Virus

Adware/eSyndicate

Analysis

Adware/eSyndicate is an Adware Installer for the eSyndicate application.

When executed, the installer creates a folder named eSyndicate in C:\Program Files. It then extracts the following files:

esyn.dll
uninst.exe

The registry is updated with a new key, Esyn.Band, under the following paths:

HKEY_CLASSES_ROOT\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\

A Browser Helper Object is also added to the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CC378B83-9577-44D0-B4F8-0DD965E176FC}

After installation, the adware sends an HTTP GET request to queue.jmnad1.com. This provides a notification to that server that another machine has installed this adware.
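The following PowerShell host check for the files and registry keys listed above is an added example, not part of the original entry or any Fortinet tooling. The indicator values come from this entry; the WOW6432Node and "Program Files (x86)" locations are assumptions covering a 32-bit install on 64-bit Windows.

```powershell
# Added example: look for the Adware/eSyndicate artifacts named in this entry.
# Run in an elevated PowerShell session on the host being examined.

$bhoClsid = '{CC378B83-9577-44D0-B4F8-0DD965E176FC}'
$bhoBase  = 'Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

# Registry locations from the entry, plus the 32-bit view (assumption).
$registryPaths = @(
    'Registry::HKEY_CLASSES_ROOT\Esyn.Band'
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Esyn.Band'
    "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\$bhoBase\$bhoClsid"
    "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\$bhoBase\$bhoClsid"
)

# Install folder from the entry, plus the x86 folder on 64-bit systems (assumption).
$installDirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } |
    Select-Object -Unique |
    ForEach-Object { Join-Path $_ 'eSyndicate' }

$findings = @()

foreach ($key in $registryPaths) {
    # -LiteralPath keeps the braces in the CLSID from being interpreted.
    if (Test-Path -LiteralPath $key) {
        $findings += [pscustomobject]@{ Type = 'RegistryKey'; Path = $key }
    }
}

foreach ($dir in $installDirs) {
    foreach ($name in 'esyn.dll', 'uninst.exe') {
        $file = Join-Path $dir $name
        if (Test-Path -LiteralPath $file -PathType Leaf) {
            $findings += [pscustomobject]@{ Type = 'File'; Path = $file }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'No Adware/eSyndicate artifacts from this entry were found.'
}
```

The network indicator, queue.jmnad1.com, is not checked on the host here; it can be matched against proxy or DNS logs instead.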

Recommended Action

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option