Threat Explorer

The Threat Explorer is a comprehensive resource consumers can turn to for daily, accurate, up-to-date information on the latest threats, risks and vulnerabilities.

Adware.Conspy

Adware.Conspy

Updated:
February 13, 2007
Risk Impact:
Medium
File Names:
waol.exe; editpad.exe
Systems Affected:
Windows

Behavior


Adware.Conspy modifies Internet Explorer settings and accesses the Internet to update itself.


Note: Definitions dated February 10th, 2004 or earlier may detect this adware as Trojan.Conspy.

Symptoms


The files are detected as Adware.Conspy.
  • The bookmarks are added to Internet Explorer favorites.
  • The Internet Explorer Search page is modified.

Behavior


This adware program must be manually installed. However, some programs may have Adware.Conspy within them and install it when the program is installed.

Antivirus Protection Dates

  • Initial Rapid Release version October 02, 2014 revision 022
  • Latest Rapid Release version February 01, 2015 revision 020
  • Initial Daily Certified version February 11, 2004
  • Latest Daily Certified version January 26, 2015 revision 023
  • Initial Weekly Certified release date February 11, 2004
Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

When Adware.Conspy is executed, it performs the following actions:
  1. Copies itself to %Windir%.


    Note: %Windir% is a variable. The adware locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.

  2. Attempts to add the values:
    • "Quicken"="%Windir%\Waol.exe"
    • "Editpad"="%Windir%\Editpad.exe"

      to the registry key:

      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

  3. Attempts to contact the server, conf.conspy.com, to download the updates and configuration files.
    The URLs it accesses include:
    • http:/ /conf.conspy.com/quicken_update.php
    • http:/ /conf.conspy.com/winrar_update.php
    • http:/ /conf.conspy.com/popset.php
    • http:/ /conf.conspy.com/waol.exe
    • http:/ /conf.conspy.com/editpad.exe
    • http:/ /conf.conspy.com/editpad.rsf.php
    • http:/ /conf.conspy.com/resource_update.php

  4. If it fails to contact the server, it will wait 60 seconds and then try again.

  5. Takes a URL from a decryption of editpad.rsf.php.

  6. Adds links to Internet Explorer's "Favorites." These URLs are taken from the decryption of editpad.rsf.php.

  7. Adds the value:

    "Search Page" = "<URL decrypted from editpad.rsf.php>"

    to the registry key:

    HKEY_LOCAL_MACHINE\Microsoft\Internet Explorer\Main\

  8. Adds the value:

    "Search Bar" = "<URL decrypted from editpad.rsf.php>"

    to the registry key:

    HKEY_LOCAL_MACHINE\Microsoft\Internet Explorer\Main\

  9. Adds the value:

    "Start Page" = "<URL decrypted from editpad.rsf.php>"

    to the registry key:

    HKEY_LOCAL_MACHINE\Microsoft\Internet Explorer\Main\

  10. Adds the value:

    "SearchURL" = "<URL decrypted from editpad.rsf.php>"

    to the registry key:

    HKEY_LOCAL_MACHINE\Microsoft\Internet Explorer\

  11. Adds the value:

    "SearchAssistant" = "<URL decrypted from editpad.rsf.php>"

    to the registry key:

    HKEY_LOCAL_MACHINE\Microsoft\Internet Explorer\Search\



The following instructions pertain to all Symantec antivirus products that support Security Risk detection.
  1. Update the definitions.
  2. Run a full system scan and delete all the files detected as Adware.IEDriver.
  3. Delete the values that were added to the registry.
For specific details on each of these steps, read the following instructions.

1. Updating the definitions
To obtain the most recent definitions, start your Symantec program and run LiveUpdate.

2. Scanning for and deleting the files
  1. Start your Symantec antivirus program and run a full system scan.
  2. If any files are detected as Adware.IEDriver, click Delete.


    Note: If your Symantec antivirus product reports that it cannot delete a detected file, write down the path and file name. Then use Windows Explorer to locate and delete the file.

3. Deleting the value from the registry

WARNING: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry ," for instructions.
  1. Click Start, and then click Run. (The Run dialog box appears.)
  2. Type regedit

    Then click OK. (The Registry Editor opens.)

  3. Navigate to the key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
    \Run

  4. In the right pane, delete the value:

    "IEDriver"="%System%\IEdriver\Iedriver.exe"

  5. Navigate to the key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
    \Uninstall

  6. Delete the subkey:

    {BC3BBF86-E4EC-4412-9676-8355468B3B05}

  7. Navigate to the key:

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main

  8. In the right pane, restore the correct value of the key:

    "Search Bar"

    or, if you are not sure, delete the value.

  9. Exit the Registry Editor.