ThreatExpert Report: not-a-virus:AdWare.Win32.SaveNow.e, not-a-virus:AdWare.Win32.SaveNow.bl..

Submission Summary:

Submission details:

Submission received: 23 June 2008, 01:23:45
Processing time: 4 min 26 sec
Submitted sample:

File MD5: 0xC47A927F342EC56B9B4677FCEAAFBF97
File SHA-1: 0x27B0D2B8ECCAC4DD60A4F6D9C7411F77B248470D
Filesize: 1,293,306 bytes
Alias: not-a-virus:AdWare.Win32.SaveNow.e, not-a-virus:AdWare.Win32.SaveNow.bl, not-a-virus:AdWare.Win32.SaveNow.m, not-a-virus:AdWare.Win32.SaveNow.m, not-a-virus:AdWare.Win32.NewDotNet [Kaspersky Lab]

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

The new window was created, as shown below:

NOTICE: The content shown in the above window is captured automatically and is not controlled or endorsed by ThreatExpert.
Please contact us on this link should any material be offensive or inappropriate and we will ensure any such content is blocked from future viewers of the report.

Possible Security Risk

Attention! Characteristics of the following security risks were identified in the system:

Security Risk	Description
Adware.WhenU_SaveNow	SaveNow shows targeted pop-up advertisements and coupons based on user's Internet surfing habits. It is usually distributed with other third party software such as BearShare.
Spyware.Radlight	Radlight is a Divx multimedia player that installs WhenU.SaveNow, which is an adware that produces pop-up advertisements. Radlight has also been found to intentionally delete the Anti-Spyware program Ad-Aware.
Adware.NewdotNet	Newdotnet is a potentially unwanted software which comes bundled with other malicious programs. Some versions of Newdotnet install without user consent, we recommend that you remove Newdotnet if it was not installed intentionally.
Adware.WhenU_WeatherCast	Weathercast displays weather forecasts in real time. It also bundles WhenUSearch with it and displays text-based advertisements within the WeatherCast program.
Adware.Component.WhenU	Common Components shared between WhenU products like ClockSync, SaveNow, SideFinder and WeatherCast.

Attention! The following threat categories were identified:

Threat Category	Description
	A potentially unwanted adware program designed to deliver various advertisements to the users' systems
	A spyware program that represents security risk for a local system

