Submission Summary:

What's been found | Severity Level
Downloads/requests other files from the Internet.
Creates a startup registry entry.
Contains characteristics of an identified security risk.

 

Technical Details:


 

Possible Security Risk

Security Risk | Description
Adware.WhenU_SaveNow | SaveNow shows targeted pop-up advertisements and coupons based on the user's Internet surfing habits. It is usually distributed with other third-party software such as BearShare.
Spyware.Radlight | Radlight is a DivX multimedia player that installs WhenU.SaveNow, an adware program that produces pop-up advertisements. Radlight has also been found to intentionally delete the anti-spyware program Ad-Aware.
Adware.NewdotNet | Newdotnet is potentially unwanted software that comes bundled with other malicious programs. Some versions of Newdotnet install without user consent; we recommend that you remove Newdotnet if it was not installed intentionally.
Adware.WhenU_WeatherCast | WeatherCast displays weather forecasts in real time. It also bundles WhenUSearch and displays text-based advertisements within the WeatherCast program.
Adware.Component.WhenU | Common components shared between WhenU products such as ClockSync, SaveNow, SideFinder and WeatherCast.

Threat Category | Description
A potentially unwanted adware program designed to deliver various advertisements to the users' systems
A spyware program that represents security risk for a local system

 

File System Modifications

# | Filename(s) | File Size | File Hash | Alias
1 %CommonPrograms%\RadLight\RadLight [ R5 ]\Help\RadLight.lnk 817 bytes MD5: 0x55B48D3C0272F7E0926A5725186261D8
SHA-1: 0xCBC1533D17F153737CFE4F747D914B66D48DD37A
(not available)
2 %CommonPrograms%\RadLight\RadLight [ R5 ]\RadLight 3.03 [ R5.2 ].lnk 744 bytes MD5: 0x53DF25A116EC08C830651C1F21459CE9
SHA-1: 0x5158E56F100F79ADDBE2712844695C0CAD2E19E4
(not available)
3 %DesktopDir%\RadLight 3.03 [ R5.2 ].lnk 726 bytes MD5: 0xF3369D9C30166F748875CC3615256CCF
SHA-1: 0xBE713142364CC768FACBE949B9E6D3B99B798540
(not available)
4 %Temp%\is-3UQEE.tmp\BSaveInstWm.exe 206,296 bytes MD5: 0xDCAA28C010E64E1407AE65B45D77D62C
SHA-1: 0x4CF74035858868FEFBC8F44E4235E1476EE28DB1
Adware.WhenU_SaveNow [PCTools]
not-a-virus:AdWare.Win32.SaveNow.e, not-a-virus:AdWare.Win32.SaveNow.bl, not-a-virus:AdWare.Win32.SaveNow.m, not-a-virus:AdWare.Win32.SaveNow.m [Kaspersky Lab]
Adware-SaveNow [McAfee]
5 %Programs%\WeatherCast\WeatherCast.lnk 1,504 bytes MD5: 0xA3D0C2ADE2B2D0C7865F96AFD8BC2CB3
SHA-1: 0x4B92FC54015537D70558549E3295F4E0CFA21C94
(not available)
6 %ProgramFiles%\RadLight\RadLight3\Bitmaps\playlist.pbm 8,075 bytes MD5: 0x2AE43B2BEA20C7CA63062BDF4BC87F6C
SHA-1: 0x2B10C641A93C1BD3F1AD775C7F0A589F8CFB486C
(not available)
7 %ProgramFiles%\RadLight\RadLight3\Help\RadLight.chm 56,820 bytes MD5: 0xAC876BB33E5DFB68A69F3408002BC00F
