Content

Adware-Fuel

Type
Program
SubType
Adware
Discovery Date
01/19/2005
Minimum DAT
4309 (12/17/2003)
Updated DAT
5608 (05/07/2009)
Minimum Engine
5.1.00
Description Added
04/25/2004
Description Modified
01/28/2006 4:16 PM (PT)

Tab Navigation

Characteristics

McAfee(R) AVERT recognizes that this program may have legitimate uses in contexts where an authorized administrator has knowingly installed this application. If you agreed to a license agreement for this, or another bundled application, you may have legal obligations with regard to removing this software, or using the host application without this software. Please contact the software vendor for further information.

See http://vil.nai.com/vil/DATReadme.asp for a list of Program detections added to the DATs.

See http://vil.nai.com/vil/pups/configuration.htm for information about how to enable, disable, and exclude detection of legitimately installed programs.

Distribution

This is not a virus or a trojan. It is detected as a "potentially unwanted program." It is a direct-marketing adware application that generates pop-up advertisements.

This application does not display a license agreement when installed. Installation is completely silent. Upon execution the software checks in with notifier.altpayments.com and downloads an updated version if applicable. A registry Run key is created to ensure the software is launched at each system startup. The software may download advertising content from adserv1.internetfuel.com during browsing. It appears to be related to MovieLand.com and/or MediaPipe. The terms of service on the MovieLand.com site (http://www.movieland.com/terms.html ) mention the following (as of 1/28/2006):

"2. HOW IT WORKS
BY PARTICIPATING IN THE MOVIELAND / MEDIAPIPE FREE TRIAL OFFER THE MEDIAPIPE SOFTWARE WILL ENABLE YOU TO ACCESS THE AVAILABLE CONTENT FOR THE PERIOD OF TIME THAT SPECIFIED ON THE ADVERTISMENT YOU HAVE CLICKED THROUGH.

IF YOU DO NOT PROVIDE PAYMENT INFORMATION DURING THE TRIAL PERIOD OUR BILLING SOFTWARE WILL BE ENABLED UPON THE EXPIRATION OF YOUR TRIAL PERIOD. THE BILLING SOFTWARE WILL RUN ON YOUR COMPUTER, DISPLAYING POP-UP WINDOW REMINDERS THAT PROVIDE YOU WITH VARIOUS METHODS OF PAYMENT FOR THE ANNUAL LICENSE. THESE POP-UP WINDOWS WILL APPEAR MORE FREQUENTLY UNTIL YOU CHOOSE ONE OF THE PAYMENT OPTIONS AND PAY FOR THE LICENSE. THE BILLING SOFTWARE IS SOLELY DESIGNED TO PREVENT FRAUDULENT AND UNAUTHORIZED USE OF THE MEDIAPIPE SOFTWARE."

This billing "reminder" popup component appears distinct from the other software (MediaPipe, etc.) which make up the Movieland.com service. When installing the full package from Movieland.com, which includes the billing reminder component, referenences to a privacy policy and terms of service are present.

Privacy

A privacy policy is not displayed during installation.

The software may retrieve advertisment data for display in popup windows while browsing the web. It is not clear whether data is transmitted to third party locations.

System Changes

General defaults for typical path variables (although they may be different, they usually are not):
%WinDir% = \WINDOWS (Windows 9x/ME/XP), \WINNT (Windows NT/2000)
%SystemDir% = \WINDOWS\SYSTEM32 (Windows 9x/ME/XP), \WINNT\SYSTEM32 (Windows NT/2000)
%ProgramFiles% = \Program Files

"*" - Denotes files that, though installed along with the software, are by themselves innocent and not included in detection.

Files Added

  • Installer: altpayv2.exe (396 KB)
    MD5: A102657FDE87F7EDFF56F0A6046AC753
  • %ProgramFiles%\itbill\itbill.exe (400 KB)
    MD5: A2FCFC57C499D7F0DC6D18ADFD3A1967
  • c:\documents and settings\(username)\local settings\temp\upd22.tmp (400 KB) (name varies)
  • c:\documents and settings\(username)\cookies\(username)@www.movieland[1].txt (1 KB)
  • c:\documents and settings\(username)\cookies\(username)@ads.vitalix[1].txt (1 KB)

Registry

The following registry keys are created:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
    \Uninstall\itbill
    "UninstallString"=""C:\Program Files\ItBill\itbill.exe" /Uninstall"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
    \Uninstall\itbill
    "DisplayName"="Notification Utility"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    "Notification Utility"=""C:\Program Files\ItBill\itbill.exe""
  • HKEY_LOCAL_MACHINE\SOFTWARE\itbill
  • HKEY_LOCAL_MACHINE\SOFTWARE\altpayV2
  • HKEY_CLASSES_ROOT\TypeLib\{AFDBB222-DEA9-4C12-B3A3-A13C2985E3EE}
  • HKEY_CLASSES_ROOT\Interface\{CF1E4638-637F-499D-8309-FD71B9750ABC}
    "default"="IHUBAWindow"
  • HKEY_CLASSES_ROOT\CLSID\{7BF58804-E672-4B96-8EEC-BFCCE6492C9A}
    "(default)"="HUBAWindow Class"
  • HKEY_CLASSES_ROOT\AppID\{7911272A-A32A-404E-8A51-EE18B99B18C4}
    "default"="AMNotifier"
  • HKEY_CLASSES_ROOT\AppID\AMNotifier.EXE
  • HKEY_CLASSES_ROOT\AMNotifier.HUBAWindow.1
  • HKEY_CLASSES_ROOT\AMNotifier.HUBAWindow

Network Impact

The application listens on the following network connection(s):

  • itbill.exe 1036 (UDP)

Additional overhead in bandwidth due to download of updates or other components, and download of popup window content.

Aliases

Aliases

    N/A