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%CommonPrograms%\RadLight\RadLight [ R5 ]\Help\RadLight.lnk	817 bytes	MD5: 0x55B48D3C0272F7E0926A5725186261D8 SHA-1: 0xCBC1533D17F153737CFE4F747D914B66D48DD37A	(not available)
2	%CommonPrograms%\RadLight\RadLight [ R5 ]\RadLight 3.03 [ R5.2 ].lnk	744 bytes	MD5: 0x53DF25A116EC08C830651C1F21459CE9 SHA-1: 0x5158E56F100F79ADDBE2712844695C0CAD2E19E4	(not available)
3	%DesktopDir%\RadLight 3.03 [ R5.2 ].lnk	726 bytes	MD5: 0xF3369D9C30166F748875CC3615256CCF SHA-1: 0xBE713142364CC768FACBE949B9E6D3B99B798540	(not available)
4	%Temp%\is-3UQEE.tmp\BSaveInstWm.exe	206,296 bytes	MD5: 0xDCAA28C010E64E1407AE65B45D77D62C SHA-1: 0x4CF74035858868FEFBC8F44E4235E1476EE28DB1	Adware.WhenU_SaveNow [PCTools] not-a-virus:AdWare.Win32.SaveNow.e, not-a-virus:AdWare.Win32.SaveNow.bl, not-a-virus:AdWare.Win32.SaveNow.m, not-a-virus:AdWare.Win32.SaveNow.m [Kaspersky Lab] Adware-SaveNow [McAfee]
5	%Programs%\WeatherCast\WeatherCast.lnk	1,504 bytes	MD5: 0xA3D0C2ADE2B2D0C7865F96AFD8BC2CB3 SHA-1: 0x4B92FC54015537D70558549E3295F4E0CFA21C94	(not available)
6	%ProgramFiles%\RadLight\RadLight3\Bitmaps\playlist.pbm	8,075 bytes	MD5: 0x2AE43B2BEA20C7CA63062BDF4BC87F6C SHA-1: 0x2B10C641A93C1BD3F1AD775C7F0A589F8CFB486C	(not available)
7	%ProgramFiles%\RadLight\RadLight3\Help\RadLight.chm	56,820 bytes	MD5: 0xAC876BB33E5DFB68A69F3408002BC00F SHA-1: 0xC391786600C63AD2984B9A46CDA1644F5A46BFFA	(not available)
8	%ProgramFiles%\RadLight\RadLight3\Languages\Bulgarian.lng	5,525 bytes	MD5: 0xB14F271E2C53597E83249C1D6D79D406 SHA-1: 0x631991159BC4DB0FF6AAFE0E548F484104F1AFBF	(not available)
9	%ProgramFiles%\RadLight\RadLight3\Languages\Catala.lng	5,054 bytes	MD5: 0x5CC14292C35103139624CCF7C14E427D SHA-1: 0xCCDD197E0D7099F038A0E69ECC4BE9AEB24A9D3F	(not available)
10	%ProgramFiles%\RadLight\RadLight3\Languages\Charset.txt	1,317 bytes	MD5: 0x569E99D8BA56AE2EEFC67D69AE993CB9 SHA-1: 0x6F235570D1F3D5DA7F129633577DF0274417888F	(not available)
11	%ProgramFiles%\RadLight\RadLight3\Languages\Chinese(BG).lng	3,997 bytes	MD5: 0x93579E2A0B6F28C06F3DFE6A11C6E655 SHA-1: 0xD070372DAEE60A15A4149CF22D76A364E0B226DC	(not available)
12	%ProgramFiles%\RadLight\RadLight3\Languages\Chinese(BIG5).lng	3,997 bytes	MD5: 0x24ACD97DF37F873FF5BCA425BC4447CD SHA-1: 0xD86778127CE8AD0395863DE89F5431A3A0412221	(not available)
13	%ProgramFiles%\RadLight\RadLight3\Languages\Croatian.lng	5,224 bytes	MD5: 0x4535B4022A6B1C169401A98F55058C37 SHA-1: 0x2277093DFAA90ABE8EECF8E8C9AA4184D17F831A	(not available)
14	%ProgramFiles%\RadLight\RadLight3\Languages\Czech.lng	5,323 bytes	MD5: 0xEC09541C4255E3258541EE62C2B4E597 SHA-1: 0xE492F03B95C37286B2C70B7B659E625B2784DE04	(not available)
15	%ProgramFiles%\RadLight\RadLight3\Languages\Deutsch.lng	5,288 bytes	MD5: 0xB3C85FBA49E45FC6F97EB988F86B5CA4 SHA-1: 0x8745FCE55924E3DA34BAA6363A9FF5A47C147EDF	(not available)
16	%ProgramFiles%\RadLight\RadLight3\Languages\Dutch.lng	5,033 bytes	MD5: 0xA5D43766901E72A5625F53F12E14E3F0 SHA-1: 0x5040915731E046D9065A431DB56BEEF8724BA617	(not available)
17	%ProgramFiles%\RadLight\RadLight3\Languages\English.lng	4,537 bytes	MD5: 0xFA0851A7FC0CD062A75DE3E831173110 SHA-1: 0xE727BAFBC3555A311CEA55F2F572F27FDE2940D0	(not available)
18	%ProgramFiles%\RadLight\RadLight3\Languages\Espanol.lng	5,277 bytes	MD5: 0xF5B42228FB8639F219407C2CC8FF58CB SHA-1: 0x2B5DB357710985FEC7D71334DADF71346EFB6558	(not available)
