Active Scan. Scan your PC free
Premium Services
Premium Services

Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.


Threat LevelLow threatDamageHighDistributionNot widespread


FTLog.A carries out the following actions:

  • It reaches the computer via the social network Fotolog in a link enticing users to watch a video. This information is detailed below in the section Means of transmission.
  • If users follow the malicious link, a website is displayed requiring users to install a certain codec in order to watch the video:

    Web from which the code is downloaded
  • Once the codec is installed, users are redirected to a website for adults from whcih the file called SETUP.EXE is downloaded:

    Site for adults from which another malicious file is downloaded
  • This file belongs to a plugin called MediaPass Plugin which, once downloaded, is installed in the computer:

    Installation process of MediaPass Plugin
  • Once installed, two different websites are displayed:

    - The first of them belong to a website that informs users that they have won a prize and in order to get it they have to enter certain data:

    Site of the prize won by the user

    - The second one is a website that contains videos for adults:

    Site of videos for adults
  • If users click on any of the images belonging to the videos, another file will be downloaded. Once this file is run, it installs a hotbar, which allows to customize and add different applications to the browser.
  • Additionally, it modifies the Start Page and changes it to the following, a search engine that allows to do searches of pages, videos and news, among others:

    Start Page established by FTLog.A
  • When users are browsing through the Internet, it displays different pop-up ads related to the type of websites users visit. This does not allow users to browse through the Internet as usual.

Infection strategy 

FTLog.A creates the following DLLs (Dynamic Link Library) in the Windows system directory:

  • 5SY5WVTUMOKH.DLL. It is injected into Internet Explorer in order to display pop-up ads while users are browsing through the Internet.
  • T-XV0Q7O-_.DLL. It is injected into Firefox in order to display pop-up ads while users are browsing through the Internet.


FTLog.A creates the following entry in the Windows Registry:

  • HKEY_CURRENT_USER\Software\AppDataLow\HavingFunOnline


FTLog.A modifies the following entry from the Windows Registry in order to change the Internet Explorer Start Page:

  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
    Start Page =
    %start page selected by the user%
    It changes this entry to:
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
    Start Page = http://www3.iam

Means of transmission 

FTLog.A is distributed via the photo-blogging and social networking site called Fotolog. In order to do so, it publishes comments which contain a link to a video, as can be seen in the image below:

Malicious comment added to Fotolog

If users follow the link, the infection process of FTLog.A will start.

Further Details  

FTLog.A is 233,000 bytes in size.