Behavior
Adware.CasinoClient is an adware program that logs keywords typed in Web-based search engines, such as Google. The adware also creates shortcuts on the desktop and displays advertisements at random intervals.
Symptoms
Unexpected advertisements appear in the Internet Explorer browser windows.
Transmission
This security risk can be installed as part of another program.
Technical Details
File names: casstub.exe; cassetup.exe; casclient.exe; casmf.dll
When Adware.CasinoClient is executed, it performs the following actions:
1. Creates the following files:
* %ProgramFiles%\Cas\Client\86.ico
* %ProgramFiles%\Cas\Client\casclient.exe
* %ProgramFiles%\Cas\Client\casmf.dll
* %ProgramFiles%\Cas\Client\hf.txt
* %ProgramFiles%\Cas\Client\sf.txt
* %ProgramFiles%\Cas\Client\Uninstall.exe
* %ProgramFiles%\CasStub\casstub.exe
* %UserProfile%\Desktop\Free Plasma TV.lnk
* %UserProfile%\Local Settings\Temp\cassetup.exe
Notes:
* %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[Current User] (Windows NT/2000/XP).
* %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
2. Adds the value:
"CAS Client" = "%ProgramFiles%\Cas\Client\casclient.exe"
to the registry subkey:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the risk runs every time Windows starts.
3. Creates the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\Main.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{E0DC5CC4-25A5-4BC7-A3AA-3525733DC796}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8293D547-38DD-4325-B35A-F1817EDFA5FC}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D4C89C18-B4F3-46A9-8800-E9E7A55AFBD9}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Main.MimeFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Main.MimeFilter.1
HKEY_CURRENT_USER\Software\CAS
4. Maintains a list of search engines and sends keywords typed into these search engines to a remote Web site.
5. Creates shortcuts on the desktop.
6. Displays advertisements in Internet Explorer windows.
To delete the value from the registry
1. Click Start > Run.
2. Type regedit, then click OK.
Note: If the registry editor fails to open, the risk may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool,
http://securityresponse.symantec.com/avcenter/venc/data/tool.to.reset.shellopencommand.registry.keys.html, and then continue with the removal.
3. Navigate to the subkey:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
4. In the right pane, delete the value:
"CAS Client" = "%ProgramFiles%\Cas\Client\casclient.exe"
5. Delete the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\Main.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{E0DC5CC4-25A5-4BC7-A3AA-3525733DC796}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8293D547-38DD-4325-B35A-F1817EDFA5FC}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D4C89C18-B4F3-46A9-8800-E9E7A55AFBD9}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Main.MimeFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Main.MimeFilter.1
HKEY_CURRENT_USER\Software\CAS
6. Exit the Registry Editor.
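The following PowerShell script is an added example and is not part of the original writeup or a Symantec tool. It audits a Windows host for the file and registry indicators listed under Technical Details and, when run with -Remove, carries out the manual registry removal steps above (the Run value and the seven subkeys). It assumes the indicator paths expand from the %ProgramFiles% and %UserProfile% variables as the notes describe; because 32-bit software may land in Program Files (x86) on 64-bit Windows and the "Local Settings\Temp" location is specific to Windows NT/2000/XP, it also checks ${env:ProgramFiles(x86)} and $env:TEMP as extra assumed locations. File deletion is deliberately left to the operator, since the page's removal steps cover only the registry.

```powershell
# Added example (not the original writeup's or Symantec's code): audit a host for the
# Adware.CasinoClient indicators listed on this page and, with -Remove, delete the
# documented registry entries. Run from an elevated PowerShell prompt; supports -WhatIf.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove
)

# Assumption: 32-bit adware may sit under Program Files (x86) on 64-bit Windows, so both
# Program Files roots are checked when present.
$programDirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

# File indicators from "Creates the following files", with %ProgramFiles% and %UserProfile%
# expanded from the environment.
$fileIndicators = New-Object System.Collections.Generic.List[string]
foreach ($dir in $programDirs) {
    foreach ($rel in 'Cas\Client\86.ico', 'Cas\Client\casclient.exe', 'Cas\Client\casmf.dll',
                     'Cas\Client\hf.txt', 'Cas\Client\sf.txt', 'Cas\Client\Uninstall.exe',
                     'CasStub\casstub.exe') {
        $fileIndicators.Add((Join-Path $dir $rel))
    }
}
$fileIndicators.Add((Join-Path $env:USERPROFILE 'Desktop\Free Plasma TV.lnk'))
# XP-era temp location from the page, plus the current user's temp folder (assumption).
$fileIndicators.Add((Join-Path $env:USERPROFILE 'Local Settings\Temp\cassetup.exe'))
$fileIndicators.Add((Join-Path $env:TEMP 'cassetup.exe'))

# Persistence: the Run value documented in step 2.
$runKey   = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runValue = 'CAS Client'

# Registry subkeys from step 3 (COM/MIME filter registration plus HKCU\Software\CAS).
$subkeys = @(
    'HKLM:\SOFTWARE\Classes\AppID\Main.DLL',
    'HKLM:\SOFTWARE\Classes\AppID\{E0DC5CC4-25A5-4BC7-A3AA-3525733DC796}',
    'HKLM:\SOFTWARE\Classes\CLSID\{8293D547-38DD-4325-B35A-F1817EDFA5FC}',
    'HKLM:\SOFTWARE\Classes\TypeLib\{D4C89C18-B4F3-46A9-8800-E9E7A55AFBD9}',
    'HKLM:\SOFTWARE\Classes\Main.MimeFilter',
    'HKLM:\SOFTWARE\Classes\Main.MimeFilter.1',
    'HKCU:\Software\CAS'
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Files: report only; deleting binaries is left to the operator.
foreach ($path in $fileIndicators) {
    if (Test-Path -LiteralPath $path) { $findings.Add("file: $path") }
}

# 2. Run value: probe without a terminating error, then check the property by name.
$runProps = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($runProps -and $runProps.PSObject.Properties[$runValue]) {
    $findings.Add("run value: $runKey\$runValue = $($runProps.$runValue)")
    if ($Remove -and $PSCmdlet.ShouldProcess("$runKey\$runValue", 'Remove-ItemProperty')) {
        Remove-ItemProperty -Path $runKey -Name $runValue
    }
}

# 3. Subkeys: -LiteralPath avoids wildcard interpretation of the GUID braces.
foreach ($key in $subkeys) {
    if (Test-Path -LiteralPath $key) {
        $findings.Add("registry subkey: $key")
        if ($Remove -and $PSCmdlet.ShouldProcess($key, 'Remove-Item -Recurse')) {
            Remove-Item -LiteralPath $key -Recurse
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Adware.CasinoClient indicators found.'
} else {
    Write-Output "Found $($findings.Count) indicator(s):"
    $findings | ForEach-Object { Write-Output "  $_" }
    if (-not $Remove) {
        Write-Output 'Re-run with -Remove to delete the registry entries listed in the removal steps.'
    }
}
```

Run it once without switches to see what is present, then with -Remove -WhatIf to preview the registry changes before applying them; because the script only deletes the entries the page names, any additional startup entries or files found in the same folders should be reviewed separately before removal.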