Adware:W32/Look2Me

Classification

Category :

Spyware

Type :

Adware

Aliases :

Adware.Look2Me, NicTech Networks

Summary

This program delivers advertising content to the user. It is usually annoying but harmless, unless it is combined with spyware or trackware.

Removal

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Look2Me is an adware program made by NicTech Networks Inc and may be bundled together with other software, or silently installed by trojans.

The program operates stealthily on machines running Windows 2000, XP and Server 2003. The name Look2Me refers to the servers that earlier versions connected to; current versions connect to www.ad-w-a-r-e.com instead.

The advertisements Look2Me displays are most commonly Internet Explorer pop-up windows, but they may also be customized in shape and animation to fit the advertising content. The program displays an excessive number of pop-up advertisements.

[Image: example of a Look2Me pop-up advertisement]

Some of the advertisements push the user to install ErrorGuard or WinFixer.

Installation

Look2Me may be silently installed together with other software, or it may be silently installed by a trojan. Look2Me cannot replicate on its own; it has to be placed on each system it affects, either by a user installing a bundle that carries it or by another program such as a trojan.

The program uses a guardian component to resist removal. It removes the Debug privilege (SeDebugPrivilege) from all user accounts, attaches a notification package to Winlogon, and monitors user policy rights and system settings. During installation the Explorer process is restarted and the computer is made to look as though it is shutting down; in fact, the guardian component is being installed during this time.

During installation Look2Me also registers itself as a COM component under a random filename (typically with a .dll extension). It creates a randomly named Class ID (CLSID) key to identify itself as a COM component, and a related registry key that approves the CLSID for execution.

Registry Modifications

Creates these keys:

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
  • HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

    The Winlogon notification package entry carries these values:

      Asynchronous = 0
      DllName = (the randomly named Look2Me DLL)
      Impersonate = 0
      Logon = "Winlogon"
      Logoff = "WinLogoff"
      Shutdown = "WinShutdown"
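The following script is an added example for triaging the persistence points described in the Installation and Registry Modifications sections; it is not part of the F-Secure description and not code from NicTech Networks. It enumerates Winlogon notification packages and flags any unsigned DLL registered with the Logon/Logoff/Shutdown export names listed above, resolves every CLSID on the shell-extension "Approved" list to its InprocServer32 DLL and flags unsigned or missing servers, and reads the local SeDebugPrivilege assignment, which Look2Me is described as stripping. The key paths are the standard Windows locations; the "Suspicious" columns are analyst heuristics, not a detection signature, and the script only reads (it changes nothing, so it is safe to run on a machine under investigation).

```powershell
# Added example, not part of the original F-Secure description or NicTech code.
# Read-only triage of the persistence points the page describes:
#   1. Winlogon notification packages (DLLs loaded into winlogon.exe),
#   2. the shell-extension "Approved" list and the CLSIDs it points to,
#   3. the SeDebugPrivilege assignment, which Look2Me is described as removing.
# Run in an elevated PowerShell session on Windows. "Suspicious" is a heuristic
# for an analyst, not a signature. Nothing here modifies the system.

$NotifyKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$ApprovedKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved'

function Resolve-NotifyDll([string]$DllName) {
    # Winlogon loads unqualified DllName values from %SystemRoot%\System32.
    if (-not $DllName) { return $null }
    if ([System.IO.Path]::IsPathRooted($DllName)) { return $DllName }
    return Join-Path $env:SystemRoot ("System32\" + $DllName)
}

function Get-SignatureStatus([string]$Path) {
    # 'Valid', 'NotSigned', 'HashMismatch', ... or 'missing' if the file is gone.
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return 'missing' }
    return (Get-AuthenticodeSignature -FilePath $Path).Status.ToString()
}

function Get-WinlogonNotifyPackages {
    if (-not (Test-Path $NotifyKey)) { return @() }
    foreach ($sub in Get-ChildItem $NotifyKey) {
        $v   = Get-ItemProperty -Path $sub.PSPath
        $dll = Resolve-NotifyDll $v.DllName
        $sig = Get-SignatureStatus $dll
        [pscustomobject]@{
            Subkey     = $sub.PSChildName
            DllName    = $v.DllName
            Signature  = $sig
            Logon      = $v.Logon
            Logoff     = $v.Logoff
            Shutdown   = $v.Shutdown
            # The export names the page lists for Look2Me, on a DLL Microsoft did not sign.
            Suspicious = ($v.Logon -eq 'Winlogon' -and $v.Logoff -eq 'WinLogoff' -and
                          $v.Shutdown -eq 'WinShutdown' -and $sig -ne 'Valid')
        }
    }
}

function Get-ApprovedShellExtensions {
    if (-not (Test-Path $ApprovedKey)) { return @() }
    $clsidPattern = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'
    $entries = (Get-ItemProperty -Path $ApprovedKey).PSObject.Properties |
               Where-Object { $_.Name -match $clsidPattern }
    foreach ($e in $entries) {
        # Approved maps CLSID -> description; the server DLL lives under HKLM\Software\Classes.
        $server   = "HKLM:\SOFTWARE\Classes\CLSID\$($e.Name)\InprocServer32"
        $dll      = if (Test-Path $server) { (Get-ItemProperty -Path $server).'(default)' } else { $null }
        $expanded = if ($dll) { [Environment]::ExpandEnvironmentVariables($dll) } else { $null }
        $sig      = Get-SignatureStatus $expanded
        [pscustomobject]@{
            CLSID       = $e.Name
            Description = $e.Value
            Dll         = $expanded
            Signature   = $sig
            # A randomly named, unsigned (or vanished) server behind an approved CLSID
            # matches the installation behaviour described above.
            Suspicious  = ($sig -ne 'Valid')
        }
    }
}

function Get-DebugPrivilegeAssignment {
    # secedit exports local security policy as an INI file. SeDebugPrivilege normally
    # lists the Administrators SID (*S-1-5-32-544); an empty value means it was stripped.
    $tmp = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    try {
        secedit.exe /export /cfg $tmp /quiet | Out-Null
        $line = Select-String -Path $tmp -Pattern '^SeDebugPrivilege\s*=' | Select-Object -First 1
        $sids = if ($line) { ($line.Line -split '=', 2)[1].Trim() } else { '' }
        [pscustomobject]@{
            Assigned   = $sids
            Suspicious = ($sids -eq '')   # no account holds SeDebugPrivilege
        }
    } finally {
        Remove-Item -LiteralPath $tmp -ErrorAction SilentlyContinue
    }
}

'== Winlogon notification packages =='
Get-WinlogonNotifyPackages | Format-Table -AutoSize
'== Approved shell extensions with unsigned or missing servers =='
Get-ApprovedShellExtensions | Where-Object Suspicious | Format-Table -AutoSize
'== SeDebugPrivilege assignment =='
Get-DebugPrivilegeAssignment | Format-List
```

Winlogon loads notification packages only on the operating systems the page lists (Windows 2000, XP and Server 2003); later versions ignore the Notify key, so on a newer machine the first report is usually empty while the Approved-list and privilege checks still apply. A signed, vendor-named DLL in either list is normal; what warrants a closer look is an entry whose DLL name is random-looking and unsigned, which is exactly the pattern the installation description gives.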