Adware-CommanderNET

Content

Adware-CommanderNET

Type: Program
SubType: Adware
Discovery Date: 03/29/2005
Minimum DAT: 4360 (05/12/2004)
Updated DAT: 4982 (03/12/2007)
Minimum Engine: 5.1.00
Description Added: 05/12/2004
Description Modified: 06/16/2005 12:35 PM (PT)

Tab Navigation

Characteristics

McAfee(R) AVERT recognizes that this program may have legitimate uses in contexts where an authorized administrator has knowingly installed this application. If you agreed to a license agreement for this, or another bundled application, you may have legal obligations with regard to removing this software, or using the host application without this software. Please contact the software vendor for further information.

See http://vil.nai.com/vil/DATReadme.asp for a list of Program detections added to the DATs.

See http://vil.nai.com/vil/pups/configuration.htm for information about how to enable, disable, and exclude detection of legitimately installed programs.

Distribution

This is not a virus or a trojan. It is detected as a "potentially unwanted program." No user interface is displayed upon running the installation executable. During the first few launches of Internet Explorer, several updates are downloaded. The initial BHO installed (sbb.dll) is removed and replaced by another (winvbie.dll). At each launch of IE following the settled state after installation, the software contacts direct-ip.com and latinbusca.com. It is appears to be a direct marketing product to drive traffic to the mycriteria.com search engine, which is set as the browser homepage. Invalid URLs (e.g. "www.nopagehere123.com") entered into the address bar simply redirect to the Google home page, as well as address bar searches. Several tests for the delivery of popups were performed but no ads were observed. Browser performance was frequently impacted, with occasional long delays between initiating a request and receiving the page content. This software may be related or linked to Adware-DirectIP .

This application does not display a license agreement when installed. No license agreement is available online at www.direct-ip.com, only a link to an uninstaller which, although it does disengage the BHO from Internet Explorer, fails to remove all associated registry entries.

Privacy

No privacy policy is displayed during installation, nor is any available on the direct-ip.com website.

No transmission of keywords or URL data was observed during testing, but the silent installation and updates along with lack of any license agreement or privacy policy is cause for concern.

System Changes

Files Added

%SystemDir%\winvbie.dll (19 KB)
MD5:8C4B1902850A9ABC749CA59E5505ACEE
%SystemDir%\sbb.dll (14 KB)
MD5:B82417673C11705A5CF3D73B30E6D128
%SystemDir%\msiev32.dll (50 KB)
MD5:A276C624DABCEFDD71614AE1CBF956D4
%SystemDir%\ietb.dll (44 KB)
MD5:B33DF74A30EF7D7FC71072F31B59928C
c:\setup.exe (89 KB)
MD5:2B639B6016A1F1EFAE254C3CAD9C0CBE
c:\program files\temp\
c:\ms.cab (62 KB)
MD5:6D8A13A4AEF03E663BBB86C6203230A6
c:\documents and settings\administrator\local settings\temp\uninstallall2.exe (31 KB)
MD5:9B252028F45DC2475CCC9FAF08EA6553
c:\documents and settings\administrator\local settings\temp\messenger-848473xp.exe (89 KB)
MD5:FF4133BB58EA0CFE055740D4D713AEC0
c:\ct.inf (1 KB)

Registry

The following registry keys are created:

