Adware.Block-Checker
Using ProcessGuard, I ran this little nasty to test it out. Here is what we see in ADDITION to what should happen with a small program installer. It's suspicious when a program this small has an installer. Soon you can read an interesting article on installers too on the new DiamondCS site.
First, it runs a small program setup_finish.exe which simply runs other programs. Some AV detect it.. good to see!

The first is SYSTEM.EXE which is particularly nasty and is overlooked by some AV. The file drops and registers navshext.dll (50kb, UPX compressed). This has self update functionality and is part of the adware. Why has this file been overlooked? File submitted.. see this link for an image of scan results thanks to Jotti's Online Malware Scan!
Note this file is very old and only just starting to show up because of stealth.
Then, block-checker.exe. No, this isn't the good program, this is the problem file. Within the file we can clearly see it has an internal name: "MSN Auto Tell-a-Friend". THIS is the program which sends messages about itself to contacts on your MSN list..

Another one...... CSRSS.EXE. Well, let's guess what it does. This contains the following non-edited string in the VB header - the project file location on disk. \.I.M. .A.d.v.e.r.t.i.s.e.r.\.K.e.e.p.R.u.n.n.i.n.g...v.b.p
It checks if block-checker.exe is running in the current task list.
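The dotted string above is how a hex viewer shows UTF-16LE text, where every character is followed by a null byte. As an added example (not part of the original write-up), this is one way to pull such wide strings out of a file during triage and flag Visual Basic project paths; the function names and the sample bytes are constructed for illustration, and only the path fragment comes from the page.

```python
import re

# Printable ASCII stored as UTF-16LE: every character is followed by 0x00.
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")
VBP_REF = re.compile(r".*?\.vbp", re.IGNORECASE)

def hex_viewer_text(raw: bytes) -> str:
    """Render bytes like a hex viewer's text column ('.' for non-printables)."""
    return "".join(chr(b) if 0x20 <= b <= 0x7e else "." for b in raw)

def wide_strings(data: bytes):
    """Yield (offset, text) for each UTF-16LE run of 6+ printable characters."""
    for m in WIDE_RUN.finditer(data):
        yield m.start(), m.group().decode("utf-16-le")

def vb_project_paths(data: bytes):
    """Return (offset, path) for wide strings that reference a .vbp project file."""
    hits = []
    for off, text in wide_strings(data):
        m = VBP_REF.match(text)
        if m:
            hits.append((off, m.group()))
    return hits

# Constructed sample: filler bytes around the path fragment quoted on the page.
PROJECT = "\\IM Advertiser\\KeepRunning.vbp"
SAMPLE = (b"MZ\x90\x00\xff\xfe\x01\x02" + PROJECT.encode("utf-16-le")
          + b"\x00\x00\x03\x04narrow ascii text\x00")

if __name__ == "__main__":
    for off, path in vb_project_paths(SAMPLE):
        print(f"0x{off:04x}  {path}")
```

A leftover project path like this is a useful static indicator because it survives in the file regardless of what the executable is renamed to.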

FINALLY.. here we go. I click RUN and it runs the real program. This is the program you downloaded, wouldn't it be nice if they just zipped it up and gave you that ONE FILE? ;)

This program apparently no longer uses adware tactics which is great news. Should I take a look at the behaviour of the latest version? Email me if you think so!