Content

CasOnline

Type
Program
SubType
Win32
Discovery Date
04/27/2005
Length
Varies
Minimum DAT
4478 (04/27/2005)
Updated DAT
5272 (04/11/2008)
Minimum Engine
5.1.00
Description Added
04/27/2005
Description Modified
09/08/2005 11:48 AM (PT)
Risk Assessment
Corporate User
N/A
Home User
N/A

Tab Navigation

Characteristics

McAfee(R) AVERT recognizes that this program may have legitimate uses in contexts where an authorized administrator has knowingly installed this application. If you agreed to a license agreement for this, or another bundled application, you may have legal obligations with regard to removing this software, or using the host application without this software. Please contact the software vendor for further information.

See http://vil.nai.com/vil/DATReadme.asp for a list of Program detections added to the DATs.

See http://vil.nai.com/vil/pups/configuration.htm for information about how to enable, disable, and exclude detection of legitimately installed programs.

Distribution

This is not a virus or a trojan. It is detected as a "potentially unwanted program." It is an online gambling application. Upon launching the installer, a user interface is presented. After pressing Next on the initial installation interface installation proceeds without any further display of policies/agreements or request for user input.

Following installation the program is launched and initial setup downloads begin. A total of over 30MB of content (mainly graphics and music) is downloaded to the host system. Following the initial download and setup, the software makes regular communications to remote servers while running (see Network Impact below).

This application does not display a license agreement when installed. A license agreement is available online and can be accessed on the author's website here .

Privacy

The software communicates with remote servers on several ports during initial setup and operation. A unique identifier is created for the host system and transmitted during communications. Regular communications take place while the software is running. It is not clear what information may potentially be communicated (the majority of the background transmissions appear to use a proprietary protocol not easily interpreted), although if the user signs up to play "for money" games then transmission of personal information would necessarily occur.

No privacy policy is displayed during installation. A privacy policy is available online and can be accessed on the author's website here .

System Changes

Files Added

  • Installer: casinone.exe (3280 KB)
    MD5: B6CC65C352C38D53F3319638857FE915
  • c:\program files\casinoonnet\unwise.ini (5 KB)
  • c:\program files\casinoonnet\unwise.exe (124 KB)
    MD5: F0F97D8AD32AB1FB3B04B38AA44B4F56
  • c:\program files\casinoonnet\shared_.dll (72 KB)
    MD5: 2F6808E94DFF0DEC9B526465EAE1B9FB
  • c:\program files\casinoonnet\install.log (size varies)
  • c:\program files\casinoonnet\pv.exe (60 KB)
    MD5: A98E0F4EAF8260CA5190B0D247A7896A
  • c:\program files\casinoonnet\promo.gif (10 KB)
  • c:\program files\casinoonnet\processlist.txt (size varies))
  • c:\program files\casinoonnet\listproc.exe (32 KB)
    MD5: E9541E255A1AE392AAC00125F9C11911
  • c:\program files\casinoonnet\casino.exe (124 KB)
    MD5: 19553159C21E4F54E78B077696054ABA
  • c:\program files\casinoonnet\utils\
  • c:\program files\casinoonnet\utils\tooltips.ini (7 KB)
  • c:\program files\casinoonnet\utils\sounddrv.dll (252 KB)
    MD5: 79B2F9D6929B2DDAB0BDD31A3FAC0FA3
  • c:\program files\casinoonnet\utils\pl.iss (5 KB)
  • c:\program files\casinoonnet\utils\mmi.dll (372 KB)
    MD5: 3B4AD11EA6C4199D7EC0C850F20F763F
  • c:\program files\casinoonnet\utils\extractzip.dll (76 KB)
    MD5: EC54B3A63C33ECD80381732AD820020E
  • c:\program files\casinoonnet\utils\ecinw.iss (4 KB)
  • c:\program files\casinoonnet\utils\cst.iss (22 KB)
  • c:\program files\casinoonnet\utils\conditions.txt (20 KB)
  • c:\program files\casinoonnet\utils\ccrd.iss (3 KB)
  • c:\program files\casinoonnet\utils\casinoonnet.exe (2368 KB)
    MD5: C59DCB9B9A10A1486DC2846AE5768A38

    Many graphics and sound resources are downloaded and stored in the following top-level folders (many have subfolders as well)
  • c:\program files\casinoonnet\update\
  • c:\program files\casinoonnet\slotsmedia\
  • c:\program files\casinoonnet\roulette\
  • c:\program files\casinoonnet\vp\
  • c:\program files\casinoonnet\pvp\
  • c:\program files\casinoonnet\pgp\
  • c:\program files\casinoonnet\media\
  • c:\program files\casinoonnet\login\
  • c:\program files\casinoonnet\lobby\
  • c:\program files\casinoonnet\keno\
  • c:\program files\casinoonnet\gamehist\
  • c:\program files\casinoonnet\craps\
  • c:\program files\casinoonnet\cash\
  • c:\program files\casinoonnet\caribpoker\
  • c:\program files\casinoonnet\bj\
  • c:\program files\casinoonnet\baccarat\
  • c:\documents and settings\ \ start menu\programs\casino-on-net\uninstall casino-on-net.lnk (1 KB)
  • c:\documents and settings\ \start menu\programs\casino-on-net\casino-on-net.lnk (1 KB)
  • c:\documents and settings\ \desktop\casino-on-net.lnk (1 KB)
  • c:\documents and settings\ \cookies\administrator@www.888[2].txt (size varies)

