Adware/Cometsys

Analysis


The details for the Cometsys installer are:
File Name: sinstaller.exe
File Size: 117,320 bytes
Digital Signature: Screensavers.com


The details for the Cometsys executables are:
File Name: siuninst.exe
File Size: 32,980 bytes

File Name: swpstart.exe
File Size: 142,336 bytes
Version: 2.0.11.1
Description: swpstart
Company Name: Comet Systems


The details for the Cometsys libraries are:
File Name: ScreensaversInst.DLL
File Size: 166,400 bytes
Version: 1.0.0.1
Description: ScreensaversInstaller Module
Product Version: 1, 0, 0, 1


Description of Adware:

Cometsys is downloaded from www.screensavers.com when a screensaver or wallpaper is retrieved from the website. Cometsys also owns Starware (see Adware/Starware); Starware can, however, be installed separately. Cometsys appears to serve as a stub for Starware and other adware. Cometsys will also retrieve updates periodically from the screensavers.com network without user authorization or notification. Installing Cometsys will also install America Online and Netscape Network software, and place icons on the desktop. The AOL and Netscape Network software was not referenced in the executable details for this adware, as the integrity of those files seemed to be intact and they are not part of Cometsys.


System alterations upon installation:

  • This description makes the assumption that the user has unchecked the optional Starware Toolbar install. A page similar to the one shown below is displayed:
    (Screenshot: Cometsys install page)

  • The installer will retrieve additional files from www.screensavers.com in order to install.

  • The following files are installed:
    C:\Program Files\AOD\aol.ini
    C:\Program Files\AOD\AolAod.exe
    C:\Program Files\AOD\netscape
    C:\Program Files\AOD\timedata.ini
    C:\Program Files\AOD\TRAINER.PPK
    C:\Program Files\AOD\netscape\ns_yell.ico
    C:\Program Files\AOD\aol\aod_bb_1_73.ico
    C:\Program Files\AOD\aol\aod_modem_1.ico
    C:\Program Files\Screensavers.com\Wallpaper\swpstart.exe
    C:\Program Files\Screensavers.com\Installer\temp\dm5B.tmp
    C:\Program Files\Screensavers.com\Installer\bin\ScreensaversInst.dll
    C:\Program Files\Screensavers.com\Installer\bin\siuninst.exe

  • The following are some of the registry keys added:
    HKLM\SOFTWARE\Gtek\AOD
    HKLM\SOFTWARE\Gtek\AOD\InstallPath
    HKLM\SOFTWARE\Gtek\AOD\ExecuteName
    HKLM\SOFTWARE\Gtek\AOD\Version
    HKLM\SOFTWARE\Gtek\AOD\VersionOnAir
    HKLM\SOFTWARE\Screensavers.com
    HKLM\SOFTWARE\Screensavers.com\Installer
    HKLM\SOFTWARE\Screensavers.com\Installer\Tokens
    HKLM\SOFTWARE\Screensavers.com\Installer\Tokens\COMET
    HKLM\SOFTWARE\Screensavers.com\Installer\Tokens\WINDOWS
    HKLM\SOFTWARE\Screensavers.com\Installer\Settings
    HKLM\SOFTWARE\Screensavers.com\Installer\Settings\rangeSize
    HKLM\SOFTWARE\Screensavers.com\Installer\Settings\secNextRangeInterval
    HKLM\SOFTWARE\Screensavers.com\Installer\Settings\tValidHistoryPeriod
    HKLM\SOFTWARE\Screensavers.com\Installer\Settings\tActiveJobPurgePeriod
    HKLM\SOFTWARE\Screensavers.com\Installer\Settings\tTempFilePurgePeriod
    HKLM\SOFTWARE\Screensavers.com\Installer\Settings\prMaxLoad
    HKLM\SOFTWARE\Screensavers.com\Installer\Data
    HKLM\SOFTWARE\Screensavers.com\Installer\Data\ICON
    HKLM\SOFTWARE\Screensavers.com\Installer\Data\ICON\AOL
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ScreensaversInstaller
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ScreensaversInstaller\DisplayName
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ScreensaversInstaller\UninstallString
    HKLM\SOFTWARE\Classes\ScreensaversInstaller.Installer
    HKLM\SOFTWARE\Classes\ScreensaversInstaller.Installer\CurVer
    HKLM\SOFTWARE\Classes\ScreensaversInstaller.Installer\CLSID
    HKLM\SOFTWARE\Classes\ScreensaversInstaller.Installer.1
    HKLM\SOFTWARE\Classes\ScreensaversInstaller.Installer.1\CLSID
    HKLM\SOFTWARE\Classes\ScreensaversInstaller.Sinstaller
    HKLM\SOFTWARE\Classes\ScreensaversInstaller.Sinstaller\CurVer
    HKLM\SOFTWARE\Classes\ScreensaversInstaller.Sinstaller\CLSID
    HKLM\SOFTWARE\Classes\ScreensaversInstaller.Sinstaller.1
    HKLM\SOFTWARE\Classes\ScreensaversInstaller.Sinstaller.1\CLSID

  • The installer will then execute the swpstart.exe file, which will open the host's display options.
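
The file and registry indicators listed above can be matched against an endpoint inventory while keeping the bundled AOD artifacts separate from Cometsys itself. This is an added example, not part of the original analysis; the inventory format, the group labels, and the rule of matching everything below the listed directories and keys are assumptions.

```python
import re

# Indicators taken from this page; sizes are the documented byte counts.
KNOWN_SIZES = {"sinstaller.exe": 117320, "siuninst.exe": 32980,
               "swpstart.exe": 142336, "screensaversinst.dll": 166400}
DIRS = {"cometsys": r"c:\program files\screensavers.com",
        "bundled-aod": r"c:\program files\aod"}
REG = {"cometsys": (r"hklm\software\screensavers.com",
                    r"hklm\software\microsoft\windows\currentversion\uninstall\screensaversinstaller",
                    r"hklm\software\classes\screensaversinstaller."),
       "bundled-aod": (r"hklm\software\gtek\aod",)}

def norm_key(key):
    """Lower-case a registry path and shorten the long hive name to HKLM."""
    key = key.strip().rstrip("\\").lower()
    return re.sub(r"^hkey_local_machine(?=\\)", "hklm", key)

def under(path, prefix):
    """True if path is prefix or below it (assumed match rule, no partial names)."""
    if prefix.endswith("."):  # ProgID family such as ScreensaversInstaller.*
        return path.startswith(prefix)
    return path == prefix or path.startswith(prefix + "\\")

def triage(files, reg_keys):
    """files: (path, size) pairs; reg_keys: key paths. Returns finding tuples."""
    out = []
    for path, size in files:
        p = path.strip().lower()  # Windows paths are case-insensitive
        group = next((g for g, d in DIRS.items() if under(p, d)), None)
        known = KNOWN_SIZES.get(p.rsplit("\\", 1)[-1])
        if known is not None:  # documented file name: compare byte count
            verdict = "size-match" if size == known else "size-differs"
            out.append((group or "cometsys", "file", path, verdict))
        elif group:
            out.append((group, "file", path, "path-match"))
    for key in reg_keys:
        k = norm_key(key)
        out += [(g, "reg", key, "key-match") for g, pres in REG.items()
                if any(under(k, pre) for pre in pres)]
    return out

# Constructed inventory for illustration (not from a real host).
SAMPLE_FILES = [(r"C:\PROGRAM FILES\Screensavers.com\Wallpaper\swpstart.exe", 142336),
                (r"C:\Program Files\Screensavers.com\Installer\bin\siuninst.exe", 40000),
                (r"C:\Program Files\AOD\AolAod.exe", 204800),
                (r"C:\Program Files\AODx\notes.txt", 10)]
SAMPLE_KEYS = [r"HKEY_LOCAL_MACHINE\SOFTWARE\Screensavers.com\Installer\Settings",
               r"HKLM\SOFTWARE\Classes\ScreensaversInstaller.Sinstaller.1\CLSID",
               r"HKLM\SOFTWARE\Gtek\AOD",
               r"HKLM\SOFTWARE\Screensavers.community"]
```

A `size-differs` verdict means a documented file name was found with a different byte count than the one recorded here, which may indicate another build and is worth a manual look.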


Adware behavior:

  • Cometsys may install other Spyware or Adware including the Starware toolbar without user interaction.

  • Cometsys may compromise host security by communicating with and retrieving files from unauthorized networks.

Telemetry

Detection Availability

FortiGate
Extended
FortiClient
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date Version Detail
2024-04-04 92.03072
2024-03-27 92.02831
2024-03-04 92.02137
2024-02-12 92.01512
2024-02-09 92.01426
2024-02-07 92.01370
2024-01-24 92.00942
2024-01-13 92.00616
2024-01-08 92.00462
2024-01-03 92.00311