Adware-Searchcentrix

Type: Program
SubType: Adware
Discovery Date: 05/19/2004
Minimum DAT: 4313 (01/07/2004)
Updated DAT: 5173 (11/28/2007)
Minimum Engine: 5.1.00
Description Added: 04/15/2004
Description Modified: 03/16/2005 8:20 AM (PT)

Characteristics

McAfee(R) AVERT™ recognizes that this program may have legitimate uses in contexts where an authorized administrator has knowingly installed this application.  If you agreed to a license agreement for this, or another bundled application, you may have legal obligations with regard to removing this software, or using the host application without this software.   Please contact the software vendor for further information.

See http://vil.nai.com/vil/DATReadme.asp for a list of Program detections added to the DATs.

See http://vil.nai.com/vil/pups/configuration.htm for information about how to enable, disable, and exclude detection of legitimately installed programs.

Distribution

This is not a virus or a trojan.  It is detected as a "potentially unwanted program."  It is a direct-marketing adware application that generates pop-up advertisements while the user browses the web.  It also functions as a downloader that can retrieve and install additional applications/components.  Installation is performed by registering the DLL through an .inf file; no license agreement or privacy policy is displayed during this step, although one could be displayed by another installer if the program is bundled with another application.  Following installation, pop-up ads are displayed while browsing with Internet Explorer, and default address-bar searches are redirected through a third-party server.

Privacy

There is a privacy policy available on the twain-tech and mx-targeting websites (they appear very similar), although there was no indication given that the user should look for them there.

Privacy policies
http://www.twain-tech.com/privacy.htm
http://www.mx-targeting.com/privacy.htm

A unique identifier for the host system is created and stored in the registry.  Following installation several new components were installed (removing and replacing the original BHO).  Advertisements are based on intercepted search keywords, URLs, and keywords scanned from pages the user browses.

System Changes

Files Added

Name: C:\Windows\twaintec.dll
Size: varies with version (latest twaintec.dll is 172,032 bytes)
MD5: varies (latest version 0.1.4.67 is 5BC556C78C6B896AC8F954E23B7FD461)

Name: C:\Windows\AFLFILIQ.ini  (NOTE: this filename may be random)
Size: varies
MD5: varies
Note: The contents of this file appear to be encrypted.

Name: C:\Windows\preInsTT.exe
Size: varies (multiple versions encountered, latest is 32,768 bytes)
MD5: varies (latest is E2122B80108E0BF53537E64681FC3A72)

Name: C:\Windows\inf\twaintec.inf
Size: varies with version
MD5: varies

Registry Changes (most significant/high-level)

Keys Added:

HKEY_CLASSES_ROOT\CLSID\{000020DD-C72E-4113-AF77-DD56626C6C42}
HKEY_CLASSES_ROOT\Interface\{5326B223-DC21-43A4-9B79-635E2D18DCB2}
HKEY_CLASSES_ROOT\TwaintecDll.TwaintecDllObj
HKEY_CLASSES_ROOT\TwaintecDll.TwaintecDllObj.1
HKEY_CLASSES_ROOT\TypeLib\{72892E8E-75DF-4CD2-BE11-E9A0077F44A8}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{000020DD-C72E-4113-AF77-DD56626C6C42}
HKEY_LOCAL_MACHINE\SOFTWARE\Twaintec

Values Added:

HKEY_CLASSES_ROOT\CLSID\{000020DD-C72E-4113-AF77-DD56626C6C42}\InprocServer32 "(Default)"
Data: C:\WINDOWS\twaintec.dll

HKEY_CLASSES_ROOT\CLSID\{000020DD-C72E-4113-AF77-DD56626C6C42}\TypeLib "(Default)"
Data: {72892e8e-75df-4cd2-be11-e9a0077f44a8}

HKEY_CLASSES_ROOT\Interface\{5326B223-DC21-43A4-9B79-635E2D18DCB2} "(Default)"
Data: ITwaintecDllObj

HKEY_CLASSES_ROOT\Interface\{5326B223-DC21-43A4-9B79-635E2D18DCB2}\TypeLib "(Default)"
Data: {72892E8E-75DF-4CD2-BE11-E9A0077F44A8}

HKEY_CLASSES_ROOT\TypeLib\{72892E8E-75DF-4CD2-BE11-E9A0077F44A8}\1.1\0\win32 "(Default)"
Data: C:\WINDOWS\twaintec.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Twaintec "TTC4n5trMsgSDisp"
Data: 00, 00, 00, 00

HKEY_LOCAL_MACHINE\SOFTWARE\Twaintec "TTI4d5OfSInst"
Data: {AC9E78A0-5F78-4BB7-BBFE-13801C8AD531}
NOTE: This value appears random, and may be used as an identifier for the specific client.

Network Impact

Additional overhead in incoming bandwidth due to downloading of advertisement data and additional components.
Additional overhead in outgoing bandwidth due to transmission of keywords and clickstream data.

----------------

The above information was gathered analyzing version 0.1.4.67 of the twaintec.dll variant.  An older version of the software was found to behave as follows:

The following registry keys are added.  The Run value hooks system startup; the command it stores depends on the original location of the file:

HKEY_CLASSES_ROOT\CLSID\{C258EAA1-F9FE-491E-B8FF-CE9AF7A7AFF5}

HKEY_CLASSES_ROOT\TypeLib\{D1020AD1-3754-4C54-BF4D-EA01652EC4BE}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "SPOOLSVV"  = "SPOOLSVV.EXE -invisible"
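The artifacts listed under System Changes (current version) and in the older-version notes above can be swept for from an elevated PowerShell prompt.  The script below is an added example and is not part of the McAfee description or of any McAfee tool.  Every CLSID, path, value name and MD5 in it is taken from the description; the only assumptions are that the files live under %SystemRoot% (the description's C:\Windows) and the heuristic used to surface candidates for the randomly named .ini file, which is the author's own guess, not something the description states.  Rather than only checking the one known BHO CLSID, it enumerates every registered Browser Helper Object and resolves each one's InprocServer32 DLL, which is how IE decides what to load and therefore shows the general shape of this persistence mechanism.

```powershell
# Added example: sweep a Windows host for Adware-Searchcentrix / twaintec artifacts.
# Not McAfee code. Run in an elevated PowerShell session (Get-FileHash needs PS 4.0+).
# On 64-bit Windows a 32-bit BHO may also register under ...\Wow6432Node\...; HKCR
# already merges HKLM\Software\Classes and HKCU\Software\Classes.

$KnownBhoClsid = '{000020DD-C72E-4113-AF77-DD56626C6C42}'   # current version
$OldClsid      = '{C258EAA1-F9FE-491E-B8FF-CE9AF7A7AFF5}'   # older version
$KnownMd5 = @{                                               # hashes given in the description
    'twaintec.dll' = '5BC556C78C6B896AC8F954E23B7FD461'      # version 0.1.4.67
    'preInsTT.exe' = 'E2122B80108E0BF53537E64681FC3A72'
}
$Findings = New-Object System.Collections.Generic.List[string]

# 1. Every BHO is a CLSID subkey here; IE loads the InprocServer32 module of each one.
$bhoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bhoRoot) {
    foreach ($key in Get-ChildItem $bhoRoot) {
        $clsid  = $key.PSChildName
        $server = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" `
                                    -ErrorAction SilentlyContinue).'(default)'
        $flag = if ($clsid -ieq $KnownBhoClsid -or $clsid -ieq $OldClsid) { 'KNOWN Searchcentrix' } else { 'review' }
        $Findings.Add("BHO $clsid -> $server [$flag]")
    }
}

# 2. COM registration and vendor keys listed in the description (both versions).
$keys = @(
    "Registry::HKEY_CLASSES_ROOT\CLSID\$KnownBhoClsid",
    'Registry::HKEY_CLASSES_ROOT\Interface\{5326B223-DC21-43A4-9B79-635E2D18DCB2}',
    'Registry::HKEY_CLASSES_ROOT\TwaintecDll.TwaintecDllObj',
    'Registry::HKEY_CLASSES_ROOT\TwaintecDll.TwaintecDllObj.1',
    'Registry::HKEY_CLASSES_ROOT\TypeLib\{72892E8E-75DF-4CD2-BE11-E9A0077F44A8}',
    'HKLM:\SOFTWARE\Twaintec',
    "Registry::HKEY_CLASSES_ROOT\CLSID\$OldClsid",
    'Registry::HKEY_CLASSES_ROOT\TypeLib\{D1020AD1-3754-4C54-BF4D-EA01652EC4BE}'
)
foreach ($k in $keys) {
    if (Test-Path $k) { $Findings.Add("Registry key present: $k") }
}

# 3. Per-client identifier written by the current version.
$tt = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Twaintec' -ErrorAction SilentlyContinue
if ($tt -and $tt.PSObject.Properties['TTI4d5OfSInst']) {
    $Findings.Add("Client identifier TTI4d5OfSInst = $($tt.TTI4d5OfSInst)")
}

# 4. Startup hook used by the older version.
$run = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['SPOOLSVV']) {
    $Findings.Add("Run value SPOOLSVV = $($run.SPOOLSVV)")
}

# 5. Dropped files; compare against the one MD5 per file the description gives.
$windir = $env:SystemRoot
foreach ($f in @("$windir\twaintec.dll", "$windir\preInsTT.exe", "$windir\inf\twaintec.inf")) {
    if (Test-Path $f) {
        $name = Split-Path $f -Leaf
        $md5  = (Get-FileHash -Path $f -Algorithm MD5).Hash
        $match = if ($KnownMd5.ContainsKey($name) -and $KnownMd5[$name] -ieq $md5) {
            'matches listed sample' } else { 'hash not listed (other version or unrelated file)' }
        $Findings.Add("File $f size=$((Get-Item $f).Length) md5=$md5 [$match]")
    }
}

# 6. The encrypted .ini has a random name (AFLFILIQ.ini in the analysed sample), so it
#    cannot be matched by name. ASSUMPTION (author's heuristic, not from the description):
#    surface %SystemRoot%\*.ini files whose base name is eight upper-case letters for review.
Get-ChildItem "$windir\*.ini" -ErrorAction SilentlyContinue |
    Where-Object { $_.BaseName -cmatch '^[A-Z]{8}$' } |
    ForEach-Object { $Findings.Add("Candidate random-name .ini: $($_.FullName)") }

if ($Findings.Count -eq 0) { 'No Adware-Searchcentrix artifacts found.' } else { $Findings }
```

Run it before and after cleanup: the BHO listing in step 1 is also the quickest way to confirm that the InprocServer32 path no longer resolves to twaintec.dll once the DLL and its CLSID have been removed.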

Aliases

N/A