
Adware:Win32/Vidsaver


First posted on 18 January 2013.
Source: Microsoft

Aliases:

There are no other names known for Adware:Win32/Vidsaver.

Explanation:



Adware:Win32/Vidsaver may be installed from the program's website:





Installation

When run, the installer for Adware:Win32/Vidsaver creates a folder named "Vidsaver" in %ProgramFiles% and installs the following files there:

  • buttonutil.dll
  • vid-saver.dll
  • vid-saver.exe
  • vid-saver.ico
  • vid-saver.ini
  • vid-saver-bg.exe


Note: %ProgramFiles% refers to a variable location that is determined by the software by querying the operating system. The default location for the Program Files folder for Windows 2000, XP, 2003, Vista, 7, and 8 is "C:\Program Files".

The icon for Adware:Win32/Vidsaver appears as follows:



Adware:Win32/Vidsaver installs itself as a BHO (browser helper object), which can be seen in Internet Explorer's Manage Add-ons window, as in the following screenshot:



Adware:Win32/Vidsaver also installs itself as a Google Chrome extension by placing the following files in the Administrator's %LOCALAPPDATA% folder:

  • %LOCALAPPDATA%\Google\Chrome\user data\Default\databases\databases.db
  • %LOCALAPPDATA%\Google\Chrome\user data\Default\databases\databases.db-journal
  • %LOCALAPPDATA%\Google\Chrome\user data\Default\databases\chrome-extension_pgmfkblbflahhponhjmkcnpjinenhlnc_0\3


Note: %LOCALAPPDATA% refers to a variable location that is determined by the malware by querying the operating system. The default location for the Local Application Data folder for Windows 2000, XP, and 2003 is "C:\Documents and Settings\<user>\Local Settings\Application Data". For Windows Vista, 7, and 8, the default location is "C:\Users\<user>\AppData\Local". For the folder used by your account, replace <user> with your username or, for the computer's administrator account, replace <user> with "Administrator".

Adware:Win32/Vidsaver creates an installation entry in the Programs and Features section of the Control Panel. Running this uninstaller may remove Adware:Win32/Vidsaver from your computer.
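A file-presence check for the artifacts listed in this Installation section, as an added example that is not part of Microsoft's write-up. The function names are hypothetical; the script accepts several Program Files and Local Application Data roots rather than only the default locations named above, and it skips databases.db and its journal on the assumption that those files are not specific to this extension.

```python
import os
from pathlib import Path

# Names copied from the write-up above; matched case-insensitively because
# Windows does so by default and on-disk casing may differ from the listing.
INSTALL_DIR = "Vidsaver"
INSTALL_FILES = ["buttonutil.dll", "vid-saver.dll", "vid-saver.exe",
                 "vid-saver.ico", "vid-saver.ini", "vid-saver-bg.exe"]
# Only the extension-specific entry is checked. databases.db and its journal
# are skipped on the assumption that Chrome creates them for unrelated
# extensions and sites too, so they are not distinctive.
CHROME_EXT_ENTRY = ("Google", "Chrome", "user data", "Default", "databases",
                    "chrome-extension_pgmfkblbflahhponhjmkcnpjinenhlnc_0", "3")


def resolve_ci(root, parts):
    """Follow `parts` below `root`, ignoring case; return the Path or None."""
    current = Path(root)
    for part in parts:
        try:
            match = next((entry for entry in current.iterdir()
                          if entry.name.lower() == part.lower()), None)
        except OSError:  # root missing, unreadable, or not a directory
            return None
        if match is None:
            return None
        current = match
    return current


def find_vidsaver_artifacts(program_files_dirs, local_appdata_dirs):
    """Return the sorted on-disk paths of every listed artifact that exists."""
    hits = []
    for root in program_files_dirs:
        for name in INSTALL_FILES:
            found = resolve_ci(root, (INSTALL_DIR, name))
            if found is not None:
                hits.append(str(found))
    for root in local_appdata_dirs:
        found = resolve_ci(root, CHROME_EXT_ENTRY)
        if found is not None:
            hits.append(str(found))
    return sorted(hits)


if __name__ == "__main__":
    env = os.environ
    pf = [env[k] for k in ("ProgramFiles", "ProgramFiles(x86)") if k in env]
    lad = [env[k] for k in ("LOCALAPPDATA",) if k in env]
    for hit in find_vidsaver_artifacts(pf, lad):
        print("found:", hit)
```

To cover every account on a machine, pass each user's Local Application Data folder in `local_appdata_dirs` instead of only the current user's.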

Execution

Once installed, Adware:Win32/Vidsaver displays offers to you as you browse the Internet, as in the following examples:





Adware:Win32/Vidsaver also replaces certain keywords on websites with a hyperlink. The destination of the hyperlink depends on the keyword.

For example, the keyword "Watch" has been replaced on the program's website with a hyperlink, as seen in this screenshot:





Analysis by Zhitao Zhou

Last update 18 January 2013
