Submission Summary:

What's been found | Severity Level
Contains characteristics of an identified security risk.

 

Technical Details:


 

Possible Security Risk

Security Risk | Description
Adware.Cydoor | As of April 2005, Cydoor files are no longer downloaded to a client PC. Applications such as iMesh retrieve ads from the Cydoor server, so Cydoor software no longer displays ads directly. Prior to version 3.2.0.9, Cydoor is a Browser Helper Object that can redirect your browser to an adware site. Spyware Doctor detects only the previous version of Cydoor, which is still malicious.
Adware.Cydoor!sd5 | Adware.Cydoor!sd5 is a potentially unwanted adware program that could be used to display various pop-up advertisements.

Threat Category | Description
A potentially unwanted adware program designed to deliver various advertisements to the users' systems

 

File System Modifications

# | Filename(s) | File Size | File Hash | Alias
1 %DesktopDir%\FlashGet.lnk 672 bytes MD5: 0x8110195A7CC144A3A67C24E222C67363
SHA-1: 0xA3EA39C5303E647B39C7034EDAAF57AAB9450677
(not available)
2 %Temp%\29a01704\B_149300.gif 11,575 bytes MD5: 0x89B3FAEDB8B85D3A3EE7054B036A399B
SHA-1: 0x77E59EB79B22A1AAB2EED308926DDA39EBA8F220
(not available)
3 %Temp%\29a01704\B_149301.gif 12,694 bytes MD5: 0x0968261A971F1EA1319717AF52939E27
SHA-1: 0x1231DA9F8178A4F5C227BE54FCCFF82A1592E643
(not available)
4 %Temp%\29a01704\B_151700.gif 5,429 bytes MD5: 0x988A5ECD1ADC3C29B5C7A6E2FFA5016F
SHA-1: 0x44AB9737D4E897E37BE139CAE3DA3D20C6F644D4
(not available)
5 %Temp%\29a01704\B_151701.gif 7,854 bytes MD5: 0xB8AF4C7DAAC95E9670D79912FC5CDC3B
SHA-1: 0xAFC82653FF6AB3770D76C3596AD8B5283F20E0D2
(not available)
6 %Temp%\29a01704\cd_clint.dll 154,624 bytes MD5: 0x8CA847EBA88F8F6505956B0069983811
SHA-1: 0x50A70061340F7ECABFC522C68FBA74FF6CC622B7
Adware.Cydoor [PCTools]
Adware.Cydoor [Symantec]
not-a-virus:AdWare.Win32.Cydoor [Kaspersky Lab]
Adware-CyDoor [McAfee]
Adware:Win32/Cydoor [Microsoft]
AdWare.Cydoor [Ikarus]
packed with PECompact [Kaspersky Lab]
7 %Temp%\29a01704\RUNDLL32.EXE 24,576 bytes MD5: 0x3857D93AA630ABBD63467DB4AEFFCE2C
SHA-1: 0xCA0279F9CBB3887224C6011AA99D7B2DD32D9F94
(not available)
8 %Temp%\29a01704\Start.cdi 499 bytes MD5: 0x8162D5165FA877CC75BF414DF2A8E20C
SHA-1: 0x4BB0ED1A1E50CFB1E40DD3FE68ABABC51AA14293
(not available)
9 %Temp%\29a01704\_ad9D.adx 10,404 bytes MD5: 0x73FC60C0781DC9507C78257B24A5FA30
SHA-1: 0xA005504FBE17F1C60F127529E9CD60799A0D9EEC
not-a-virus:AdWare.Win32.Cydoor [Ikarus]
10 %Temp%\29a01704\_ad9D.rtp 398 bytes MD5: 0x71EB60DB1DCFBDF633417D353DD9B635
SHA-1: 0x8A9774176CC5BC4C7371310153F57DEC80BB6DF0