19	%ProgramFiles%\RadLight\RadLight3\Languages\Francais.lng	5,075 bytes	MD5: 0x27D5831E849DCF99FF6F7D27983C3BAC SHA-1: 0x732F07470EBEE93FE3857A133678DF2530077900	(not available)
20	%ProgramFiles%\RadLight\RadLight3\Languages\Hebrew.lng	4,288 bytes	MD5: 0x88D0DD616E4C49C9A49621EAD75DC47B SHA-1: 0x553D148EF5240DFFAED7F5FC67616EF2FE13F993	(not available)
21	%ProgramFiles%\RadLight\RadLight3\Languages\Italiano.lng	5,345 bytes	MD5: 0x6A1500FE27F3BCE8D2D0284AA54295DD SHA-1: 0x08752B5B47240A94C50AE704D129C30FD2E7AB3F	(not available)
22	%ProgramFiles%\RadLight\RadLight3\Languages\Lithuanian.lng	5,394 bytes	MD5: 0xB84391BF2582907DFD744307B31189C2 SHA-1: 0x0FAB51C27862F230842F563714741E5A75934892	(not available)
23	%ProgramFiles%\RadLight\RadLight3\Languages\Macedonian.lng	5,061 bytes	MD5: 0x91F67274E61FA08D39D05128A64B14A2 SHA-1: 0xF4E4961C2EC1F98C00C66067D2DC9BBFD9EBBCF3	(not available)
24	%ProgramFiles%\RadLight\RadLight3\Languages\Magyar.lng	5,233 bytes	MD5: 0x1AB14C92755BEDFE5DF7627726DA7780 SHA-1: 0x3468E295AC7CF1B54855DF4DF513786D9E4CABF9	(not available)
25	%ProgramFiles%\RadLight\RadLight3\Languages\Norwegian.lng	4,941 bytes	MD5: 0x6E0C1820BDFAAA40C6D119307C1FFE8F SHA-1: 0x42BB998C8D541CFDCFA3B99A75766235E64013BB	(not available)
26	%ProgramFiles%\RadLight\RadLight3\Languages\Polish.lng	5,179 bytes	MD5: 0x083AD6295D3F30725EFE674F46C70D60 SHA-1: 0xBA136E04B87C24366364EDC139A53E6683877B98	(not available)
27	%ProgramFiles%\RadLight\RadLight3\Languages\Portuguese(BR).lng	5,081 bytes	MD5: 0x7FC6AAD918AEA55AD557710F0D523E16 SHA-1: 0xF4F66049B1E2D53B5415E79C25963A126BABE828	(not available)
28	%ProgramFiles%\RadLight\RadLight3\Languages\Romanian.lng	5,097 bytes	MD5: 0xEBCAB7585F11092A6EC17E36909467F4 SHA-1: 0xDE209C9F07FB977E644ACF1BCFAE9D10A8D45B27	(not available)
29	%ProgramFiles%\RadLight\RadLight3\Languages\Russian.lng	5,313 bytes	MD5: 0x7CFF39291B6988ABBA34A906B6C0AD63 SHA-1: 0x220A2CD6FD7F8AA6FD1A58A9511388A8C4A1523F	(not available)
30	%ProgramFiles%\RadLight\RadLight3\Languages\Serbian.lng	5,026 bytes	MD5: 0x29475407993CE751B5B916B9750244FA SHA-1: 0xFBE1006275C5D8DFDC8E37CE0140A81C7E666919	(not available)
31	%ProgramFiles%\RadLight\RadLight3\Languages\Slovak.lng	5,413 bytes	MD5: 0xC49E1535D853555C1352F09D9E374BA5 SHA-1: 0x95D1F75CD46A57F20C694E049FA1D55DD625F9D4	(not available)
32	%ProgramFiles%\RadLight\RadLight3\Languages\Slovenian.lng	5,259 bytes	MD5: 0x2833AC0335FDB180A56EAF84EABC0092 SHA-1: 0x9D2D438C2495F479D458B1B0161E1DE7AD49D71A	(not available)
33	%ProgramFiles%\RadLight\RadLight3\Languages\Spanish(Argentina).lng	5,146 bytes	MD5: 0xCCE76DEC8C892AAABB94CE71E68C8911 SHA-1: 0x4004C47755E8559F3D3CE0AC992282AD17DF0E80	(not available)
34	%ProgramFiles%\RadLight\RadLight3\Languages\Svenska.lng	4,962 bytes	MD5: 0x2DE1377C3F813911BDC9EA2963091C2D SHA-1: 0x2703AAEC9DD432E0D311B545F13083979F58747F	(not available)
35	%ProgramFiles%\RadLight\RadLight3\Modules\Subtitle1.dll	33,280 bytes	MD5: 0x8CFFCC3D19737FEE45C54E88CBC0F6E5 SHA-1: 0xCAF4DD9F697B068A710B988381C770846A18B364	Spyware.Radlight [PCTools] Adware-RadLight [McAfee]
36	%ProgramFiles%\RadLight\RadLight3\Modules\Subtitle2.dll	30,720 bytes	MD5: 0x59132EF887FC81F01D7CAE65387B5B44 SHA-1: 0xFB8EBA90BADF609C31C7BE2088D1E8844957C80A	Spyware.Radlight [PCTools] Adware-RadLight [McAfee]
