Adbehavior displays pop-up advertisements on the desktop. The advertisements generally contain an attribution to the sponsor, and are targeted based on search terms that the user enters at altavista.com, google.com, and yahoo.com. The software may install a browser helper object (BHO) to monitor the user's Web search terms.
Adbehavior may drop files such as the following (some file names may vary depending on the Adbehavior version):
Copies of its main executable file:
C:\Documents and Settings\<user name>\Local Settings\Temp\f240301955.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\nrpc.exe
Data store: C:\Windows\jmhvv.dll
Delivery of advertisements from Webnexus server: C:\Windows\System32\rnoccor.dll
Retrieval of host computer system information: C:\Windows\System32\bdrqqrb.exe
Thread management (to ensure that Adbehavior process is running): C:\Windows\System32\uiqvv.dll
Adbehavior software updates: C:\Windows\System32\supdate.dll
Other dropped files:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\didn.exe
Adbehavior may add the value "KavSvc" to the following registry subkey in order to run automatically each time Windows starts:
Adbehavior may also create registry subkeys such as the following:
Adbehavior retrieves advertisements and configuration information from servers that are part of the Webnexus network. The configuration information may specify that Adbehavior is not to display advertisements when the user's Web browser is connected to certain URLs, or when the browser is directed at addresses or paths that end in certain strings. This may include strings such as .bmp, .css, .doc, .pdf, .zip and many others.
Adbehavior may terminate the anti-spyware process gcasserv.exe if it is running. The Adbehavior software may also download and install software without notifying the user.