Home / malwarePDF  

Adware:Win32/Enumerate


First posted on 29 November 2012.
Source: Microsoft

Aliases :

Adware:Win32/Enumerate is also known as Adware/Enumerate.A.27 (Avira), Win32/Adware.Kraddare.FU application (ESET), AdWare.Win32.Enumerate (Ikarus).

Explanation :



Adware:Win32/Enumerate is adware that registers itself as a Browser Helper Object (BHO), and may use your search queries to display advertistments.



Installation

When executed, the installer for Adware:Win32/Enumerate adds the following files in the %ProgramFiles%\enumerate\gtfolder:

  • enumerate_gt.dll - detected as Adware:Win32/Enumerate
  • enumerate_gtu.exe - detected as Adware:Win32/Enumerate
  • enumst.exe - detected as Adware:Win32/Enumerate
  • uninstall.exe - uninstaller component


It then creates the following registry entry to make sure that it automatically runs every time Windows starts:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Enumerate_gt"
With data: ""%ProgramFiles%\enumerate\gt\enumerate_gtu.exe" Runcmd"

It creates the following entries to register itself as a BHO:

In subkey: HKCR\CLSID\<random CLSID>
Sets value: "@"
With data: "Enumerate Top Search - GT"

In subkey: HKCR\CLSID\{Random CLSID}\InprocServer32
Sets value: "@"
With data: "%ProgramFiles%\enumerate\gt\enumerate_gt.dll"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\<random CLSID>
Sets value: "@"
With data: "Enumerate Top Search - GT"
Sets value: "NoExplorer"
With data: "dword:00000001"

It also creates the following registry entries as a part of its installation routine:

Subkeys:
HKCR\AppID\enumerate_gt_goalplay.DLL
HKCR\AppID\enumerate_gt_search02.DLL
HKCR\AppID\onetaps.DLL
HKCR\enumerate_gt_goalplay.enumerate_gt_goal
HKCR\enumerate_gt_search02.enumerate_gt_sear
HKCR\onetaps.onetapsSO
HKCU\Software\enumerate_gt
HKLM\SOFTWARE\Classes\AppID\enumerate_gt_goalplay.DLL
HKLM\SOFTWARE\Classes\enumerate_gt_goalplay.enumerate_gt_goal
HKLM\SOFTWARE\Classes\enumerate_gt_search02.enumerate_gt_sear

It also creates an uninstall entry under in Control Panel > Add/Remove Programs or Control Panel > Uninstall a program as "Enumerate Top Search - gt".

Adware:Win32/Enumerate creates a mutex named This adware creates the mutex named "enumerate_gtu", "enumst", or "enumwin".

Behavior

Displays ads

Adware:Win32/Enumerate monitors what websites you visit. Depending on what searches you make or websites you visit, it may display advertisements or open other websites. It displays ads from the following websites:

  • adclk.enumerate.co.kr
  • enumstate.co.kr
  • topsearch.enumerate.co.kr


Updates itself

It can also update itself by connecting to "down.enumstate.co.kr/download/".



Analysis by Ricardo Robielos

Last update 29 November 2012

 

TOP

Malware :