Adware In Legitimate Application’s Disguise Tricks Users
A piece of adware posing as a legitimate program for playing online games is circulating on the Internet. The application tricks users into downloading the Navipromo adware, according to PandaLabs, which detected it. It circulates under the name 'InternetGameBox', a legal program for certain online games.
As soon as Adware.Navipromo.M is executed, it runs explorer.exe and injects itself into the explorer.exe process. It then deletes the original file from the system and copies itself to the system directory under the name mstmpreg32.dll. It also changes registry keys so that it runs every time the system starts up. When an Internet connection is available, the adware may download content from different websites.
An advanced piece of adware, Navipromo runs silently on the user's system. It sends back URLs after the user has visited them and receives links to sites that display related advertisements. These appear as pop-up or pop-under windows on the user's screen. The file names msclock32.dll and msplock32.dll are used to identify Navipromo. A rootkit technique helps to hide these files.
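The following Python triage check is an added example, not part of the original article or of PandaLabs' tooling. It compares the modules loaded in each process with a plain directory listing of the system directory and flags the three DLL names the article gives; a flagged DLL that is loaded but absent from the listing is consistent with the rootkit hiding described above. The function name, input shapes and sample data are assumptions constructed for illustration, as is the premise that the injected DLL shows up in a process module export.

```python
import ntpath

# DLL file names taken from the article text.
NAVIPROMO_DLLS = {"mstmpreg32.dll", "msclock32.dll", "msplock32.dll"}


def triage(loaded_modules, dir_listing):
    """Cross-view check for the Navipromo file names.

    loaded_modules: {process name: [module paths]} from a process-module export
                    (assumed input shape).
    dir_listing:    file names returned by an ordinary listing of the system
                    directory (assumed input shape).
    Returns sorted (process, dll, hidden) tuples; hidden is True when the DLL
    is loaded but the directory listing does not show it.
    """
    visible = {name.lower() for name in dir_listing}
    findings = []
    for process, modules in loaded_modules.items():
        for path in modules:
            # ntpath handles Windows paths on any analysis host.
            name = ntpath.basename(path).lower()
            if name in NAVIPROMO_DLLS:
                findings.append((process.lower(), name, name not in visible))
    return sorted(findings)


# Constructed sample data, not taken from a real infected host.
SAMPLE_MODULES = {
    "explorer.exe": [
        r"C:\WINDOWS\system32\shell32.dll",
        r"C:\WINDOWS\system32\MSTMPREG32.DLL",
    ],
    "notepad.exe": [r"C:\WINDOWS\system32\kernel32.dll"],
}
SAMPLE_DIR_LISTING = ["shell32.dll", "kernel32.dll"]

if __name__ == "__main__":
    for process, dll, hidden in triage(SAMPLE_MODULES, SAMPLE_DIR_LISTING):
        state = "hidden from directory listing" if hidden else "visible on disk"
        print(f"{process}: {dll} loaded ({state})")
```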
According to Luis Corrons, technical director of PandaLabs, the malware creator has used an elaborate social engineering tactic. He tricks users by inserting a malicious file that resembles an innocuous file in the system. The technique is made more effective by choosing an application that helps access online games, which interest users, according to Corrons. Net-security published this as news on May 17, 2007.
When the user opens the malware-laden file, an error message appears. A dialog box is then displayed asking the user to select 'Yes' or 'No'. However, the system is already infected by this time, so it is immaterial what the user selects. If the user goes further to find out the application's name, he/she will see an authentic online gaming page. Although this appears reassuring, it ignores the infection in the computer, Corrons explains. Home.nestor.minsk published this in news on May 18, 2007.
PandaLabs had already detected the Navipromo adware in the past. Lately its activity had reduced significantly, but now it seems that the malware author is reactivating it using a new propagation technique.
» SPAMfighter News - 24-05-2007