Win32/AdWare.ConvertAd [Threat Name] go to Threat

Win32/Adware.ConvertAd.FG [Threat Variant Name]

Category adware
Size 488985 B
Detection created Apr 13, 2015
Detection database version 11466
Short description

Win32/Adware.ConvertAd.FG is a adware used for delivery of unsolicited advertisements. The adware is usually a part of other malware.

Installation

When executed, the adware creates the following files:

  • %localappdata%\­%variable1%\­uninstall.exe (80130 B)
  • %localappdata%\­%variable1%\­%variable2%.tmp (274155 B, Win32/Adware.ConvertAd.FG)
  • %localappdata%\­%variable1%\­%variable3%.exe (242688 B, Win32/Adware.ConvertAd.FG)

The adware executes the following files:

  • %localappdata%\­%variable1%\­%variable2%.tmp /ch=%variable4% /fd=%appdata%\­%uuid%
  • %localappdata%\­%variable1%\­%variable3%.exe /ch=%variable4%

A string with variable content is used instead of %variable1-4% .


In order to be executed on every system start, the adware sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "WinCheck" = "%localappdata%\­%variable1%\­%variable3%.exe"

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows\­CurrentVersion\­Uninstall\­wincheck]
    • "DisplayName" = "Jammed Paper Tray"
    • "UninstallString" = "%localappdata%\­%variable1%\­uninstall.exe"
    • "Publisher" = "Jammed Paper Tray"
    • "DisplayVersion" = "1.0.0.0"
    • "Channel" = "%variable4%"
    • "DisplayIcon" = "%localappdata%\­%variable1%\­%variable3%.exe"
Information stealing

The adware collects sensitive information when the user browses certain web sites.


The following programs are affected:

  • Google Chrome
  • Internet Explorer
  • Mozilla Firefox

The adware attempts to send gathered information to a remote machine.

Other information

The adware acquires data and commands from a remote computer or the Internet.


The adware contains a list of (4) URLs. The HTTP protocol is used.


The adware displays dialogs within the Internet browser with various advertisements.

Please enable Javascript to ensure correct displaying of this content and refresh this page.