KeenValue
- Type: Program
- SubType: Adware
- Discovery Date: 10/17/2003
- Minimum DAT: 4299 (10/22/2003)
- Updated DAT: 4440 (03/04/2005)
- Minimum Engine: 5.1.00
- Description Added: 10/20/2003
- Description Modified: 03/16/2005 10:42 AM (PT)
Characteristics
McAfee(R) AVERT™ recognizes that this program may have legitimate uses in contexts where an authorized administrator has knowingly installed this application. If you agreed to a license agreement for this, or another bundled application, you may have legal obligations with regard to removing this software, or using the host application without this software. Please contact the software vendor for further information.
See http://vil.nai.com/vil/DATReadme.asp for a list of Program detections added to the DATs.
See http://vil.nai.com/vil/pups/configuration.htm for information about how to enable, disable, and exclude detection of legitimately installed programs.
Distribution
This is not a virus or a trojan. It is detected as a "potentially unwanted program."
No visible indication is given that any software is being installed upon execution of the installation program. Several executables are dropped and a registry Run key is created to ensure one of them is launched at startup. No license agreement is displayed, although one could be displayed by another installer if bundled with another application. There is no information available on the http://update.thunderdownloads.com website (with which the program communicates). A unique identifier for the host system is created and stored in both the registry and in a file. Following installation, the software communicates briefly with the thunderdownloads.com servers, then continues running silently in the background.
Beyond the initial encrypted conversation with the thunderdownloads.com server, no specific activity attributable to the software was observed. It appears likely that this program does not deliver advertising directly, but is rather a maintenance component for other Intermix Media software. It could be possible to direct it to download, install, and update other software depending on the commands issued during a check-in.
Privacy
A privacy policy statement is located here: http://www.intermix.com/about_privacy.cfm
However, there is no indication to the user that they should go there to read it.
System Changes
Files Added
C:\Program Files\Common Files\updater\data1.dat
Size: varies
NOTE: The unique ID is stored within this file.
Example:
"<PUID> 7472e2ae-d1e2-4112-875a-c74dd050ec60</PUID><KVUID> 057ce782-a561-483a-af8d-787d88a4e740</KVUID><UPDATESVRTURL>
http://update.thunderdownloads.com/service/update.svr</UPDATESVRTURL>"
C:\Program Files\Common Files\updater\data2.dat
Size: varies
C:\Program Files\Common Files\updater\delupdat.exe
Size: 24,576 bytes
MD5: BAC168B09CDBA93D98ACBB6267C9914D
C:\Program Files\Common Files\updater\sui.exe
Size: 86,073 bytes
MD5: 3B1AFB0317320A145F28BC61FD7CC310
C:\Program Files\Common Files\updater\wupdater.exe
Size: 61,440 bytes
MD5: 4273BCF5F87C39DF769AC89587B96175
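A triage check built from the file indicators listed above, as an added example that is not part of the original description or of any McAfee tooling: it compares files in the updater directory against the listed names and MD5 values and extracts the tagged fields from data1.dat. The function names, report labels, and the temporary sample directory are assumptions constructed for the demonstration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# MD5 values as listed on this page under "Files Added" (lower-cased).
KNOWN_MD5 = {
    "delupdat.exe": "bac168b09cdba93d98acbb6267c9914d",
    "sui.exe": "3b1afb0317320a145f28bc61fd7cc310",
    "wupdater.exe": "4273bcf5f87c39df769ac89587b96175",
}
# Tag names taken from the data1.dat example on this page.
TAG_RE = re.compile(r"<(PUID|KVUID|UPDATESVRTURL)>\s*(.*?)\s*</\1>", re.S)


def parse_data1(text):
    """Return the tagged fields (IDs, update URL) found in data1.dat text."""
    return {tag: value for tag, value in TAG_RE.findall(text)}


def triage(updater_dir):
    """Report which updater artifacts exist and whether the MD5s match."""
    root = Path(updater_dir)
    present = {p.name.lower(): p for p in root.iterdir() if p.is_file()} if root.is_dir() else {}
    report = {"files": {}, "data1": {}}
    for name, expected in KNOWN_MD5.items():
        if name in present:
            digest = hashlib.md5(present[name].read_bytes()).hexdigest()
            report["files"][name] = "md5-match" if digest == expected else "name-only"
    for name in ("data1.dat", "data2.dat"):
        if name in present:
            report["files"][name] = "present"
    if "data1.dat" in present:
        report["data1"] = parse_data1(present["data1.dat"].read_text(errors="replace"))
    return report


def demo():
    """Constructed sample: a temp directory standing in for the updater folder."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "WUPDATER.EXE").write_bytes(b"constructed, not the real binary")
        (d / "data1.dat").write_text(
            "<PUID> 7472e2ae-d1e2-4112-875a-c74dd050ec60</PUID>"
            "<UPDATESVRTURL>\nhttp://update.thunderdownloads.com/service/update.svr</UPDATESVRTURL>")
        return triage(d)


if __name__ == "__main__":
    print(demo())
```

A "name-only" result means a file with a listed name exists but its MD5 differs from the value on this page, which is expected for other versions of the program and still warrants a look at the Run key described below.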
Registry Changes (most significant/high-level)
Keys Added:
HKEY_LOCAL_MACHINE\SOFTWARE\updater
Values Added:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "updater"
Data: C:\Program Files\Common files\updater\wupdater.exe
HKEY_LOCAL_MACHINE\SOFTWARE\updater "cid"
Data: 01B25032-764A-4634-9B23-0A9039A79119
HKEY_LOCAL_MACHINE\SOFTWARE\updater "EXEName"
Data: wupdater.exe
HKEY_LOCAL_MACHINE\SOFTWARE\updater "Install_Dir"
Data: C:\Program Files\Common files\updater
HKEY_LOCAL_MACHINE\SOFTWARE\updater "installDate"
Data: 2005/02/28 10:41
HKEY_LOCAL_MACHINE\SOFTWARE\updater "puid"
Data: varies
NOTE: The unique ID is also stored here in the registry.
HKEY_LOCAL_MACHINE\SOFTWARE\updater "VersionNumber"
Data: 1.3.5
Network Impact
Additional overhead in bandwidth due to communication with remote servers. Possible additional bandwidth if updates or components are downloaded.
-----------------------
A previous version of the software was found to have the following characteristics/behavior:
When the install/setup file is run manually by the user, no GUI message boxes appear. It runs silently and places multiple files in the \Program Files\Common Files\KeenValue directory:
- IESLIDERWIN32.DLL (94208 bytes)
- KEENVALUE.EXE (167936 bytes)
- KILLKEENVALUE.EXE (28672 bytes)
- KV001.DAT (49 bytes)
- KV002.DAT (2012 bytes)
- KV099.DAT (72 bytes)
- KVLHOOKWIN.DLL (24576 bytes)
- KWM.EXE (32768 bytes)
- SENDUNINSTALLINFO.EXE (90193 bytes)
- UNINSTALL.EXE (33572 bytes)
It makes a standard registry entry to call the keenvalue.exe file at startup: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Apart from calling the uninstall program directly, Adware-KeenValue can also be removed through Add/Remove programs.
Aliases
N/A