
Adware:MSIL/SanctionedMedia


First posted on 05 January 2012.
Source: Microsoft

Aliases:

Adware:MSIL/SanctionedMedia is also known as W32/SanctionedMedia.B (Norman), Adware Generic4.CHVO (AVG), MSIL/Adware.SanctionedMedia.A (ESET), TROJ_SPNR.29LB11 (Trend Micro).

Explanation:

Adware:MSIL/SanctionedMedia is a program that delivers pop-up advertisements on a number of different web browsers.





Installation

Adware:MSIL/SanctionedMedia is distributed bundled with screensavers.

The initial installation message displayed by one of the screensavers mentions the affiliation with SanctionedMedia.



The screensavers are distributed by sexy-screen-savers.com.

The following files, if found in the '%Local Settings%\Application Data\SanctionedMedia\Smad' directory, may indicate the presence of this malware:

  • Smad.exe
  • version.XML
  • Updater.exe
  • Update.exe
  • Up.exe
  • budent.exe
  • smUninstall.exe


where %Local Settings% refers to C:\Documents and Settings\<username>\Local Settings.

Adware:MSIL/SanctionedMedia may make the following changes to the registry:

Adds the following subkeys:
HKCU\Software\SanctionedMedia\Smad
HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Smad

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Smad"

In subkey: HKCU\Software\SanctionedMedia\Smad
Sets value: "Pid"
Sets value: "Uid"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Smad
Sets value: "DisplayVersion"
Sets value: "Version"
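
The file and registry indicators listed above can be checked on a live host with a short read-only PowerShell script. This is an added example, not Microsoft's own tooling; the variable names are illustrative, and it assumes the local application data folder returned by GetFolderPath corresponds to the '%Local Settings%\Application Data' directory named above.

```powershell
# Added example: read-only check for the file and registry indicators listed above.
# Run it as the user being examined, because every registry path is under HKCU.
$findings = New-Object 'System.Collections.Generic.List[string]'

# Assumption: '%Local Settings%\Application Data' is the per-user local
# application data folder, which GetFolderPath resolves for the current user.
$localAppData = [Environment]::GetFolderPath('LocalApplicationData')
$smadDir = Join-Path $localAppData 'SanctionedMedia\Smad'
$fileNames = @('Smad.exe', 'version.XML', 'Updater.exe', 'Update.exe',
               'Up.exe', 'budent.exe', 'smUninstall.exe')
foreach ($name in $fileNames) {
    $path = Join-Path $smadDir $name
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $findings.Add("file   $path")
    }
}

# Subkeys the adware adds, with the values the page lists under each.
$addedKeys = @(
    @{ Key = 'HKCU:\Software\SanctionedMedia\Smad'; Values = @('Pid', 'Uid') },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\Smad'
       Values = @('DisplayVersion', 'Version') }
)
foreach ($entry in $addedKeys) {
    if (-not (Test-Path -LiteralPath $entry.Key)) { continue }
    $findings.Add("key    $($entry.Key)")
    $present = (Get-Item -LiteralPath $entry.Key).GetValueNames()
    foreach ($value in $entry.Values) {
        if ($present -contains $value) {
            $findings.Add("value  $($entry.Key) -> $value")
        }
    }
}

# The Run key exists on every system, so only the "Smad" value counts here.
$runPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runKey = Get-Item -LiteralPath $runPath -ErrorAction SilentlyContinue
if ($runKey -and ($runKey.GetValueNames() -contains 'Smad')) {
    $findings.Add("run    Smad = $($runKey.GetValue('Smad'))")
}

if ($findings.Count -eq 0) {
    Write-Output 'No SanctionedMedia indicators found for this user.'
} else {
    Write-Output "SanctionedMedia indicators found: $($findings.Count)"
    $findings
}
```

Because the keys are per-user, the result only describes the account the script runs under; repeat it for each profile on a shared machine.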

Execution

Displays advertisements

Adware:MSIL/SanctionedMedia displays contextual advertising pop-ups, depending on the user's browsing habits.

It reads URLs typed into the following web browsers:

  • Internet Explorer
  • Firefox
  • Chrome
  • Opera
  • Netscape


Connects to servers

Adware:MSIL/SanctionedMedia sends the following information:

  • URL entered into the web browser
  • User ID -- a 16-digit random number to identify the user
  • Personal identification information
  • Adware version details
  • Operating system details


to the following server:

sanctionedmedia.com

Updates itself

Once an hour, Adware:MSIL/SanctionedMedia checks if it needs to be updated.



Analysis by Michael Johnson

Last update 05 January 2012

 