SHA-1: 0xC391786600C63AD2984B9A46CDA1644F5A46BFFA
(not available)
8 %ProgramFiles%\RadLight\RadLight3\Languages\Bulgarian.lng 5,525 bytes MD5: 0xB14F271E2C53597E83249C1D6D79D406
SHA-1: 0x631991159BC4DB0FF6AAFE0E548F484104F1AFBF
(not available)
9 %ProgramFiles%\RadLight\RadLight3\Languages\Catala.lng 5,054 bytes MD5: 0x5CC14292C35103139624CCF7C14E427D
SHA-1: 0xCCDD197E0D7099F038A0E69ECC4BE9AEB24A9D3F
(not available)
10 %ProgramFiles%\RadLight\RadLight3\Languages\Charset.txt 1,317 bytes MD5: 0x569E99D8BA56AE2EEFC67D69AE993CB9
SHA-1: 0x6F235570D1F3D5DA7F129633577DF0274417888F
(not available)
11 %ProgramFiles%\RadLight\RadLight3\Languages\Chinese(BG).lng 3,997 bytes MD5: 0x93579E2A0B6F28C06F3DFE6A11C6E655
SHA-1: 0xD070372DAEE60A15A4149CF22D76A364E0B226DC
(not available)
12 %ProgramFiles%\RadLight\RadLight3\Languages\Chinese(BIG5).lng 3,997 bytes MD5: 0x24ACD97DF37F873FF5BCA425BC4447CD
SHA-1: 0xD86778127CE8AD0395863DE89F5431A3A0412221
(not available)
13 %ProgramFiles%\RadLight\RadLight3\Languages\Croatian.lng 5,224 bytes MD5: 0x4535B4022A6B1C169401A98F55058C37
SHA-1: 0x2277093DFAA90ABE8EECF8E8C9AA4184D17F831A
(not available)
14 %ProgramFiles%\RadLight\RadLight3\Languages\Czech.lng 5,323 bytes MD5: 0xEC09541C4255E3258541EE62C2B4E597
SHA-1: 0xE492F03B95C37286B2C70B7B659E625B2784DE04
(not available)
15 %ProgramFiles%\RadLight\RadLight3\Languages\Deutsch.lng 5,288 bytes MD5: 0xB3C85FBA49E45FC6F97EB988F86B5CA4
SHA-1: 0x8745FCE55924E3DA34BAA6363A9FF5A47C147EDF
(not available)
16 %ProgramFiles%\RadLight\RadLight3\Languages\Dutch.lng 5,033 bytes MD5: 0xA5D43766901E72A5625F53F12E14E3F0
SHA-1: 0x5040915731E046D9065A431DB56BEEF8724BA617
(not available)
17 %ProgramFiles%\RadLight\RadLight3\Languages\English.lng 4,537 bytes MD5: 0xFA0851A7FC0CD062A75DE3E831173110
SHA-1: 0xE727BAFBC3555A311CEA55F2F572F27FDE2940D0
(not available)
18 %ProgramFiles%\RadLight\RadLight3\Languages\Espanol.lng 5,277 bytes MD5: 0xF5B42228FB8639F219407C2CC8FF58CB
SHA-1: 0x2B5DB357710985FEC7D71334DADF71346EFB6558
(not available)
19 %ProgramFiles%\RadLight\RadLight3\Languages\Francais.lng 5,075 bytes MD5: 0x27D5831E849DCF99FF6F7D27983C3BAC
SHA-1: 0x732F07470EBEE93FE3857A133678DF2530077900
(not available)
20 %ProgramFiles%\RadLight\RadLight3\Languages\Hebrew.lng 4,288 bytes MD5: 0x88D0DD616E4C49C9A49621EAD75DC47B
SHA-1: 0x553D148EF5240DFFAED7F5FC67616EF2FE13F993
(not available)
21 %ProgramFiles%\RadLight\RadLight3\Languages\Italiano.lng 5,345 bytes MD5: 0x6A1500FE27F3BCE8D2D0284AA54295DD
SHA-1: 0x08752B5B47240A94C50AE704D129C30FD2E7AB3F
(not available)
22 %ProgramFiles%\RadLight\RadLight3\Languages\Lithuanian.lng 5,394 bytes MD5: 0xB84391BF2582907DFD744307B31189C2
SHA-1: 0x0FAB51C27862F230842F563714741E5A75934892
(not available)
23 %ProgramFiles%\RadLight\RadLight3\Languages\Macedonian.lng 5,061 bytes MD5: 0x91F67274E61FA08D39D05128A64B14A2
SHA-1: 0xF4E4961C2EC1F98C00C66067D2DC9BBFD9EBBCF3
