Win32/Cekar [Threat Name]

Win32/Cekar.A [Threat Variant Name]

Category: adware, worm
Size: 1460917 B
Aliases: W32.Mumawow.F!inf (Symantec), Virus:Win32/Cekar.B (Microsoft)

Short description

Win32/Cekar.A is adware: an application designed to deliver unsolicited advertisements.

Installation

When executed, the adware creates the following files:

  • %windir%\DnsSrv.dll

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\logondll]
    • "DllName" = "DnsSrv.dll"
    • "Asynchronous" = 1
    • "Impersonate" = 0
    • "Startup" = "EventStartup"

This causes the adware to be executed on every system start.

The adware may create the following files:

  • %system%\Web.ini
  • %system%\WebNew.ini
  • %system%\PlugOne.css
  • %system%\PlugTwo.css
  • %system%\HtmlPeek.dll

The adware may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\360Safe\safemon]
    • "ExecAccess" = 0
    • "SiteAccess" = 0
    • "MonAccess" = 0
    • "UDiskAccess" = 0
    • "ARPAccess" = 0
    • "IEProtAccess" = 0
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Softy\LockPage]
    • "LockPageNum" = %number%
    • "NeedLockPage" = %number%
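
The two registry artefacts above (a Winlogon Notify package, which winlogon.exe loads at start-up, and the 360Safe safemon protection switches forced to 0) are what a responder would look for in an exported hive. The following is an added triage example, not part of the ESET description: it parses a constructed .reg export and reports both artefacts; the key paths are taken from the list above, while SAMPLE_REG and the function names are assumptions.

```python
import re

# Constructed sample .reg export (not taken from the page); it reproduces the
# Winlogon Notify and 360Safe entries the description lists.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\logondll]
"DllName"="DnsSrv.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000000
"Startup"="EventStartup"

[HKEY_LOCAL_MACHINE\SOFTWARE\360Safe\safemon]
"ExecAccess"=dword:00000000
"SiteAccess"=dword:00000000
"MonAccess"=dword:00000000
'''

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
SAFEMON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\360Safe\safemon"
# Matches "name"="string" or "name"=dword:XXXXXXXX lines of a .reg file.
VALUE_RE = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')

def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: str | int}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and (m := VALUE_RE.match(line)):
            name, string, dword = m.groups()
            keys[current][name] = int(dword, 16) if dword is not None else string
    return keys

def triage(keys):
    """Report every Winlogon Notify package (any unexpected DllName is a
    persistence lead) and 360Safe protection switches that are set to 0."""
    findings = []
    for path, values in keys.items():
        if path.startswith(NOTIFY_KEY + "\\"):
            findings.append(("winlogon_notify", path.rsplit("\\", 1)[1],
                             values.get("DllName"), values.get("Startup")))
        elif path == SAFEMON_KEY:
            disabled = sorted(n for n, v in values.items() if n.endswith("Access") and v == 0)
            if disabled:
                findings.append(("360safe_disabled", disabled))
    return findings
```

Run it over a real export (regedit's File > Export, saved as Unicode text) and compare each reported DllName against the DLLs you expect under Notify on that build.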
Information stealing

The adware collects the following information:

  • network adapter information
  • computer name
  • volume serial number

The adware can send the information to a remote machine.

Other information

The adware acquires data and commands from a remote computer or the Internet.

The adware contains a list of 5 URLs.

HTTP is used for the communication.

The adware launches the following processes:

  • iexplore.exe

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • update itself to a newer version
  • run executable files