HKEY_LOCAL_MACHINE\SOFTWARE\VONeS.NET\Commander IE Toolbar
HKEY_LOCAL_MACHINE\SOFTWARE\VONeS.NET
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
\Explorer\Browser Helper Objects\{C4F147D7-BF25-488E-A12B-EFD43E7029BF}
"default"="{92E1B3F7-0546-421E-9835-904D25B7BA66}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
\Explorer\Browser Helper Objects\{C4F147D7-BF25-488E-A12B-EFD43E7029BF}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
\Explorer\Browser Helper Objects\{29F7B7FA-ADC8-48ea-9E1C-EA87A05AE642}
"default"="{6596829B-37D4-40ad-971B-1E9041725C52}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
\Explorer\Browser Helper Objects\{29F7B7FA-ADC8-48ea-9E1C-EA87A05AE642}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar
HKEY_LOCAL_MACHINE\SOFTWARE\LuCkies\Addon
"HomePageLow"="2346112"
HKEY_LOCAL_MACHINE\SOFTWARE\LuCkies\Addon
"HomePageHigh"="29717003"
HKEY_LOCAL_MACHINE\SOFTWARE\LuCkies\Addon
"LoadConfigLow"="644066112"
HKEY_LOCAL_MACHINE\SOFTWARE\LuCkies\Addon
"LoadConfigHigh"="29717003"
HKEY_LOCAL_MACHINE\SOFTWARE\LuCkies\Addon
"UpdateTimeLow"="759336112"
HKEY_LOCAL_MACHINE\SOFTWARE\LuCkies\Addon
"UpdateTimeHigh"="29717003"
HKEY_LOCAL_MACHINE\SOFTWARE\LuCkies\Addon
"Show"="off"
HKEY_LOCAL_MACHINE\SOFTWARE\LuCkies\Addon
HKEY_LOCAL_MACHINE\SOFTWARE\LuCkies
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext
\Stats\{C4F147D7-BF25-488E-A12B-EFD43E7029BF}\iexplore
"Time"="D5-07-06-00-04-00-10-00-00-00-22-00-1A-00-40-01"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext
\Stats\{C4F147D7-BF25-488E-A12B-EFD43E7029BF}\iexplore
"Count"="4"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext
\Stats\{C4F147D7-BF25-488E-A12B-EFD43E7029BF}\iexplore
"Type"="3"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext
\Stats\{C4F147D7-BF25-488E-A12B-EFD43E7029BF}\iexplore
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext
\Stats\{C4F147D7-BF25-488E-A12B-EFD43E7029BF}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext
\Stats\{92E1B3F7-0546-421E-9835-904D25B7BA66}\iexplore
"Time"="D5-07-06-00-04-00-10-00-00-00-22-00-1A-00-59-02"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext
\Stats\{92E1B3F7-0546-421E-9835-904D25B7BA66}\iexplore
"Count"="9"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext
\Stats\{92E1B3F7-0546-421E-9835-904D25B7BA66}\iexplore
"Type"="2"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext
\Stats\{92E1B3F7-0546-421E-9835-904D25B7BA66}\iexplore
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext
\Stats\{92E1B3F7-0546-421E-9835-904D25B7BA66}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext
\Stats\{29F7B7FA-ADC8-48EA-9E1C-EA87A05AE642}\iexplore
"Time"="D5-07-06-00-04-00-10-00-00-00-22-00-1A-00-36-01"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext
\Stats\{29F7B7FA-ADC8-48EA-9E1C-EA87A05AE642}\iexplore
"Count"="5"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext
\Stats\{29F7B7FA-ADC8-48EA-9E1C-EA87A05AE642}\iexplore
"Type"="3"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext
\Stats\{29F7B7FA-ADC8-48EA-9E1C-EA87A05AE642}\iexplore
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext
\Stats\{29F7B7FA-ADC8-48EA-9E1C-EA87A05AE642}
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
"AutoSearch"="0"
HKEY_CLASSES_ROOT\CLSID\{C4F147D7-BF25-488E-A12B-EFD43E7029BF}\InprocServer32
"ThreadingModel"="Apartment"
HKEY_CLASSES_ROOT\CLSID\{C4F147D7-BF25-488E-A12B-EFD43E7029BF}\InprocServer32
"(default)"="C:\WINDOWS\system32\winvbie.dll"
HKEY_CLASSES_ROOT\CLSID\{C4F147D7-BF25-488E-A12B-EFD43E7029BF}\InprocServer32
HKEY_CLASSES_ROOT\CLSID\{C4F147D7-BF25-488E-A12B-EFD43E7029BF}
"default"="winvbie.dll"
HKEY_CLASSES_ROOT\CLSID\{C4F147D7-BF25-488E-A12B-EFD43E7029BF}
HKEY_CLASSES_ROOT\CLSID\{92E1B3F7-0546-421E-9835-904D25B7BA66}\InProcServer32
"ThreadingModel"="Apartment"
HKEY_CLASSES_ROOT\CLSID\{92E1B3F7-0546-421E-9835-904D25B7BA66}\InProcServer32
"(default)"="C:\WINDOWS\system32\msiev32.dll"
HKEY_CLASSES_ROOT\CLSID\{92E1B3F7-0546-421E-9835-904D25B7BA66}\InProcServer32
HKEY_CLASSES_ROOT\CLSID\{92E1B3F7-0546-421E-9835-904D25B7BA66}
\Implemented Categories\{00021494-0000-0000-C000-000000000046}
"default"=""
HKEY_CLASSES_ROOT\CLSID\{92E1B3F7-0546-421E-9835-904D25B7BA66}
\Implemented Categories\{00021494-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\CLSID\{92E1B3F7-0546-421E-9835-904D25B7BA66}
\Implemented Categories
HKEY_CLASSES_ROOT\CLSID\{92E1B3F7-0546-421E-9835-904D25B7BA66}
"default"="IE Toolbar"
HKEY_CLASSES_ROOT\CLSID\{92E1B3F7-0546-421E-9835-904D25B7BA66}