(not available)
11 %Temp%\GLC1.tmp 159,232 bytes MD5: 0xC9B68C644E8F0467205CEF4518D0F969
SHA-1: 0x0338BE23971B16940A17306A911FC1E9CD187B0B
(not available)
12 %Temp%\GLF6.tmp 8,704 bytes MD5: 0xEE137AA648F5A30F5522A48C176BF13C
SHA-1: 0x965505B48BEAACBC4CDC6EF3442EC3A9BB1F1835
(not available)
13 %Temp%\GLF7.tmp
%ProgramFiles%\FlashGet\License.txt
4,384 bytes MD5: 0xA32F7969C6DD2C0E6140340304D9343E
SHA-1: 0x24637D0355C5E5654EAF8997AFAD57701719A9FD
(not available)
14 %Temp%\GLG5.tmp 2,926 bytes MD5: 0xAD5E471B547A519527330194A1F93CDA
SHA-1: 0x34C6F1D0C726145F877B5C18CBDCD75684F44A09
(not available)
15 %Temp%\GLJ2.tmp 2,560 bytes MD5: 0x6F608D264503796BEBD7CD66B687BE92
SHA-1: 0xBB82145E86516859DAE6D4B3BFFB08C727B13C65
(not available)
16 %Temp%\GLK3.tmp 30,720 bytes MD5: 0x80AF8DD09484FD57EE8C1B6C5C6267BD
SHA-1: 0xCD84FB24B823CF113E53A6B31B6CEC6AEA01745F
(not available)
17 %Temp%\_ad9D.dll 77,312 bytes MD5: 0xCFF8271DE6BD1F9B5A328D42040F9BD7
SHA-1: 0xBE2C7DCD213DEE6BCCAF8C1F4822B6B50A64646E
(not available)
18 %Programs%\FlashGet\Documentation.lnk 642 bytes MD5: 0xB8A536B655B5245415FCAF95193CF972
SHA-1: 0x332EC5D3905FA6575E5518EF0470A94EF9D1A354
(not available)
19 %Programs%\FlashGet\FlashGet.lnk 684 bytes MD5: 0x09CD150D1D3F9C8C7DF4FFFC2150AEA2
SHA-1: 0x137B24222847DA6BA043617167BB17864D26675B
(not available)
20 %Programs%\FlashGet\License.lnk 635 bytes MD5: 0x5BAC79F2D384E38DCE15390D2883D36E
SHA-1: 0x7739FEA3A107895E68A60AC0EEBADC2F16E31EFD
(not available)
21 %Programs%\FlashGet\Uninstall FlashGet.lnk 630 bytes MD5: 0xB073964A2C12B65CAE2C5383BE559828
SHA-1: 0xA6D1B75D91F07797670068920566514C8FCB2826
(not available)
22 %Programs%\FlashGet\What's New.lnk 642 bytes MD5: 0xA091DB435C013EAE7D19C3871665E16E
SHA-1: 0xE51F29647E7AC9A327D4256D0C6980529A4B1AB4
(not available)
23 %ProgramFiles%\FlashGet\assist4.exe 365,056 bytes MD5: 0x9E3C1B94B95E53E033523F6BE597F956
SHA-1: 0xEF84CFF2B363F62EDEC9CBC90B0AD2CE9CFA5603
Spyware.Win32.CnsMin [Ikarus]
packed with WiseSFXDropper [Kaspersky Lab]
24 %ProgramFiles%\FlashGet\cd_install277.exe 286,208 bytes MD5: 0xCDAF9F1E48F6CCD8BE6BB07C000361A2
SHA-1: 0x8E7C25C01DCDA2E9CEC6D250BC739B54645D08B4
not-a-virus:AdWare.Win32.Cydoor [Kaspersky Lab]
Adware-CyDoor [McAfee]
25 %ProgramFiles%\FlashGet\default1.gif 1,874 bytes MD5: 0xB21EB19A09E234378C0CDCAAB6F34A8F
SHA-1: 0x6666A5B8A76C181DDBC293C0482283C7AFFEAF3B
(not available)
26 %ProgramFiles%\FlashGet\fgiebar.dll 86,016 bytes MD5: 0x94D01CBA4FBB4EB408F02F549CA5D815
SHA-1: 0x99821B3F41B9E9CEC6C65350C049B50181C5A475
Adware-FlashGet [McAfee]
27 %ProgramFiles%\FlashGet\flashget.chm 236,967 bytes MD5: 0x2955333DE82FAC521EB267933D585CA3
