ADW_NCASE.A

This adware may arrive bundled with malware packages as a malware component. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This adware may arrive bundled with malware packages as a malware component.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This adware drops the following files:

• {adware path}:\{random name}.log
• %User Temp%\18065.mht

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

Autostart Technique

This adware adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
{random name} = "{adware location}"

Other System Modifications

This adware adds the following registry keys:

HKEY_CURRENT_USER\Software\{random name}

HKEY_LOCAL_MACHINE\SOFTWARE\{random name}

Other Details

This adware connects to the following possibly malicious URL:

• {BLOCKED}s.180solutions.com
• http://{BLOCKED}g.180solutions.com

NOTES:

Where {random name} can be the following:

• zanu
• zango
• msbb
• sac
• 180sa
• 180adsolution
• searchassistant
• 180ax
• saap
• sais
• samds
• sain
• saie
• salm
• saip
• sahra
• sahrb
• sahrc
• sahrd
• bmrg
• sau