Adware-NetPals

Type: Program
SubType: Adware
Discovery Date: 11/24/2004
Minimum DAT: 4297 (10/08/2003)
Updated DAT: 5863 (01/16/2010)
Minimum Engine: 5.1.00
Description Added: 04/15/2004
Description Modified: 03/16/2005 10:03 AM (PT)

Characteristics

McAfee(R) AVERT™ recognizes that this program may have legitimate uses in contexts where an authorized administrator has knowingly installed this application.  If you agreed to a license agreement for this, or another bundled application, you may have legal obligations with regard to removing this software, or using the host application without this software.   Please contact the software vendor for further information.

See http://vil.nai.com/vil/DATReadme.asp for a list of Program detections added to the DATs.

See http://vil.nai.com/vil/pups/configuration.htm for information about how to enable, disable, and exclude detection of legitimately installed programs.

Distribution

This is not a virus or a trojan.  It is detected as a "potentially unwanted program."  It is a direct-marketing adware application that generates pop-up advertisements while browsing the web.  Additionally, it functions as a downloader that retrieves and installs additional applications/components.

No visible indication is given that any software is being installed upon execution.  One new DLL file is dropped (a Browser Helper Object) and several registry entries are created.  At the next launch of Internet Explorer, the BHO contacts the server at www.f1organizer.com and retrieves configuration information.  This information is stored in a fake DLL file.  The program then proceeds to download and install several additional affiliate software packages as instructed by the configuration file.  In turn, these packages may also instigate installation of further components.

Additionally, search keywords are sniffed and often directed to the Lycos "Sidesearch" engine, causing an additional pane to appear on the left side of the browser with Lycos search results.

Privacy

This software installs several other affiliate components, many of which may have privacy implications.  The distributor of this software is Addictive Technologies, although it is not obvious (the company name is only present in the DLL file properties). There is a privacy policy available on the www.addictivetechnologies.com website, although there is not an easy way for the end user to know they are obligated to agree with it.  The privacy policy states that the authors do not attempt to correlate collected URLs visited with personal identity, but warn that some personal data may be inadvertently collected if it is communicated within URLs on some third party websites.  The privacy policy is open-ended, and the user is to be bound by the most current version posted at all times.  Additionally, the policy states that additional third party content and applications may be installed arbitrarily in the future.

System Changes

Files Added

The following files are added to C:\Windows\System32\

Name: ATPartners.dll
Size: 96,256 bytes
MD5: 560EFD6B420E3B2F4B1FAE620750209B

Name: im64.dll
Size: varies
MD5: varies

A folder named "AT-Games" is created in the user's Favorites, and the following .url links are added to it (the names and number of links may vary):

Big Fish Games.url
FlyorDie Games.url
Gamehouse Games.url

Registry Changes (most significant/high-level)

Keys Added:

HKEY_CLASSES_ROOT\CLSID\{00000EF1-0786-4633-87C6-1AA7A44296DA}
HKEY_CLASSES_ROOT\F1.Organizer
HKEY_CLASSES_ROOT\F1.Organizer.1
HKEY_CLASSES_ROOT\TypeLib\{EF100007-F409-426A-9E7C-CB211F2A9786}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000EF1-0786-4633-87C6-1AA7A44296DA}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DMO

Values Added:

HKEY_CLASSES_ROOT\CLSID\{00000EF1-0786-4633-87C6-1AA7A44296DA} "(Default)"
Data: F1 Organizer Class

HKEY_CLASSES_ROOT\CLSID\{00000EF1-0786-4633-87C6-1AA7A44296DA}\InprocServer32 "(Default)"
Data: C:\WINDOWS\System32\ATPART~1.DLL

HKEY_CLASSES_ROOT\CLSID\{00000EF1-0786-4633-87C6-1AA7A44296DA}\ProgID "(Default)"
Data: F1.Organizer.1

HKEY_CLASSES_ROOT\CLSID\{00000EF1-0786-4633-87C6-1AA7A44296DA}\TypeLib "(Default)"
Data: {EF100007-F409-426a-9E7C-CB211F2A9786}

HKEY_CLASSES_ROOT\CLSID\{00000EF1-0786-4633-87C6-1AA7A44296DA}\VersionIndependentProgID "(Default)"
Data: F1.Organizer

HKEY_CLASSES_ROOT\F1.Organizer "(Default)"
Data: F1 Organizer Class

HKEY_CLASSES_ROOT\F1.Organizer\CLSID "(Default)"
Data: {00000EF1-0786-4633-87C6-1AA7A44296DA}

HKEY_CLASSES_ROOT\F1.Organizer\CurVer "(Default)"
Data: F1.Organizer.1

HKEY_CLASSES_ROOT\F1.Organizer.1 "(Default)"
Data: F1 Organizer Class

HKEY_CLASSES_ROOT\F1.Organizer.1\CLSID "(Default)"
Data: {00000EF1-0786-4633-87C6-1AA7A44296DA}

HKEY_CLASSES_ROOT\TypeLib\{EF100007-F409-426A-9E7C-CB211F2A9786}\1.0 "(Default)"
Data: Favorite 1.0 Type Library

HKEY_CLASSES_ROOT\TypeLib\{EF100007-F409-426A-9E7C-CB211F2A9786}\1.0\0\win32 "(Default)"
Data: C:\WINDOWS\System32\ATPartners.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DMO "DisplayName"
Data: ATP

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DMO "UninstallString"
Data: regsvr32 /s /u C:\WINDOWS\System32\ATPartners.dll
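As an added example (not McAfee's or the vendor's code), the following PowerShell script checks a host for the BHO registration, COM class entries, uninstall entry and dropped files described in the Distribution and System Changes sections above. It assumes it is run with administrator rights on the examined machine; every identifier, path and hash it uses is taken from this page.

```powershell
# Added detection check for the Adware-NetPals artifacts listed on this page.
# Not McAfee code; assumes an elevated PowerShell session on the examined host.
$Clsid    = '{00000EF1-0786-4633-87C6-1AA7A44296DA}'
$DllPath  = Join-Path $env:SystemRoot 'System32\ATPartners.dll'
$KnownMd5 = '560EFD6B420E3B2F4B1FAE620750209B'

$findings = @()

# 1. BHO registration: Internet Explorer loads every CLSID under this key at launch,
#    which is how the DLL gets to run and contact its configuration server.
$bhoKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$Clsid"
if (Test-Path $bhoKey) { $findings += "BHO registered: $bhoKey" }

# 2. COM class registration whose InprocServer32 points at the dropped DLL.
$inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
if (Test-Path $inproc) {
    $server = (Get-ItemProperty -Path $inproc).'(default)'
    $findings += "COM InprocServer32 -> $server"
}

# 3. Uninstall entry named 'DMO' (DisplayName 'ATP') that unregisters the DLL.
$uninst = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DMO'
if (Test-Path $uninst) {
    $u = Get-ItemProperty -Path $uninst
    $findings += "Uninstall entry DMO: $($u.DisplayName) / $($u.UninstallString)"
}

# 4. Dropped files. ATPartners.dll has a published MD5; im64.dll holds downloaded
#    configuration data and varies, so only its presence is reported.
if (Test-Path $DllPath) {
    $md5   = (Get-FileHash -Path $DllPath -Algorithm MD5).Hash
    $state = if ($md5 -eq $KnownMd5) { 'matches' } else { 'differs from' }
    $findings += "$DllPath present, MD5 $md5 $state the published sample"
}
$im64 = Join-Path $env:SystemRoot 'System32\im64.dll'
if (Test-Path $im64) { $findings += "$im64 present (configuration cache, hash varies)" }

# 5. AT-Games folder of .url links in the current user's Favorites.
$fav = Join-Path ([Environment]::GetFolderPath('Favorites')) 'AT-Games'
if (Test-Path $fav) { $findings += "Favorites folder present: $fav" }

if ($findings.Count -eq 0) { 'No Adware-NetPals artifacts found.' } else { $findings }
```

Run it once per user profile if the Favorites check matters, since that folder is per-user while the registry and System32 artifacts are machine-wide.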

Network Impact

Additional bandwidth overhead from the download of third-party software.
Additional bandwidth overhead from downloaded advertisement content.

Aliases

N/A