SHA-1: 0x904E96329BBC4D7AED3ED0722E6202A9B30CE65D
(not available)
28 %ProgramFiles%\FlashGet\flashget.exe 1,302,528 bytes MD5: 0x9403E81F0FB4855CF7F1E4E37B74DB38
SHA-1: 0x25C6F404410DE9CC12406AF879BAAF558FDD18B0
(not available)
29 %ProgramFiles%\FlashGet\flashget.exe.manifest 546 bytes MD5: 0xD93D8B10C82BE90F833FE71C2EAB1042
SHA-1: 0x5DD4F7E710298C81653546992ECAC5B517E5229E
(not available)
30 %ProgramFiles%\FlashGet\Jccatch.dll 65,536 bytes MD5: 0xF2FAFE3CB6412C89F43D88CCEBE308F3
SHA-1: 0xF161FBC3B782359692148FB4368DBB1B94435E73
Adware-FlashGet [McAfee]
31 %ProgramFiles%\FlashGet\jc_all.htm 575 bytes MD5: 0x4F5140BEADB0A78CE30E9F0F4B591B8F
SHA-1: 0x8F6C819C4677BB014B01C6AA88E51EB6BD6060AA
(not available)
32 %ProgramFiles%\FlashGet\jc_link.htm 1,898 bytes MD5: 0x208F30C68E12274B625E3EDF9186680C
SHA-1: 0x5F00F3647ACD936AD9B7B2FBAD178AF6975F9B27
(not available)
33 %ProgramFiles%\FlashGet\language\jcchs.ini 22,748 bytes MD5: 0xEC4F8CF15FAB32A569E276936D6AD42A
SHA-1: 0x5E0CFE94E391602EE82D073E24772A24344FA562
(not available)
34 %ProgramFiles%\FlashGet\language\jccht.ini 23,757 bytes MD5: 0x471CC7C3879E4D248FD92C89482BC00C
SHA-1: 0x3D166DF63C490A5EC29BC5A1D2E24AE3BB5B0423
(not available)
35 %ProgramFiles%\FlashGet\language\jceng.ini 29,588 bytes MD5: 0x83E7A032B04B8B864C84B74BAD9272B1
SHA-1: 0xB64E9843895AFF4F048111C61AB7DF0B27804056
(not available)
36 %ProgramFiles%\FlashGet\mirrors.lst 38,584 bytes MD5: 0x56DE5B587A41D621C91DC8D5CB4C597E
SHA-1: 0x02C4C2981F6B6A532DA8F87AAEFE0A2DC19700C4
(not available)
37 %ProgramFiles%\FlashGet\mymirror.lst 1,211 bytes MD5: 0x06F8525EE5C00491FDC9D86F35230233
SHA-1: 0xC8D46B57C51DDA79FBA112EC1F5FFC43EE5E358E
(not available)
38 %ProgramFiles%\FlashGet\Normal.jcs 465 bytes MD5: 0x451B3C23ACB1C525FC7BF7145C4C2DA4
SHA-1: 0x1E70E0C50F9025C900C6D68D61A5EBF5BA6A4C78
(not available)
39 %ProgramFiles%\FlashGet\Readme.txt 1,590 bytes MD5: 0x590440B2D9F199391189AC16941CD391
SHA-1: 0x8CAC82BFF15CE2D2155516BF39710CB34643A3F6
(not available)
40 %ProgramFiles%\FlashGet\Skin\ImageBk.ini 393 bytes MD5: 0x6EF09A0AF06776915CE50E4FA62976C8
SHA-1: 0xF50D17C73B2B706BE6AB4C2C7AD44AC351D80DF0
(not available)
41 %ProgramFiles%\FlashGet\Skin\Leftback.jpg 1,310 bytes MD5: 0x73A301887CC14399C8C15944374F3AE4
SHA-1: 0x651AE7AAB2BEF4BBEAA83FF412F0F7F620BC5954
(not available)
42 %ProgramFiles%\FlashGet\Skin\logo_bg.gif 1,743 bytes MD5: 0xB07D08D36A7E7498B08894D81FF671E5
SHA-1: 0xBDC95E9CA6148FA8E17BBB698F05BD4AC638485C
(not available)
43 %ProgramFiles%\FlashGet\Skin\Normal.ini 535 bytes MD5: 0x99B86843398484AC3DF863E4DC478254
SHA-1: 0x712FB73DE26839FC7FEC64FE8C3712851F044817
