Threat Explorer


Adware.Roogoo


Updated: June 29, 2006
Risk Impact: High
Systems Affected: Windows

Behavior

Adware.Roogoo is adware that installs a Layered Service Provider that monitors network traffic. The risk reports Google search terms back to its controlling domain and may display pop-up advertisements.

Antivirus Protection Dates

  • Initial Rapid Release version: October 02, 2014 revision 022
  • Latest Rapid Release version: July 20, 2017 revision 019
  • Initial Daily Certified version: June 26, 2006 revision 002
  • Latest Daily Certified version: July 20, 2017 revision 020
  • Initial Weekly Certified release date: June 28, 2006

When Adware.Roogoo is first installed, it creates one of the following files:
%System%\msplus.dll
%System%\msplus1.dll
%System%\msplus2.dll
%System%\msplus3.dll
%System%\msplus4.dll

The risk then creates and populates the following registry subkeys:
HKEY_CLASSES_ROOT\CLSID\{18F57D30-EF36-4C0E-9343-7BFA6DF79B4A}
HKEY_CLASSES_ROOT\Interface\{2805A558-1E98-48FB-8BA5-49A3AD78B129}
HKEY_CLASSES_ROOT\TypeLib\{57F7A59D-8F7F-41B2-98B8-A095456716E9}
HKEY_CLASSES_ROOT\Adplus.XLink
HKEY_CLASSES_ROOT\Adplus.XLink.1
HKEY_LOCAL_MACHINE\SOFTWARE\Roogoo

The risk also adds the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\"FROMID" = "roogoo"

Next, the risk modifies the following registry entry to remove certain restrictions for pop-up windows in Internet Explorer:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\"2102" = "0"

The risk also creates a legitimate service with the following characteristics:
Service Name: WS2IFSL
Display Name: Windows Socket 2.0 Non-IFS Service Provider Support Environment
Path to executable: %System%\System32\drivers\ws2ifsl.sys
Startup type: System

The risk then installs a Layered Service Provider (LSP) to monitor network traffic originating from the compromised computer, and reports Google search terms to the following domain:
roogoo.com

The risk may display pop-up advertisements.
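A read-only check for the artifacts listed above, added here as an example and not part of the Symantec write-up. It assumes a PowerShell prompt on the system being examined and reports which of the listed files, registry subkeys, the FROMID marker value, the zone 3 "2102" setting and any msplus*.dll entry in the Winsock catalog are present:

```powershell
# Added example: looks for the Adware.Roogoo artifacts named in the write-up.
# It only reads the file system, registry and Winsock catalog; nothing is removed.
$findings = @()

# 1. Dropped DLLs: %System%\msplus.dll and msplus1.dll .. msplus4.dll
$sys = [Environment]::GetFolderPath('System')
$dllNames = @('msplus.dll') + (1..4 | ForEach-Object { "msplus$_.dll" })
foreach ($name in $dllNames) {
    $p = Join-Path $sys $name
    if (Test-Path -LiteralPath $p) { $findings += "File present: $p" }
}

# 2. Registry subkeys the write-up says the adware creates
$keys = @(
    'Registry::HKEY_CLASSES_ROOT\CLSID\{18F57D30-EF36-4C0E-9343-7BFA6DF79B4A}',
    'Registry::HKEY_CLASSES_ROOT\Interface\{2805A558-1E98-48FB-8BA5-49A3AD78B129}',
    'Registry::HKEY_CLASSES_ROOT\TypeLib\{57F7A59D-8F7F-41B2-98B8-A095456716E9}',
    'Registry::HKEY_CLASSES_ROOT\Adplus.XLink',
    'Registry::HKEY_CLASSES_ROOT\Adplus.XLink.1',
    'HKLM:\SOFTWARE\Roogoo'
)
foreach ($k in $keys) {
    if (Test-Path -LiteralPath $k) { $findings += "Registry key present: $k" }
}

# 3. Marker value "FROMID" = "roogoo" under CurrentVersion
$v = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion' `
        -Name 'FROMID' -ErrorAction SilentlyContinue
if ($v -and $v.FROMID -eq 'roogoo') { $findings += 'Registry value FROMID = roogoo' }

# 4. Internet Explorer zone 3 action "2102" set to 0, the state the write-up
#    describes as removing pop-up window restrictions
$zone = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3' `
        -Name '2102' -ErrorAction SilentlyContinue
if ($zone -and $zone.'2102' -eq 0) { $findings += 'IE zone 3 action 2102 = 0' }

# 5. Winsock catalog: any LSP entry whose provider path is one of the msplus DLLs
$catalog = netsh winsock show catalog
$lsp = $catalog | Select-String -Pattern 'msplus\d?\.dll'
if ($lsp) {
    $lines = ($lsp | ForEach-Object { $_.Line.Trim() }) -join '; '
    $findings += "Winsock catalog references: $lines"
}

if ($findings.Count -eq 0) { 'No Adware.Roogoo artifacts found.' } else { $findings }
```

Run it from an elevated prompt so the HKEY_CLASSES_ROOT and system directory checks are not blocked by access rights.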