ADW_MOTOR.A
Overview


In the wild: No

Reported detections: Low

Description:

Threat Type: Adware

Systems Affected: Windows 98, ME, NT, 2000, and XP.

This adware may be downloaded from the Internet. It may also be packaged with other software applications. Upon execution, it connects to the following URLs, from which it downloads components:

  • http://bins.media-motor.net/
  • http://bins2.media-motor.net/
  • http://mmm.media-motor.net/
  • http://www.maxmind.com:8010/

The downloaded files are saved in the Windows folder using the following file names:

  • a64sddd.exe
  • affbun.txt
  • imgurla.exe
  • mm63.ocx
  • tempf.txt
  • unstall.exe
  • usta32.ini

This adware creates advertisements and generates popup windows related to Media Motor.

It creates the following registry entry to run at Windows startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run popuppers64="%Windows%\a64sddd.exe"

(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)

It creates the following registry keys:

HKEY_CLASSES_ROOT\IObjSafety.DemoCtl

HKEY_CLASSES_ROOT\CLSID\{E0CE16CB-741C-4B24-8D04-A817856E07F4}

HKEY_CLASSES_ROOT\Interface\{3E4BCF50-865B-4EF4-A0BC-BF57229EA525}

HKEY_CLASSES_ROOT\Interface\{64A5BD22-8D8A-4193-9CF8-7DB5212ABB17}

HKEY_CLASSES_ROOT\Interface\{674A6BD5-317A-49CF-9647-1E085E660CE0}

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\media-motor.net

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\popuppers.com

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\media-motor



Solution:

TREND MICRO SOLUTION

  • Minimum scan engine version needed: 7.100
      TMAPTN version needed: 220.02
  • DCE version needed: 3.8
      TMADCE version needed: <not yet available as of this writing>

MANUAL REMOVAL INSTRUCTIONS

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the grayware from executing at startup.

  1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Run
  3. In the right panel, locate and delete the entry:
    popuppers64="%Windows%\a64sddd.exe"
  4. In the left panel, locate and delete the following:
    • HKEY_CLASSES_ROOT>IObjSafety.DemoCtl
    • HKEY_CLASSES_ROOT>CLSID>{E0CE16CB-741C-4B24-8D04-A817856E07F4}
    • HKEY_CLASSES_ROOT>Interface>{3E4BCF50-865B-4EF4-A0BC-BF57229EA525}
    • HKEY_CLASSES_ROOT>Interface>{64A5BD22-8D8A-4193-9CF8-7DB5212ABB17}
    • HKEY_CLASSES_ROOT>Interface>{674A6BD5-317A-49CF-9647-1E085E660CE0}
    • HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Internet Settings>ZoneMap>Domains>media-motor.net
    • HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Internet Settings>ZoneMap>Domains>popuppers.com
    • HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Uninstall>media-motor
  5. Close Registry Editor.

NOTE: If you were not able to terminate the grayware process as described in the previous procedure, restart your system.
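
A read-only check for the artifacts listed on this page, useful for confirming that the manual removal steps took effect. It is an added example, not Trend Micro tooling. It looks for the popuppers64 value under both HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER because the description names one hive and the removal steps name the other, and it assumes PowerShell 3.0 or later run as the affected user.

```powershell
# Added example: reports (never deletes) the ADW_MOTOR.A artifacts named on this page.
$winDir = $env:windir   # the page's %Windows% folder

# Autostart value: check both hives, since the page mentions HKLM and HKCU.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

# HKEY_CLASSES_ROOT has no default PSDrive, so provider-qualified paths are used.
# HKEY_CURRENT_USER entries cover only the user running this script.
$zoneMap = 'Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$keys = 'Registry::HKEY_CLASSES_ROOT\IObjSafety.DemoCtl',
        'Registry::HKEY_CLASSES_ROOT\CLSID\{E0CE16CB-741C-4B24-8D04-A817856E07F4}',
        'Registry::HKEY_CLASSES_ROOT\Interface\{3E4BCF50-865B-4EF4-A0BC-BF57229EA525}',
        'Registry::HKEY_CLASSES_ROOT\Interface\{64A5BD22-8D8A-4193-9CF8-7DB5212ABB17}',
        'Registry::HKEY_CLASSES_ROOT\Interface\{674A6BD5-317A-49CF-9647-1E085E660CE0}',
        "$zoneMap\media-motor.net",
        "$zoneMap\popuppers.com",
        'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\media-motor'

# File names the page says are saved in the Windows folder.
$files = 'a64sddd.exe', 'affbun.txt', 'imgurla.exe', 'mm63.ocx',
         'tempf.txt', 'unstall.exe', 'usta32.ini'

$findings = @()
foreach ($k in $runKeys) {
    $p = Get-ItemProperty -LiteralPath $k -Name 'popuppers64' -ErrorAction SilentlyContinue
    if ($p) {
        $findings += [pscustomobject]@{ Type = 'RunValue'; Artifact = "$k\popuppers64"; Detail = $p.popuppers64 }
    }
}
foreach ($k in $keys) {
    if (Test-Path -LiteralPath $k) {
        $findings += [pscustomobject]@{ Type = 'RegistryKey'; Artifact = $k; Detail = '' }
    }
}
foreach ($f in $files) {
    $path = Join-Path $winDir $f
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $findings += [pscustomobject]@{ Type = 'File'; Artifact = $path; Detail = (Get-Item -LiteralPath $path).LastWriteTime }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else { 'No ADW_MOTOR.A artifacts from this page were found.' }
```

A file-name match alone is weak evidence, since names such as tempf.txt are not unique to this adware; treat it as a lead and corroborate it with the registry findings or a scan.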

Additional Windows ME/XP Cleaning Instructions

Users running Windows ME and XP must disable System Restore to allow full scanning of infected systems.

Users running other Windows versions can proceed to the next procedure.

Running Trend Micro Antivirus

Download and unzip the latest grayware pattern file and scan your system. Then, delete all files detected as ADW_MOTOR.A.




Description created: Feb 14, 2005



