ADW_METER

This adware may arrive bundled with malware packages as a malware component. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It may be manually installed by a user.

It acts as a Browser Helper Object (BHO) that monitors a user's Internet-browsing habits.

It does not have any propagation routine.

It does not have any backdoor routine.

It does not have any downloading capability.

It displays pop-up advertisements.

It connects to certain websites to send and receive information.

Arrival Details

This adware may arrive bundled with malware packages as a malware component.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It may be manually installed by a user.

Installation

This adware drops the following files:

• %User Temp%\scoped_dir{random numbers}_{random numbers}\Cookies
• %User Temp%\scoped_dir{random numbers}_{random numbers}\Cookies-journal
• %User Temp%\scoped_dir{random numbers}_{random numbers}\index
• %User Temp%\scoped_dir{random numbers}_{random numbers}\data_{pseudorandom value}
• %User Temp%\scoped_dir{random numbers}_{random numbers}\f_{6 pseudorandom value}

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It creates the following folders:

• %User Temp%\scoped_dir{random numbers}_{random numbers}

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

Autostart Technique

This adware acts as a Browser Helper Object (BHO) that monitors a user's Internet-browsing habits.

Other System Modifications

This adware adds the following registry keys:

HKEY_CURRENT_USER\Software\PriceMeter

It adds the following registry entries:

HKEY_CURRENT_USER\Software\PriceMeter
activePM = "{value}"

HKEY_CURRENT_USER\Software\PriceMeter
firstdet = "{value}"

HKEY_CURRENT_USER\Software\PriceMeter
firstFlach = "{value}"

HKEY_CURRENT_USER\Software\PriceMeter
firstStart = "{value}"

HKEY_CURRENT_USER\Software\PriceMeter
hbpm__ = "{value}"

HKEY_CURRENT_USER\Software\PriceMeter
pmafterhdnl = "{value}"

HKEY_CURRENT_USER\Software\PriceMeter
quickVer = "9"

Propagation

This adware does not have any propagation routine.

Backdoor Routine

This adware does not have any backdoor routine.

Download Routine

This adware does not have any downloading capability.

Adware Routine

This adware displays pop-up advertisements.

Other Details

This adware connects to the following website to send and receive information:

• http://srv-live.{BLOCKED}a.com.ph
• http://s.{BLOCKED}pm.com/
• http://q.{BLOCKED}pm.com/
• http://o.{BLOCKED}pm.com/
• http://m.{BLOCKED}pm.com/
• http://h.{BLOCKED}pm.com/
• http://ft.{BLOCKED}pmt.com/
• http://f.{BLOCKED}pm.com/
• http://es.{BLOCKED}pm.com/
• http://c.{BLOCKED}pm.com/
• http://{BLOCKED}n.com

NOTES:

This adware requires its components to run properly. It is used to monitor browsing activity and display pop-ups when visiting online selling websites to offer alternative products similar to below:

It does not have rootkit capabilities.

It does not exploit any vulnerability.