Home / malware Adware:Win32/LoudMo
First posted on 10 May 2010.
Source: SecurityHomeAliases :
Adware:Win32/LoudMo is also known as AdWare.Win32.EZula.daq (Kaspersky), AdWare.Win32.EZula (Ikarus).
Explanation :
Adware:Win32/LoudMo is a program that delivers advertisements, monitors Web browsing habits and prompts advertising popups, while automatically updating itself.
Top
Adware:Win32/LoudMo is a program that delivers advertisements, monitors Web browsing habits and prompts advertising popups, while automatically updating itself. InstallationAdware:Win32/LoudMo's installation method may vary according to the browser being used on the affected computer. Internet Explorer Adware:Win32/LoudMo can install it self as a BHO in Internet Explorer, and may be present in the following file: c:\WINDOWS\system32\ <derived value>.dllFor example, c:\WINDOWS\system32\ gFq-yX2Na6-CcZ-.dll Note: "derived value" is a variable value that is determined by the program using configuration information from the affected computer. Note that this value will change from installation to installation of LoudMo. When executed, the adware installs itself as a Web Browser Helper Object in Internet Explorer and modifies the system registry: Creates subkey: HKLM\SOFTWARE\Classes\CLSID\{5c026fd8-4021-75c5-673f-f6b4d1c16a04} Creates subkey: HKLM\SOFTWARE\Classes\CLSID\<derived value> For example, HKLM\MACHINE\SOFTWARE\Classes\CLSID\{e7db02aa-6bcc-3e8e-d810-102ced007481} Adds value: "(default)" With data: "flvdome" Creates subkey: HKLM\SOFTWARE\Classes\CLSID\<derived value>\InProcServer32 Adds value: "(default)" With data: "C:\\WINDOWS\\system32\\<derived value>.dll"For example, c:\WINDOWS\system32\ gFq-yX2Na6-CcZ-.dll Creates subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\<derived value> For example, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e7db02aa-6bcc-3e8e-d810-102ced007481} Adds value: "NoExplorer" With data: "\"\"" To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\<derived value> Creates subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\<derived value>For example, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ygwY4-zT4-_ Adds value: "LoudMo Contextual Ad Assistant" With data: "\"\"" Adds value: "NoModify" With data: dword:00000000 Adds value: "NoRepair" With data: dword:00000000 Adds value: "UninstallString" With data: "C:\\WINDOWS\\system32\\<derived value>.exe"For example, c:\WINDOWS\system32\ygwY4-zT4-_.exe To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\<derived value> Once installed in Internet Explorer, the adware's presence can be seen in the 'Manage Add-ons' window that can be accessed from the Tools menu. The image below displays a 'Manage Add-ons' window with the adware listed as 'flvdome'. Mozilla Firefox Adware:Win32/LoudMo can install it self as a BHO in Mozilla Firefox. It may create the following directory: c:\Program Files\Mozilla Firefox\extensions\{<derived value>}\ And then create the following files beneath this directory: chrome.manifest install.rdf chrome\ \components\<derived value>.dll Once installed in Mozilla Firefox, the adware's presence can be seen in the 'Manage Add-ons' window that can be accessed from the Tools menu. The image below displays a 'Manage Add-ons' window with the adware listed as 'Loudmo Contextual Assistant'. Once the adware has been installed, it can been seen in the 'Add or Remove Programs' window that can be accessed from the Control Panel. The image below displays an 'Add or Remove Programs' window with the adware listed as the name that was derived from the system directory. Additional information Inserts advertisements The adware may insert advertisements into Web pages that can display as a banner. The adware may insert an advertisement that covers a page, but use the original page's name and branding to make the advertisement appear contextual. The image of the webpage below on the left displays a page that is not affected by Adware:Win32/LoudMo while the image of the webpage on the right shows the same page being viewed by an infected browser. The advertisements display as a pop-up using the name of a page that an affected user has recently visited. This sort of contextual information can lead an infected user to believe that this advertising comes from a visited website, when in fact it may not. Adds entries in order to store data > Modifies registry in order to store data
LoudMo adds the following entry in order to store data for its own use: Creates subkey: HKCU\Software\AppDataLow\<derived value> For example, HKCU\Software\AppDataLow\DaDeQ- The following are examples of registry modifications made during testing in our laboratory. Note: This data may differ from one affected computer to the next. Adds value: "213432141320" With data: " hex(7):00,00" Adds value: "24021301143224" With data: "%cc%90%05%a88%ea%99%07" Adds value: "31114403214242" With data: €œdword:4bd8e79f€
Analysis by Michael JohnsonLast update 10 May 2010
