
Adware.Raxums

Updated: February 13, 2007
Risk Impact: Low
File Names: varies; sys.reg
Systems Affected: Windows

Behavior

Adware.Raxums is an adware program that adds entries to the Internet Explorer Favorites folder. It also downloads and executes a file from a predetermined Web site.

Symptoms


Entries reappear in Internet Explorer's Favorites folder even after deletion.

Antivirus Protection Dates

  • Initial Rapid Release version October 02, 2014 revision 022
  • Latest Rapid Release version October 02, 2014 revision 022
  • Initial Daily Certified version February 23, 2004
  • Latest Daily Certified version September 28, 2010 revision 036
  • Initial Weekly Certified release date February 23, 2004

When Adware.Raxums is executed, it performs the following actions:
  1. Deletes Internet Explorer's cached files.

  2. Adds links to Internet Explorer's Favorites folder.

  3. Attempts to download, decrypt, and execute a file from 81.211.105.36.

  4. Modifies the values:
    • "Start Page"="http:/ /%62%6A%76%76%68%6B%2E%74%2E%6D%75%78%61%2E%63%63/%68%2E%70%68%70?%61%69%64=33"
    • "HOMEOldSP"="http:/ /%62%6A%76%76%68%6B%2E%74%2E%6D%75%78%61%2E%63%63/%68%2E%70%68%70?%61%69%64=33"
    • "Search Bar"="http:/ /%62%6A%76%76%68%6B%2E%74%2E%6D%75%78%61%2E%63%63/%73%2E%70%68%70?%61%69%64=33"
    • "Search Page"="http:/ /%62%6A%76%76%68%6B%2E%74%2E%6D%75%78%61%2E%63%63/%73%2E%70%68%70?%61%69%64=33"

      in the registry key:

      HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main

  5. Modifies the values:
    • "Start Page"="http:/ /%62%6A%76%76%68%6B%2E%74%2E%6D%75%78%61%2E%63%63/%68%2E%70%68%70?%61%69%64=33"
    • "HOMEOldSP"="http:/ /%62%6A%76%76%68%6B%2E%74%2E%6D%75%78%61%2E%63%63/%68%2E%70%68%70?%61%69%64=33"
    • "Search Bar"="http:/ /%62%6A%76%76%68%6B%2E%74%2E%6D%75%78%61%2E%63%63/%73%2E%70%68%70?%61%69%64=33"
    • "Search Page"="http:/ /%62%6A%76%76%68%6B%2E%74%2E%6D%75%78%61%2E%63%63/%73%2E%70%68%70?%61%69%64=33"

      in the registry key:

      HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

  6. Modifies the value:

    "SearchAssistant"="http:/ /%62%6A%76%76%68%6B%2E%74%2E%6D%75%78%61%2E%63%63/%73%2E%70%68%70?%61%69%64=33"

    in the registry key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main

  7. Modifies the value:

    "SearchAssistant"="http:/ /%62%6A%76%76%68%6B%2E%74%2E%6D%75%78%61%2E%63%63/%73%2E%70%68%70?%61%69%64=33"

    in the registry key:

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

  8. Modifies the value:

    "PrivacyAdvanced"="1"

    in the registry key:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings

  9. Drops the file %Windir%\sys.reg.


    Note: %Windir% is a variable. The adware locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.

  10. Adds the value:

    "sys"="regedit -s sys.reg"

    to the registry key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    so that if the created registry keys are deleted, they are recreated when the computer is restarted.
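The persistence described above relies on a silently imported .reg file re-creating the hijacked Internet Explorer values after reboot, and the values themselves hide the real host behind percent-encoding. The following added example (not Symantec's code, and not the adware's actual sys.reg) parses a constructed .reg export in the format `regedit -s` imports, decodes the obfuscated URLs, and flags both the hijacked IE values and the Run-key import entry; the key and value names are the ones listed in the write-up.

```python
import re
from urllib.parse import unquote

# Constructed sample in the .reg format that "regedit -s" imports; the values
# mirror the hijacked Internet Explorer settings described for Adware.Raxums.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://%62%6A%76%76%68%6B%2E%74%2E%6D%75%78%61%2E%63%63/%68%2E%70%68%70?%61%69%64=33"
"Search Page"="http://%62%6A%76%76%68%6B%2E%74%2E%6D%75%78%61%2E%63%63/%73%2E%70%68%70?%61%69%64=33"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"PrivacyAdvanced"="1"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"sys"="regedit -s sys.reg"
"""

# Internet Explorer values this adware overwrites, per the write-up.
HIJACKED_IE_VALUES = {"Start Page", "HOMEOldSP", "Search Bar",
                      "Search Page", "SearchAssistant"}


def parse_reg(text):
    """Parse a .reg export into {key: {value_name: string_value}}."""
    entries, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            entries.setdefault(key, {})
        elif key and line.startswith('"'):
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:
                entries[key][m.group(1)] = m.group(2)
    return entries


def find_indicators(text):
    """Return (finding, key, value_name, decoded_value) tuples."""
    findings = []
    for key, values in parse_reg(text).items():
        for name, value in values.items():
            if key.endswith(r"\Internet Explorer\Main") and name in HIJACKED_IE_VALUES:
                decoded = unquote(value)
                if decoded != value:  # percent-encoding hides the real host
                    findings.append(("encoded-ie-hijack", key, name, decoded))
            elif key.endswith(r"\CurrentVersion\Run") and "regedit -s" in value.lower():
                # A Run entry that silently re-imports a .reg file on every boot
                findings.append(("silent-reg-import-persistence", key, name, value))
    return findings
```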

Removal

The following instructions pertain to all Symantec antivirus products that support Security Risk detection.
  1. Update the definitions.
  2. Delete the values that were added to the registry.
  3. Run a full system scan and delete all the files detected as Adware.Raxums.
For specific details on each of these steps, read the following instructions.

1. Updating the definitions
To obtain the most recent definitions, start your Symantec program and run LiveUpdate.

2. Deleting the values from the registry

WARNING: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document "How to make a backup of the Windows registry" for instructions.
  1. Click Start, and then click Run. (The Run dialog box appears.)
  2. Type regedit, and then click OK. (The Registry Editor opens.)

  3. Navigate to the key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main

  4. In the right pane, delete the value:

    "HOMEOldSP"="http:/ /%62%6A%76%76%68%6B%2E%74%2E%6D%75%78%61%2E%63%63/%68%2E%70%68%70?%61%69%64=33"

  5. Navigate to the key:

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

  6. In the right pane, delete the value:

    "HOMEOldSP"="http:/ /%62%6A%76%76%68%6B%2E%74%2E%6D%75%78%61%2E%63%63/%68%2E%70%68%70?%61%69%64=33"


  7. Navigate to the key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

  8. In the right pane, delete the value:

    "sys"="regedit -s sys.reg"

  9. Exit the Registry Editor.

  10. Restart the computer.

3. Scanning for and deleting the files
  1. Start your Symantec antivirus program, and then run a full system scan.
  2. If any files are detected as Adware.Raxums, click Delete.


    Note: If your Symantec antivirus product reports that it cannot delete a detected file, write down the path and file name. Then use Windows Explorer to locate and delete the file.