ThreatExpert Report: Adware.SaveNow!sd5, not-a-virus:AdWare.Win32.SaveNow.ar, Adware-SaveNow..

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 18 September 2008, 02:39:43
Processing time: 7 min 5 sec
Submitted sample:

File MD5: 0x2BED64D9DEF80D7AB5C52B6D0B1F3A75
File SHA-1: 0xC94BBF4C365DE15373B18536B8D5F2BAB769A954
Filesize: 572,403 bytes
Alias:

Adware.SaveNow!sd5 [PCTools]
not-a-virus:AdWare.Win32.SaveNow.ar [Kaspersky Lab]
Adware-SaveNow [McAfee]

Summary of the findings:

What's been found	Severity Level
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

The new window was created, as shown below:

NOTICE: The content shown in the above window is captured automatically and is not controlled or endorsed by ThreatExpert.
Please contact us on this link should any material be offensive or inappropriate and we will ensure any such content is blocked from future viewers of the report.

Possible Security Risk

Attention! Characteristics of the following security risks were identified in the system:

Security Risk	Description
Adware.WhenU_SaveNow	SaveNow shows targeted pop-up advertisements and coupons based on user's Internet surfing habits. It is usually distributed with other third party software such as BearShare.
Adware.Component.WhenU	Common Components shared between WhenU products like ClockSync, SaveNow, SideFinder and WeatherCast.
Adware.SaveNow!sd5	Adware.SaveNow!sd5 is a potentially unwanted adware program that could be used to display various pop-up advertisements.

Attention! The following threat category was identified:

Threat Category	Description
	A potentially unwanted adware program designed to deliver various advertisements to the users' systems

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%CommonPrograms%\Cool Web Scrollbars\Cool Web Scrollbars Help.lnk	726 bytes	MD5: 0xBB41B0C33FD0633826836EFB4FB6E076 SHA-1: 0x8DFA9EB1E85C844A90B8C1DFAD66E2B32227BB66	(not available)
2	%CommonPrograms%\Cool Web Scrollbars\Cool Web Scrollbars Readme.lnk	749 bytes	MD5: 0xAF6E862F154063D6B861838EDCCE1EBA SHA-1: 0x0F3C17CA02A64C06C8D5801D46EB5430E530A606	(not available)
3	%CommonPrograms%\Cool Web Scrollbars\Cool Web Scrollbars.lnk	706 bytes	MD5: 0xE0E61654E84AAD71A236E983AF3451D2 SHA-1: 0x53C6A7D923E36FA1AC5048E533F0063D3CE35A52	(not available)
4	%CommonPrograms%\Cool Web Scrollbars\Harmony Hollow on the Web.lnk	1,558 bytes	MD5: 0x56C76CB0E2C3DBD60FD87F2F96054601 SHA-1: 0xF3B3E9AA0FD4AB35172BE6C8A862458FE1C7AA4D	(not available)
5	%DesktopDir%\Cool Web Scrollbars.lnk	694 bytes	MD5: 0xA32CBD606AEE351530B43ECED8DF37E7 SHA-1: 0x1BE44F5AB94AABC999974875754E2BACFE4BA863	(not available)
6	%Favorites%\Free Software\Harmony Hollow Software.url %ProgramFiles%\Cool Web Scrollbars\hhs.url	131 bytes	MD5: 0xAF83086D1011CB7790CF64503D86A300 SHA-1: 0x72D1944E35B6C8097ACBFDEE5A7CF606F6F7E96D	Adware-xplus.url [McAfee]
7	%ProgramFiles%\Cool Web Scrollbars\arrow.gif	3,650 bytes	MD5: 0xC8BB0F53AF16959F6816CF7A17562DD6 SHA-1: 0x2E3FB6EA1248CE2D618168104E05771D158E8020	(not available)
8	%ProgramFiles%\Cool Web Scrollbars\cws.cnt	175 bytes	MD5: 0xFA5C239832B7D9E9B38F12401E2968D1 SHA-1: 0xE201A084AA9EED32F909204837153433676C6935	(not available)
9	%ProgramFiles%\Cool Web Scrollbars\cws.exe	286,720 bytes	MD5: 0xFA6C804B0171CBE9D37AEF959F416666 SHA-1: 0x98A9E55CA074FD3FF1071F3A0C10C738929084C9	(not available)
10	%ProgramFiles%\Cool Web Scrollbars\cws.hlp	136,982 bytes	MD5: 0xD6E06AAADC86E4C3985C6213CB66D7CE SHA-1: 0xB7497DA218348E98116D080CDE1E0A5C4CED1B33	(not available)
11	%ProgramFiles%\Cool Web Scrollbars\hh.ico	2,238 bytes	MD5: 0x675762451E1B3C7CE5BD92415CB15AA9 SHA-1: 0x926F5F5806D91FDF0D1AB5D1B0D93E8F105041BA	(not available)
12	%ProgramFiles%\Cool Web Scrollbars\readme.txt	3,696 bytes	MD5: 0x592FA919685ACEC525E7134277FD625D SHA-1: 0xFE60D8A7FB53B9025F1C8ABEE9E0EA07F48DBF32	(not available)
13	%ProgramFiles%\Cool Web Scrollbars\unins000.dat	2,292 bytes	MD5: 0x7876B20645B3121D214A7DDEF3060C01 SHA-1: 0xB5172A15CF0FAE780EBE044D324B0052FE7A54A7	(not available)
14	%ProgramFiles%\Cool Web Scrollbars\unins000.exe	72,298 bytes	MD5: 0x2330A6FD4B2E02A43F675252DEAC2BE4 SHA-1: 0xF840FE7C4A7B1D7D7490EE875980270A3F947D11	(not available)
15	%ProgramFiles%\SaveNow\ReadMe.txt	4,180 bytes	MD5: 0x158D4EB6403BEFF418666F8DBD051EE7 SHA-1: 0xF8A89CF13E96B06B6ED3075121CD5E1A7AB31C72	(not available)
16	%ProgramFiles%\SaveNow\SaveNow.exe	194,048 bytes	MD5: 0x0F4A3D9EAD65A803B13B3A28F0973C11 SHA-1: 0x908B1AB6B3869C43CFF632BC5A9CB264BF6CE9D4	Adware.WhenU_SaveNow [PCTools] Adware.Savenow [Symantec] not-a-virus:AdWare.Win32.SaveNow.ar [Kaspersky Lab] Adware-xplus [McAfee] Adware:Win32/WhenU.A [Microsoft]
17	%ProgramFiles%\SaveNow\savenow.htm	42,215 bytes	MD5: 0x7E83A2EB529608624A436A84C18A9330 SHA-1: 0x97A5A5F608BBEBA22AE82469A8884FDB4F212862	(not available)
18	%ProgramFiles%\SaveNow\Uninst.exe	15,416 bytes	MD5: 0xC2B4DACA9B874CA0B4011F54B8D72959 SHA-1: 0xFA7F75DFAE274FBF02A4883A85F7C771C0270BF0	Adware.WhenU_SaveNow [PCTools] Adware-xplus [McAfee] SoftwareBundler:Win32/KaZaA [Microsoft]
19	[file and pathname of the sample #1]	572,403 bytes	MD5: 0x2BED64D9DEF80D7AB5C52B6D0B1F3A75 SHA-1: 0xC94BBF4C365DE15373B18536B8D5F2BAB769A954	Adware.SaveNow!sd5 [PCTools] not-a-virus:AdWare.Win32.SaveNow.ar [Kaspersky Lab] Adware-SaveNow [McAfee]