37	%ProgramFiles%\RadLight\RadLight3\RadLight.exe	314,368 bytes	MD5: 0x356DFD10FC3F7A84904CAB5BF3498E3F SHA-1: 0xDE575AA54BC08E57602CCE956AC419BF5A6EA5C3	(not available)
38	%ProgramFiles%\RadLight\RadLight3\RadLight.url	91 bytes	MD5: 0xBE5431CB5BD30A3829F64FF729A8D51B SHA-1: 0x74099CD91F54FA932A0EBB427288490889B11682	(not available)
39	%ProgramFiles%\RadLight\RadLight3\RadLight.vdp	2 bytes	MD5: 0x81051BCC2CF1BEDF378224B0A93E2877 SHA-1: 0xBA8AB5A0280B953AA97435FF8946CBCBB2755A27	(not available)
40	%ProgramFiles%\RadLight\RadLight3\RPKi\RPK.exe	210,944 bytes	MD5: 0x01ACEDEED7E6748D28CD36FC7997DDC2 SHA-1: 0x1F8CE4B2221C4E4E542FEBA91E9888F82BFDA356	Adware-RadLight [McAfee]
41	%ProgramFiles%\RadLight\RadLight3\Settings.ini	1,089 bytes	MD5: 0x24C0051BBF02BDC374E32788239C063D SHA-1: 0x6E3B0C5E69A79AC8ECE1C301447C37FA78965F25	(not available)
42	%ProgramFiles%\RadLight\RadLight3\Skins\Default.rls	65,006 bytes	MD5: 0xFDAD85591C4948DC8AB9B6A4EC8D191A SHA-1: 0x13ACF0BD4CF7C6C5247041913FD9981213150A4F	(not available)
43	%ProgramFiles%\RadLight\RadLight3\unins000.dat	4,603 bytes	MD5: 0x1F63D395E4C138B4F90C6029C86621C8 SHA-1: 0xE7A051AFF116C1410491FE0313409ECB007B3C4B	(not available)
44	%ProgramFiles%\RadLight\RadLight3\unins000.exe	71,583 bytes	MD5: 0x2AF787B208A58B08AE6178FE5DF09FF1 SHA-1: 0x416458A8DB511AC1A1803F1380CCC1DB26EC9F4F	(not available)
45	%ProgramFiles%\Save\ReadMe.txt	3,472 bytes	MD5: 0x308698A03FB807FBD6934CF896E5692B SHA-1: 0x3398AE0255054B1E62E37F18C9A5643258F2EA9E	Adware-SaveNow [McAfee]
46	%ProgramFiles%\Save\Save.exe	221,696 bytes	MD5: 0x50A11755E92197E35EC33296F5D1B76C SHA-1: 0xCD02C4CA6E77AC0A462BB34379FAA38CB74296EA	Adware.WhenU_SaveNow [PCTools] not-a-virus:AdWare.Win32.SaveNow.e [Kaspersky Lab] Adware-SaveNow [McAfee]
47	%ProgramFiles%\Save\save.htm	44,008 bytes	MD5: 0x9D76A7251D0389CC1FFC074F56DC1545 SHA-1: 0x50D775286C032393A2459BE5FF9BDA64E696711C	(not available)
48	%ProgramFiles%\Save\SaveUninst.exe	20,542 bytes	MD5: 0xF53525F5CDF4F567AC045C248335F2C1 SHA-1: 0x7B5CAC16F80618316AA72B7E2C6700B02F2630FD	Adware.WhenU_SaveNow [PCTools] not-a-virus:AdWare.Win32.SaveNow.bl [Kaspersky Lab] Adware-RadLight [McAfee]
49	%ProgramFiles%\WeatherCast\Uninst.exe	17,463 bytes	MD5: 0x5108A30A1C898F35E9D3CFC55BE0E4BE SHA-1: 0x092B6161BDF3EBADCC9EE09CF07C1DD47A00C1A9	Adware.WhenU_SaveNow [PCTools] not-a-virus:AdWare.Win32.SaveNow.m [Kaspersky Lab]
50	%ProgramFiles%\WeatherCast\Weather.exe	84,480 bytes	MD5: 0x7BB63764D238DB355642F133B1559C25 SHA-1: 0x2E7A8D8EFD5FE69E8FA713FB7777D0B786FEF957	not-a-virus:AdWare.Win32.SaveNow.m [Kaspersky Lab] Adware-RadLight [McAfee]
51	%Windir%\newdotnet3_36.dll	118,784 bytes	MD5: 0x4B998828DC480801FC66E7741D5BE69B SHA-1: 0xAD6326B7BE834845668A28E2657B854BD4B169E0	Adware.NewdotNet [PCTools] not-a-virus:AdWare.Win32.NewDotNet [Kaspersky Lab] NDotNet [McAfee]
52	[file and pathname of the sample #1]	1,293,306 bytes	MD5: 0xC47A927F342EC56B9B4677FCEAAFBF97 SHA-1: 0x27B0D2B8ECCAC4DD60A4F6D9C7411F77B248470D	not-a-virus:AdWare.Win32.SaveNow.e, not-a-virus:AdWare.Win32.SaveNow.bl, not-a-virus:AdWare.Win32.SaveNow.m, not-a-virus:AdWare.Win32.SaveNow.m, not-a-virus:AdWare.Win32.NewDotNet [Kaspersky Lab]
53	%System%\sporder.dll	8,464 bytes	MD5: 0xF12E514AEA35CD28BA6C080E707550F9 SHA-1: 0xE68E328F2278783FFFF2E304A9ED17004B1A8E8A	Adware.NewdotNet [PCTools]

