Adware.Zhong

Updated: May 24, 2006
Risk Impact: High
Systems Affected: Windows

Behavior

Adware.Zhong is a program that displays Chinese-language Internet advertisements on a compromised computer.

Antivirus Protection Dates

  • Initial Rapid Release version October 02, 2014 revision 022
  • Latest Rapid Release version January 15, 2018 revision 020
  • Initial Daily Certified version May 23, 2006
  • Latest Daily Certified version January 15, 2018 revision 024
  • Initial Weekly Certified release date May 24, 2006
Once executed, the program creates the following files:
%System%\explorer.exe
%System%\sysreal32.dll
%ProgramFiles%\weather\config.ini
%ProgramFiles%\weather\unins000.dat
%ProgramFiles%\weather\unins000.exe
%ProgramFiles%\weather\Weather.exe
%ProgramFiles%\weather\weather.lnk

Next, the program creates the following registry entry so that it runs each time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"rundll32" = "%System%\explorer.exe"

Note: This file runs as a hidden process and does not appear in the Windows Task Manager.

The risk creates the following registry subkeys:
HKEY_CLASSES_ROOT\Chajian.ChajianHelper
HKEY_CLASSES_ROOT\Chajian.ChajianHelper.1
HKEY_CLASSES_ROOT\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}
HKEY_CLASSES_ROOT\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}
HKEY_CLASSES_ROOT\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\weather_is1

Then the risk creates the following folders:
%UserProfile%\all users\start menu\programs\weather
%ProgramFiles%\weather

The risk then opens Web sites, including the following URL:
http://www.zinanjing.com/
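As an added detection check (not part of the Symantec writeup), the following PowerShell script tests the local host for the files and registry artifacts listed above. It assumes %System% maps to $env:SystemRoot\System32 and %ProgramFiles% to $env:ProgramFiles; the function name Find-AdwareZhongIndicators is the author's own.

```powershell
# Added example, not from the Symantec writeup: checks the local host for the
# Adware.Zhong artifacts listed above. Run from an elevated PowerShell prompt.
# Assumption: %System% = $env:SystemRoot\System32, %ProgramFiles% = $env:ProgramFiles.

function Find-AdwareZhongIndicators {
    $system = Join-Path $env:SystemRoot 'System32'
    $pf     = $env:ProgramFiles
    $found  = @()
    # File indicators. The genuine explorer.exe lives in %Windir%, not %System%,
    # so an explorer.exe under System32 is suspicious on its own.
    $files = @(
        (Join-Path $system 'explorer.exe'),
        (Join-Path $system 'sysreal32.dll'),
        (Join-Path $pf 'weather\config.ini'),
        (Join-Path $pf 'weather\unins000.dat'),
        (Join-Path $pf 'weather\unins000.exe'),
        (Join-Path $pf 'weather\Weather.exe'),
        (Join-Path $pf 'weather\weather.lnk')
    )
    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f -PathType Leaf) { $found += "File: $f" }
    }

    # Persistence: Run value named "rundll32" pointing at %System%\explorer.exe.
    # The writeup notes the process is hidden from Task Manager, so the Run value
    # and the files are the reliable indicators, not the process list.
    $runKey = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -Name 'rundll32' -ErrorAction SilentlyContinue
    if ($run -and $run.rundll32 -like '*\System32\explorer.exe*') {
        $found += "Run value 'rundll32' = $($run.rundll32)"
    }
    # COM registration for the Chajian helper and the uninstall entry.
    $subkeys = @(
        'Registry::HKEY_CLASSES_ROOT\Chajian.ChajianHelper',
        'Registry::HKEY_CLASSES_ROOT\Chajian.ChajianHelper.1',
        'Registry::HKEY_CLASSES_ROOT\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}',
        'Registry::HKEY_CLASSES_ROOT\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}',
        'Registry::HKEY_CLASSES_ROOT\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}',
        'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\weather_is1'
    )
    foreach ($k in $subkeys) {
        if (Test-Path -LiteralPath $k) { $found += "Registry key: $k" }
    }
    return $found
}

$hits = Find-AdwareZhongIndicators
if ($hits.Count -eq 0) { 'No Adware.Zhong indicators found.' } else { $hits }
```

A clean host returns an empty list; any hit should be followed by a full scan with current definitions, since the file names alone may also be used by unrelated software.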
Writeup By: David Curran