Threat behavior
Adware:Win32/InfoAtoms may be installed from the program's website by offers in third-party software installers. It may also be installed alongside Adware:Win32/AddLyrics.
Installation
When run, the installer for Adware:Win32/InfoAtoms creates a folder named "InfoAtoms" in %ProgramFiles% and installs the following files there:
- 3rd Party Licenses\buildcrx-license.txt
- 3rd Party Licenses\Info-ZIP-license.txt
- 3rd Party Licenses\nsJSON-license.txt
- 3rd Party Licenses\UAC-license.txt
- terms-of-service.rtf
- Uninstall.exe
Adware:Win32/InfoAtoms installs itself as a BHO (browser helper object), which can be seen in Internet Explorer's Manage Add-ons window.
It installs the following files as part of its installation as an Internet Explorer add-on, Chrome extension and Firefox plug-in:
- For the Chrome extension, it installs the following:
  - %APPDATA%\Google\Chrome\User Data\Default\Extensions\hhbgpoakplhahbklhkcfbpicgjcaoglk\1.6.0.0_0\background.html
  - %APPDATA%\Google\Chrome\User Data\Default\Extensions\hhbgpoakplhahbklhkcfbpicgjcaoglk\1.6.0.0_0\background.js (detected as Adware:Win32/InfoAtoms)
  - %APPDATA%\Google\Chrome\User Data\Default\Extensions\hhbgpoakplhahbklhkcfbpicgjcaoglk\1.6.0.0_0\icon-128.png
  - %APPDATA%\Google\Chrome\User Data\Default\Extensions\hhbgpoakplhahbklhkcfbpicgjcaoglk\1.6.0.0_0\icon-16.png
  - %APPDATA%\Google\Chrome\User Data\Default\Extensions\hhbgpoakplhahbklhkcfbpicgjcaoglk\1.6.0.0_0\icon-48.png
  - %APPDATA%\Google\Chrome\User Data\Default\Extensions\hhbgpoakplhahbklhkcfbpicgjcaoglk\1.6.0.0_0\manifest.json
  - %APPDATA%\Google\Chrome\User Data\Default\Extensions\hhbgpoakplhahbklhkcfbpicgjcaoglk\1.6.0.0_0\options.css
  - %APPDATA%\Google\Chrome\User Data\Default\Extensions\hhbgpoakplhahbklhkcfbpicgjcaoglk\1.6.0.0_0\options.html
  - %APPDATA%\Google\Chrome\User Data\Default\Extensions\hhbgpoakplhahbklhkcfbpicgjcaoglk\1.6.0.0_0\options.js
  - %APPDATA%\Google\Chrome\User Data\Default\Extensions\hhbgpoakplhahbklhkcfbpicgjcaoglk\1.6.0.0_0\vitruvian.bootstrap.js
  - %APPDATA%\Google\Chrome\User Data\Default\Extensions\hhbgpoakplhahbklhkcfbpicgjcaoglk\1.6.0.0_0\vitruvian.plugin-api.js
  - %ProgramFiles%\InfoAtoms.crx
- For the Internet Explorer add-on, it installs the following:
  - %ProgramFiles%\InfoAtoms\IE32\InfoAtomsClientIE.dll (detected as Adware:Win32/InfoAtoms)
- For the Firefox plug-in, it installs the following:
  - %ProgramFiles%\InfoAtoms\FireFox\infoatoms@infoatoms.com.xpi
  - %ProgramFiles%\Mozilla Firefox\defaults\preferences\!InfoAtoms.js
  - %ProgramFiles%\Mozilla Firefox\extensions\infoatoms@infoatoms.com\chrome.manifest
  - %ProgramFiles%\Mozilla Firefox\extensions\infoatoms@infoatoms.com\install.rdf
  - %ProgramFiles%\Mozilla Firefox\extensions\infoatoms@infoatoms.com\chrome\content\browser.xul
  - %ProgramFiles%\Mozilla Firefox\extensions\infoatoms@infoatoms.com\chrome\content\icon-48.png
  - %ProgramFiles%\Mozilla Firefox\extensions\infoatoms@infoatoms.com\chrome\content\icon-64.png
  - %ProgramFiles%\Mozilla Firefox\extensions\infoatoms@infoatoms.com\chrome\content\vitruvian.bootstrap.js
  - %ProgramFiles%\Mozilla Firefox\extensions\infoatoms@infoatoms.com\chrome\content\vitruvian.plugin-api.js (detected as Adware:Win32/InfoAtoms)
  - %ProgramFiles%\Mozilla Firefox\InfoAtoms.cfg
It also creates an installation entry called "InfoAtoms" in the Programs and Features section of the Control Panel. Running this uninstaller removes Adware:Win32/InfoAtoms from your computer.
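The following sweep for the installation artifacts listed above is an added example, not part of the original analysis. It generalizes the list slightly: it matches the Chrome extension ID under any profile and version folder, and the roots are parameters so it can also be pointed at a mounted disk image. Checking `ProgramFiles(x86)` and `LOCALAPPDATA` in addition to the locations named above is an assumption of this example.

```python
import os
from pathlib import Path

# Chrome extension ID taken from the file list above.
CHROME_EXT_ID = "hhbgpoakplhahbklhkcfbpicgjcaoglk"

# Paths relative to a Program Files root, taken from the file list above.
PROGRAM_FILES_ARTIFACTS = [
    "InfoAtoms",
    "InfoAtoms.crx",
    "InfoAtoms/IE32/InfoAtomsClientIE.dll",
    "InfoAtoms/FireFox/infoatoms@infoatoms.com.xpi",
    "Mozilla Firefox/defaults/preferences/!InfoAtoms.js",
    "Mozilla Firefox/extensions/infoatoms@infoatoms.com",
    "Mozilla Firefox/InfoAtoms.cfg",
]


def find_infoatoms_artifacts(program_files_roots, appdata_roots):
    """Return a sorted list of existing paths that match the listed artifacts."""
    hits = set()
    for root in map(Path, program_files_roots):
        for rel in PROGRAM_FILES_ARTIFACTS:
            candidate = root / rel
            if candidate.exists():
                hits.add(candidate)
    # Any Chrome profile, any extension version: match on the extension ID folder.
    pattern = f"Google/Chrome/User Data/*/Extensions/{CHROME_EXT_ID}"
    for root in map(Path, appdata_roots):
        hits.update(p for p in root.glob(pattern) if p.is_dir())
    return sorted(str(p) for p in hits)


def default_roots():
    """Roots for the current user on a live Windows host (assumed variable set)."""
    env = os.environ
    program_files = [env[k] for k in ("ProgramFiles", "ProgramFiles(x86)") if k in env]
    appdata = [env[k] for k in ("APPDATA", "LOCALAPPDATA") if k in env]
    return program_files, appdata


if __name__ == "__main__":
    found = find_infoatoms_artifacts(*default_roots())
    for path in found:
        print(path)
    print(f"{len(found)} InfoAtoms artifact(s) found")
```

A live run only covers the current user's profile; to sweep other accounts or an offline image, pass each profile's AppData folders as `appdata_roots`.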
Execution
Once installed, Adware:Win32/InfoAtoms displays advertisements to you as you browse the Internet.
Analysis by Chris Stubbs
Prevention