ThreatExpert Report: not-a-virus:AdWare.Win32.SaveNow.w, not-a-virus:AdWare.Win32.SaveNow.au..

Submission Summary:

Submission details:

Submission received: 16 April 2008, 16:50:42
Processing time: 3 min 48 sec
Submitted sample:

File MD5: 0x18138595F1ED1316188E5693E1B74F83
File SHA-1: 0x524270401D6D3917AB4FBB690162E41FEA4C700E
Filesize: 541,362 bytes
Alias: not-a-virus:AdWare.Win32.SaveNow.w, not-a-virus:AdWare.Win32.SaveNow.au [Kaspersky Lab]

Summary of the findings:

What's been found	Severity Level
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! Characteristics of the following security risks were identified in the system:

Security Risk	Description
Adware.WhenU_SaveNow	SaveNow shows targeted pop-up advertisements and coupons based on user's Internet surfing habits. It is usually distributed with other third party software such as BearShare.
Adware.Component.WhenU	Common Components shared between WhenU products like ClockSync, SaveNow, SideFinder and WeatherCast.

Attention! The following threat category was identified:

Threat Category	Description
	A potentially unwanted adware program designed to deliver various advertisements to the users' systems

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%CommonPrograms%\Cool Web Scrollbars\Cool Web Scrollbars Help.lnk	726 bytes	MD5: 0xBEDB52EEFA3ADC9594671D17CC170961 SHA-1: 0xC6DD85649373D505541A842823CC848AAA000DA6	(not available)
2	%CommonPrograms%\Cool Web Scrollbars\Cool Web Scrollbars Readme.lnk	749 bytes	MD5: 0xE6A0C8D9D26B3ED2C1CF0BD689AE57A0 SHA-1: 0x0D46E41B3F9A40476D002DC41266011E07094457	(not available)
3	%CommonPrograms%\Cool Web Scrollbars\Cool Web Scrollbars.lnk	706 bytes	MD5: 0x8DCFEFB9776A1295530D6303A71B525E SHA-1: 0x15346F365B46AF1AD0F59FF4834C87011D5301B9	(not available)
4	%DesktopDir%\Cool Web Scrollbars.lnk	694 bytes	MD5: 0x314C6777517721C30BE7F078B182A4B5 SHA-1: 0xA3D40CE45BB04DCE6048A0AD80C672195FCDC142	(not available)
5	%DesktopDir%\Harmony Hollow on the Web.lnk	1,368 bytes	MD5: 0x9E3FFB319E69BE75AC432C281501F08D SHA-1: 0x9F959E7D0C7D175B13F51E1AFC5EE4EB15916B4C	Adware-s36.XP.lnk [McAfee]
6	%ProgramFiles%\Cool Web Scrollbars\arrow.gif	5,318 bytes	MD5: 0xB209DF3DDD66B18E9B98F8F02224825F SHA-1: 0x380742DA28F7E97E9D3A42FAD831D643C9EAF471	(not available)
7	%ProgramFiles%\Cool Web Scrollbars\cws.cnt	175 bytes	MD5: 0xFA5C239832B7D9E9B38F12401E2968D1 SHA-1: 0xE201A084AA9EED32F909204837153433676C6935	(not available)
8	%ProgramFiles%\Cool Web Scrollbars\cws.exe	253,952 bytes	MD5: 0x120FDA77D6CB79EC908A6B2A48BF8398 SHA-1: 0x2065AB5023F4D14580E506355F8CFB1F56052D4A	(not available)
9	%ProgramFiles%\Cool Web Scrollbars\cws.hlp	137,004 bytes	MD5: 0xF5908958A7C624B78CABE7A42E3A8A9B SHA-1: 0x2CFD927F4F2E91DBD83F0CA5FF89E2DB7EE490B0	(not available)
10	%ProgramFiles%\Cool Web Scrollbars\hh.html	600 bytes	MD5: 0x74D513ECEB5B31C8C32C5745EF6B7646 SHA-1: 0x939524BCAC21A4DE704F2D883743BCF23FE51A29	(not available)
11	%ProgramFiles%\Cool Web Scrollbars\readme.txt	3,696 bytes	MD5: 0x5A1D4471F4FCB6CBAA726A61FAD81A5F SHA-1: 0x8D49BE4A64BE588E7E3FDC23F94BC7A059B4999E	(not available)
12	%ProgramFiles%\Cool Web Scrollbars\unins000.dat	2,250 bytes	MD5: 0xEF517BF7A26F559E8E7B84DEFECCA21C SHA-1: 0x03F4CAF7047FF36A60E127AB2085005E3516CC0A	(not available)
13	%ProgramFiles%\Cool Web Scrollbars\unins000.exe	72,298 bytes	MD5: 0x2330A6FD4B2E02A43F675252DEAC2BE4 SHA-1: 0xF840FE7C4A7B1D7D7490EE875980270A3F947D11	(not available)
14	%ProgramFiles%\SaveNow\ReadMe.txt	4,180 bytes	MD5: 0x158D4EB6403BEFF418666F8DBD051EE7 SHA-1: 0xF8A89CF13E96B06B6ED3075121CD5E1A7AB31C72	(not available)
15	%ProgramFiles%\SaveNow\SaveNow.exe	166,400 bytes	MD5: 0x032E6F160C65B9E90B5C5A1010767B08 SHA-1: 0x1E48DA5A166C0E3B79BEBC242771CFB35E120F4D	Adware.WhenU_SaveNow [PCTools] Adware.Savenow [Symantec] not-a-virus:AdWare.Win32.SaveNow.w [Kaspersky Lab]
16	%ProgramFiles%\SaveNow\savenow.htm	31,588 bytes	MD5: 0xC61CB66B905F859E0EA5EC681E93B7CF SHA-1: 0x1F26E36E864FDAC2689E1BEC41FBB5BDCFCFD78A	(not available)
17	%ProgramFiles%\SaveNow\Uninst.exe	13,368 bytes	MD5: 0x4277410DF62F619F8524837F53492F3F SHA-1: 0x66F8EA0B057ABBAAECF2EF15BCACD97D436CC95E	not-a-virus:AdWare.Win32.SaveNow.au [Kaspersky Lab]
18	%Windir%\hh.ico	2,238 bytes	MD5: 0x675762451E1B3C7CE5BD92415CB15AA9 SHA-1: 0x926F5F5806D91FDF0D1AB5D1B0D93E8F105041BA	(not available)
19	%Windir%\hhs.url	131 bytes	MD5: 0xAF83086D1011CB7790CF64503D86A300 SHA-1: 0x72D1944E35B6C8097ACBFDEE5A7CF606F6F7E96D	Adware-xplus.url [McAfee]
20	[file and pathname of the sample #1]	541,362 bytes	MD5: 0x18138595F1ED1316188E5693E1B74F83 SHA-1: 0x524270401D6D3917AB4FBB690162E41FEA4C700E	not-a-virus:AdWare.Win32.SaveNow.w, not-a-virus:AdWare.Win32.SaveNow.au [Kaspersky Lab]

