Threat behavior
Adware:Win32/WebRebates.C may add the following registry keys:
HKCU\Software\Microsoft\Internet Explorer\MenuExt
HKCU\Software\Microsoft\Internet Explorer\MenuExt\Web Rebates
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\untopr1150
Adware:Win32/WebRebates.C may create the following folders:
c:\Program Files\Web_Rebates
c:\Program Files\Web_Rebates\Ap1150
c:\Program Files\Web_Rebates\Da1150
c:\Program Files\Web_Rebates\Da1150\Alan Tracey
c:\Program Files\Web_Rebates\Sy1150
c:\Program Files\Web_Rebates\Sy1150\Html
c:\Program Files\Web_Rebates\Sy1150\Images
c:\Program Files\Web_Rebates\Sy1150\Sy1150
c:\Program Files\Web_Rebates\Sy1150\Tp1150
Adware:Win32/WebRebates.C may add the following files:
%TEMP%\djtopr1150.exe
%TEMP%\jkill.exe
c:\Program Files\Web_Rebates\disp1150.exe
c:\Program Files\Web_Rebates\README.txt
c:\Program Files\Web_Rebates\WebRebates0.exe
c:\Program Files\Web_Rebates\WebRebates1.exe
c:\Program Files\Web_Rebates\Ap1150\psid1187.dat
c:\Program Files\Web_Rebates\Ap1150\topr1150.dat
c:\Program Files\Web_Rebates\Da1150\1150sh.dat
c:\Program Files\Web_Rebates\Da1150\425effcb73d0.dat
c:\Program Files\Web_Rebates\Da1150\Alan Tracey\425effd46bc.dat
c:\Program Files\Web_Rebates\Sy1150\Html\f_popo1150c_rb.htm
c:\Program Files\Web_Rebates\Sy1150\Html\f_popo1150c_ub.htm
c:\Program Files\Web_Rebates\Sy1150\Html\f_spec1150c_rb.htm
c:\Program Files\Web_Rebates\Sy1150\Html\f_spec1150c_ub.htm
c:\Program Files\Web_Rebates\Sy1150\Html\foot1150c_rb.htm
c:\Program Files\Web_Rebates\Sy1150\Html\foot1150c_ub.htm
c:\Program Files\Web_Rebates\Sy1150\Html\popo1150c.htm
c:\Program Files\Web_Rebates\Sy1150\Html\pref1150c.htm
c:\Program Files\Web_Rebates\Sy1150\Html\remv1150c.htm
c:\Program Files\Web_Rebates\Sy1150\Html\scri1150a.htm
c:\Program Files\Web_Rebates\Sy1150\Html\spec1150c.htm
c:\Program Files\Web_Rebates\Sy1150\Images\p.gif
c:\Program Files\Web_Rebates\Sy1150\Images\topr_c_envelope.gif
c:\Program Files\Web_Rebates\Sy1150\Images\topr_c_footer.gif
c:\Program Files\Web_Rebates\Sy1150\Images\topr_c_hdr_autotrack_remove.gif
c:\Program Files\Web_Rebates\Sy1150\Images\topr_c_hdr_settings.gif
c:\Program Files\Web_Rebates\Sy1150\Images\topr_c_hdr_settings_toprebates.gif
c:\Program Files\Web_Rebates\Sy1150\Images\topr_c_pop_circles.gif
c:\Program Files\Web_Rebates\Sy1150\Images\topr_c_pop_circles_bg2.gif
c:\Program Files\Web_Rebates\Sy1150\Images\topr_c_warning.gif
c:\Program Files\Web_Rebates\Sy1150\Sy1150\1150_0.dat
c:\Program Files\Web_Rebates\Sy1150\Sy1150\1150_1.dat
c:\Program Files\Web_Rebates\Sy1150\Sy1150\1150_2.dat
c:\Program Files\Web_Rebates\Sy1150\Tp1150\f_popo1150c_rb.htm
c:\Program Files\Web_Rebates\Sy1150\Tp1150\f_popo1150c_ub.htm
c:\Program Files\Web_Rebates\Sy1150\Tp1150\f_spec1150c_rb.htm
c:\Program Files\Web_Rebates\Sy1150\Tp1150\f_spec1150c_ub.htm
c:\Program Files\Web_Rebates\Sy1150\Tp1150\foot1150c_rb.htm
c:\Program Files\Web_Rebates\Sy1150\Tp1150\foot1150c_ub.htm
c:\Program Files\Web_Rebates\Sy1150\Tp1150\log.txt
c:\Program Files\Web_Rebates\Sy1150\Tp1150\popo1150c.htm
c:\Program Files\Web_Rebates\Sy1150\Tp1150\pref1150c.htm
c:\Program Files\Web_Rebates\Sy1150\Tp1150\remv1150c.htm
c:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
c:\Program Files\Web_Rebates\Sy1150\Tp1150\spec1150c.htm
Note: %TEMP% refers to a variable location that the malware determines by querying the operating system. The default Temp folder for Windows 2000 and XP is C:\Documents and Settings\<user name>\Local Settings\Temp (C:\DOCUME~1\<user>\LOCALS~1\Temp in 8.3 short-name form); for Windows Vista and 7 it is C:\Users\<user name>\AppData\Local\Temp. The folder is per user, so the dropped files will be under the Temp folder of whichever account ran the installer.
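The indicators listed above can be turned into a host sweep. The script below is an added example written for this page; it is not Microsoft's removal tooling or code from the original entry. It assumes PowerShell 4 or later (for Get-FileHash), that Program Files is on C: as in the listing, and that the per-user Temp folders follow the two layouts named in the note above; the folder and file names are taken from the lists on this page, and the process names are assumed from the executable file names. Run it elevated so HKLM keys can be read and removed; -Remove deletes whatever was found, so take a disk image or backup first if the host is part of an investigation.

```powershell
<#
  Added example (not Microsoft's tooling): report the Adware:Win32/WebRebates.C
  indicators listed on this page and optionally remove them.
  Assumptions: PowerShell 4+, install root C:\Program Files\Web_Rebates (add the
  Program Files (x86) path on 64-bit hosts if needed), per-user Temp folders in the
  Vista/7 and 2000/XP layouts.
#>
[CmdletBinding()]
param([switch]$Remove)

$root = 'C:\Program Files\Web_Rebates'

# Keys the adware adds. HKCU\...\Internet Explorer\MenuExt itself is a normal IE
# container used by legitimate context-menu extensions, so only its 'Web Rebates'
# subkey is treated as an indicator (and removed).
$regKeys = @(
    'HKCU:\Software\Microsoft\Internet Explorer\MenuExt\Web Rebates',
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\ins',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\untopr1150'
)

# %TEMP% is per user: check the current user's Temp plus every profile's Temp folder.
$tempDirs = @($env:TEMP) + @(
    Get-Item -Path 'C:\Users\*\AppData\Local\Temp',
                   'C:\Documents and Settings\*\Local Settings\Temp' `
             -ErrorAction SilentlyContinue | ForEach-Object FullName
) | Sort-Object -Unique
$tempFiles = foreach ($d in $tempDirs) {
    foreach ($n in 'djtopr1150.exe', 'jkill.exe') { Join-Path $d $n }
}

# Process names assumed from the dropped executables (image name without .exe).
$procNames = @('WebRebates0', 'WebRebates1', 'disp1150', 'djtopr1150', 'jkill')

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Type, [string]$Path, [string]$Detail = '') {
    $findings.Add([pscustomobject]@{ Type = $Type; Path = $Path; Detail = $Detail })
}

# 1. Running processes
foreach ($p in Get-Process -Name $procNames -ErrorAction SilentlyContinue) {
    Add-Finding 'Process' $p.Path "PID $($p.Id)"
}

# 2. Registry keys
foreach ($k in $regKeys) {
    if (Test-Path -LiteralPath $k) { Add-Finding 'RegistryKey' $k }
}

# 3. Droppers in the Temp folders, hashed for triage / sharing
foreach ($f in $tempFiles) {
    if (Test-Path -LiteralPath $f -PathType Leaf) {
        $h = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
        Add-Finding 'File' $f "sha256=$h"
    }
}

# 4. Install tree (Ap1150, Da1150, Sy1150 and everything under them)
if (Test-Path -LiteralPath $root -PathType Container) {
    Add-Finding 'Folder' $root
    Get-ChildItem -LiteralPath $root -Recurse -File -Force | ForEach-Object {
        $h = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        Add-Finding 'File' $_.FullName "sha256=$h"
    }
}

if ($findings.Count -eq 0) { Write-Host 'No WebRebates.C indicators found.'; return }
$findings | Format-Table -AutoSize

if ($Remove) {
    # Stop the processes first so their image files are not locked during deletion.
    Get-Process -Name $procNames -ErrorAction SilentlyContinue | Stop-Process -Force
    foreach ($f in $tempFiles) { Remove-Item -LiteralPath $f -Force -ErrorAction SilentlyContinue }
    Remove-Item -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue
    foreach ($k in $regKeys)   { Remove-Item -LiteralPath $k -Recurse -Force -ErrorAction SilentlyContinue }
    Write-Host 'Removal attempted. Re-run without -Remove to confirm; reboot if any file was in use.'
}
```

Save as Find-WebRebates.ps1 and run .\Find-WebRebates.ps1 to report, or .\Find-WebRebates.ps1 -Remove to clean. The SHA-256 column is there so the hashes of the dropped executables can be recorded and compared with other hosts before anything is deleted; the Uninstall\untopr1150 key is also worth reading before removal, since its UninstallString typically points at the adware's own uninstaller.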
Prevention