ThreatExpert Report: Adware.WhenU_SaveNow, not-a-virus:AdTool.Win32.WhenU.t..

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 9 April 2008, 05:39:19
Processing time: 3 min 43 sec
Submitted sample:

File MD5: 0xCAE0475C0D428C7C0E530EBC6C00FA22
File SHA-1: 0xA345C8F173A611307199F155813E41B2F7B24C24
Filesize: 1,050,584 bytes
Alias:

Adware.WhenU_SaveNow [PCTools]
not-a-virus:AdTool.Win32.WhenU.t, not-a-virus:AdTool.Win32.WhenU.r [Kaspersky Lab]

Summary of the findings:

What's been found	Severity Level
Creates a startup registry entry.
Registers a 32-bit in-process server DLL.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! Characteristics of the following security risk was identified in the system:

Security Risk	Description
Adware.WhenU_SaveNow	SaveNow shows targeted pop-up advertisements and coupons based on user's Internet surfing habits. It is usually distributed with other third party software such as BearShare.

Attention! The following threat category was identified:

Threat Category	Description
	A potentially unwanted adware program designed to deliver various advertisements to the users' systems

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%ProgramFiles%\AdVantage\AdVantage.exe	884,176 bytes	MD5: 0x7E857342986176D6864171E5643DB953 SHA-1: 0xED1570C83EE39FC61F87EF21BA9E3D7CCB007AF0	not-a-virus:AdTool.Win32.WhenU.t [Kaspersky Lab]
2	%ProgramFiles%\AdVantage\AdVantage.htm	140,849 bytes	MD5: 0x4F431DA2840DCA976748D0C48630F982 SHA-1: 0x7EDAD9B2CC90CC58DC55D2EEA499699091FCA4D8	(not available)
3	%ProgramFiles%\AdVantage\AdVUninst.exe	454,096 bytes	MD5: 0xB00E59202BF6F8FF8A8AFAB41926DF77 SHA-1: 0x6833E7F388BAAD5312B4A851F2495029D5F36F94	(not available)
4	%ProgramFiles%\AdVantage\ffext.mod	17,625 bytes	MD5: 0x9F6818C62151C4F3634959D20E8C44A4 SHA-1: 0x23062BB72A27D283F2CE57EFD35C16EAC2575461	(not available)
5	%ProgramFiles%\AdVantage\TR.dll	517,856 bytes	MD5: 0xC3D98DAC60F6F8A6AE60BAFA9E6745E6 SHA-1: 0xCA366F3D14E1B6DC9658EC5FE8A34899E59D6F4F	not-a-virus:AdTool.Win32.WhenU.r [Kaspersky Lab] MeMedia [McAfee]
6	[file and pathname of the sample #1]	1,050,584 bytes	MD5: 0xCAE0475C0D428C7C0E530EBC6C00FA22 SHA-1: 0xA345C8F173A611307199F155813E41B2F7B24C24	Adware.WhenU_SaveNow [PCTools] not-a-virus:AdTool.Win32.WhenU.t, not-a-virus:AdTool.Win32.WhenU.r [Kaspersky Lab]

Note:

%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

The following directory was created:

%ProgramFiles%\AdVantage

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
AdVantage.exe	%ProgramFiles%\AdVantage\AdVantage.exe	901,120 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	1,064,960 bytes

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\TR.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{69E0089F-28BC-4BB5-862B-E2B07C3B83C6}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{602D9049-B4AC-4A25-BF75-A9B54D747CBA}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{602D9049-B4AC-4A25-BF75-A9B54D747CBA}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{602D9049-B4AC-4A25-BF75-A9B54D747CBA}\ProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{602D9049-B4AC-4A25-BF75-A9B54D747CBA}\Programmable
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{602D9049-B4AC-4A25-BF75-A9B54D747CBA}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{602D9049-B4AC-4A25-BF75-A9B54D747CBA}\VersionIndependentProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{5AC3A9EF-C0F8-41D4-B4E2-B7CEBB794151}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{5AC3A9EF-C0F8-41D4-B4E2-B7CEBB794151}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{5AC3A9EF-C0F8-41D4-B4E2-B7CEBB794151}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{5AC3A9EF-C0F8-41D4-B4E2-B7CEBB794151}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{862DEF42-89AA-49FA-AE1F-8A84B1B08A17}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{862DEF42-89AA-49FA-AE1F-8A84B1B08A17}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{862DEF42-89AA-49FA-AE1F-8A84B1B08A17}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{862DEF42-89AA-49FA-AE1F-8A84B1B08A17}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F6E4845D-1D13-4BC0-942D-B9191524CC48}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F6E4845D-1D13-4BC0-942D-B9191524CC48}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F6E4845D-1D13-4BC0-942D-B9191524CC48}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F6E4845D-1D13-4BC0-942D-B9191524CC48}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{DABF362D-D442-4402-9208-CA9ED70DD01E}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{DABF362D-D442-4402-9208-CA9ED70DD01E}\1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{DABF362D-D442-4402-9208-CA9ED70DD01E}\1.0\0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{DABF362D-D442-4402-9208-CA9ED70DD01E}\1.0\0\win32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{DABF362D-D442-4402-9208-CA9ED70DD01E}\1.0\FLAGS
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{DABF362D-D442-4402-9208-CA9ED70DD01E}\1.0\HELPDIR
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TR.TRFactory
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TR.TRFactory\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TR.TRFactory\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TR.TRFactory.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TR.TRFactory.1\CLSID
HKEY_CURRENT_USER\Software\AdVantage
HKEY_CURRENT_USER\Software\AdVantage\Partners
HKEY_CURRENT_USER\Software\AdVantage\Partners\MEAD

