Threat Descriptions

Adware:W32/LinkOptimizer

Classification

Category :

Spyware

Type :

Adware

Platform :

W32

Aliases :

LinkOptimizer

Summary

This program delivers advertising content to the user. It is usually annoying but harmless, unless it is combined with spyware or trackware.

Removal

Based on the settings of your F-Secure security product, it may block the file from running, move it to the quarantine where it cannot spread or cause harm, or ask you to select an action.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Adware:W32/LinkOptimizer is an adware application with active rootkit technology.&

Installation

This adware& tries to use social engineering to convince the user to download and execute it by imitating one of the following file names:

  • www.google.com
  • www.auto.com
  • www.free.com
  • www.super.com
  • www.pictures.com

The files using the COM extension can actually be executed exactly the same as EXE, CMD, SCR and other Windows executable formats; despite the COM extension, the file is actually the downloader that will download LinkOptimizer adware and its rootkit component.

Once the downloader is executed, it will download and drop the following files:

  • C:\Windows\[5 random characters]1.dll
  • C:\Windows\Temp\[Random name]1.exe

LinkOptimizer adds itself to the registry as a browser helper object (BHO) to maintain control of Internet Explorer instances.

Activity

While the browser is running, LinkOptimizer displays pop-up windows at random intervals.

&It also hijacks the default search page and attempts to connect to various hard-coded sites in order to download and execute files.

Registry

Adware.LinkOptimizer is installed as a BHO by adding the following registry subkey:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\[random CLSID]]

Adware is loaded to the following registry subkey:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]& "AppInit_DLLs" = "C:\Windows\[5 random characters]1.dll"

The DLL file and the registry key are hidden by the rookit.

The program also overwrites the default URLSearchHooks onHKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks in order to hijack Internet Explorer address bar searches:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\URLSearchHooks]& {CFBFAE00-17A6-11D0-99CB-00C04FD64497}=

Stealth

More recently, LinkOptimizer has been bundled with a powerful rootkit named Gromozon. Gromozon's main purpose is to hide its own presence (and the LinkOptimzer component's) using numerous techniques such as:

  • Special user accounts
  • Undocumented NTFS features
  • Blocking anti-rootkit programs
  • Windows API hooking
  • Removing the user's administrator rights

As part of its stealth functionality, the rootkit installs a range of hooks (see above).

Network Connections

Attempts to connect to:

  • https://gcwave.com/fg.php
  • http://www.flashkin.net/bs.php
  • http://www.flashkin.net/wl.php
  • http://www.flashkin.net/sh.php
  • http://www.flashkin.net/wlink.php
  • http://www.flashkin.net/ws.php
  • http://www.flashkin.net/gc.php
  • http://washerner.com
  • http://chongchua.com/
  • http://livingcert.com
  • http://fogcu.com

Stealth Features

Installs these hooks:

  • ws2_32.dll!getaddrinfo
  • advapi32.dll!RegSetValueW
  • advapi32.dll!CreateProcessWithLogonW
  • advapi32.dll!GetFileSecurityA
  • advapi32.dll!SetFileSecurityA
  • advapi32.dll!RegSetValueA
  • kernel32.dll!GetBinaryTypeW
  • kernel32.dll!OpenFile
  • kernel32.dll!MoveFileWithProgressW
  • kernel32.dll!ExitProcess
  • kernel32.dll!FindFirstFileW
  • kernel32.dll!LoadLibraryW
  • kernel32.dll!GetProcAddress
  • ntdll.dll!LdrUnloadDll
  • ntdll.dll!LdrLoadDll
  • ntdll.dll!NtWriteVirtualMemory
  • ntdll.dll!NtVdmControl
  • ntdll.dll!NtReadVirtualMemory
  • ntdll.dll!NtQuerySystemInformation
  • ntdll.dll!NtQueryInformationFile
  • ntdll.dll!NtQueryDirectoryFile
  • advapi32.dll!RegSetValueW
  • advapi32.dll!CreateProcessWithLogonW
  • advapi32.dll!GetFileSecurityA
  • advapi32.dll!SetFileSecurityA
  • advapi32.dll!RegSetValueA
  • kernel32.dll!GetBinaryTypeW
  • kernel32.dll!OpenFile
  • kernel32.dll!MoveFileWithProgressW
  • kernel32.dll!ExitProcess
  • kernel32.dll!FindFirstFileW
  • kernel32.dll!LoadLibraryW
  • kernel32.dll!GetProcAddress
  • ntdll.dll!LdrUnloadDll
  • ntdll.dll!LdrLoadDll
  • ntdll.dll!NtWriteVirtualMemory
  • ntdll.dll!NtVdmControl
  • ntdll.dll!NtReadVirtualMemory
  • ntdll.dll!NtQuerySystemInformation
  • ntdll.dll!NtQueryInformationFile
  • ntdll.dll!NtQueryDirectoryFile