Note: The entries under the {6596829B-37D4-40ad-971B-1E9041725C52} CLSID below are removed when winvbie.dll is installed.

HKEY_CLASSES_ROOT\CLSID\{6596829B-37D4-40ad-971B-1E9041725C52}\InProcServer32
"ThreadingModel"="Apartment"
HKEY_CLASSES_ROOT\CLSID\{6596829B-37D4-40ad-971B-1E9041725C52}\InProcServer32
"(default)"="C:\WINDOWS\system32\ietb.dll"
HKEY_CLASSES_ROOT\CLSID\{6596829B-37D4-40ad-971B-1E9041725C52}\InProcServer32
HKEY_CLASSES_ROOT\CLSID\{6596829B-37D4-40ad-971B-1E9041725C52}
\Implemented Categories\{00021494-0000-0000-C000-000000000046}
"default"=""
HKEY_CLASSES_ROOT\CLSID\{6596829B-37D4-40ad-971B-1E9041725C52}
\Implemented Categories\{00021494-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\CLSID\{6596829B-37D4-40ad-971B-1E9041725C52}
\Implemented Categories
HKEY_CLASSES_ROOT\CLSID\{6596829B-37D4-40ad-971B-1E9041725C52}
"default"="Commander Toolbar"
HKEY_CLASSES_ROOT\CLSID\{6596829B-37D4-40ad-971B-1E9041725C52}
HKEY_CLASSES_ROOT\CLSID\{29F7B7FA-ADC8-48ea-9E1C-EA87A05AE642}\InprocServer32
"ThreadingModel"="Apartment"
HKEY_CLASSES_ROOT\CLSID\{29F7B7FA-ADC8-48ea-9E1C-EA87A05AE642}\InprocServer32
"(default)"="C:\WINDOWS\system32\sbb.dll"
HKEY_CLASSES_ROOT\CLSID\{29F7B7FA-ADC8-48ea-9E1C-EA87A05AE642}\InprocServer32
HKEY_CLASSES_ROOT\CLSID\{29F7B7FA-ADC8-48ea-9E1C-EA87A05AE642}
"default"="Yaya Show BB"
HKEY_CLASSES_ROOT\CLSID\{29F7B7FA-ADC8-48ea-9E1C-EA87A05AE642}

The following registry keys are modified:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
"Start Page"="http://www.mycriteria.com/"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
"{0E5CBF21-D15F-11D0-8301-00AA005B4383}"="(hex data)"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
"ITBarLayout"="(hex data)"

Network Impact

Additional overhead in bandwidth due to frequent check-in with remote servers and download of updates.

Removal

Instructions on Enabling/Disabling Detection and Removal of Potentially Unwanted Programs

Aliases

N/A

McAfee > Theat Center > PUP Detail Page

Navigation

Utility Navigation

Content