This is a brief outline of the Winlogon adware as found by Fortego Security on June 24th 2004. It was submitted to Symantec on June 24th and to Lavasoft (makers of Ad-Aware) on June 26th. On June 27th we received Symantec's response: the sample was classified as a new variant of the Trojan Bookmaker.D. New virus definitions can be found below.

Functionality

The program binary is not really "encrypted"; it is compressed with the UPX executable packer. It was found in the All Users\Startup folder on the infected computer. When run, it changes the following Windows registry entries:

HKCU\Software\Microsoft\Internet Explorer\Main\Start Page "http://find4u.net/index.htm"
HKCU\Software\Microsoft\Internet Explorer\Main\Use Search Asst "no"
HKCU\Software\Microsoft\Internet Explorer\Main\Search Page "http://find4u.net/index.htm"
HKCU\Software\Microsoft\Internet Explorer\Main\Search Bar "http://find4u.net/sp.htm"
HKCU\Software\Microsoft\Internet Explorer\SearchURL\(Default) "http://find4u.net/index.htm"
HKCU\Software\Microsoft\Internet Explorer\SearchURL\provider "gog"
HKLM\SOFTWARE\Microsoft\Internet Explorer\Search\SearchAssistant "http://find4u.net/sp.htm"

It also adds an Internet bookmark to the "Free Hidden Cams World" web site.

We have not found that this program attempts to download anything from the Internet, nor that it replicates itself to other computers in any other way. Although the program was found in the Startup folder, we did not find that it contains any functionality to place itself there.
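The registry entries and file locations listed above can be turned into a simple audit for an affected machine. The following PowerShell script is an added example and is not part of the original write-up; it assumes it is run as the affected user (for the HKCU values) and elevated (for the HKLM value), that the indicator values are exactly those quoted above, and that a hit is remediated by deleting the matching value rather than restoring any particular Internet Explorer default. The bookmark filename is not given in the write-up, so the script matches on the site title and on the find4u.net domain inside .url files.

```powershell
# Added example (not from the original write-up): audit the registry values and
# file locations the write-up lists, and optionally remove the matching entries.
# Assumptions: run as the affected user (HKCU) and elevated (HKLM); indicator
# values are copied from the write-up; remediation deletes the value instead of
# restoring a specific Internet Explorer default.
param(
    [switch]$Remediate
)

$indicators = @(
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Main';      Name = 'Start Page';      Bad = 'http://find4u.net/index.htm' },
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Main';      Name = 'Use Search Asst'; Bad = 'no' },
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Main';      Name = 'Search Page';     Bad = 'http://find4u.net/index.htm' },
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Main';      Name = 'Search Bar';      Bad = 'http://find4u.net/sp.htm' },
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\SearchURL'; Name = '(default)';       Bad = 'http://find4u.net/index.htm' },
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\SearchURL'; Name = 'provider';        Bad = 'gog' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Search';    Name = 'SearchAssistant'; Bad = 'http://find4u.net/sp.htm' }
)

$hits = 0

# 1. Registry values. "Use Search Asst" = "no" is also a legitimate user
#    setting, so on its own it is only supporting evidence; the find4u.net
#    URLs and the "gog" provider name are the real indicators.
foreach ($ioc in $indicators) {
    $item = Get-ItemProperty -Path $ioc.Path -Name $ioc.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }
    $current = [string]$item.($ioc.Name)
    if ($current -eq $ioc.Bad) {
        $hits++
        Write-Output ("MATCH  {0}\{1} = '{2}'" -f $ioc.Path, $ioc.Name, $current)
        if ($Remediate) {
            Remove-ItemProperty -Path $ioc.Path -Name $ioc.Name
            Write-Output ("       removed {0}\{1}" -f $ioc.Path, $ioc.Name)
        }
    }
}

# 2. The bookmark to the "Free Hidden Cams World" site. Internet Explorer
#    favorites are .url files; match on the title or on the domain inside.
$favorites = [Environment]::GetFolderPath('Favorites')
$urlFiles = Get-ChildItem -Path $favorites -Filter *.url -Recurse -ErrorAction SilentlyContinue
foreach ($f in $urlFiles) {
    $titleHit  = $f.BaseName -like '*Hidden Cams*'
    $domainHit = Select-String -Path $f.FullName -Pattern 'find4u\.net' -Quiet
    if ($titleHit -or $domainHit) {
        $hits++
        Write-Output ("MATCH  bookmark {0}" -f $f.FullName)
        if ($Remediate) { Remove-Item -Path $f.FullName }
    }
}

# 3. The sample was found in the All Users Startup folder and the write-up found
#    no code that places it there, so any executable in that folder is listed
#    for manual review rather than deleted automatically.
$commonStartup = [Environment]::GetFolderPath('CommonStartup')
$startupFiles = Get-ChildItem -Path $commonStartup -File -ErrorAction SilentlyContinue
foreach ($f in $startupFiles) {
    if ($f.Extension -in '.exe', '.com', '.scr', '.bat', '.cmd', '.pif') {
        Write-Output ("REVIEW executable in Startup: {0} ({1} bytes)" -f $f.FullName, $f.Length)
    }
}

Write-Output ("{0} indicator(s) matched." -f $hits)
```

Run it once without -Remediate to see what matches, then again with -Remediate after the Startup folder has been cleaned; otherwise the values are simply rewritten at the next logon. Because the write-up found no download or self-replication behaviour, the registry values and the bookmark are the whole footprint this script needs to look for.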

Download Sample

You can download and analyse this adware program via this link: winlogon-adware.exe.zip. The archive is protected with the password "infected".

Download new Antivirus Definitions

The rapid-release virus definitions we received from Symantec can be downloaded here: rapid_updat32.exe.