(not available)
24 %ProgramFiles%\RadLight\RadLight3\Languages\Magyar.lng 5,233 bytes MD5: 0x1AB14C92755BEDFE5DF7627726DA7780
SHA-1: 0x3468E295AC7CF1B54855DF4DF513786D9E4CABF9
(not available)
25 %ProgramFiles%\RadLight\RadLight3\Languages\Norwegian.lng 4,941 bytes MD5: 0x6E0C1820BDFAAA40C6D119307C1FFE8F
SHA-1: 0x42BB998C8D541CFDCFA3B99A75766235E64013BB
(not available)
26 %ProgramFiles%\RadLight\RadLight3\Languages\Polish.lng 5,179 bytes MD5: 0x083AD6295D3F30725EFE674F46C70D60
SHA-1: 0xBA136E04B87C24366364EDC139A53E6683877B98
(not available)
27 %ProgramFiles%\RadLight\RadLight3\Languages\Portuguese(BR).lng 5,081 bytes MD5: 0x7FC6AAD918AEA55AD557710F0D523E16
SHA-1: 0xF4F66049B1E2D53B5415E79C25963A126BABE828
(not available)
28 %ProgramFiles%\RadLight\RadLight3\Languages\Romanian.lng 5,097 bytes MD5: 0xEBCAB7585F11092A6EC17E36909467F4
SHA-1: 0xDE209C9F07FB977E644ACF1BCFAE9D10A8D45B27
(not available)
29 %ProgramFiles%\RadLight\RadLight3\Languages\Russian.lng 5,313 bytes MD5: 0x7CFF39291B6988ABBA34A906B6C0AD63
SHA-1: 0x220A2CD6FD7F8AA6FD1A58A9511388A8C4A1523F
(not available)
30 %ProgramFiles%\RadLight\RadLight3\Languages\Serbian.lng 5,026 bytes MD5: 0x29475407993CE751B5B916B9750244FA
SHA-1: 0xFBE1006275C5D8DFDC8E37CE0140A81C7E666919
(not available)
31 %ProgramFiles%\RadLight\RadLight3\Languages\Slovak.lng 5,413 bytes MD5: 0xC49E1535D853555C1352F09D9E374BA5
SHA-1: 0x95D1F75CD46A57F20C694E049FA1D55DD625F9D4
(not available)
32 %ProgramFiles%\RadLight\RadLight3\Languages\Slovenian.lng 5,259 bytes MD5: 0x2833AC0335FDB180A56EAF84EABC0092
SHA-1: 0x9D2D438C2495F479D458B1B0161E1DE7AD49D71A
(not available)
33 %ProgramFiles%\RadLight\RadLight3\Languages\Spanish(Argentina).lng 5,146 bytes MD5: 0xCCE76DEC8C892AAABB94CE71E68C8911
SHA-1: 0x4004C47755E8559F3D3CE0AC992282AD17DF0E80
(not available)
34 %ProgramFiles%\RadLight\RadLight3\Languages\Svenska.lng 4,962 bytes MD5: 0x2DE1377C3F813911BDC9EA2963091C2D
SHA-1: 0x2703AAEC9DD432E0D311B545F13083979F58747F
(not available)
35 %ProgramFiles%\RadLight\RadLight3\Modules\Subtitle1.dll 33,280 bytes MD5: 0x8CFFCC3D19737FEE45C54E88CBC0F6E5
SHA-1: 0xCAF4DD9F697B068A710B988381C770846A18B364
Spyware.Radlight [PCTools]
Adware-RadLight [McAfee]
36 %ProgramFiles%\RadLight\RadLight3\Modules\Subtitle2.dll 30,720 bytes MD5: 0x59132EF887FC81F01D7CAE65387B5B44
SHA-1: 0xFB8EBA90BADF609C31C7BE2088D1E8844957C80A
Spyware.Radlight [PCTools]
Adware-RadLight [McAfee]
37 %ProgramFiles%\RadLight\RadLight3\RadLight.exe 314,368 bytes MD5: 0x356DFD10FC3F7A84904CAB5BF3498E3F
SHA-1: 0xDE575AA54BC08E57602CCE956AC419BF5A6EA5C3
(not available)
38 %ProgramFiles%\RadLight\RadLight3\RadLight.url 91 bytes MD5: 0xBE5431CB5BD30A3829F64FF729A8D51B
SHA-1: 0x74099CD91F54FA932A0EBB427288490889B11682
(not available)
39 %ProgramFiles%\RadLight\RadLight3\RadLight.vdp 2 bytes MD5: 0x81051BCC2CF1BEDF378224B0A93E2877