Notes:

%CommonPrograms% is a variable that refers to the file system directory that contains the directories for the common program groups that appear on the Start menu for all users. A typical path is C:\Documents and Settings\All Users\Start Menu\Programs (Windows NT/2000/XP).
%DesktopDir% is a variable that refers to the file system directory used to physically store file objects on the desktop. A typical path is C:\Documents and Settings\[UserName]\Desktop.
%Favorites% is a variable that refers to the file system directory that serves as a common repository for the user's favorite items. A typical path is C:\Documents and Settings\[UserName]\Favorites.
%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

The following directories were created:

%CommonPrograms%\Cool Web Scrollbars
%Favorites%\Free Software
%Temp%\is-KE34D.tmp
%ProgramFiles%\Cool Web Scrollbars
%ProgramFiles%\SaveNow

Notes:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
SaveNow.exe	%ProgramFiles%\savenow\savenow.exe	208,896 bytes
INS1.tmp	%Temp%\INS1.tmp	565,248 bytes
SaveNowInst.exe	%Temp%\is-KE34D.tmp\SaveNowInst.exe	151,552 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	94,208 bytes

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Cool Web Scrollbars_is1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SaveNow
HKEY_LOCAL_MACHINE\SOFTWARE\WhenU
HKEY_LOCAL_MACHINE\SOFTWARE\WhenU\SaveNow

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

SaveNow = "%ProgramFiles%\SaveNow\SaveNow.exe"

so that SaveNow.exe runs every time Windows starts

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Cool Web Scrollbars_is1]

Inno Setup: Setup Version = "2.0.11 with ISX 2.0.11"
Inno Setup: App Path = "%ProgramFiles%\Cool Web Scrollbars"
Inno Setup: Icon Group = "Cool Web Scrollbars"
Inno Setup: User = "%UserName%"
Inno Setup: Selected Tasks = "desktopicon,addfav"
Inno Setup: Deselected Tasks = ""
DisplayName = "Cool Web Scrollbars 2.2"
UninstallString = ""%ProgramFiles%\Cool Web Scrollbars\unins000.exe""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SaveNow]

DisplayIcon = "%ProgramFiles%\SaveNow\SaveNow.exe,-0"
DisplayName = "SaveNow"
DisplayVersion = "1.60"
HelpLink = "www.whenu.com"
Publisher = "WhenU.com, Inc."
UninstallString = "%ProgramFiles%\SaveNow\Uninst.exe"
UrlInfoAbout = "www.whenu.com"

[HKEY_LOCAL_MACHINE\SOFTWARE\WhenU\SaveNow]

db_local_update = "0"
db_script_update = "1001500014"
InstallDir = "%ProgramFiles%\SaveNow"
pats_url = "http://a1964.g.akamai.net/f/1964/2730/1h/app.whenu.com/OffersData"
pat_chunks_url = "http://a1964.g.akamai.net/f/1964/2730/15d/app.whenu.com/DataChunks"
script_url = "http://a1964.g.akamai.net/f/1964/2730/1h/web.whenu.com/offscript2.html"
update_url = "http://a1964.g.akamai.net/f/1964/2730/1d/web.whenu.com/savenowupdate.exe"
ver_url = "http://www.whenu.com/versions.html"
Version = "1.60"
InstallTime = "20080918004000"
SetupCmdLine = "http://app.whenu.com/Offers?url=HHLW1101"
Partner = "HHLW1101"

Other details

To mark the presence in the system, the following Mutex object was created:

WhenUSaveNowSharedMutex

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.