Notes:

%CommonPrograms% is a variable that refers to the file system directory that contains the directories for the common program groups that appear on the Start menu for all users. A typical path is C:\Documents and Settings\All Users\Start Menu\Programs (Windows NT/2000/XP).
%DesktopDir% is a variable that refers to the file system directory used to physically store file objects on the desktop. A typical path is C:\Documents and Settings\[UserName]\Desktop.
%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
%Programs% is a variable that refers to the file system directory that contains the user's program groups. A typical path is C:\Documents and Settings\[UserName]\Start Menu\Programs.
%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

The following directories were created:

%CommonPrograms%\RadLight
%CommonPrograms%\RadLight\RadLight [ R5 ]
%CommonPrograms%\RadLight\RadLight [ R5 ]\Help
%Temp%\is-3UQEE.tmp
%Programs%\WeatherCast
%ProgramFiles%\RadLight
%ProgramFiles%\RadLight\RadLight3
%ProgramFiles%\RadLight\RadLight3\Bitmaps
%ProgramFiles%\RadLight\RadLight3\Help
%ProgramFiles%\RadLight\RadLight3\Languages
%ProgramFiles%\RadLight\RadLight3\Modules
%ProgramFiles%\RadLight\RadLight3\RPKi
%ProgramFiles%\RadLight\RadLight3\Skins
%ProgramFiles%\Save
%ProgramFiles%\WeatherCast

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
radlight_336.exe	%Temp%\is-3UQEE.tmp\radlight_336.exe	159,744 bytes
Save.exe	%ProgramFiles%\Save\Save.exe	237,568 bytes
Weather.exe	%ProgramFiles%\WeatherCast\Weather.exe	94,208 bytes
bsaveinstwm.exe	%Temp%\is-3uqee.tmp\bsaveinstwm.exe	221,184 bytes
saveuninst.exe	%ProgramFiles%\save\saveuninst.exe	28,672 bytes
rpk.exe	%ProgramFiles%\radlight\radlight3\rpki\rpk.exe	581,632 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	94,208 bytes
INS1.tmp	%Temp%\INS1.tmp	438,272 bytes

There were new memory pages created in the address space of the system process(es):

Process Name	Process Filename	Allocated Size
Save.exe	%ProgramFiles%\save\save.exe	1,351,680 bytes
Save.exe	%ProgramFiles%\save\save.exe	1,351,680 bytes

The following module was loaded into the address space of other process(es):

Module Name	Module Filename	Address Space Details
newdotnet3_36.dll	%Windir%\newdotnet3_36.dll	Process name: IEXPLORE.EXE Process filename: %ProgramFiles%\internet explorer\iexplore.exe Address space: 0x15D0000 - 0x15ED000

