AdwareDropper

Classification

Category: Spyware

Type: Adware

Aliases: Adolff, AdwareDropper, AdwareDroper-A, Adware Dropper, Valentines Day E-Card, W32/Adware.Valentine

Summary

On the 12th of February 2003 we received a report from a customer who had received a suspicious message. The message looked like this:

YOU HAVE RECEIVED A VALENTINES DAY E-CARD!
 Greetings,
 Someone has sent you a Valentines Day E-Card ::: a virtual postcard from
 Valentines-ecard.com.
 To view your card please click the link below :
 
 ----------------------------------------------------------------------------------
 This card was provided by Valentines-ecard.com. Copyright 2003 All Rights Reserved

The link pointed to a page that offered the CARD.EXE file for download. The file contained an animated Valentines Day greeting card that looked like this:

Removal

Based on the settings of your F-Secure security product, it may block the file from running, move it to the quarantine where it cannot spread or cause harm, or ask you to select an action.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

The animated greeting card was installed on the hard drive, and an uninstallation program for it was provided. At the same time, however, the CARD.EXE file silently dropped 3 adware/spyware files into the Windows System folder:

HMEPGE.DLL
HOTLINK.DLL
IEBRW.DLL

These files are not malicious; they are adware/spyware components that help their makers collect information about the computer user's habits and show the user matching advertisements. No personal information about the user is collected.

As these adware components were silently dropped onto computers without the user seeing and accepting a licence agreement, we consider the CARD.EXE file to be malicious. We added detection for this file to our anti-virus databases.

If you received the message mentioned above, please do not follow the link, and do not download or run the CARD.EXE file.
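
To check a machine for the three dropped files listed under Technical Details, the following Python script can be used. It is an added example, not F-Secure's code: the function names and the candidate folder names (System, System32, SysWOW64) are assumptions, and since this description publishes no hashes, a file-name match is only a lead for further inspection.

```python
import os
from pathlib import Path

# File names taken from the description above. No hashes are published there,
# so a name match is a lead for further inspection, not proof.
DROPPED_NAMES = {"hmepge.dll", "hotlink.dll", "iebrw.dll"}

# Assumption: the "Windows System folder" is one of these, depending on the
# Windows version. Adjust for the hosts being checked.
SYSTEM_SUBDIRS = ("System", "System32", "SysWOW64")


def find_dropped_files(windows_dir):
    """Return {lowercase name: [paths]} for dropped-file names under windows_dir."""
    hits = {}
    for sub in SYSTEM_SUBDIRS:
        folder = Path(windows_dir) / sub
        if not folder.is_dir():
            continue
        for entry in folder.iterdir():
            # Compare case-insensitively: Windows file names ignore case.
            name = entry.name.lower()
            if name in DROPPED_NAMES and entry.is_file():
                hits.setdefault(name, []).append(str(entry))
    return hits


def assess(hits):
    """'full-set' if all three names share one folder, else 'partial' or 'clean'."""
    folders = {}
    for name, paths in hits.items():
        for p in paths:
            folders.setdefault(os.path.dirname(p), set()).add(name)
    if any(names == DROPPED_NAMES for names in folders.values()):
        return "full-set"
    return "partial" if hits else "clean"


if __name__ == "__main__":
    found = find_dropped_files(os.environ.get("WINDIR", r"C:\Windows"))
    print(assess(found))
    for name, paths in sorted(found.items()):
        for p in paths:
            print(f"{name}\t{p}")
```

A "partial" result deserves a manual look before any cleanup, because a single matching file name can belong to unrelated software.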