
Adware:Win32/HitLink


First posted on 21 November 2012.
Source: Microsoft

Aliases:

Adware:Win32/HitLink is also known as Win32/Adware.Kraddare.AW (ESET).

Explanation:



Adware:Win32/HitLink is a program that displays advertisements that are out of context. It redirects your Internet browser to websites and displays advertisements.



Installation

When first run, Adware:Win32/HitLink creates the following folder on your computer:

%ProgramFiles%\hitlink

Note: %ProgramFiles% refers to a variable location that is determined by the malware by querying the operating system. The default location for the Program Files folder for Windows 2000, XP, 2003, Vista, 7, and 8 is "C:\Program Files".

It adds the following files to the newly created folder:

  • %ProgramFiles%\hitlink\hitlink.exe
  • %ProgramFiles%\hitlink\uninstall_hitlink.exe


Adware:Win32/HitLink adds the following registry subkeys:

  • HKCU\Software\hitlink
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\uninstall_hitlink.exe


Adware:Win32/HitLink modifies the following registry entry to ensure that its copy runs at each Windows start:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "hitlink.exe"
With data: "%ProgramFiles%\hitlink\hitlink.exe"

It also modifies the registry to create an option in the Programs and Features control panel menu that will uninstall the program.

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\uninstall_hitlink.exe
Sets value: "DisplayName"
With data: "Windows hitlink ad-System [hitlink]"

Sets value: "UninstallString"
With data: "%ProgramFiles%\hitlink\uninstall_hitlink.exe delete"

Additional information

Adware:Win32/HitLink checks if you visit any sites that contain the following strings in their URLs:

  • afreeca.com
  • e-himart.co.kr
  • emartmall.com
  • google.co.kr
  • halfclub.com
  • lotteimall.com
  • naver.com
  • njoyny.com
  • ogage.co.kr
  • search.daum.net
  • ucnovel.com
  • yahoo.com
  • youtube.com


Any text you put into the site's search box is sent to a server, via the following URL:

hxxp://222.237.78.96/c/p3.php?q=:query&d=:domain

The server will then instruct your browser to display pop-up advertisements.

Adware:Win32/HitLink attempts to check for and install updated versions of itself by connecting to the server at "222.237.78.97" via HTTP port 80.
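To look for the two network behaviours described above in web proxy logs, the following added example (not part of the original write-up) flags requests to the search-reporting URL and to the update server. The log line format, the sample lines, and the function names are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Indicators taken from the description above.
REPORT_HOST = "222.237.78.96"   # receives text typed into search boxes
UPDATE_HOST = "222.237.78.97"   # contacted for updates via HTTP port 80
REPORT_PATH = "/c/p3.php"

# Constructed sample log (assumed format: time client method url status).
SAMPLE_LOG = """\
2012-11-21T09:14:02 10.0.0.23 GET http://222.237.78.96/c/p3.php?q=winter+coat&d=naver.com 200
2012-11-21T09:14:05 10.0.0.23 GET http://www.example.com/index.html 200
2012-11-21T09:20:41 10.0.0.57 GET http://222.237.78.97/ 200
2012-11-21T09:21:10 10.0.0.23 GET http://222.237.78.96/c/p3.php?q=laptop&d=search.daum.net 200
malformed line
"""

def classify(url):
    """Return (kind, details) if the URL matches a HitLink indicator, else None."""
    try:
        parts = urlsplit(url)
        port = parts.port or 80
    except ValueError:          # unparsable URL or port
        return None
    if parts.scheme != "http" or port != 80:   # the page describes plain HTTP
        return None
    if parts.hostname == REPORT_HOST and parts.path == REPORT_PATH:
        params = parse_qs(parts.query, keep_blank_values=True)
        if "q" in params and "d" in params:
            # q carries the search text, d the site it was typed into
            return ("search-report", {"query": params["q"][0], "site": params["d"][0]})
    if parts.hostname == UPDATE_HOST:
        return ("update-check", {})
    return None

def scan(log_text):
    """Return one finding per log line that matches an indicator."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue            # skip lines that do not fit the assumed format
        when, client, _method, url, _status = fields
        hit = classify(url)
        if hit:
            findings.append({"time": when, "client": client, "kind": hit[0], **hit[1]})
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Each finding names the internal client that made the request, which identifies the machine to check for the folder and registry entries listed under Installation.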



Analysis by Alden Pornasdoro

Last update 21 November 2012

 