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.divx
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.ogm
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.rpk
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.viv
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\RadLightFile
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\RadLightFile\DefaultIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\RadLightFile\Shell
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\RadLightFile\Shell\Play
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\RadLightFile\Shell\Play\Command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\RPKFile
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\RPKFile\DefaultIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\RPKFile\Shell
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\RPKFile\Shell\Install
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\RPKFile\Shell\Install\Command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WUSN.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\New.net
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RadLight_is1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SaveNow
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WeatherCast
HKEY_LOCAL_MACHINE\SOFTWARE\New.net
HKEY_LOCAL_MACHINE\SOFTWARE\RadLight Team
HKEY_LOCAL_MACHINE\SOFTWARE\RadLight Team\RadLight
HKEY_LOCAL_MACHINE\SOFTWARE\WhenUSave
HKEY_LOCAL_MACHINE\SOFTWARE\WhenUSave\Partners
HKEY_LOCAL_MACHINE\SOFTWARE\WhenUSave\Partners\CAST
HKEY_LOCAL_MACHINE\SOFTWARE\WhenUSave\Partners\WUSV
HKEY_CURRENT_USER\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}
HKEY_CURRENT_USER\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device
HKEY_CURRENT_USER\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default WaveOut Device
HKEY_CURRENT_USER\Software\WhenU
HKEY_CURRENT_USER\Software\WhenU\Weather

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.rpk]

(Default) = "RPKFile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\RadLightFile\Shell\Play\Command]

(Default) = ""%ProgramFiles%\radlight\radlight3\radlight.exe" Video{"%1"}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\RadLightFile\Shell\Play]

(Default) = "&Play with RadLight"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\RadLightFile\DefaultIcon]

(Default) = "%ProgramFiles%\radlight\radlight3\radlight.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\RPKFile\Shell\Install\Command]

(Default) = ""%ProgramFiles%\RadLight\RadLight3\RPKi\RPK.exe" "%1""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\RPKFile\Shell\Install]

(Default) = "&Install Package"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\RPKFile\DefaultIcon]

(Default) = ""%ProgramFiles%\RadLight\RadLight3\RPKi\RPK.exe""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WUSN.1]

WUSN_Id = 38 E0 38 18 70 A8 23 4A AA A6 20 F8 B5 40 D6 BC

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

New.net Startup = "rundll32 %Windir%\NEWDOT~1.DLL,NewDotNetStartup"
WhenUSave = "C:\PROGRA~1\Save\Save.exe"

so that Save.exe runs every time Windows starts

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\New.net]

DisplayName = "New.net Application"
UninstallString = "rundll32 %Windir%\NEWDOT~1.DLL,NewDotNetUninstall"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RadLight_is1]

Inno Setup: Setup Version = "3.0.3-beta"
Inno Setup: App Path = "%ProgramFiles%\RadLight\RadLight3"
Inno Setup: Icon Group = "RadLight\RadLight [ R5 ]"
Inno Setup: User = "%UserName%"
Inno Setup: Setup Type = "full"
Inno Setup: Selected Components = "main,help,savenow,newnet"
Inno Setup: Deselected Components = ""
Inno Setup: Selected Tasks = "desktopicon"
Inno Setup: Deselected Tasks = "quicklaunchicon"
DisplayName = "RadLight 3.03 [ Release 5.2 ]"
UninstallString = ""%ProgramFiles%\RadLight\RadLight3\unins000.exe""
Publisher = "RadLight, Inc."
URLInfoAbout = "http://www.radlight.net"
HelpLink = "http://www.radlight.net/support.htm"
URLUpdateInfo = "http://www.radlight.net/download.htm"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SaveNow]

DisplayIcon = "C:\PROGRA~1\Save\Save.exe,1"
DisplayName = "SaveNow"
DisplayVersion = "1.61"
HelpLink = "www.whenu.com"
Publisher = "WhenU.com, Inc."
UninstallString = "C:\PROGRA~1\Save\SaveUninst.exe /rWUSV /kSaveNow /dSaveNow"
UrlInfoAbout = "www.whenu.com"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WeatherCast]

DisplayIcon = "%ProgramFiles%\WeatherCast\Weather.exe,-0"
DisplayName = "WeatherCast"
DisplayVersion = "1.0"
HelpLink = "www.whenu.com/about_weather.html"
Publisher = "WhenU.com, Inc."
UninstallString = "C:\PROGRA~1\WEATHE~1\Uninst.exe"
UrlInfoAbout = "http://www.whenu.com/about_weather.html"

[HKEY_LOCAL_MACHINE\SOFTWARE\New.net]

