Adware:W32/Look2Me

Look2Me is an adware program made by NicTech Networks Inc and may be bundled together with other software, or silently installed by trojans.

The program operates in stealth on machines running Windows 2000, XP and 2003. The name Look2Me references the servers the earlier program versions connected to, though the program nowadays will connect to www.ad-w-a-r-e.com.

The advertisements Look2ME displays are most commonly Internet Explorer pop-up windows, but may also be customized in shape and animation to fit the advertising content.& and displays an excessive amount of pop-up advertisements.& An example of a Look2Me pop-up advertisement is as follows:

Some of the advertisements push the user to install ErrorGuard or WinFixer.

Installation

Look2Me may be silently installed together with other software, or it may be silently installed by a trojan. Look2Me cannot independently replicate itself and must be manually installed onto each system it infects.

The program uses a guardian implementation to prevent removal. It does so by removing Debug privileges from all user accounts, attaching a Notification package to Winlogon and monitoring all user policy rights and system settings. During installation, the Explorer program is restarted and the computer is made to look as though it will shut down. In fact, during this time, the guardian implementation program is being installed on the system.During installation, Look2Me will register itself as a COM component, using a random filename (though it will typically use a DLL extension). The program also creates a randomly named Class ID key (CLSID) to identify itself as a COM component, and a related registry key to approve the CLSID for execution.

Registry Modifications

Creates these keys:

• HKLM\Software\Windows\CurrentVersion\Shell Extensions\Approved
• HKLM\Software\Microsoft\Windows NT\Current Version\Winlogon\Notify Asynchronous = 0 DllName = Impersonate = 0 Logon = "Winlogon" Logoff= "WinLogoff" Shutdown = "WinShutdown"