ADW_CYDOOR.GA

Infection Channel: Downloaded from the Internet, Dropped by other malware

This adware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It may be manually installed by a user.

It does not have any propagation routine.

It does not have any backdoor routine.

File Size: 3,893,248 bytes

File Type: EXE

Memory Resident: Yes

Initial Samples Received Date: 20 Aug 2015

Payload: Displays pop up ads, Compromises system security

Arrival Details

This adware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It may be manually installed by a user.

Installation

This adware drops the following files:

%System%\cd_clint.dll - detected as ADWARE_CYDOOR
%System%\cd_htm.dll - detected as ADWARE_CYDOOR
%System%\CD_Load.exe - detected as Adware_Cydoor
%System%\AdCache\b_149300.GIF
%System%\AdCache\b_149301.GIF
%System%\AdCache\b_151700.GIF
%System%\AdCache\b_151701.GIF
%User Temp%\_ad149.dll - detected as ADWARE_CYDOOR
%User Temp%\{random folder name}\CD_Load.exe - detected as Adware_Cydoor
%User Temp%\{random folder name}\cd_clint.dll - detected as ADWARE_CYDOOR
%User Temp%\{random folder name}\cd_htm.dll - detected as ADWARE_CYDOOR
%User Temp%\{random folder name}\ftetris.exe
%User Temp%\{random folder name}\RUNDLL32.EXE
%User Temp%\{random folder name}\Start.cdi
%User Temp%\{random folder name}\_ad149.rtp
%User Temp%\{random folder name}\_ad149.adx
%User Temp%\{random folder name}\Privacy.gif
%User Temp%\{random folder name}\B_149300.gif
%User Temp%\{random folder name}\B_149301.gif
%User Temp%\{random folder name}\adverck\B_149300.gif
%User Temp%\{random folder name}\adverck\B_149301.gif
%User Temp%\{random folder name}\adverck\cd_clint.dll - detected as ADWARE_CYDOOR
%User Temp%\{random folder name}\adverck\cd_htm.dll - detected as ADWARE_CYDOOR
%User Temp%\{random folder name}\adverck\CD_Load.exe - detected as Adware_Cydoor
%User Temp%\{random folder name}\adverck\ftetris.exe
%User Temp%\{random folder name}\adverck\Privacy.gif
%User Temp%\{random folder name}\adverck\Start.cdi

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.. %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It creates the following folders:

%System%\AdCache
%User Temp%\{random folder name}

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.. %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

Other System Modifications

This adware adds the following registry keys:

HKEY_CURRENT_USER\Software\Cydoor

HKEY_CURRENT_USER\Software\Cydoor\
Adwr_{numbers}

HKEY_CURRENT_USER\Software\Cydoor\
Adwr_{numbers}\Loct_{number}

HKEY_CURRENT_USER\Software\Cydoor\
Adwr_{numbers}\Loct_{number}\Level_{number}

HKEY_CURRENT_USER\Software\Cydoor\
Adwr_{numbers}\Loct_{number}\Level_{number}\
Seqn_{numbers}

HKEY_CURRENT_USER\Software\Cydoor Services

HKEY_CURRENT_USER\Software\Cydoor Services\
Status

HKEY_CURRENT_USER\Software\Cydoor Services\
Queue

HKEY_LOCAL_MACHINE\SOFTWARE\Cydoor

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
AdSupport_{numbers}

It adds the following registry entries:

HKEY_CURRENT_USER\Software\Cydoor
HIS_1 = ""

HKEY_CURRENT_USER\Software\Cydoor
RHIS_1 = ""

HKEY_CURRENT_USER\Software\Cydoor
DHIS_1 = ""

HKEY_CURRENT_USER\Software\Cydoor
Vers = "{value}"

HKEY_CURRENT_USER\Software\Cydoor
Desc2 = "{data}"

HKEY_CURRENT_USER\Software\Cydoor
UserCode = "0"

HKEY_CURRENT_USER\Software\Cydoor
ShowChange = "1"

