Adware-Qoolaid

Type: Program
SubType: Adware
Discovery Date: 06/09/2004
Minimum DAT: 4365 (06/09/2004)
Updated DAT: 4628 (11/15/2005)
Minimum Engine: 5.1.00
Description Added: 06/09/2004
Description Modified: 03/16/2005 9:28 AM (PT)

Characteristics

Distribution

This is a direct-marketing application that generates extra pop-up ads while the user browses with Internet Explorer.

No visible indication is given that any software is being installed when the installation program itself is run. No license agreement is displayed, although one may be shown by a different installer if this application is bundled with another product. The application is self-maintaining: it keeps itself on the system through multiple references to its executables (Startup folder items, registry keys), hides certain of its files from Windows Explorer, and re-loads or recreates files as needed. Its processes are also hidden from Task Manager.

Following installation, the program generates popup advertisements drawn from the clkoptimizer.com ad network.

Upon execution, the installer creates the following randomly named files (the names below are examples from one installation):
C:\Windows\System32\wkqyik.exe
C:\Windows\System32\hqxpzq.exe
C:\Windows\System32\easqoa.dll
C:\Windows\System32\cpigwp.dll
C:\Windows\System32\pvgqav.dat
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hnfyun.exe

The installer then quits and launches wkqyik.exe, which creates
C:\Windows\hgkang.dll

Privacy

The program creates a unique identifier (UUID) for tracking its operations.

hgkang.dll is not an actual DLL; it is an INI-style text file that simply contains a copy of this UUID. Example:
"[GENERAL]
test_write=sd_test
uuid=a5428d3a-dd13-48c4-9748-87934e46f3c5"

The UUID is also written to the registry, as the name of a subkey under:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components

System Changes

Files Added

c:\Documents and Settings\All Users\Start Menu\Programs\Startup\hnfyun.exe
c:\WINDOWS\system32\pvgqav.dat
c:\WINDOWS\system32\wkqyik.exe
Size: 32,768 bytes
MD5: F24FE041D3E3344BA056C32D89E3F1D7

c:\WINDOWS\hgkang.dll
Size: varies
MD5: varies

c:\WINDOWS\system32\cpigwp.dll
Size: 5,632 bytes
MD5: E432F8E8E7EFDE01A8F18D72A3278C42

c:\WINDOWS\system32\easqoa.dll
Size: 24,576 bytes
MD5: 2FCF3D26E38BF0EF0D1A3DC3A1BAEB49

c:\WINDOWS\system32\hqxpzq.exe
Size: 3,072 bytes
MD5: EA395F379C8B09DC21E9B1D5FEB229E7

NOTE: hnfyun.exe, hgkang.dll, easqoa.dll, hqxpzq.exe, and wkqyik.exe are masked and are not displayed in Windows Explorer (even when "Show hidden files and folders" is selected and "Hide protected operating system files" is disabled). They are, however, visible in a command-line directory listing.

Registry Changes (most significant/high-level)

Keys Added:
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fqsgnq
HKEY_CLASSES_ROOT\CLSID\{4e025b52-fe87-4d58-8750-8bcd546127a0}
HKEY_CLASSES_ROOT\CLSID\{4e025b52-fe87-4d58-8750-8bcd546127a0}\InProcServer32
HKEY_CLASSES_ROOT\CLSID\{4e025b52-fe87-4d58-8750-8bcd546127a0}\ProgId
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\a5428d3a-dd13-48c4-9748-87934e46f3c5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Narrator"

NOTE: The CLSID appears to be randomly generated, and the Active Setup subkey is named after the per-installation UUID, so both will vary from one installation to the next.

Values Added:
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fqsgnq "(Default)"
Data: {4e025b52-fe87-4d58-8750-8bcd546127a0}

HKEY_CLASSES_ROOT\CLSID\{4e025b52-fe87-4d58-8750-8bcd546127a0} "(Default)"
Data: eifrei.class

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\a5428d3a-dd13-48c4-9748-87934e46f3c5 "StubPath"
Data: C:\WINDOWS\System32\hqxpzq.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Narrator"
Data: C:\WINDOWS\System32\wkqyik.exe
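The Privacy section above ties the UUID in the hgkang.dll marker file to the Active Setup subkey name, and the registry section shows the three persistence spots (Run value named "Narrator", Active Setup StubPath, and a `*` context-menu handler CLSID). The following triage script, added here as an example and not part of the original description or of any vendor tool, parses a regedit-style export and the marker file and flags that pattern. The .reg text and marker contents are constructed from the artifacts listed on this page; the ctfmon.exe Run value and the brace-wrapped shell32 Active Setup entry are constructed benign negatives, and the "six lowercase letters" random-name heuristic is an assumption drawn from the names on this page rather than a vendor signature.

```python
"""Added triage helper for the Qoolaid persistence pattern described on this page.
Example code written for this page, not vendor tooling; sample data is constructed."""
import ntpath
import re

# Constructed .reg export: the page's keys plus two benign XP-style entries
# (ctfmon.exe and the brace-wrapped shell32 Active Setup component) as negatives.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fqsgnq]
@="{4e025b52-fe87-4d58-8750-8bcd546127a0}"

[HKEY_CLASSES_ROOT\CLSID\{4e025b52-fe87-4d58-8750-8bcd546127a0}]
@="eifrei.class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\a5428d3a-dd13-48c4-9748-87934e46f3c5]
"StubPath"="C:\\WINDOWS\\System32\\hqxpzq.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
"StubPath"="regsvr32.exe /s /n /i:U shell32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Narrator"="C:\\WINDOWS\\System32\\wkqyik.exe"
"""
# Constructed copy of the hgkang.dll marker file, laid out as the page shows it.
SAMPLE_MARKER = "[GENERAL]\ntest_write=sd_test\nuuid=a5428d3a-dd13-48c4-9748-87934e46f3c5\n"

RANDOM_STEM = re.compile(r"^[a-z]{6}$")  # assumption: every Qoolaid name on this page is 6 lowercase letters
UNBRACED_GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def parse_reg(text):
    """Parse a 'Windows Registry Editor Version 5.00' export into {key: {value: data}};
    only string values are decoded, and regedit's doubled backslashes are unescaped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and (m := VALUE_LINE.match(line)):
            name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
            data = m.group(2)
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            keys[current][name] = data
    return keys


def file_stem(command):
    """Lower-case base name, minus extension, of a command line's first token
    (unquoted paths containing spaces are not handled; enough for these artifacts)."""
    tokens = command.strip().strip('"').split()
    return ntpath.splitext(ntpath.basename(tokens[0]))[0].lower() if tokens else ""


def triage(keys):
    """Flag the three persistence spots Qoolaid uses; returns a list of findings."""
    lower = {k.lower(): v for k, v in keys.items()}
    findings = []
    for key, values in keys.items():
        k, leaf = key.lower(), key.rsplit("\\", 1)[-1]
        if k.endswith("\\currentversion\\run"):
            for name, target in values.items():
                stem = file_stem(target)
                # Value is named after a Windows component ("Narrator") but runs a
                # random-named binary; a benign ctfmon.exe -> ctfmon pair is consistent.
                if RANDOM_STEM.match(stem) and name.lower() not in (stem, stem + ".exe"):
                    findings.append(f"Run value '{name}' launches random-named {target}")
        elif "\\active setup\\installed components\\" in k:
            stub = values.get("StubPath", "")
            if UNBRACED_GUID.match(leaf):  # genuine components are brace-wrapped {GUID}s
                findings.append(f"Active Setup component '{leaf}' has an unbraced GUID name")
            if RANDOM_STEM.match(file_stem(stub)):
                findings.append(f"Active Setup StubPath runs random-named {stub}")
        elif "\\shellex\\contextmenuhandlers\\" in k:
            clsid = values.get("(Default)", "")
            progid = lower.get("hkey_classes_root\\clsid\\" + clsid.lower(), {}).get("(Default)", "")
            if RANDOM_STEM.match(leaf) or RANDOM_STEM.match(progid.split(".")[0]):
                findings.append(f"Context menu handler '{leaf}' -> {clsid} ({progid or 'no ProgID'})")
    return findings


def read_marker_uuid(text):
    """hgkang.dll is INI-style text, not a PE image; return its uuid= value."""
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep and name.strip().lower() == "uuid":
            return value.strip().lower()
    return None


def marker_matches_active_setup(keys, marker_uuid):
    """True when the marker UUID names an Installed Components subkey."""
    return bool(marker_uuid) and any(
        "\\active setup\\installed components\\" in k.lower()
        and k.rsplit("\\", 1)[-1].lower() == marker_uuid for k in keys)


if __name__ == "__main__":
    reg = parse_reg(SAMPLE_REG)
    for finding in triage(reg):
        print("[!]", finding)
    uid = read_marker_uuid(SAMPLE_MARKER)
    print("marker uuid", uid, "ties to Active Setup:", marker_matches_active_setup(reg, uid))
```

On a live system the same logic runs against `reg export` output of HKCR\*\shellex\ContextMenuHandlers, the Active Setup Installed Components key and the Run key, with the marker read from the file in C:\WINDOWS; because the name heuristic also matches some legitimate six-letter binaries, the Run check only fires when the value name does not agree with the launched file, and the Active Setup checks rely on the unbraced GUID and bare-executable StubPath rather than the name alone.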

Network Impact

Bandwidth consumed from downloading popup advertisements (s.clkoptimizer.com)
Bandwidth consumed updating configuration (u.clkoptimizer.com)

--------------

A previous version of this software was found to have the following behavior:

Installation

Upon execution, the application installs itself into the %Sysdir% directory as wuwbqy.dat.

(Where %Sysdir% is the Windows System directory, for example C:\WINDOWS\SYSTEM on Windows 9x or C:\WINDOWS\SYSTEM32 on Windows NT/2000/XP)

For example:

c:\WINDOWS\system32\wuwbqy.dat

The following registry keys are added to hook system startup:

HKEY_CLASSES_ROOT\CLSID\{c923045f-9f83-4f75-83fb-2a3748fcc0a4}\InProcServer32 "(Default)" = "lulogz.dll"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\6d55e99a-bfa6-4b5e-8096-ede5eda51779 "StubPath" = "lulwpm.exe"

Aliases

    N/A