Adware-Tubby

Type: Program
SubType: Adware
Discovery Date: 03/30/2005
Length: Varies
Minimum DAT: 4454 (03/24/2005)
Updated DAT: 6238 (01/26/2011)
Minimum Engine: 5.1.00
Description Added: 03/24/2005
Description Modified: 04/18/2005 10:57 AM (PT)
Risk Assessment:
    Corporate User: N/A
    Home User: N/A

Characteristics

McAfee(R) AVERT™ recognizes that this program may have legitimate uses in contexts where an authorized administrator has knowingly installed this application.  If you agreed to a license agreement for this, or another bundled application, you may have legal obligations with regard to removing this software, or using the host application without this software.   Please contact the software vendor for further information.

See http://vil.nai.com/vil/DATReadme.asp for a list of Program detections added to the DATs.

See http://vil.nai.com/vil/pups/configuration.htm for information about how to enable, disable, and exclude detection of legitimately installed programs.

Distribution

This is not a virus or a trojan.  It is detected as a "potentially unwanted program."  It is a direct-marketing application that adds a toolbar to Internet Explorer and makes modifications to the homepage.  It appears that the software has additional functionality, as it attempts to contact a server at 69.50.173.250.  Currently it seems that the service on the server side is inactive, replying only with a 404 error.

No visible indication is given that any software is being installed upon execution of the installation program.  A DLL is dropped and several registry entries are created, then the original installer executable is deleted.  No license agreement is displayed, although one could be displayed by another installer if bundled with another application.  A copy of the DLL is loaded into the explorer.exe process as well as being installed into Internet Explorer as a Browser Helper Object (BHO).  Following installation, the software changes the user's homepage to a pornographic search portal (thenewsearch.com) and adds a search toolbar to Internet Explorer and Windows Explorer.  If the homepage setting is altered, the software will change it back during the first contact to a website with Internet Explorer following a reboot.

Privacy

No privacy policy is displayed.  The authors of the software are unknown.  The silent attempts to contact a remote server are questionable, but it is not possible to determine the true privacy implications due to lack of functioning replies.

System Changes

Files Added

C:\WINDOWS\system32\ADV.dll
Size: 70,144 bytes
MD5: 1FCA9D28DCAA0BB49EB5A205F7D886D3

C:\WINDOWS\system32\ADV.ini
Size: 1,961 bytes
MD5: (varies)

Registry Changes (most significant/high-level)

Keys Added:

HKEY_CURRENT_USER\Software\ADV TON
HKEY_CLASSES_ROOT\CLSID\{9EAC0102-5E61-2312-BC2D-414456544F4E}
HKEY_CLASSES_ROOT\Tubby.ToolBandObj
HKEY_CLASSES_ROOT\Tubby.ToolBandObj.1
HKEY_CLASSES_ROOT\TypeLib\{9EAC0102-5E61-2312-BC2B-414456544F4E}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9EAC0102-5E61-2312-BC2D-414456544F4E}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Advanced Search

Values Added:

HKEY_CURRENT_USER\Software\ADV TON\Options "Dnl"
Data: 00, 00, 00, 00

HKEY_CURRENT_USER\Software\ADV TON\Options "Run"
Data: 01, 00, 00, 00

HKEY_CURRENT_USER\Software\ADV TON\Options "Shown"
Data: 00, 00, 00, 00

HKEY_CURRENT_USER\Software\ADV TON\Options "mlu"
Data: 75, AA, 0F, 00

HKEY_CLASSES_ROOT\CLSID\{9EAC0102-5E61-2312-BC2D-414456544F4E} "(Default)"
Data: Advanced Search

HKEY_CLASSES_ROOT\CLSID\{9EAC0102-5E61-2312-BC2D-414456544F4E}\InprocServer32 "(Default)"
Data: C:\WINDOWS\System32\ADV.dll

HKEY_CLASSES_ROOT\CLSID\{9EAC0102-5E61-2312-BC2D-414456544F4E}\InprocServer32 "ThreadingModel"
Data: Apartment

HKEY_CLASSES_ROOT\CLSID\{9EAC0102-5E61-2312-BC2D-414456544F4E}\ProgID "(Default)"
Data: Tubby.ToolBandObj.1

HKEY_CLASSES_ROOT\CLSID\{9EAC0102-5E61-2312-BC2D-414456544F4E}\Programmable "(Default)"
Data:

HKEY_CLASSES_ROOT\CLSID\{9EAC0102-5E61-2312-BC2D-414456544F4E}\TypeLib "(Default)"
Data: {9EAC0102-5E61-2312-BC2B-414456544F4E}

HKEY_CLASSES_ROOT\CLSID\{9EAC0102-5E61-2312-BC2D-414456544F4E}\Version "(Default)"
Data: 1.0

HKEY_CLASSES_ROOT\CLSID\{9EAC0102-5E61-2312-BC2D-414456544F4E}\VersionIndependentProgID "(Default)"
Data: Tubby.ToolBandObj

HKEY_CLASSES_ROOT\Tubby.ToolBandObj "(Default)"
Data: Advanced Search

HKEY_CLASSES_ROOT\Tubby.ToolBandObj\CLSID "(Default)"
Data: {9EAC0102-5E61-2312-BC2D-414456544F4E}

HKEY_CLASSES_ROOT\Tubby.ToolBandObj\CurVer "(Default)"
Data: Tubby.ToolBandObj.1

HKEY_CLASSES_ROOT\Tubby.ToolBandObj.1 "(Default)"
Data: Advanced Search

HKEY_CLASSES_ROOT\Tubby.ToolBandObj.1\CLSID "(Default)"
Data: {9EAC0102-5E61-2312-BC2D-414456544F4E}

HKEY_CLASSES_ROOT\TypeLib\{9EAC0102-5E61-2312-BC2B-414456544F4E}\1.0 "(Default)"
Data: TB 1.0 Type Library

HKEY_CLASSES_ROOT\TypeLib\{9EAC0102-5E61-2312-BC2B-414456544F4E}\1.0\0\win32 "(Default)"
Data: C:\WINDOWS\System32\ADV.dll

HKEY_CLASSES_ROOT\TypeLib\{9EAC0102-5E61-2312-BC2B-414456544F4E}\1.0\FLAGS "(Default)"
Data: 0

HKEY_CLASSES_ROOT\TypeLib\{9EAC0102-5E61-2312-BC2B-414456544F4E}\1.0\HELPDIR "(Default)"
Data: C:\WINDOWS\System32

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar "{9EAC0102-5E61-2312-BC2D-414456544F4E}"
Data:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9EAC0102-5E61-2312-BC2D-414456544F4E} "(Default)"
Data: Tubby

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Advanced Search "DisplayName"
Data: Advanced Search

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Advanced Search "UninstallString"
Data: regsvr32 /u /s C:\WINDOWS\System32\ADV.dll
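As an added example (not part of the McAfee write-up), a read-only PowerShell audit that checks a host for the file and registry indicators listed above and reports what it finds without changing anything; the variable names are this script's own, the values are the ones on the page.

```powershell
# Added example, not from the McAfee write-up: read-only audit for the
# Adware-Tubby indicators under "System Changes". Reports only, removes
# nothing. Run from an elevated PowerShell prompt.
$KnownClsid   = '{9EAC0102-5E61-2312-BC2D-414456544F4E}'
$KnownTypeLib = '{9EAC0102-5E61-2312-BC2B-414456544F4E}'
$KnownMd5     = '1FCA9D28DCAA0BB49EB5A205F7D886D3'
$System32     = Join-Path $env:SystemRoot 'System32'
$findings     = @()

# 1. Dropped files. Only ADV.dll has a fixed hash; ADV.ini varies per install.
$dll = Join-Path $System32 'ADV.dll'
if (Test-Path -LiteralPath $dll) {
    $md5  = (Get-FileHash -LiteralPath $dll -Algorithm MD5).Hash
    $note = if ($md5 -eq $KnownMd5) { 'MD5 matches the known sample' } else { "MD5 $md5 differs; possibly another build" }
    $findings += "File: $dll ($note)"
}
if (Test-Path -LiteralPath (Join-Path $System32 'ADV.ini')) { $findings += "File: $System32\ADV.ini" }

# 2. Registry keys. The BHO key is the persistence point: it makes Internet
#    Explorer (and explorer.exe) load the COM server on every start.
$keys = @(
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$KnownClsid",
    "Registry::HKEY_CLASSES_ROOT\CLSID\$KnownClsid",
    "Registry::HKEY_CLASSES_ROOT\TypeLib\$KnownTypeLib",
    'Registry::HKEY_CLASSES_ROOT\Tubby.ToolBandObj',
    'Registry::HKEY_CLASSES_ROOT\Tubby.ToolBandObj.1',
    'HKCU:\Software\ADV TON',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Advanced Search'
)
foreach ($k in $keys) { if (Test-Path -LiteralPath $k) { $findings += "Registry key: $k" } }

# 3. Which DLL the CLSID actually resolves to (may differ from the write-up
#    if the adware was repackaged), plus the Internet Explorer toolbar entry.
$inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$KnownClsid\InprocServer32"
if (Test-Path -LiteralPath $inproc) {
    $findings += "COM server: $KnownClsid -> " + (Get-ItemProperty -LiteralPath $inproc).'(default)'
}
$tb = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar' -Name $KnownClsid -ErrorAction SilentlyContinue
if ($tb) { $findings += "IE toolbar entry for $KnownClsid" }
# 4. Homepage hijack: the write-up says the start page is forced to thenewsearch.com.
$start = (Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue).'Start Page'
if ($start -and $start -match 'thenewsearch\.com') { $findings += "IE Start Page points to $start" }

if ($findings.Count -eq 0) { Write-Output 'No Adware-Tubby indicators found.'; exit 0 }
Write-Output 'Adware-Tubby indicators found:'
$findings | ForEach-Object { Write-Output "  $_" }
exit 1
```

The exit code (1 when anything is found) lets the script be used as a check in a fleet-wide scan; the UninstallString on the page shows the vendor's own unregistration command, which this script deliberately does not run.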

Network Impact

Additional overhead in bandwidth due to attempts to contact a server (for what purpose is unknown).

Symptoms

N/A. This is not a virus or trojan.

Method of Infection

N/A. This is not a virus or trojan.

Variants

N/A

Overview

This is a Potentially Unwanted Program (PUP) detection. It is not a virus or trojan. PUPs are any piece of software which a reasonably security- or privacy-minded computer user may want to be informed of.

Removal

Instructions on Enabling/Disabling Detection and Removal of Potentially Unwanted Programs