HotTVPlayer (and Paris Hilton) made their way into the advertising business recently (today) thanks to ad.yieldmanager.com, aka Yahoo.
Yahoo already hit the news in the last few days with several malicious Flash banners.
Advertisement.
After a click on the banner, you are invited to download a "hot" PH video.
Let's play the game and act just like the "left hand clicker" inside of you.
After the initial download we are presented with an EULA that should ring a bell ... but it won't in most cases.
Tss, what's happening... I must be experiencing some hardware trouble, because my silly mouse is attracted by the "Watch PH movie!" button, whoops.
Ah well, let's be crazy, follow the silly mouse and have a peek behind the scenes. While the install of your PH video is progressing, the installer copies a file to the %userprofile%\Local Settings\Application Data folder and launches the freshly copied file with some command line parameters.
The randomly named executable writes into the virtual memory of explorer.exe (i.e. into the memory pages of explorer.exe).
Once the install has completed you are redirected to a web page with congratulations and some additional options available by phone call ... in the sample, more sexy girls and, just below, an advert for messenger emoticons? Huhu ...
Meanwhile the PH video is running ... and so is the rootkit's update check.
security-updater.com/SA/cpi.php?browser_language=en-us&guid=[removed]&compid=[removed]&idt=&dbid=&gid=[removed]&tcpc=[removed]
updates.advert-network.com/pdata/cnconfig.gz?ct=[removed]&bp=[removed]&vs=&grp=[removed]&tcpc=[removed]

Navipromo is adware that runs in stealth mode, hidden from the user by means of rootkit techniques. The software reports visited URLs back to the server and displays pop-up and pop-under advertisements. It updates itself about every hour.
Filename: jdzcql.exe (random file name)
File size: 299008 bytes
MD5: 6ca11a99ef14155ab70e53b9abe7f75d
SHA1: f05462e27984208a0da7d7b2ebb923e4fa443bbf
PEiD: Microsoft Visual C++ 6.0
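Added example, not part of the original post: a small proxy-log check that flags clients requesting the two update-check URLs quoted above and reports whether their hits recur at the roughly hourly cadence described. The log format ("<epoch> <client_ip> <method> <url>"), the sample lines, the client addresses and the tolerance values are constructed assumptions; only the hostnames, paths and query keys come from the post.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Beacon endpoints (host, path) quoted in the post above.
NAVIPROMO_BEACONS = {
    ("security-updater.com", "/SA/cpi.php"),
    ("updates.advert-network.com", "/pdata/cnconfig.gz"),
}
# Query keys the beacons carry; they identify the infected machine.
ID_KEYS = ("guid", "compid", "gid", "tcpc")
# Constructed, simplified proxy log: "<epoch> <client_ip> <method> <url>".
SAMPLE_LOG = """\
1209080000 10.0.0.5 GET http://security-updater.com/SA/cpi.php?browser_language=en-us&guid=AAAA&compid=BBBB&idt=&dbid=&gid=CCCC&tcpc=DDDD
1209080100 10.0.0.7 GET http://www.example.com/index.html
1209083600 10.0.0.5 GET http://updates.advert-network.com/pdata/cnconfig.gz?ct=1&bp=2&vs=&grp=3&tcpc=DDDD
1209087230 10.0.0.5 GET http://security-updater.com/SA/cpi.php?browser_language=en-us&guid=AAAA&compid=BBBB&idt=&dbid=&gid=CCCC&tcpc=DDDD
1209087300 10.0.0.9 GET http://security-updater.com/other.php?x=1
"""
LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def match_beacon(url):
    """Return (host, path, ids) if url is a Navipromo beacon, else None."""
    u = urlsplit(url if "://" in url else "http://" + url)
    if (u.hostname, u.path) not in NAVIPROMO_BEACONS:
        return None  # same host but another path is not the beacon
    q = parse_qs(u.query, keep_blank_values=True)
    return u.hostname, u.path, {k: q.get(k, [""])[0] for k in ID_KEYS}

def find_infected(lines, period=3600, tolerance=300):
    """Map client_ip -> {"hits", "hourly", "ids"} for clients hitting a beacon."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, _method, url = m.groups()
        hit = match_beacon(url)
        if hit:
            hits[client].append((int(ts), hit[2]))
    report = {}
    for client, events in hits.items():
        events.sort(key=lambda e: e[0])
        stamps = [t for t, _ in events]
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        # "hourly" means every gap between consecutive hits is within tolerance of period
        hourly = bool(gaps) and all(abs(g - period) <= tolerance for g in gaps)
        ids = {k: v for _, i in events for k, v in i.items() if v}
        report[client] = {"hits": len(stamps), "hourly": hourly, "ids": ids}
    return report
```

Run over the constructed log it reports only 10.0.0.5, with three hits at hourly spacing and the guid/compid/gid/tcpc values extracted from the query strings.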
If you suspect the presence of Navipromo on your PC, seek help on the forums, as detection and removal should be left to qualified helpers.

File jdzcql.exe received on 04.24.2008 23:38:42 (CET)
AhnLab-V3 2008.4.24.0 2008.04.24 -
AntiVir 7.8.0.8 2008.04.24 -
Authentium 4.93.8 2008.04.24 -
Avast 4.8.1169.0 2008.04.24 -
AVG 7.5.0.516 2008.04.24 -
BitDefender 7.2 2008.04.24 -
CAT-QuickHeal 9.50 2008.04.24 -
ClamAV 0.92.1 2008.04.24 -
DrWeb 4.44.0.09170 2008.04.24 -
eSafe 7.0.15.0 2008.04.21 -
eTrust-Vet 31.3.5731 2008.04.24 -
Ewido 4.0 2008.04.24 -
F-Prot 4.4.2.54 2008.04.24 -
F-Secure 6.70.13260.0 2008.04.24 -
FileAdvisor 1 2008.04.24 -
Fortinet 3.14.0.0 2008.04.24 -
Ikarus T3.1.1.26.0 2008.04.24 -
Kaspersky 7.0.0.125 2008.04.24 -
McAfee 5281 2008.04.24 -
Microsoft 1.3408 2008.04.22 -
NOD32v2 3053 2008.04.24 -
Norman 5.80.02 2008.04.24 -
Panda 9.0.0.4 2008.04.24 -
Prevx1 V2 2008.04.24 Heuristic: Suspicious Self Modifying EXE
Rising 20.41.32.00 2008.04.24 -
Sophos 4.28.0 2008.04.24 -
Sunbelt 3.0.1056.0 2008.04.17 -
Symantec 10 2008.04.24 -
TheHacker 6.2.92.291 2008.04.24 -
VBA32 3.12.6.5 2008.04.24 -
VirusBuster 4.3.26:9 2008.04.24 -
Webwasher-Gateway 6.6.2 2008.04.24 -