Threat behavior
Adware:Win32/AdRotator delivers advertisements and, as the name suggests, "rotates" them among sponsors. AdRotator contacts remote Web sites to retrieve updated content. It also displays fake error messages that encourage users to download and install additional applications.
Installation
AdRotator is installed into the Windows system folder as a Web browser helper object (BHO), usually under a file name such as "adrotate.dll".
This application may make a number of registry changes to the affected machine, and has been observed to make the following modifications:
HKEY_CLASSES_ROOT\CLSID\{34ef5b1c-52cb-400b-8b7c-f787018b3826}
HKEY_CLASSES_ROOT\CLSID\{3e7145b1-ea07-42ce-9299-11df39ff54bd}
HKEY_CLASSES_ROOT\CLSID\{582FDCF0-A82E-4fc1-A6F6-0D2F36881F63}
HKEY_CLASSES_ROOT\Interface\{e9d8697e-bea9-4170-84f3-509ad2a11951}
HKEY_CLASSES_ROOT\Typelib\{3cd9d85e-1ff2-4bf7-a113-6669b8d1e676}
HKEY_CLASSES_ROOT\Adrotator.application
HKEY_CLASSES_ROOT\Adspipe.ADBot2
HKEY_CLASSES_ROOT\Adspipe.ADBot2.1
HKEY_CLASSES_ROOT\Urllauncher.urllaunchercontrol
HKEY_CLASSES_ROOT\Urllauncher.urllaunchercontrol.1
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{49C96360-9DA5-4E3A-8FF4-FAD8E79DABF2}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{5074851C-F67A-488E-A9C9-C244573F4068}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{582FDCF0-A82E-4fc1-A6F6-0D2F36881F63}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{BCBCEE7B-2001-4971-B991-EB6E81C96CC5}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{D117A61F-92C3-4450-A0C8-F425B14D4127}
HKEY_LOCAL_MACHINE\Software\Classes\AdRotator.Application
HKEY_LOCAL_MACHINE\Software\Classes\Adspipe.ADBot
HKEY_LOCAL_MACHINE\Software\Classes\Adspipe.ADBot.1
HKEY_LOCAL_MACHINE\Software\Classes\BannerRotator.Rotator
HKEY_LOCAL_MACHINE\Software\Classes\BannerRotator.Rotator.1
HKEY_LOCAL_MACHINE\Software\Classes\ExtRotator.Rotator
HKEY_LOCAL_MACHINE\Software\Classes\ExtRotator.Rotator.1
HKEY_LOCAL_MACHINE\Software\Classes\URLLauncher.URLLauncherControl
HKEY_LOCAL_MACHINE\Software\Classes\URLLauncher.URLLauncherControl.1
HKEY_LOCAL_MACHINE\Software\Classes\URLSearch.URLSearch
HKEY_LOCAL_MACHINE\Software\Classes\URLSearch.URLSearch.1
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{49C96360-9DA5-4E3A-8FF4-FAD8E79DABF2}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5074851C-F67A-488E-A9C9-C244573F4068}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{582FDCF0-A82E-4fc1-A6F6-0D2F36881F63}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BCBCEE7B-2001-4971-B991-EB6E81C96CC5}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D117A61F-92C3-4450-A0C8-F425B14D4127}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run AdRotator.Application
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run adstart
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run Mwsvm
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run slmss
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\adspipe
HKEY_LOCAL_MACHINE\Software\mwsvm
HKEY_LOCAL_MACHINE\Software\slmss
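The BHO CLSIDs, ProgIDs and Run entries listed above can be checked offline against a regedit/"reg export" text file. The script below is an added example written for this entry, not code from the original page or from Microsoft; the sample export it scans is constructed, and the Run value's path is a placeholder.

```python
import re
# Indicators taken from the registry list above; registry names are case-insensitive.
BHO_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects".lower()
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run".lower()
BHO_CLSIDS = {"{49C96360-9DA5-4E3A-8FF4-FAD8E79DABF2}", "{5074851C-F67A-488E-A9C9-C244573F4068}",
              "{582FDCF0-A82E-4FC1-A6F6-0D2F36881F63}", "{BCBCEE7B-2001-4971-B991-EB6E81C96CC5}",
              "{D117A61F-92C3-4450-A0C8-F425B14D4127}"}
RUN_NAMES = {"adrotator.application", "adstart", "mwsvm", "slmss"}
PROGIDS = {"adrotator.application", "adspipe.adbot", "adspipe.adbot2", "bannerrotator.rotator",
           "extrotator.rotator", "urllauncher.urllaunchercontrol", "urlsearch.urlsearch"}
CLASSES_ROOTS = ("hkey_classes_root", r"hkey_local_machine\software\classes")
# Constructed sample export (not a real capture); the Run value's path is a placeholder.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{582FDCF0-A82E-4fc1-A6F6-0D2F36881F63}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"adstart"="C:\\PLACEHOLDER\\adstart.exe"
"OneDrive"="C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"

[HKEY_CLASSES_ROOT\Adspipe.ADBot2.1]
@="ADBot2 Class"
"""

def find_indicators(reg_text):
    """Return sorted (kind, detail) pairs for AdRotator artifacts in a .reg text export."""
    hits, key = set(), ""
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            parent, _, leaf = key.rpartition("\\")
            # A BHO is registered as a CLSID subkey of the Browser Helper Objects key.
            if parent.lower() == BHO_KEY and leaf.upper() in BHO_CLSIDS:
                hits.add(("bho", leaf.upper()))
            # COM ProgIDs sit directly under HKCR or HKLM\Software\Classes; the
            # version-specific ".1" ProgID is registered beside the version-independent one.
            if parent.lower() in CLASSES_ROOTS and re.sub(r"\.1$", "", leaf.lower()) in PROGIDS:
                hits.add(("progid", leaf))
        elif key.lower() == RUN_KEY:
            # Value lines look like "name"="data"; these names are the autostart entries.
            m = re.match(r'"([^"]+)"=', line)
            if m and m.group(1).lower() in RUN_NAMES:
                hits.add(("run", m.group(1)))
    return sorted(hits)

if __name__ == "__main__":
    for kind, detail in find_indicators(SAMPLE_EXPORT):
        print(f"{kind}: {detail}")
```

A hit on a BHO CLSID or Run name alone is worth a look, since a legitimate add-on would not register under these particular identifiers.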
Payload
Displays Advertisements
AdRotator downloads advertisements and displays them as pop-ups on the affected system.
Downloads Arbitrary Files
AdRotator downloads updates of itself from Internet addresses hard-coded in its code. In the wild, this application has been observed to contact the trafficsolution.com and clickfast.biz domains.
Prevention