Adware-Adroar
Type: Program
SubType: Adware
Discovery Date: 03/15/2005
Minimum DAT: 4309 (12/17/2003)
Updated DAT: 4602 (10/11/2005)
Minimum Engine: 5.1.00
Description Added: 04/21/2004
Description Modified: 03/16/2005 11:19 AM (PT)
Characteristics
McAfee(R) AVERT™ recognizes that this program may have legitimate uses in contexts where an authorized administrator has knowingly installed this application. If you agreed to a license agreement for this, or another bundled application, you may have legal obligations with regard to removing this software, or using the host application without this software. Please contact the software vendor for further information.
See http://vil.nai.com/vil/DATReadme.asp for a list of Program detections added to the DATs.
See http://vil.nai.com/vil/pups/configuration.htm for information about how to enable, disable, and exclude detection of legitimately installed programs.
Distribution
This is not a virus or a trojan. It is detected as a "potentially unwanted program." It is a direct-marketing adware application that generates pop-up advertisements while browsing the web.
No visible indication is given that any software is being installed upon execution of the installation program. Four files are dropped and several registry entries are created. An identifier for the host system is created and stored in the registry. An entry in the Registry Run key is added to launch an update component each time the system is started. A Browser Helper Object (the main DLL) is installed in Internet Explorer. Following installation, the software silently transmits URLs selected during browsing, and retrieves and displays frequent pop-up advertisements.
Privacy
No license agreement is displayed during installation, although one could be displayed by another installer if bundled with another application. No EULA or privacy policy related to the software could be found. There is a privacy policy available on the AdRoar website ( http://www.adroar.com/privacy.html ), but it describes only the policy for the website itself. It appears the full URLs requested by Internet Explorer are transmitted to the software's servers. This presents a privacy risk if personally identifiable data is present in the URL arguments (filling out an online form on a website that does not utilize encryption, for example).
System Changes
Files Added
C:\WINDOWS\AdRoar.dll
Version 1.0.0.9
Size: 118,784 bytes
MD5: 390033BF2EABDF2D14E3698213681231
Version 1.0.0.15
Size: 122,880 bytes
MD5: 1A0C16F52FF75A104DD3126A195C2EF3
C:\WINDOWS\artmmp.ini
Size: varies
This file contains configuration information for the software. Example:
"[CONFIG]
version=1.0.0.15
url=http://tt2.avres.net/10015/AdRoar.dll
adurl=http://ar.avres.net/5/req/
skip=3
max=15
start=2"
C:\WINDOWS\ARUpdate.exe
Size: 86,016 bytes
MD5: 5F45E52554D022A757BA637E4E03B0A5
C:\WINDOWS\cpruninst.exe
Size: 270,415 bytes
MD5: E4C15ADA37C24C83720E20A2AD1C946F
Registry Changes (most significant/high-level)
Keys Added:
HKEY_CURRENT_USER\Software\AdRoarPlugin
HKEY_CLASSES_ROOT\AdRoar.Band
HKEY_CLASSES_ROOT\AdRoar.Band.1
HKEY_CLASSES_ROOT\CLSID\{BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8}
HKEY_CLASSES_ROOT\Interface\{91D91D21-8008-429D-821C-7266AAC84A9F}
HKEY_CLASSES_ROOT\TypeLib\{ACE8D3BA-7742-44C4-920D-FD25BD1E8245}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WCPR
Values Added:
HKEY_CURRENT_USER\Software\AdRoarPlugin "AddUrl"
Data: http://ar.avres.net/5/req/
HKEY_CURRENT_USER\Software\AdRoarPlugin "configName"
Data: mm2
HKEY_CURRENT_USER\Software\AdRoarPlugin "dcount"
Data: 00, 00, 00, 00
HKEY_CURRENT_USER\Software\AdRoarPlugin "ID"
Data: 607706FD2A194771BE96BD3B6A02A3AA
NOTE: This is where the system identifier is stored. The data will vary.
HKEY_CURRENT_USER\Software\AdRoarPlugin "InstallationDate"
Data: 050303
HKEY_CURRENT_USER\Software\AdRoarPlugin "Update"
Data: 38414.9
HKEY_CLASSES_ROOT\AdRoar.Band\CLSID "(Default)"
Data: {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8}
HKEY_CLASSES_ROOT\CLSID\{BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8}\InprocServer32 "(Default)"
Data: C:\WINDOWS\AdRoar.dll
HKEY_CLASSES_ROOT\TypeLib\{ACE8D3BA-7742-44C4-920D-FD25BD1E8245}\1.0\0\win32 "(Default)"
Data: C:\WINDOWS\AdRoar.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar "{BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8}"
Data:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "AdRoarUpdate"
Data: C:\WINDOWS\ARUpdate.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WCPR "DisplayName"
Data: WCPR
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WCPR "UninstallString"
Data: C:\WINDOWS\cpruninst.exe 0
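The file and registry changes listed above can be checked on a host with a read-only script. This is an added example, not McAfee's code; it uses only the file names, MD5 values, key names and CLSID given on this page, and assumes the Windows directory is $env:SystemRoot (the page lists C:\WINDOWS).

```powershell
# Added example: read-only check for the Adware-Adroar artifacts listed on this page.
# Hashes, file names, key names and the CLSID are copied from the page; nothing is modified.
$win = $env:SystemRoot   # assumption: the page lists C:\WINDOWS

# File name -> MD5 values published on the page ($null = no hash given, size varies)
$files = @{
    'AdRoar.dll'    = @('390033BF2EABDF2D14E3698213681231', '1A0C16F52FF75A104DD3126A195C2EF3')
    'artmmp.ini'    = $null
    'ARUpdate.exe'  = @('5F45E52554D022A757BA637E4E03B0A5')
    'cpruninst.exe' = @('E4C15ADA37C24C83720E20A2AD1C946F')
}
$clsid = '{BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8}'
$keys = @(
    'Registry::HKEY_CURRENT_USER\Software\AdRoarPlugin',
    'Registry::HKEY_CLASSES_ROOT\AdRoar.Band',
    "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid",
    "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$clsid",
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WCPR'
)
$runKey = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

$findings = @()
foreach ($name in $files.Keys) {
    $path = Join-Path $win $name
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $md5 = (Get-FileHash -LiteralPath $path -Algorithm MD5).Hash
        # HashMatch stays empty when the page publishes no hash for this file
        $known = if ($files[$name]) { $files[$name] -contains $md5 } else { $null }
        $findings += [pscustomobject]@{ Type = 'File'; Item = $path; HashMatch = $known }
    }
}
foreach ($k in $keys) {
    if (Test-Path -LiteralPath $k) {
        $findings += [pscustomobject]@{ Type = 'RegKey'; Item = $k; HashMatch = $null }
    }
}
# The Run value that launches the update component at startup
$run = Get-ItemProperty -LiteralPath $runKey -Name 'AdRoarUpdate' -ErrorAction SilentlyContinue
if ($run) {
    $findings += [pscustomobject]@{ Type = 'RunValue'; Item = "AdRoarUpdate = $($run.AdRoarUpdate)"; HashMatch = $null }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else { 'No Adware-Adroar artifacts from this description were found.' }
```

A file found with HashMatch False is a version other than the two documented here. On 64-bit Windows, 32-bit software writing under HKEY_LOCAL_MACHINE\SOFTWARE is redirected to the WOW6432Node view, so check that view as well.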
Network Impact
Additional overhead in bandwidth due to transmission of selected URLs.
Additional overhead in bandwidth due to download of advertising content and software updates.
Aliases
N/A