.exe

LinkOptimizer adds itself to the registry as a browser helper object (BHO) to maintain control of Internet Explorer instances.

Activity

While the browser is running, LinkOptimizer displays pop-up windows at random intervals.

&It also hijacks the default search page and attempts to connect to various hard-coded sites in order to download and execute files.

Registry

Adware.LinkOptimizer is installed as a BHO by adding the following registry subkey:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\[random CLSID]]

Adware is loaded to the following registry subkey:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]& "AppInit_DLLs" = "C:\Windows\[5 random characters]1.dll"

The DLL file and the registry key are hidden by the rookit.

The program also overwrites the default URLSearchHooks onHKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks in order to hijack Internet Explorer address bar searches:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\URLSearchHooks]& {CFBFAE00-17A6-11D0-99CB-00C04FD64497}=

Stealth

More recently, LinkOptimizer has been bundled with a powerful rootkit named Gromozon. Gromozon's main purpose is to hide its own presence (and the LinkOptimzer component's) using numerous techniques such as:

  • Special user accounts
  • Undocumented NTFS features
  • Blocking anti-rootkit programs
  • Windows API hooking
  • Removing the user's administrator rights

As part of its stealth functionality, the rootkit installs a range of hooks (see above).

Network Connections

Attempts to connect to:

  • https://gcwave.com/fg.php
  • http://www.flashkin.net/bs.php
  • http://www.flashkin.net/wl.php
  • http://www.flashkin.net/sh.php
  • http://www.flashkin.net/wlink.php
  • http://www.flashkin.net/ws.php
  • http://www.flashkin.net/gc.php
  • http://washerner.com
  • http://chongchua.com/
  • http://livingcert.com
  • http://fogcu.com

Stealth Features

Installs these hooks:

  • ws2_32.dll!getaddrinfo
  • advapi32.dll!RegSetValueW
  • advapi32.dll!CreateProcessWithLogonW
  • advapi32.dll!GetFileSecurityA
  • advapi32.dll!SetFileSecurityA
  • advapi32.dll!RegSetValueA
  • kernel32.dll!GetBinaryTypeW
  • kernel32.dll!OpenFile
  • kernel32.dll!MoveFileWithProgressW
  • kernel32.dll!ExitProcess
  • kernel32.dll!FindFirstFileW
  • kernel32.dll!LoadLibraryW
  • kernel32.dll!GetProcAddress
  • ntdll.dll!LdrUnloadDll
  • ntdll.dll!LdrLoadDll
  • ntdll.dll!NtWriteVirtualMemory
  • ntdll.dll!NtVdmControl
  • ntdll.dll!NtReadVirtualMemory
  • ntdll.dll!NtQuerySystemInformation
  • ntdll.dll!NtQueryInformationFile
  • ntdll.dll!NtQueryDirectoryFile
  • advapi32.dll!RegSetValueW
  • advapi32.dll!CreateProcessWithLogonW
  • advapi32.dll!GetFileSecurityA
  • advapi32.dll!SetFileSecurityA
  • advapi32.dll!RegSetValueA
  • kernel32.dll!GetBinaryTypeW
  • kernel32.dll!OpenFile
  • kernel32.dll!MoveFileWithProgressW
  • kernel32.dll!ExitProcess
  • kernel32.dll!FindFirstFileW
  • kernel32.dll!LoadLibraryW
  • kernel32.dll!GetProcAddress
  • ntdll.dll!LdrUnloadDll
  • ntdll.dll!LdrLoadDll
  • ntdll.dll!NtWriteVirtualMemory
  • ntdll.dll!NtVdmControl
  • ntdll.dll!NtReadVirtualMemory
  • ntdll.dll!NtQuerySystemInformation
  • ntdll.dll!NtQueryInformationFile
  • ntdll.dll!NtQueryDirectoryFile