Installation
Adware:Win32/Lollipop may be installed by third-party software bundlers, like SoftwareBundler:Win32/Lollipox and SoftwareBundler:Win32/Lollipos.
If you decline to let the software bundler install Adware:Win32/Lollipop, it will not be installed on your PC.
The following are screenshots of some of the software installers we have observed installing Adware:Win32/Lollipop:
Adware:Win32/Lollipop is installed with the name lollipop.exe into the following folder:
%LOCALAPPDATA%\Lollipop
When run, Adware:Win32/Lollipop creates the following files:
The program sets itself to run every time Windows starts in one of three ways, which it chooses depending on your version of Windows and what security software you have installed.
The three ways are:
- By changing the following registry entry:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: lollipop
With data: "%LOCALAPPDATA%\Lollipop\lollipop.exe" lollipop
- By changing the following registry entry:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
Sets value: lollipop
With data: "%LOCALAPPDATA%\Lollipop\lollipop.exe" lollipop
- By dropping a shortcut to itself in the Windows <startup folder> as Lollipop.lnk
Adware:Win32/Lollipop creates an installation entry in the Programs and Features section of the Control Panel, as follows:
Running this uninstaller may remove some or all of the files related to the adware from your PC.
Behavior
Adware:Win32/Lollipop displays pop-up advertisements to you as you browse the Internet. These ads are based on keywords you enter into certain search engines. The ads differ depending on your geographical location and may be pornographic in nature.
The following is an example of the categories of advertisements displayed:
Redirects search engine results
The adware redirects search results from certain search engines, including the following:
- Alot
- AOL
- Ask
- Avg
- Babylon
- Bing
- Chatzum
- claroSearch
- Conduit
- DaleSearch
- Delta
- Ebay
- Facemoods
- Funmoods
- Google
- Incredibar
- MSN
- mysearch
- Mywebsearch
- Softonic
- Sweetim
- Yahoo
The adware redirects results when you use the following browsers:
- AOL
- Firefox
- Google Chrome
- Internet Explorer
- Opera
- Safari
For Firefox, the adware may also add an extension named {773F14E2-D643-4642-905E-1124C9A2170B}.xpi by changing the following registry entry:
In subkey: <HKLM or HKCU>\Software\Mozilla\Extensions
Sets value: {ec8030f7-c20a-464f-9b0e-13a3a9e97384}
With data: "{773F14E2-D643-4642-905E-1124C9A2170B}.xpi"
For Google Chrome, the adware may also add an extension named nchpfiddbhbdnagofhkjlaiaejmkdcla.crx by changing the following registry entries:
In subkey: <HKLM or HKCU>\Software\Google\Chrome\Extensions\nchpfiddbhbdnagofhkjlaiaejmkdcla
Sets value: path
With data: "nchpfiddbhbdnagofhkjlaiaejmkdcla.crx"
In subkey: <HKLM or HKCU>\Software\Wow6432Node\Google\Chrome\Extensions\nchpfiddbhbdnagofhkjlaiaejmkdcla
Sets value: path
With data: "nchpfiddbhbdnagofhkjlaiaejmkdcla.crx"
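The autostart locations listed under Installation and the browser-extension registry entries listed above can be audited on a suspect PC with a short script. The following PowerShell is an added example, not part of the encyclopedia entry and not a Microsoft tool; it uses only the paths, value names and extension identifiers the entry gives, and searches the Mozilla Extensions key recursively so that it does not depend on the exact nesting of the Firefox value. Run it in an elevated session so the HKLM keys are readable.

```powershell
# Added example: audit the Adware:Win32/Lollipop artifacts this entry lists.
# Every path, value name and identifier below comes from the entry; nothing else
# about the adware is assumed.
$findings = @()

# 1. Run / RunOnce persistence: value named "lollipop", or any value whose data
#    references lollipop.exe under %LOCALAPPDATA%\Lollipop.
foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce') {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props) {
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -eq 'lollipop' -or "$($p.Value)" -match '\\Lollipop\\lollipop\.exe') {
                $findings += [pscustomobject]@{ Type = 'Registry autostart'; Location = "$key\$($p.Name)"; Data = "$($p.Value)" }
            }
        }
    }
}

# 2. Startup-folder shortcut (per-user and all-users Startup folders).
foreach ($folder in 'Startup', 'CommonStartup') {
    $lnk = Join-Path ([Environment]::GetFolderPath($folder)) 'Lollipop.lnk'
    if (Test-Path $lnk) {
        $findings += [pscustomobject]@{ Type = 'Startup shortcut'; Location = $lnk; Data = '' }
    }
}

# 3. The dropped binary itself.
$exe = Join-Path $env:LOCALAPPDATA 'Lollipop\lollipop.exe'
if (Test-Path $exe) {
    $findings += [pscustomobject]@{ Type = 'Dropped file'; Location = $exe; Data = (Get-Item $exe).Length }
}

# 4. Firefox extension registration: any value under Software\Mozilla\Extensions
#    (either hive, any depth) whose data names the .xpi from the entry.
foreach ($hive in 'HKLM:', 'HKCU:') {
    $ffKey = "$hive\Software\Mozilla\Extensions"
    if (Test-Path $ffKey) {
        $keys = @(Get-Item $ffKey) + @(Get-ChildItem $ffKey -Recurse -ErrorAction SilentlyContinue)
        foreach ($k in $keys) {
            foreach ($name in $k.GetValueNames()) {
                $data = "$($k.GetValue($name))"
                if ($data -match '773F14E2-D643-4642-905E-1124C9A2170B') {
                    $findings += [pscustomobject]@{ Type = 'Firefox extension'; Location = "$($k.Name)\$name"; Data = $data }
                }
            }
        }
    }
}

# 5. Chrome extension registration in both the native and Wow6432Node views.
$chromeId = 'nchpfiddbhbdnagofhkjlaiaejmkdcla'
foreach ($hive in 'HKLM:', 'HKCU:') {
    foreach ($sub in "Software\Google\Chrome\Extensions\$chromeId",
                     "Software\Wow6432Node\Google\Chrome\Extensions\$chromeId") {
        $key = "$hive\$sub"
        if (Test-Path $key) {
            $path = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).path
            $findings += [pscustomobject]@{ Type = 'Chrome extension'; Location = $key; Data = "$path" }
        }
    }
}

if ($findings.Count -eq 0) {
    'No Adware:Win32/Lollipop artifacts found in the audited locations.'
} else {
    $findings | Format-Table -AutoSize
}
```

The script reports rather than removes, so that the uninstaller route described under Installation, or a full antimalware scan, can be run afterwards with a record of what was present. Because the adware picks one of three persistence methods per machine, a clean result from only one of the checks is not conclusive; all five are evaluated every time.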
Adware:Win32/Lollipop sends the following information about your PC to a remote server:
- The status of any antimalware or antispyware software you have
- The status of your firewall
- The locale or region in which your PC is located
- Your Internet browsing history
- Information about your browser session, like the websites you have visited
In the wild, we have observed variants of Adware:Win32/Lollipop contacting the following servers over HTTP on port 80:
- www.lollipop-network.com/<removed>.php
- www.andocomparando.es/<removed>/product_check.php
- www.andocomparando.es/<removed>/script.php
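On a network, the two server names above are the indicator most likely to be visible in proxy or web-filter logs. The following PowerShell is an added example, not from the entry, showing a host-exact match (rather than a substring match, which would also hit unrelated domains) over a handful of constructed log lines; the space-separated field layout and the request paths in the sample are constructed for the demonstration, since the entry redacts the real paths.

```powershell
# Added example: flag proxy-log requests to the servers named in this entry.
# Only the two host names are taken from the entry; the log format and the
# sample lines are constructed for this demonstration.
$indicatorHosts = @('www.lollipop-network.com', 'www.andocomparando.es')

# Constructed sample: timestamp, client IP, method, URL, HTTP status.
$sampleLog = @'
2013-03-05T10:12:01Z 10.0.0.15 GET http://www.example.com/index.html 200
2013-03-05T10:12:07Z 10.0.0.15 GET http://www.lollipop-network.com/CONSTRUCTED-PATH.php 200
2013-03-05T10:12:09Z 10.0.0.21 GET http://www.andocomparando.es/CONSTRUCTED-PATH/product_check.php 200
2013-03-05T10:12:11Z 10.0.0.21 GET http://cdn.example.net/lib.js 304
2013-03-05T10:12:14Z 10.0.0.33 GET http://www.lollipop-network.com.example.org/ 200
'@ -split "`r?`n"

function Find-LollipopBeacons {
    param([string[]]$Lines, [string[]]$Hosts)
    foreach ($line in $Lines) {
        if ($line -match '^(?<ts>\S+)\s+(?<client>\S+)\s+(?<method>\S+)\s+(?<url>\S+)\s+(?<status>\d+)$') {
            $uri = [uri]$matches.url
            # Compare the parsed host exactly; a substring test would also match
            # look-alike hosts such as the last sample line.
            if ($Hosts -contains $uri.Host) {
                [pscustomobject]@{
                    Time   = $matches.ts
                    Client = $matches.client
                    Host   = $uri.Host
                    Port   = $uri.Port
                    Path   = $uri.AbsolutePath
                }
            }
        }
    }
}

Find-LollipopBeacons -Lines $sampleLog -Hosts $indicatorHosts | Format-Table -AutoSize
```

Run against the sample, the function returns the two requests from 10.0.0.15 and 10.0.0.21 to the listed hosts and ignores the look-alike host in the last line. Each hit gives a client address to check with the registry and file audit from the Installation and Behavior sections.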
Analysis by Jaime Wong, Geoff McDonald and Michael Johnson