(not available)
44 %ProgramFiles%\FlashGet\Skin\Sky(Gradient).ini 449 bytes MD5: 0x1591DFBDB61B098133808D9FB039636E
SHA-1: 0xCF91DFDC887CD9EB928A07D3D47A2E0910B17186
(not available)
45 %ProgramFiles%\FlashGet\Skin\TestBk.jpg 54,663 bytes MD5: 0x7CA0C87C1B076420A1AF74783290D905
SHA-1: 0x44001A806ED3E0DA35D65AE49F23E8629D726C01
(not available)
46 %ProgramFiles%\FlashGet\Skin\XP_Luna(Gradient).ini 431 bytes MD5: 0xFB68FA99400379E7AC9D728E523C4A1C
SHA-1: 0xAFF9612B27FCE5BB0FBF0B0338391EA872D25E29
(not available)
47 %ProgramFiles%\FlashGet\Skin\XP_Luna.ini 405 bytes MD5: 0x486BB1F87FE5AD238B7E7A6A8CB7431A
SHA-1: 0xB564662E34B3F413FBC0CEBC9361BB3AD236DE9B
(not available)
48 %ProgramFiles%\FlashGet\sounds\added.wav 25,866 bytes MD5: 0xBC308F4B6FD5E0443D1F258C9EF138D9
SHA-1: 0x29CF128C02B333DDAAB41362363458925C12C915
(not available)
49 %ProgramFiles%\FlashGet\sounds\all_done.wav 20,970 bytes MD5: 0xA171750575B9BD0E63AE7189672F5450
SHA-1: 0x1C78AA6A223CCC8A6F3D5EC57FF9F58FD7E0BB37
(not available)
50 %ProgramFiles%\FlashGet\sounds\done.wav 25,220 bytes MD5: 0xDDE6E18AD61AF757744F0AB0BA1BDD66
SHA-1: 0xDE28F7135CC8FD13DF2CCAC712284E7A5B589C12
(not available)
51 %ProgramFiles%\FlashGet\sounds\error.wav 15,456 bytes MD5: 0xB089F2658B5DEA4C6151FDD42B30E3F9
SHA-1: 0x87C8C4B2C88076452062C8D220DE39D8EFB0BF8C
(not available)
52 %ProgramFiles%\FlashGet\Table.jcs 599 bytes MD5: 0x656A004892C6B6F2082C76495547242A
SHA-1: 0xE88807734A58119771AC933F50693EED7D26C7F6
(not available)
53 %ProgramFiles%\FlashGet\unreg.inf 1,269 bytes MD5: 0x2233614BB5BE7A3FDBD5CB9AA0DBA003
SHA-1: 0xB48E148621D45DFCCDC887DB28305588B7C64B2D
(not available)
54 %ProgramFiles%\FlashGet\UNWISE.EXE 148,480 bytes MD5: 0xE565D24683FE6B3071D919759A0AE170
SHA-1: 0xBBE55BBCFCE47AA17A0DB6F4B0637EA7368D1968
(not available)
55 %ProgramFiles%\FlashGet\whatsnew.txt 10,231 bytes MD5: 0xA0829503A4CEFFB495091105BD9054CC
SHA-1: 0xF5534BF30FC3E5578838691D04D55409D40F817F
(not available)
56 [file and pathname of the sample #1] 1,822,888 bytes MD5: 0xAF518B7D064BE4C6D330662876EFE784
SHA-1: 0x9DE13636539B0723BD591127255DBD4C5D1364CD
Adware.Cydoor!sd5 [PCTools]
not-a-virus:AdWare.Win32.Cydoor [Kaspersky Lab]
Generic Adware.dr [McAfee]

 

Memory Modifications

Process Name | Process Filename | Main Module Size
[filename of the sample #1] | [file and pathname of the sample #1] | 24,576 bytes
CD_INS~1.EXE | %ProgramFiles%\flashget\cd_install277.exe | 344,064 bytes
[generic host process] | [generic host process filename] | 24,576 bytes

 

Registry Modifications

 

Other details

Israel
China

 

 

Copyright © 2010 ThreatExpert. All rights reserved.