Adware.Meplex

Updated: July 28, 2006
Risk Impact: Medium
Systems Affected: Windows

Behavior

Adware.Meplex is a program that displays advertisements on a user's computer. It runs its processes in the background and may also modify registry settings on the compromised computer.

Antivirus Protection Dates

  • Initial Rapid Release version October 02, 2014 revision 022
  • Latest Rapid Release version March 23, 2017 revision 037
  • Initial Daily Certified version November 22, 2005
  • Latest Daily Certified version March 23, 2017 revision 041
  • Initial Weekly Certified release date November 23, 2005

The program may also create the following folders:
%System%\dllcache
%System%\inetsrv
%System%\appmgmt
%System%\cba
%System%\icon
%System%\INotes

The program may also create or download some of the following files:
%System%\dllcache\mstunint.dll
%System%\dllcache\mstunmsr.dll
%System%\dllcache\mstunmsk.dll
%System%\inetsrv\inet.exe
%System%\appmgmt\msser.exe
%System%\cba\task.exe
%System%\icon\ebay.ico
%System%\icon\ebay1.ico
%UserProfile%\Desktop\[CHINESE CHARACTERS].lnk
%UserProfile%\Start Menu\[CHINESE CHARACTERS].lnk
%UserProfile%\Start Menu\Programs\[CHINESE CHARACTERS].lnk

Next, the program creates the following registry subkeys and adds a number of entries to these subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{DE60714F-AC17-427e-861A-FD60CBDF119A}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DE60714F-AC17-427E-861A-FD60CBDF119A}
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\{DE60714F-AC17-427e-861A-FD60CBDF119A}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tunl
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\INotes

The program then creates the following registry entries so that its executables run when Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"MSSER" = "%System%\appmgmt\msser.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\"IIS" = "%System%\inetsrv\inet.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\"INET" = "%System%\INETSRV\inetsync.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\"INET" = "C:\WINDOWS\system32\INETSRV\inetsync.exe"
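
As an added example (not part of the original write-up or of any Symantec tool), the following Python checks the text of a `reg export` file for the autostart entries and the extension CLSID listed above, matching case-insensitively and treating `%System%` and its expanded form as the same path. The function names are hypothetical, `%System%` is assumed to be `C:\Windows\System32`, and the sample export is constructed.

```python
import re

SYSTEM_DIR = r"c:\windows\system32"  # assumption: default value of %System%
RUN = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
POLICY_RUN = (r"hkey_local_machine\software\microsoft\windows"
              r"\currentversion\policies\explorer\run")
# (key, value name, target) for the autostart entries listed in the write-up
RUN_IOCS = [
    (RUN, "msser", r"%system%\appmgmt\msser.exe"),
    (POLICY_RUN, "iis", r"%system%\inetsrv\inet.exe"),
    (POLICY_RUN, "inet", r"%system%\inetsrv\inetsync.exe"),
]
CLSID = "{de60714f-ac17-427e-861a-fd60cbdf119a}"

def normalize(path):
    """Undo .reg backslash escaping, lower-case, and expand %System%."""
    p = path.replace("\\\\", "\\").lower()
    return p.replace("%system%", SYSTEM_DIR)

def scan_reg_export(text):
    """Return sorted findings for the text of a .reg export."""
    findings, key = set(), ""
    for line in text.splitlines():
        line = line.strip()
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            key = section.group(1).lower()
            if key.endswith(CLSID):
                findings.add("clsid:" + key)
            continue
        value = re.fullmatch(r'"([^"]+)"="(.*)"', line)
        if not value:
            continue
        name, data = value.group(1).lower(), normalize(value.group(2))
        for ioc_key, ioc_name, ioc_target in RUN_IOCS:
            if (key, name, data) == (ioc_key, ioc_name, normalize(ioc_target)):
                findings.add("run:" + name)
    return sorted(findings)

# Constructed sample export, not taken from a real host.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSSER"="C:\\WINDOWS\\system32\\appmgmt\\msser.exe"
"Updater"="C:\\Program Files\\Vendor\\update.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"INET"="C:\\WINDOWS\\system32\\INETSRV\\inetsync.exe"
'''
```

Calling `scan_reg_export(SAMPLE)` flags the `MSSER` and `INET` values and ignores the unrelated `Updater` entry.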

The program displays advertisements and tries to connect to the following Web site:
http://adfarm.mediaplex.com/ad/ck/4080-23171-9517-193?cn=song;icon;hp&mpro=http://www.ebay.com.cn