Content

Adware-PromulGate

Type
Program
SubType
Adware
Discovery Date
01/19/2005
Minimum DAT
4347 (04/04/2004)
Updated DAT
5009 (04/13/2007)
Minimum Engine
5.1.00
Description Added
04/15/2004
Description Modified
03/17/2005 7:35 PM (PT)

Tab Navigation

Characteristics

McAfee(R) AVERT™ recognizes that this program may have legitimate uses in contexts where an authorized administrator has knowingly installed this application.If you agreed to a license agreement for this, or another bundled application, you may have legal obligations with regard to removing this software, or using the host application without this software. Please contact the software vendor for further information.

See http://vil.nai.com/vil/DATReadme.asp for a list of Program detections added to the DATs.

See http://vil.nai.com/vil/pups/configuration.htm for information about how to enable, disable, and exclude detection of legitimately installed programs.

Distribution

The application is responsible for displaying anonymous ads through Pop-Ups. The ads are displayed after certain intervals, where the length of intervals is very long and may vary. The application registers Active-x components, which are responsible for showing ads. Very rarely it also tries to install third party softwares and prompt the user to download and run various scripts. The executable does not have any company name associated with it. After the installation is done a EULA is stored in the %windir%\system32 folder with the other downloaded files. The un-installation process requires internet connectivity.

The names of files associated with the adware are

  • ~mysetup.exe
  • k13w13.[date].exe ([date] is the system date when the file gets installed, its is optional in the name)
  • kmin.exe
  • vmss.exe
  • wsxsvc.exe

It is observed to contact following websites

Note: %Windir% is location of windows directory (For Example: C:\windows in XP)

Installation

It adds following files to run registry key for auto-restart

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run\Dvx: "%WINDIR%\System32\wsxsvc\wsxsvc.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run\vmss: "%WINDIR%\System32\vmss\vmss.exe"

Other Registry Changes

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A8BD9566-9895-4FA3-918D-A51D4CD15865}\InprocServer32\: "%WINDIR%\System32\wsxsvc\wsx.ocx"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D0070620-1E72-42E7-A14C-3A255AD31839}\InprocServer32\: "%WINDIR%\System32\wsxsvc\wsx.ocx"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Uninstall\DMVLite\DisplayName: "DMVlite"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
\Uninstall\DMVLite\UninstallString: "C:\Program Files\Internet Explorer\iexplore.exe "%WINDIR%\System32\wsxsvc\uninstall.html""

HKEY_LOCAL_MACHINE\SOFTWARE\Dvx\Version: "2.16.0000"

HKEY_LOCAL_MACHINE\SOFTWARE\Dvx\Install: "%WINDIR%\System32\wsxsvc"

It creates following files upon execution

  • %WINDIR%\system32\vmss\vmss.exe
  • %WINDIR%\system32\wsxsvc\License.txt
  • %WINDIR%\system32\wsxsvc\uninstall.html
  • %WINDIR%\system32\wsxsvc\wsx.dll
  • %WINDIR%\system32\wsxsvc\wsx.ocx
  • %WINDIR%\system32\wsxsvc\wsxsvc.exe
  • C:\keys.ini.
  • C:\Documents and Settings\Administrator\Local Settings\Temp\kmin.exe
  • C:\Documents and Settings\Administrator\Local Settings\Temp\vmstmp\vmstmp.exe
  • C:\Documents and Settings\All Users\Application Data\vmss\vmss.inf
  • C:\Documents and Settings\All Users\Application Data\wsxs\Adverts\199.dfn
  • C:\Documents and Settings\All Users\Application Data\wsxs\Adverts\281.dfn
  • C:\Documents and Settings\All Users\Application Data\wsxs\Adverts\284.dfn
  • C:\Documents and Settings\All Users\Application Data\wsxs\Adverts\313.dfn
  • C:\Documents and Settings\All Users\Application Data\wsxs\*

Some interesting parts of the EULA

DELFIN may modestly deliver highly relevant offers in many ways including but not limited to the following:

 

- Embedded offers are displayed within some applications.

- Desktop icons and installation files may be placed on YOUR computer that link to other products and services.

- Modest interstitial windows are displayed on YOUR computer desktop.

- Browser based rich media and search results.

In an effort to provide YOU with highly relevant advertising, the SOFTWARE PRODUCT displays offers in association with web sites that contextually match the advertiser.

The SOFTWARE PRODUCT will make brief, but occasional contact with DELFIN’s advertising servers and 3rd party servers solely for the purpose to update offers, activity information, and technology enhancement features.

Note: This is not the “whole” EULA, author has taken out some interesting points just for the purpose of example. This version of program does not show EULA at the time of installation.

Aliases

Aliases

    N/A