Notes:

%CommonPrograms% is a variable that refers to the file system directory that contains the directories for the common program groups that appear on the Start menu for all users. A typical path is C:\Documents and Settings\All Users\Start Menu\Programs (Windows NT/2000/XP).
%DesktopDir% is a variable that refers to the file system directory used to physically store file objects on the desktop. A typical path is C:\Documents and Settings\[UserName]\Desktop.
%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

The following directories were created:

%CommonPrograms%\Cool Web Scrollbars
%Temp%\is-59DRT.tmp
%ProgramFiles%\Cool Web Scrollbars
%ProgramFiles%\SaveNow

Notes:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
SaveNow.exe	%ProgramFiles%\savenow\savenow.exe	180,224 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	94,208 bytes
INS1.tmp	%Temp%\INS1.tmp	565,248 bytes
SaveNowInst.exe	%Temp%\is-59DRT.tmp\SaveNowInst.exe	126,976 bytes

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Cool Web Scrollbars_is1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SaveNow
HKEY_LOCAL_MACHINE\SOFTWARE\WhenU
HKEY_LOCAL_MACHINE\SOFTWARE\WhenU\SaveNow
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Free Software

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

SaveNow = "%ProgramFiles%\SaveNow\SaveNow.exe"

so that SaveNow.exe runs every time Windows starts

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Cool Web Scrollbars_is1]

Inno Setup: Setup Version = "2.0.11 with ISX 2.0.11"
Inno Setup: App Path = "%ProgramFiles%\Cool Web Scrollbars"
Inno Setup: Icon Group = "Cool Web Scrollbars"
Inno Setup: User = "%UserName%"
DisplayName = "Cool Web Scrollbars 2.0"
UninstallString = ""%ProgramFiles%\Cool Web Scrollbars\unins000.exe""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SaveNow]

DisplayIcon = "%ProgramFiles%\SaveNow\SaveNow.exe,-0"
DisplayName = "SaveNow"
DisplayVersion = "1.49"
HelpLink = "www.whenu.com"
Publisher = "WhenU.com, Inc."
UninstallString = "%ProgramFiles%\SaveNow\Uninst.exe"
UrlInfoAbout = "www.whenu.com"

[HKEY_LOCAL_MACHINE\SOFTWARE\WhenU\SaveNow]

db_local_update = "0"
db_script_update = "1001400015"
InstallDir = "%ProgramFiles%\SaveNow"
pats_url = "http://a1964.g.akamai.net/f/1964/2730/1h/app.whenu.com/OffersData"
pat_chunks_url = "http://a1964.g.akamai.net/f/1964/2730/15d/app.whenu.com/DataChunks"
script_url = "http://a1964.g.akamai.net/f/1964/2730/1h/web.whenu.com/offscript2.html"
update_url = "http://a1964.g.akamai.net/f/1964/2730/1d/web.whenu.com/savenowupdate.exe"
ver_url = "http://www.whenu.com/versions.html"
Version = "1.49"
InstallTime = "20080415235059"
SetupCmdLine = "http://app.whenu.com/Offers?url=HHLW1101"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Free Software]

(Default) = "%ProgramFiles%\Cool Web Scrollbars\hh.html"

Other details

To mark the presence in the system, the following Mutex object was created:

WhenUSaveNowSharedMutex

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.