SHA-1: 0xBA8AB5A0280B953AA97435FF8946CBCBB2755A27
(not available)
40 %ProgramFiles%\RadLight\RadLight3\RPKi\RPK.exe 210,944 bytes MD5: 0x01ACEDEED7E6748D28CD36FC7997DDC2
SHA-1: 0x1F8CE4B2221C4E4E542FEBA91E9888F82BFDA356
Adware-RadLight [McAfee]
41 %ProgramFiles%\RadLight\RadLight3\Settings.ini 1,089 bytes MD5: 0x24C0051BBF02BDC374E32788239C063D
SHA-1: 0x6E3B0C5E69A79AC8ECE1C301447C37FA78965F25
(not available)
42 %ProgramFiles%\RadLight\RadLight3\Skins\Default.rls 65,006 bytes MD5: 0xFDAD85591C4948DC8AB9B6A4EC8D191A
SHA-1: 0x13ACF0BD4CF7C6C5247041913FD9981213150A4F
(not available)
43 %ProgramFiles%\RadLight\RadLight3\unins000.dat 4,603 bytes MD5: 0x1F63D395E4C138B4F90C6029C86621C8
SHA-1: 0xE7A051AFF116C1410491FE0313409ECB007B3C4B
(not available)
44 %ProgramFiles%\RadLight\RadLight3\unins000.exe 71,583 bytes MD5: 0x2AF787B208A58B08AE6178FE5DF09FF1
SHA-1: 0x416458A8DB511AC1A1803F1380CCC1DB26EC9F4F
(not available)
45 %ProgramFiles%\Save\ReadMe.txt 3,472 bytes MD5: 0x308698A03FB807FBD6934CF896E5692B
SHA-1: 0x3398AE0255054B1E62E37F18C9A5643258F2EA9E
Adware-SaveNow [McAfee]
46 %ProgramFiles%\Save\Save.exe 221,696 bytes MD5: 0x50A11755E92197E35EC33296F5D1B76C
SHA-1: 0xCD02C4CA6E77AC0A462BB34379FAA38CB74296EA
Adware.WhenU_SaveNow [PCTools]
not-a-virus:AdWare.Win32.SaveNow.e [Kaspersky Lab]
Adware-SaveNow [McAfee]
47 %ProgramFiles%\Save\save.htm 44,008 bytes MD5: 0x9D76A7251D0389CC1FFC074F56DC1545
SHA-1: 0x50D775286C032393A2459BE5FF9BDA64E696711C
(not available)
48 %ProgramFiles%\Save\SaveUninst.exe 20,542 bytes MD5: 0xF53525F5CDF4F567AC045C248335F2C1
SHA-1: 0x7B5CAC16F80618316AA72B7E2C6700B02F2630FD
Adware.WhenU_SaveNow [PCTools]
not-a-virus:AdWare.Win32.SaveNow.bl [Kaspersky Lab]
Adware-RadLight [McAfee]
49 %ProgramFiles%\WeatherCast\Uninst.exe 17,463 bytes MD5: 0x5108A30A1C898F35E9D3CFC55BE0E4BE
SHA-1: 0x092B6161BDF3EBADCC9EE09CF07C1DD47A00C1A9
Adware.WhenU_SaveNow [PCTools]
not-a-virus:AdWare.Win32.SaveNow.m [Kaspersky Lab]
50 %ProgramFiles%\WeatherCast\Weather.exe 84,480 bytes MD5: 0x7BB63764D238DB355642F133B1559C25
SHA-1: 0x2E7A8D8EFD5FE69E8FA713FB7777D0B786FEF957
not-a-virus:AdWare.Win32.SaveNow.m [Kaspersky Lab]
Adware-RadLight [McAfee]
51 %Windir%\newdotnet3_36.dll 118,784 bytes MD5: 0x4B998828DC480801FC66E7741D5BE69B
SHA-1: 0xAD6326B7BE834845668A28E2657B854BD4B169E0
Adware.NewdotNet [PCTools]
not-a-virus:AdWare.Win32.NewDotNet [Kaspersky Lab]
NDotNet [McAfee]
52 [file and pathname of the sample #1] 1,293,306 bytes MD5: 0xC47A927F342EC56B9B4677FCEAAFBF97
SHA-1: 0x27B0D2B8ECCAC4DD60A4F6D9C7411F77B248470D
not-a-virus:AdWare.Win32.SaveNow.e, not-a-virus:AdWare.Win32.SaveNow.bl, not-a-virus:AdWare.Win32.SaveNow.m, not-a-virus:AdWare.Win32.SaveNow.m, not-a-virus:AdWare.Win32.NewDotNet [Kaspersky Lab]
53 %System%\sporder.dll 8,464 bytes MD5: 0xF12E514AEA35CD28BA6C080E707550F9
SHA-1: 0xE68E328F2278783FFFF2E304A9ED17004B1A8E8A
Adware.NewdotNet [PCTools]

