IPInsight
- Type: Program
- SubType: Adware
- Discovery Date: 07/01/2002
- Length:
- Minimum DAT: 4211 (07/10/2002)
- Updated DAT: 5107 (08/28/2007)
- Minimum Engine: 5.1.00
- Description Added: 09/09/2003
- Description Modified: 08/24/2007 4:48 PM (PT)
Characteristics
McAfee(R) AVERT™ recognizes that this program may have legitimate uses in contexts where an authorized administrator has knowingly installed this application. If you agreed to a license agreement for this, or another bundled application, you may have legal obligations with regard to removing this software, or using the host application without this software. Please contact the software vendor for further information.
See http://vil.nai.com/vil/DATReadme.asp for a list of Program detections added to the DATs.
See http://vil.nai.com/vil/pups/configuration.htm for information about how to enable, disable, and exclude detection of legitimately installed programs.
Distribution
This is not a virus or a trojan. It is detected as a "potentially unwanted program." It is a "stub" installation program which downloads and installs additional direct marketing advertising software. It must be executed on the host system (either manually, or by another process) to install. No visible indication is given that anything is being installed upon execution of the installation program. No license agreement or privacy policy is shown during the installation process. The third party & affiliate packages installed may perform various advertising functions (displaying pop-up ads, redirecting browser default search and error pages, sending intercepted search and URL data to other servers, etc.)
Privacy
No license agreement is displayed, although one could be displayed by another installer if bundled with another application. The executable sets a registry Run key to ensure it is executed on startup. There is a EULA available at http://www.abetterinternet.com/policies.htm, but no indication to the user that it exists or that they are bound to it by installing the software.
The EULA lays out in detail what the vendor is allowed to do, and the permissions are extensive (Section 2):
"2. Functionality - BI [Better Internet], through its advertising software known as Ceres, delivers advertising and various information and promotional messages to your computer screen while you view Internet web pages. BetterInternet is able to provide you with BI free of charge as a result of your agreement to download and use BI, and accept the advertising and promotional messages it delivers.
By installing the Software, you understand and agree that the Software may, without any further prior notice to you, automatically perform the following: display advertisements of advertisers who pay a fee to BetterInternet, in the form of pop-up ads, pop-under ads, interstitials ads and various other ad formats, display links to and advertisements of related websites based on the information you view and the websites you visit; store non-personally identifiable statistics of the websites you have visited; redirect certain URLs including your browser default 404-error page to or through the Software; provide advertisements, links or information in response to search terms you use at third-party websites; provide search functionality or capabilities; automatically update the Software and install added features or functionality or additional software, including search clients and toolbars, conveniently without your input or interaction; install desktop icons and installation files; install software from BetterInternet affiliates; and install Third Party Software.
In addition, you further understand and agree, by installing the Software, that BetterInternet and/or the Software may, without any further prior notice to you, remove, disable or render inoperative other adware programs resident on your computer, which, in turn, may disable or render inoperative, other software resident on your computer, including software bundled with such adware, or have other adverse impacts on your computer."
System Changes
Files Added
A more full-featured installation program is downloaded upon execution. The name seems to depend on the stub installer version. For "farmmext.exe", "mm_reco.exe" is downloaded. In the case of "belt.exe" the file is named "bi_reco.exe". All other added files are downloaded/created by this installer.
Name: C:\Documents and Settings\Administrator\Local Settings\Temp\DrTemp\mm_reco.exe
Size: 70,656 bytes (ASPack 2.12 packed)
MD5: A4E2A9A38E834F6FDA7049261BAC6A62 (packed)
47069206956DC360AAE2C5A513722542 (unpacked)
Registry Changes (most significant/high-level)
The addition of a registry value in the Run key is the only change that can be said to be made by the software directly. The bulk of the system changes are initiated by the downloaded installer.
Values Added:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "farmmext"
Data: C:\farmmext.exe
Note: The data depends on the location of the file at the time of execution.
Network Impact
Additional overhead in bandwidth due to download of 3rd party components.
Additional overhead in bandwidth due to retrieval of advertising content and transmission of system info, web searches, and other tracking information.
----------------
A previous version of this software was found to have the following behavior/characteristics:
This is not a virus or trojan. There is more than one version of this Application.
This is a process or IE Browser Helper Object that monitors addresses entered into web forms. These addresses are sent to a remote location and are recorded into a database.
This program is generally installed by certain 3rd party applications, generally freeware. The third party installer installs all the files for this program. Once the application is run, it creates a registry entry to run the program at startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"SENTRY" = "[Location from where the file is executed]\Sentry.exe"
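A detection check for the Run-key persistence described above, as an added example that is not part of the original write-up: it parses `reg query` output and matches on the value name and on the executable's file name rather than the full path, because the data depends on where the file was executed from. The sample output is constructed, and treating a file-name match alone as a hit is an assumption of this example.

```python
import ntpath
import re

# Indicators taken from the write-up: Run value names and the executable
# names used by the stub installers and by the earlier version.
RUN_VALUE_NAMES = {"farmmext", "sentry"}
EXE_NAMES = {"farmmext.exe", "belt.exe", "sentry.exe"}

# One value line of `reg query` output: name, type and data, 4 spaces apart.
VALUE_LINE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")


def executable_basename(data):
    """Return the lower-cased file name of the command stored in a Run value."""
    data = data.strip()
    if data.startswith('"'):
        # Quoted command: the path ends at the closing quote.
        path = data[1:].split('"', 1)[0]
    else:
        # Unquoted command: cut after the first ".exe" so arguments are dropped.
        m = re.match(r"(?i)(.*?\.exe)\b", data)
        path = m.group(1) if m else data
    return ntpath.basename(path).lower()


def flag_run_entries(reg_query_output):
    """Return (name, data, reasons) for Run values matching the indicators."""
    hits = []
    for line in reg_query_output.splitlines():
        m = VALUE_LINE.match(line)
        if not m:
            continue  # key header or blank line
        name, data = m.group("name"), m.group("data")
        reasons = []
        if name.lower() in RUN_VALUE_NAMES:
            reasons.append("value name")
        if executable_basename(data) in EXE_NAMES:
            reasons.append("executable name")
        if reasons:
            hits.append((name, data, reasons))
    return hits


# Constructed sample of `reg query HKLM\...\Run` output (not from a real host).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    farmmext    REG_SZ    C:\farmmext.exe
    Updater    REG_SZ    "D:\Downloads\belt.exe" /s
    SENTRY    REG_SZ    C:\Program Files\Tools\Sentry.exe
    SoundMan    REG_SZ    SOUNDMAN.EXE
"""
```

The "Updater" entry is flagged on file name alone, which covers a stub that was started from a different location or registered under a different value name.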
Variants
N/A
Aliases
- Adware-IPSentry
- IPSentry
Removal
Instructions on Enabling/Disabling Detection and Removal of Potentially Unwanted Programs