Source = "radlight_336"
InstalledVersion = 0x00030024
InstalledPath = "%Windir%\newdotnet3_36.dll"
Tag = ""
DiscardTag = ""
FirstTime = "1"
NextUpgradeHi = 0x00000000
NextUpgradeLo = 0x00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\RadLight Team\RadLight]

AppPath = "%ProgramFiles%\radlight\radlight3"

[HKEY_LOCAL_MACHINE\SOFTWARE\WhenUSave\Partners\WUSV]

Partner = "WUSV0602"
InstallTime = "20080107151536"
PartnerDesc = "SaveNow"
PartnerParam = "dt=Save Now!,q=,i=1"

[HKEY_LOCAL_MACHINE\SOFTWARE\WhenUSave\Partners\CAST]

Partner = "CAST0702"
InstallTime = "20080107151537"
PartnerDesc = "WeatherCast"
PartnerFile = "C:\PROGRA~1\WEATHE~1\Weather.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\WhenUSave]

db_local_update = "0"
db_script_update = "1001500019"
InstallDir = "C:\PROGRA~1\Save"
pats_url = "http://a1964.g.akamai.net/f/1964/2730/1h/app.whenu.com/OffersData"
pat_chunks_url = "http://a1964.g.akamai.net/f/1964/2730/15d/app.whenu.com/DataChunks"
script_url = "http://a1964.g.akamai.net/f/1964/2730/1h/web.whenu.com/offscript2.html"
update_url = "http://a1964.g.akamai.net/f/1964/2730/1d/web.whenu.com/saveupdate.exe"
ver_url = "http://www.whenu.com/versions.html"
Version = "1.61"
InstallTime = "20080107151536"
SetupCmdLine = "http://app.whenu.com/Offers?url=WUSV0602"
Partner = "WUSV0602"
PartnerDesc = "SaveNow"
PartnerParam = "dt=Save Now!,q=,i=1"
zip = "10001"
SetupCount = "2"
HeartbeatTime = "1199747740828"

[HKEY_CURRENT_USER\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default WaveOut Device]

FriendlyName = "Default WaveOut Device"
CLSID = "{E30629D1-27E5-11CE-875D-00608CB78066}"
FilterData = 02 00 00 00 00 00 20 00 01 00 00 00 00 00 00 00 30 70 69 33 02 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 30 74 79 33 00 00 00 00 38 00 00 00 48 00 00 00 61 75 64 73 00 00 10 00 80 00 00 AA 00 38 9B 71 00 00 00 00 00 00 00 00 00 00 00 0
WaveOutId = 0xFFFFFFFF

[HKEY_CURRENT_USER\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device]

FriendlyName = "Default DirectSound Device"
CLSID = "{79376820-07D0-11CF-A24D-0020AFD79767}"
FilterData = 02 00 00 00 00 00 80 00 01 00 00 00 00 00 00 00 30 70 69 33 02 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00 30 74 79 33 00 00 00 00 A8 00 00 00 B8 00 00 00 31 74 79 33 00 00 00 00 A8 00 00 00 C8 00 00 00 32 74 79 33 00 00 00 00 A8 00 00 0
DSGuid = "{00000000-0000-0000-0000-000000000000}"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

WeatherCast = "C:\PROGRA~1\WEATHE~1\Weather.exe /q"

so that Weather.exe runs every time Windows starts

[HKEY_CURRENT_USER\Software\WhenU\Weather]

InstallDir = "C:\PROGRA~1\WEATHE~1"
Version = "1.0"
about_url = "http://spweb.whenu.com/about_weather.html"
checkver_url = "http://spapp.whenu.com/WeatherDB"
update_url = "http://spweb.whenu.com/weatherupdate.exe"
Partner = "RDLT0102"
zip = "10001"
timeHeartbeat = "20080107231506"

Other details

To mark the presence in the system, the following Mutex objects were created:

WhenU_WeatherCast_SharedMutex
WhenU_WhenUSave_SharedMutex
DDrawWindowListMutex
__DDrawExclMode__
DirectSound DllMain mutex (0x0000074C)
DDrawDriverObjectListMutex
AMResourceMutex2
VideoRenderer

The following Internet Connections were established:

Server Name	Server Port	Connect as User	Connection Password
www.radlight.net	80	(null)	(null)
spapp.whenu.com	80	(null)	(null)
app.whenu.com	80	(null)	(null)
a1964.g.akamai.net	80	(null)	(null)
web.whenu.com	80	(null)	(null)

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.