Adware.RegiFast

Updated: August 09, 2006
Risk Impact: Low
Systems Affected: Windows

Behavior

Adware.RegiFast is an adware program that automatically fills in forms on Web pages. When a form is filled in, the program displays advertisements.

Antivirus Protection Dates

  • Initial Rapid Release version October 02, 2014 revision 022
  • Latest Rapid Release version October 02, 2014 revision 022
  • Initial Daily Certified version August 09, 2006
  • Latest Daily Certified version September 28, 2010 revision 036
  • Initial Weekly Certified release date August 09, 2006

When the risk is first executed, it creates the following files:
%ProgramFiles%\RegiFast\localdb.dat
%ProgramFiles%\RegiFast\msvcr71.dll
%ProgramFiles%\RegiFast\PopUpMgr.plg
%ProgramFiles%\RegiFast\RegiFast.dll
%ProgramFiles%\RegiFast\RFManager.exe
%ProgramFiles%\RegiFast\skin.jpg
%Windir%\Downloaded Program Files\RegiFastSI.ocx
%Temp%\install.exe
%SystemDrive%\RFManager.log
%SystemDrive%\RFSilentInstaller.log
%UserProfile%\Application Data\Microsoft\Address Book\[USERNAME].wab
%UserProfile%\Local Settings\Temp\install.exe

where [USERNAME] is the username of the user currently logged on.

Next, the risk creates the following registry entry so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"RegiFast" = "%ProgramFiles%\RegiFast\RFManager.exe"

The risk then creates the following registry subkeys:
HKEY_CLASSES_ROOT\CLSID\{191978C5-F642-4EE6-B8FD-97A95C435E7D}
HKEY_CLASSES_ROOT\CLSID\{C67A62C7-A68D-484C-9617-880C1F70D3F7}
HKEY_CLASSES_ROOT\Interface\{B4B66483-E499-485E-B77B-000D31C1656F}
HKEY_CLASSES_ROOT\Interface\{B7BEE73A-84E0-4B4F-A5ED-0100F2590B05}
HKEY_CLASSES_ROOT\TypeLib\{AF3DB5F5-93AA-4F48-B4AE-0A28BC4270BF}
HKEY_CLASSES_ROOT\TypeLib\{CE7C3CE2-4B15-11D1-ABED-709549C10000}
HKEY_CLASSES_ROOT\RegiFastObj.RegiFastObj
HKEY_CLASSES_ROOT\RegiFastObj.RegiFastObj.1
HKEY_CLASSES_ROOT\RegiFastSI.SilentInstall
HKEY_CLASSES_ROOT\RegiFastSI.SilentInstall.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{191978C5-F642-4EE6-B8FD-97A95C435E7D}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C67A62C7-A68D-484C-9617-880C1F70D3F7}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\%Windir%/Downloaded Program Files/RegiFastSI.ocx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RegiFast
HKEY_LOCAL_MACHINE\SOFTWARE\RegiFast
HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4

The risk then displays advertisements after it has filled out an online form.
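The following is an added example, not part of the original write-up: an offline triage check that matches a collected list of file paths and registry keys against a subset of the artifacts listed above. The split into specific and ambiguous indicators, the `ENV` values and the `SAMPLE` listing are assumptions made for this example.

```python
import re

# Indicators copied from the write-up above. The split is this example's
# assumption: AMBIGUOUS entries have a generic name or belong to the Windows
# Address Book, so alone they never produce a positive verdict.
SPECIFIC = [
    r"%ProgramFiles%\RegiFast\RFManager.exe",
    r"%ProgramFiles%\RegiFast\RegiFast.dll",
    r"%Windir%\Downloaded Program Files\RegiFastSI.ocx",
    r"%SystemDrive%\RFSilentInstaller.log",
    # The Run value "RegiFast", written here as key\value-name.
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegiFast",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer"
    r"\Browser Helper Objects\{C67A62C7-A68D-484C-9617-880C1F70D3F7}",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\RegiFast",
]
AMBIGUOUS = [r"%Temp%\install.exe",
             r"HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4"]
HIVES = {"hklm": "hkey_local_machine", "hkcu": "hkey_current_user",
         "hkcr": "hkey_classes_root"}

def normalize(item, env):
    """Expand %VAR% from env, expand hive abbreviations, fold case."""
    env_l = {k.lower(): v for k, v in env.items()}
    item = re.sub(r"%([^%]+)%",
                  lambda m: env_l.get(m.group(1).lower(), m.group(0)), item)
    head, sep, rest = item.lower().rstrip("\\").partition("\\")
    return HIVES.get(head, head) + sep + rest

def sweep(observed, env):
    """Match collected paths/keys against the indicators; return hits and verdict."""
    seen = {normalize(o, env) for o in observed}
    hit = lambda iocs: [i for i in iocs if normalize(i, env) in seen]
    specific, ambiguous = hit(SPECIFIC), hit(AMBIGUOUS)
    verdict = "present" if specific else "inconclusive" if ambiguous else "not found"
    return {"specific": specific, "ambiguous": ambiguous, "verdict": verdict}

# Constructed sample: environment and artifact listing from a hypothetical host.
ENV = {"ProgramFiles": r"C:\Program Files", "Windir": r"C:\WINDOWS",
       "SystemDrive": "C:", "Temp": r"C:\WINDOWS\Temp"}
SAMPLE = [
    r"c:\program files\regifast\rfmanager.EXE",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\RegiFast",
    r"HKCU\Software\Microsoft\WAB\WAB4",
    r"C:\WINDOWS\system32\notepad.exe",
]

if __name__ == "__main__":
    print(sweep(SAMPLE, ENV))
```

Matching is case-insensitive and accepts abbreviated hive names, since collection tools differ in how they report paths and keys.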