HKEY_CURRENT_USER\Software\Cydoor
Errors = "{value}"

HKEY_CURRENT_USER\Software\Cydoor
PrxyEnable = "{value}"

HKEY_CURRENT_USER\Software\Cydoor
PrxyUrl = "{value}"

HKEY_CURRENT_USER\Software\Cydoor
ConnType = "2"

HKEY_LOCAL_MACHINE\SOFTWARE\Cydoor
AdwrCnt = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Cydoor
%Program Files%\2VG\FTetris\tetris.exe = "{numbers}"

HKEY_CURRENT_USER\Software\Cydoor\
Adwr_{numbers}
ExistFile = "%PROGRAMFILES%\2VG\FTetris\tetris.exe"

HKEY_CURRENT_USER\Software\Cydoor\
Adwr_{numbers}
LoctNum = "1"

HKEY_CURRENT_USER\Software\Cydoor\
Adwr_{numbers}
DistCode = "0"

HKEY_CURRENT_USER\Software\Cydoor\
Adwr_{numbers}
ShowChange = "1"

HKEY_CURRENT_USER\Software\Cydoor\
Adwr_{numbers}
Uninstall = ""

HKEY_CURRENT_USER\Software\Cydoor\
Adwr_{numbers}\Loct_{number}\Level_{number}
SeqnList = "{hex values}"

HKEY_CURRENT_USER\Software\Cydoor\
Adwr_{numbers}\Loct_{number}\Level_{number}
SeqnNum = "2"

HKEY_CURRENT_USER\Software\Cydoor\
Adwr_{numbers}\Loct_{number}\Level_{number}
MinCycle = "0"

HKEY_CURRENT_USER\Software\Cydoor Services\
Status
IdleState = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
AdSupport_{numbers}
UninstallString = "RunDll32 %SystemRoot%\system32\cd_clint.dll,ServiceRunDll u_{numbers}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
FreeTetris_is1
Cydoor = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
FreeTetris_is1
UninstallString = ="RunDll32 %SystemRoot%\system32\cd_clint.dll,ServiceRunDll u_{numbers} "FreeTetris_is1""

HKEY_CURRENT_USER\Software\Cydoor\
Adwr_{numbers}\Loct_{number}\Level_{number}\
Seqn_{numbers}
ShowBann = "1"

HKEY_CURRENT_USER\Software\Cydoor\
Adwr_{numbers}\Loct_{number}\Level_{number}\
Seqn_{numbers}
PrCode = "{value}"

HKEY_CURRENT_USER\Software\Cydoor\
Adwr_{numbers}\Loct_{number}\Level_{number}\
Seqn_{numbers}
ExpsNum = "1"

HKEY_CURRENT_USER\Software\Cydoor\
Adwr_{numbers}\Loct_{number}\Level_{number}\
Seqn_{numbers}
ExpsCnt = "0"

HKEY_CURRENT_USER\Software\Cydoor\
Adwr_{numbers}\Loct_{number}\Level_{number}\
Seqn_{numbers}
ExpsLast = "0"

HKEY_CURRENT_USER\Software\Cydoor\
Adwr_{numbers}\Loct_{number}\Level_{number}\
Seqn_{numbers}
BannNum = "2"

HKEY_CURRENT_USER\Software\Cydoor\
Adwr_{numbers}\Loct_{number}\Level_{number}\
Seqn_{numbers}
BannCnt = "0"

HKEY_CURRENT_USER\Software\Cydoor\
Adwr_{numbers}\Loct_{number}\Level_{number}\
Seqn_{numbers}
FileTerm = "GIF"

HKEY_CURRENT_USER\Software\Cydoor\
Adwr_{numbers}\Loct_{number}\Level_{number}\
Seqn_{numbers}
Url = "http://www.cydoor.com/Games"

HKEY_CURRENT_USER\Software\Cydoor\
Adwr_{numbers}\Loct_{number}\Level_{number}\
Seqn_{numbers}
Url = "http://www.cydoor.com/music"

HKEY_CURRENT_USER\Software\Cydoor\
Adwr_{numbers}\Loct_{number}\Level_{number}\
Seqn_{numbers}
ConfStr = "{data}"

HKEY_CURRENT_USER\Software\Cydoor\
Adwr_{numbers}\Loct_{number}\Level_{number}\
Seqn_{numbers}
Type = "1"

HKEY_CURRENT_USER\Software\Cydoor\
Adwr_{numbers}\Loct_{number}\Level_{number}\
Seqn_{numbers}
CycleInter = "2"

Propagation

This adware does not have any propagation routine.