 

Memory Modifications

Process Name | Process Filename | Main Module Size
radlight_336.exe | %Temp%\is-3UQEE.tmp\radlight_336.exe | 159,744 bytes
Save.exe | %ProgramFiles%\Save\Save.exe | 237,568 bytes
Weather.exe | %ProgramFiles%\WeatherCast\Weather.exe | 94,208 bytes
bsaveinstwm.exe | %Temp%\is-3uqee.tmp\bsaveinstwm.exe | 221,184 bytes
saveuninst.exe | %ProgramFiles%\save\saveuninst.exe | 28,672 bytes
rpk.exe | %ProgramFiles%\radlight\radlight3\rpki\rpk.exe | 581,632 bytes
[filename of the sample #1] | [file and pathname of the sample #1] | 94,208 bytes
INS1.tmp | %Temp%\INS1.tmp | 438,272 bytes

Process Name | Process Filename | Allocated Size
Save.exe | %ProgramFiles%\save\save.exe | 1,351,680 bytes
Save.exe | %ProgramFiles%\save\save.exe | 1,351,680 bytes

Module Name | Module Filename | Address Space Details
newdotnet3_36.dll | %Windir%\newdotnet3_36.dll | Process name: IEXPLORE.EXE; Process filename: %ProgramFiles%\internet explorer\iexplore.exe; Address space: 0x15D0000 - 0x15ED000

 

Registry Modifications

 

Other details

Server Name | Server Port | Connect as User | Connection Password
www.radlight.net | 80 | (null) | (null)
spapp.whenu.com | 80 | (null) | (null)
app.whenu.com | 80 | (null) | (null)
a1964.g.akamai.net | 80 | (null) | (null)
web.whenu.com | 80 | (null) | (null)

 

 

Copyright © 2014 ThreatExpert. All rights reserved.