
Adware:Win32/Putalol


First posted on 14 October 2015.
Source: Microsoft

Aliases:

There are no other names known for Adware:Win32/Putalol.

Explanation:

Threat behavior

Installation
LolliScan32.dll is loaded into Internet Explorer through Appinit_Dlls and displays ads. Some ads are attributed to "LolliScan", but others are attributed to "ads2". This threat can create files on your PC, including:

  • \7c0535b143fc4671b6ebd202fbffe066\d183c6664cc54b4d81a433777e2128a8
  • \LolliScan\install.log
  • \LolliScan\LolliScan32.dll
  • \LolliScan\LolliScan64.dll
  • \LolliScan\LolliScan64.exe
  • \LolliScan\NSISHelper.dll
  • \LolliScan\SoftConfigTest.exe
  • \Service7609\Service7609.dll - we detect as TrojanDownloader:Win32/Putabmow
  • \Service7609\Service7609.exe - we detect as TrojanDownloader:Win32/Putabmow


The threat creates two scheduled tasks in order to automatically launch two executable files, for example:

Name              | Image Path
PVBIRNJSOKMCXCOO  | \Service7609\Service7609.exe
YHPZNF1           | \lolliscan\lolliscan.exe

These tasks are scheduled to run when any user logs on, and may also be scheduled to trigger regularly throughout the day, every day.

It also creates the following registry entries, which cause one of its DLLs to be loaded by most applications, including web browsers:

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Sets value: Appinit_Dlls
With data: "\LolliScan\LolliScan64.dll"

In subkey: HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows
Sets value: Appinit_Dlls
With data: "\LolliScan\LolliScan32.dll"
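
A defender's check for the two persistence mechanisms described above, as an added example that is not part of the original write-up: it reads Appinit_Dlls from both registry views and lists scheduled tasks whose image path contains a folder name from this page. It assumes 64-bit PowerShell on Windows 8 or later (for Get-ScheduledTask); the function name Test-PutalolIndicator and the variable names are made up for the example.

```powershell
# Added example. The folder names below come from this page's file and task lists.
$indicators = 'LolliScan', 'Service7609'

function Test-PutalolIndicator([string]$Text) {
    # -like is case-insensitive, so "\lolliscan\" and "\LolliScan\" both match.
    foreach ($i in $indicators) {
        if ($Text -like "*$i*") { return $true }
    }
    return $false
}

# 1. AppInit_DLLs in the native and the 32-bit (Wow6432Node) registry view.
$keys = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
$appInit = foreach ($key in $keys) {
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($p) {
        [pscustomobject]@{
            Key          = $key
            AppInit_DLLs = [string]$p.AppInit_DLLs
            # LoadAppInit_DLLs = 1 means Windows actually loads the listed DLLs.
            Loading      = ($p.LoadAppInit_DLLs -eq 1)
            PageMatch    = Test-PutalolIndicator ([string]$p.AppInit_DLLs)
        }
    }
}
# Any non-empty AppInit_DLLs value deserves review, not only a page match.
$appInit | Where-Object { $_.AppInit_DLLs } | Format-List

# 2. Scheduled tasks, matched on the image path they launch. The page gives
#    the task names only as examples, so the name is reported, not matched.
$tasks = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        if ($action.Execute -and (Test-PutalolIndicator $action.Execute)) {
            [pscustomobject]@{
                TaskName = $task.TaskName
                TaskPath = $task.TaskPath
                Execute  = $action.Execute
                # Trigger class names show logon and time-based triggers.
                Triggers = ($task.Triggers |
                    ForEach-Object { $_.CimClass.CimClassName }) -join ', '
            }
        }
    }
}
$tasks | Format-List
```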

Payload

Displays ads that you can't control

This program can show you extra ads. These ads can appear:

  • In your web browser: such as search helpers, hover links, and banner ads.
  • Outside of your web browser: such as pop ups, balloon ads, and toast notifications.


These advertisements would not be shown if this program wasn't installed on your PC.

Analysis by: Hamish O'Dea

Symptoms

The following can indicate that you have this threat on your PC:

  • You see a file similar to:
    • \7c0535b143fc4671b6ebd202fbffe066\d183c6664cc54b4d81a433777e2128a8
    • \LolliScan\install.log
    • \LolliScan\LolliScan32.dll
    • \LolliScan\LolliScan64.dll
    • \LolliScan\LolliScan64.exe
    • \LolliScan\NSISHelper.dll
    • \LolliScan\SoftConfigTest.exe
    • \Service7609\Service7609.dll - we detect as TrojanDownloader:Win32/Putabmow
    • \Service7609\Service7609.exe - we detect as TrojanDownloader:Win32/Putabmow


  • You see the following registry entries:
    • In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
      Sets value: Appinit_Dlls
      With data: "\LolliScan\LolliScan64.dll"

    • In subkey: HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows
      Sets value: Appinit_Dlls
      With data: "\LolliScan\LolliScan32.dll"

Last update 14 October 2015

 
