Adware.BlockChecker is an adware program that sends advertisements to the user's instant messenger contacts.
Symptoms
Unexpected advertisements are sent to the user's instant messenger contacts.
Transmission
This security risk is manually installed as a component of Block Checker.
Technical details
File names: block-checker.exe
When Adware.BlockChecker is executed, it performs the following actions:
1. Adds the value:
"BlockChecker" = "path of itself"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the risk runs every time Windows starts.
2. Creates the following registry subkeys:
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\IMAdvertiser\MSN
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\IMAdvertiser\Yahoo
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\IMAdvertiser\AOL
3. Sends one of the following messages to the contacts of Microsoft Messenger, Yahoo Instant Messenger and AOL Instant Messenger:
* Find out who's blocking you on MSN, Download it free from [http://]www.block-checker[REMOVED].com
* Did you know you can find out who blocked you on MSN? Check it out, it's free [http://]www.block-checker[REMOVED].com
* I know who's blocking me on MSN because I use [http://]www.block-checker[REMOVED].com
* Did they block you too? Download a free MSN Block Checker [http://]www.block-checker[REMOVED].com
* Hey you can see who's blocking you on MSN! Download it now [http://]www.block-checker[REMOVED].com
* Find out who's blocking you on Yahoo, Download it free from [http://]www.block-checker[REMOVED].com
* Did you know you can find out who blocked you on Yahoo? Check it out, it's free [http://]www.block-checker[REMOVED].com
* I know who's blocking me on Yahoo because I use [http://]www.block-checker[REMOVED].com
* Did they block you too? Download a free Yahoo Block Checker [http://]www.block-checker[REMOVED].com
* I know who's blocking me on AIM because I use [http://]www.block-checker[REMOVED].com
* Find out who's blocking you on AIM, Download it free from [http://]www.block-checker[REMOVED].com
* Did you know you can find out who blocked you on AIM? Check it out, it's free [http://]www.block-checker[REMOVED].com
* Did they block you too? Download a free AIM Block Checker [http://]www.block-checker[REMOVED].com
* Hey you can see who's blocking you on AIM! Download it now [http://]www.block-checker[REMOVED].com
Removal instructions
See: http://securityresponse.symantec.com/avcenter/venc/data/adware.blockchecker.html
To delete the value from the registry:
1. Click Start > Run.
2. Type regedit
Then click OK.
3. Navigate to the subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
4. In the right pane, delete the value:
"BlockChecker" = "path of the Adware"
5. Navigate to and delete the following keys:
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\IMAdvertiser\MSN
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\IMAdvertiser\Yahoo
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\IMAdvertiser\AOL
6. Exit the Registry Editor.
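A read-only PowerShell check for the registry artifacts listed above, usable before removal and again afterwards to confirm nothing is left. This is an added example, not part of the original write-up; checking the WOW6432Node copy of the Run key and every loaded user hive under HKEY_USERS goes beyond the page, which names only the HKLM Run key and HKEY_CURRENT_USER, and assumes an elevated session.

```powershell
# Added example: reports the Adware.BlockChecker registry artifacts; deletes nothing.
$runValue = 'BlockChecker'
$runKeys  = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    # Assumption beyond the page: on 64-bit Windows a 32-bit program's write
    # to the Run key above lands in the WOW6432Node view, so check it too.
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$settings = 'Software\VB and VBA Program Settings\IMAdvertiser'
$networks = 'MSN', 'Yahoo', 'AOL'

$findings = @()

# 1. Autostart value: "BlockChecker" = "path of itself"
foreach ($key in $runKeys) {
    $run = Get-ItemProperty -Path $key -Name $runValue -ErrorAction SilentlyContinue
    if ($run) {
        $findings += [pscustomobject]@{
            Type = 'RunValue'
            Path = "$key\$runValue"
            Data = $run.$runValue   # path of the executable to remove
        }
    }
}

# 2. Per-user settings subkeys. HKEY_CURRENT_USER is only the current user's
#    view, so walk every loaded user hive (accounts with an S-1-5-21-* SID).
$hives = Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' }

foreach ($hive in $hives) {
    foreach ($network in $networks) {
        $path = "Registry::HKEY_USERS\$($hive.PSChildName)\$settings\$network"
        if (Test-Path -LiteralPath $path) {
            $findings += [pscustomobject]@{ Type = 'SettingsKey'; Path = $path; Data = $null }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize -Wrap
} else {
    'No Adware.BlockChecker registry artifacts found.'
}
```

Hives of users who are not logged on are not loaded under HKEY_USERS, so those profiles are not covered by this check.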