Backdoor Routine

This adware does not have any backdoor routine.

NOTES:

It connects to the following websites for displaying pop up advertisements:

http://ww15.{BLOCKED}or.com/Games
http://www.c{BLOCKED}or.com/Games
http://www.c{BLOCKED}or.com/music
http://{BLOCKED}d.ok{BLOCKED}65.com/?dm=cydoor.com&acc={value}&ref=http://ww15.cydoor.com/Games
http://www.b{BLOCKED}s2.net/{path 1}/{path 2}?{data}
http://www.b{BLOCKED}s1.net/{path 1}/{path 2}?{data}
http://www.r{BLOCKED}s2.net/{path 1}/{path 2}?{data}
http://www.r{BLOCKED}s1.net/{path 1}/{path 2}?{data}
http://www.c{BLOCKED}s2.net/{path 1}/{path 2}?{data}
http://www.c{BLOCKED}s1.net/{path 1}/{path 2}?{data}

{path 1} can be any of the following:

scripts/brs/
scripts/rgs/
scripts/cms/

{path 2} can be any of the following:

Cms{number}.ASP
Rgs{number}.ASP
RgsInit.ASP
CmsInit.ASP
RgsInit{number}.ASP
CmsInit{number}.ASP

It may perform the following routines:

Allow the program that installed it to launch it
Display pop up advertisements
Produce message box
Enable or Disable proxy usage
Check for Internet connection
Sleep

Minimum Scan Engine: 9.300

SSAPI PATTERN File: 1.652.17

SSAPI PATTERN Date: 22 Aug 2015

Step 1

Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.

Step 2

Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.

Step 3

Restart in Safe Mode

[ Learn More ]

Step 4

Delete this registry key

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

In HKEY_CURRENT_USER\Software
- Cydoor
In HKEY_CURRENT_USER\Software
- Cydoor Services
In HKEY_LOCAL_MACHINE\SOFTWARE
- Cydoor
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
- AdSupport_{numbers}

Step 5

Delete this registry value

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FreeTetris_is1
- Cydoor = "1"
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FreeTetris_is1
- UninstallString = ="RunDll32 %SystemRoot%\system32\cd_clint.dll,ServiceRunDll u_{numbers} "FreeTetris_is1""

Step 6

Search and delete this file

[ Learn More ]

There may be some files that are hidden. Please make sure you check the Search Hidden Files and Folders checkbox in the "More advanced options" option to include all hidden files and folders in the search result.

%System%\cd_clint.dll
%System%\cd_htm.dll
%System%\CD_Load.exe
%User Temp%\_ad149.dll

Step 7

Search and delete these folders

[ Learn More ]

Please make sure you check the Search Hidden Files and Folders checkbox in the More advanced options option to include all hidden folders in the search result.

%System%\AdCache
%User Temp%\{random folder name}

Step 8

Restart in normal mode and scan your computer with your Trend Micro product for files detected as ADW_CYDOOR.GA. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

Step 9

Scan your computer with your Trend Micro product to delete files detected as ADW_CYDOOR.GA. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

Did this description help? Tell us how we did.

OVERVIEW

TECHNICAL DETAILS

SOLUTION

Resources

Support

About Trend

Country Headquarters

ADW_CYDOOR.GA

OVERVIEW

TECHNICAL DETAILS

SOLUTION

Resources

Support

About Trend

Country Headquarters

The Americas

Middle East & Africa

Europe

Asia & Pacific