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\TR.DLL]

AppID = "{69E0089F-28BC-4BB5-862B-E2B07C3B83C6}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{69E0089F-28BC-4BB5-862B-E2B07C3B83C6}]

(Default) = "TR"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{602D9049-B4AC-4A25-BF75-A9B54D747CBA}\VersionIndependentProgID]

(Default) = "TR.TRFactory"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{602D9049-B4AC-4A25-BF75-A9B54D747CBA}\TypeLib]

(Default) = "{602D9049-B4AC-4A25-BF75-A9B54D747CBA}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{602D9049-B4AC-4A25-BF75-A9B54D747CBA}\ProgID]

(Default) = "TR.TRFactory.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{602D9049-B4AC-4A25-BF75-A9B54D747CBA}\InprocServer32]

(Default) = "%ProgramFiles%\AdVantage\TR.dll"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{602D9049-B4AC-4A25-BF75-A9B54D747CBA}]

(Default) = "TRFactory Class"
AppID = "{69E0089F-28BC-4BB5-862B-E2B07C3B83C6}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{5AC3A9EF-C0F8-41D4-B4E2-B7CEBB794151}\TypeLib]

(Default) = "{DABF362D-D442-4402-9208-CA9ED70DD01E}"
Version = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{5AC3A9EF-C0F8-41D4-B4E2-B7CEBB794151}\ProxyStubClsid32]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{5AC3A9EF-C0F8-41D4-B4E2-B7CEBB794151}\ProxyStubClsid]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{5AC3A9EF-C0F8-41D4-B4E2-B7CEBB794151}]

(Default) = "IFetchData"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{862DEF42-89AA-49FA-AE1F-8A84B1B08A17}\TypeLib]

(Default) = "{DABF362D-D442-4402-9208-CA9ED70DD01E}"
Version = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{862DEF42-89AA-49FA-AE1F-8A84B1B08A17}\ProxyStubClsid32]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{862DEF42-89AA-49FA-AE1F-8A84B1B08A17}\ProxyStubClsid]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{862DEF42-89AA-49FA-AE1F-8A84B1B08A17}]

(Default) = "ITRFactory"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F6E4845D-1D13-4BC0-942D-B9191524CC48}\TypeLib]

(Default) = "{DABF362D-D442-4402-9208-CA9ED70DD01E}"
Version = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F6E4845D-1D13-4BC0-942D-B9191524CC48}\ProxyStubClsid32]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F6E4845D-1D13-4BC0-942D-B9191524CC48}\ProxyStubClsid]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F6E4845D-1D13-4BC0-942D-B9191524CC48}]

(Default) = "IFetchExtractor"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{DABF362D-D442-4402-9208-CA9ED70DD01E}\1.0\0\win32]

(Default) = "%ProgramFiles%\AdVantage\TR.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{DABF362D-D442-4402-9208-CA9ED70DD01E}\1.0\HELPDIR]

(Default) = "%ProgramFiles%\AdVantage\"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{DABF362D-D442-4402-9208-CA9ED70DD01E}\1.0\FLAGS]

(Default) = "0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{DABF362D-D442-4402-9208-CA9ED70DD01E}\1.0]

(Default) = "MeMedia True Relevance 1.0 Type Library"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TR.TRFactory\CurVer]

(Default) = "TR.TRFactory.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TR.TRFactory\CLSID]

(Default) = "{602D9049-B4AC-4A25-BF75-A9B54D747CBA}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TR.TRFactory]

(Default) = "TRFactory Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TR.TRFactory.1\CLSID]

(Default) = "{602D9049-B4AC-4A25-BF75-A9B54D747CBA}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TR.TRFactory.1]

(Default) = "TRFactory Class"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

AdVantage = ""%ProgramFiles%\AdVantage\AdVantage.exe""

so that AdVantage.exe runs every time Windows starts

[HKEY_CURRENT_USER\Software\AdVantage\Partners\MEAD]

Partner = "MEAD0602"
InstallTime = "20080408123928"
PartnerDesc = "AdVantage"
PartnerParam = "dt=AdVantage;q=;i=1"

[HKEY_CURRENT_USER\Software\AdVantage]

db_script_update = "1002700895"
InstallDir = "%ProgramFiles%\AdVantage"
pats_url = "http://akapp.memedia.com/OffersDataGZ"
pat_chunks_url = "http://akapp.memedia.com/DataChunksGZ"
script_url = "http://akweb.memedia.com/offscpt.html"
update_url = "http://akdwl.memedia.com/advupdate.exe"
ver_url = "http://www.memedia.com/advantage/versions.html"
Version = "1.01"
timedDBUpdate_rs = "Y"
SystemParam_rs = "dt=AdVantage;q=;i=1"
dbg_trayicon_rs = "Y"
tt_custom_rs = "30"
uninst_rs = "1.008241"
shelp_url = "http://www.memedia.com/advantage/privacypolicy.html"
snhelp_url = "http://www.memedia.com/advantage/privacypolicy.html"
extra_url = "http://downloads.memedia.com/advantage/extra.exe"
extraver_url = "http://downloads.memedia.com/advantage/extraver.html"
ziptomsa_url = "http://akapp.memedia.com/ziptomsa"
InstallTime = "20080408123928"
LastPartner = "MEAD0602"
SetupCmdLine = "http://web.memedia.com/Offers?iou=i&clp=MEAD0602"
zip = ""
no_x_rs = "Y"
uninstall_cmd_rs = ""
tr_rs = "2.00"

Other details

To mark the presence in the system, the following Mutex objects were created:

FeedBack_SharedMutex
WhenU_WhenUSave_SharedMutex

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.