Adware/Cometsys
Analysis
The details for the Cometsys installer are:
File Name: sinstaller.exe
File Size: 117,320 bytes
Digital Signature: Screensavers.com
The details for the Cometsys executables are:
File Name: siuninst.exe
File Size: 32,980 bytes
File Name: swpstart.exe
File Size: 142,336 bytes
Version: 2.0.11.1
Description: swpstart
Company Name: Comet Systems
The details for the Cometsys libraries are:
File Name: ScreensaversInst.DLL
File Size: 166,400 bytes
Version: 1.0.0.1
Description: ScreensaversInstaller Module
Product Version: 1, 0, 0, 1
Description of Adware:
Cometsys is downloaded from www.screensavers.com when a screensaver or wallpaper is retrieved from the website. Cometsys also owns Starware (see Adware/Starware); Starware can, however, be installed separately. Cometsys appears to serve as a stub for Starware and other adware. Cometsys also periodically retrieves updates from the screensavers.com network without user authorization or notification. Installing Cometsys also installs America Online and Netscape Network software and places icons on the desktop. The AOL and Netscape Network software is not listed in the executable details for this adware, as the integrity of those files appeared to be intact and they are not part of Cometsys.
System alterations upon installation:
This description makes the assumption that the user has unchecked the optional Starware Toolbar install. A page similar to the one shown below is displayed:
The installer will retrieve additional files from www.screensavers.com in order to install.
The following files are installed:
C:\Program Files\AOD\aol.ini
C:\Program Files\AOD\AolAod.exe
C:\Program Files\AOD\netscape
C:\Program Files\AOD\timedata.ini
C:\Program Files\AOD\TRAINER.PPK
C:\Program Files\AOD\netscape\ns_yell.ico
C:\Program Files\AOD\aol\aod_bb_1_73.ico
C:\Program Files\AOD\aol\aod_modem_1.ico
C:\Program Files\Screensavers.com\Wallpaper\swpstart.exe
C:\Program Files\Screensavers.com\Installer\temp\dm5B.tmp
C:\Program Files\Screensavers.com\Installer\bin\ScreensaversInst.dll
C:\Program Files\Screensavers.com\Installer\bin\siuninst.exe
The following are some of the registry keys added:
HKLM\SOFTWARE\Gtek\AOD
HKLM\SOFTWARE\Gtek\AOD\InstallPath
HKLM\SOFTWARE\Gtek\AOD\ExecuteName
HKLM\SOFTWARE\Gtek\AOD\Version
HKLM\SOFTWARE\Gtek\AOD\VersionOnAir
HKLM\SOFTWARE\Screensavers.com
HKLM\SOFTWARE\Screensavers.com\Installer
HKLM\SOFTWARE\Screensavers.com\Installer\Tokens
HKLM\SOFTWARE\Screensavers.com\Installer\Tokens\COMET
HKLM\SOFTWARE\Screensavers.com\Installer\Tokens\WINDOWS
HKLM\SOFTWARE\Screensavers.com\Installer\Settings
HKLM\SOFTWARE\Screensavers.com\Installer\Settings\rangeSize
HKLM\SOFTWARE\Screensavers.com\Installer\Settings\secNextRangeInterval
HKLM\SOFTWARE\Screensavers.com\Installer\Settings\tValidHistoryPeriod
HKLM\SOFTWARE\Screensavers.com\Installer\Settings\tActiveJobPurgePeriod
HKLM\SOFTWARE\Screensavers.com\Installer\Settings\tTempFilePurgePeriod
HKLM\SOFTWARE\Screensavers.com\Installer\Settings\prMaxLoad
HKLM\SOFTWARE\Screensavers.com\Installer\Data
HKLM\SOFTWARE\Screensavers.com\Installer\Data\ICON
HKLM\SOFTWARE\Screensavers.com\Installer\Data\ICON\AOL
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ScreensaversInstaller
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ScreensaversInstaller\DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ScreensaversInstaller\UninstallString
HKLM\SOFTWARE\Classes\ScreensaversInstaller.Installer
HKLM\SOFTWARE\Classes\ScreensaversInstaller.Installer\CurVer
HKLM\SOFTWARE\Classes\ScreensaversInstaller.Installer\CLSID
HKLM\SOFTWARE\Classes\ScreensaversInstaller.Installer.1
HKLM\SOFTWARE\Classes\ScreensaversInstaller.Installer.1\CLSID
HKLM\SOFTWARE\Classes\ScreensaversInstaller.Sinstaller
HKLM\SOFTWARE\Classes\ScreensaversInstaller.Sinstaller\CurVer
HKLM\SOFTWARE\Classes\ScreensaversInstaller.Sinstaller\CLSID
HKLM\SOFTWARE\Classes\ScreensaversInstaller.Sinstaller.1
HKLM\SOFTWARE\Classes\ScreensaversInstaller.Sinstaller.1\CLSID
The installer will then execute the swpstart.exe file, which opens the host's display options.
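A host triage check for the artifacts listed above, added here as an example and not part of the original analysis: it tests for the installed files and registry keys, compares file sizes against the sizes documented for the executables, and records the signer and the registered UninstallString. The subset of paths, the size table and the output format are the example's own choices.

```powershell
# Constructed triage script: looks for the Cometsys files and registry keys
# documented above. Sizes are the ones the analysis gives for each executable.
$Files = @(
  'C:\Program Files\Screensavers.com\Wallpaper\swpstart.exe',
  'C:\Program Files\Screensavers.com\Installer\bin\ScreensaversInst.dll',
  'C:\Program Files\Screensavers.com\Installer\bin\siuninst.exe',
  'C:\Program Files\AOD\AolAod.exe'
)
$ExpectedSizes = @{
  'swpstart.exe'         = 142336
  'ScreensaversInst.dll' = 166400
  'siuninst.exe'         = 32980
}
$RegKeys = @(
  'HKLM:\SOFTWARE\Gtek\AOD',
  'HKLM:\SOFTWARE\Screensavers.com\Installer',
  'HKLM:\SOFTWARE\Classes\ScreensaversInstaller.Installer',
  'HKLM:\SOFTWARE\Classes\ScreensaversInstaller.Sinstaller'
)
$UninstallKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ScreensaversInstaller'

$Findings = @()
foreach ($f in $Files) {
    if (-not (Test-Path -LiteralPath $f)) { continue }
    $item = Get-Item -LiteralPath $f
    $note = 'present'
    # A size that differs from the documented one suggests an updated or variant build.
    if ($ExpectedSizes.ContainsKey($item.Name) -and $item.Length -ne $ExpectedSizes[$item.Name]) {
        $note = "present; size $($item.Length) differs from documented $($ExpectedSizes[$item.Name])"
    }
    $sig = Get-AuthenticodeSignature -FilePath $f
    $Findings += [pscustomobject]@{ Type = 'File'; Path = $f
                                    Note = "$note; signer: $($sig.SignerCertificate.Subject)" }
}
foreach ($k in $RegKeys) {
    if (Test-Path -LiteralPath $k) {
        $Findings += [pscustomobject]@{ Type = 'Registry'; Path = $k; Note = 'present' }
    }
}
# The Uninstall entry carries the uninstaller command line; keep it for the incident record.
if (Test-Path -LiteralPath $UninstallKey) {
    $props = Get-ItemProperty -LiteralPath $UninstallKey
    $Findings += [pscustomobject]@{ Type = 'Registry'; Path = "$UninstallKey\UninstallString"
                                    Note = [string]$props.UninstallString }
}
if ($Findings.Count -eq 0) { 'No Cometsys artifacts found.' } else { $Findings | Format-Table -AutoSize }
```

Run it from an elevated PowerShell session so the HKLM keys and Program Files paths are readable.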
Adware behavior:
Cometsys may install other Spyware or Adware including the Starware toolbar without user interaction.
Cometsys may compromise host security by retrieving files from unauthorized networks.