Registry

The following registry keys are created:

  • HKEY_CURRENT_USER\Software\VHLD
  • HKEY_CURRENT_USER\Software\VHLD
    "DEMOID"="50231567"
  • HKEY_CURRENT_USER\Software\VHLD
    "C_LANG"="0"
  • HKEY_CURRENT_USER\Software\VHLD\MACHINE_ID
  • HKEY_CURRENT_USER\Software\casinoonnet
  • HKEY_CURRENT_USER\Software\casinoonnet\casino
  • HKEY_CURRENT_USER\Software\casinoonnet\casino\INIT
  • HKEY_CURRENT_USER\Software\casinoonnet\casino\INIT
    "MULTI_HAND"="1"
  • HKEY_CURRENT_USER\Software\casinoonnet\casino\INIT
    "REPORT"="1;0;0;5;"
  • HKEY_CURRENT_USER\Software\casinoonnet\casino\INIT
    "REPORT_NUM"="1"
  • HKEY_CURRENT_USER\Software\casinoonnet\casino\INIT
    "COOKIE_ID"="0"
  • HKEY_CURRENT_USER\Software\casinoonnet\casino\INIT
    "DEMO_PASSWORD"="yhbqd85"
  • HKEY_CURRENT_USER\Software\casinoonnet\casino\INIT
    "DEMO_USERNAME"="e4qu84v"
  • HKEY_CURRENT_USER\Software\casinoonnet\casino\INIT
    "P1"="195.244.211.244:8500^"
  • HKEY_CURRENT_USER\Software\casinoonnet\casino\INIT
    "MEDIAPATH"="C:\PROGRA~1\CASINO~1\"
  • HKEY_CURRENT_USER\Software\casinoonnet\casino\INIT
    "MAIL_VER"="1"
  • HKEY_CURRENT_USER\Software\casinoonnet\casino\INIT
    "IP"="realgwa.casino-on-net.com"
  • HKEY_CURRENT_USER\Software\casinoonnet\casino\INIT
    "IP1"="demogwa.casino-on-net.com"
  • HKEY_CURRENT_USER\Software\casinoonnet\casino\SETTINGS
  • HKEY_CURRENT_USER\Software\casinoonnet\casino\SDL
  • HKEY_CURRENT_USER\Software\casinoonnet\casino\SDL
    "Upd_Flag"="0"
  • HKEY_CURRENT_USER\Software\casinoonnet\casino\SDL
    "Upg_Date"="05/09/07"
  • HKEY_CURRENT_USER\Software\casinoonnet\casino\SDL
    "Upd_Ver"=""
  • HKEY_CURRENT_USER\Software\casinoonnet\casino\SDL
    "S_IP"="195.244.211.225"
  • HKEY_CURRENT_USER\Software\casinoonnet\casino\SDL
    "Curr_Ver"="(hex data)"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Uninstall\Casino-on-Net
    "UninstallString"="(hex data)"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Uninstall\Casino-on-Net
    "DisplayName"="Casino-on-Net"

Network Impact

The application was found to use the following network connection(s):

  • clientreport.random-logic.com(192.118.67.41):80 (TCP)
  • www.888.com(213.219.54.201):80 (TCP)
  • demogwa.casino-on-net.com(195.244.198.247):701 (TCP)
  • 195.244.221.225:7500 (TCP)
  • 195.244.221.244:8500 (TCP)

Additional overhead in bandwidth due to download of initial program content (~30+MB) and maintenance of multiple server connections while running.

Symptoms

N/A This is not a virus or trojan.

Method of Infection

N/A This is not a virus or trojan.

Variants

Variants

    N/A

All Information

Overview -

This is a Potentially Unwanted Program (PUP) detection. It is not a virus or trojan. PUPs are any piece of software which a reasonably security-or privacy-minded computer user may want to be informed of.

Aliases

  • CasinoOnNet

Characteristics

Characteristics -

McAfee(R) AVERT recognizes that this program may have legitimate uses in contexts where an authorized administrator has knowingly installed this application. If you agreed to a license agreement for this, or another bundled application, you may have legal obligations with regard to removing this software, or using the host application without this software. Please contact the software vendor for further information.

See http://vil.nai.com/vil/DATReadme.asp for a list of Program detections added to the DATs.

See http://vil.nai.com/vil/pups/configuration.htm for information about how to enable, disable, and exclude detection of legitimately installed programs.

Distribution

This is not a virus or a trojan. It is detected as a "potentially unwanted program." It is an online gambling application. Upon launching the installer, a user interface is presented. After pressing Next on the initial installation interface installation proceeds without any further display of policies/agreements or request for user input.

Following installation the program is launched and initial setup downloads begin. A total of over 30MB of content (mainly graphics and music) is downloaded to the host system. Following the initial download and setup, the software makes regular communications to remote servers while running (see Network Impact below).

This application does not display a license agreement when installed. A license agreement is available online and can be accessed on the author's website here .

Privacy

The software communicates with remote servers on several ports during initial setup and operation. A unique identifier is created for the host system and transmitted during communications. Regular communications take place while the software is running. It is not clear what information may potentially be communicated (the majority of the background transmissions appear to use a proprietary protocol not easily interpreted), although if the user signs up to play "for money" games then transmission of personal information would necessarily occur.

No privacy policy is displayed during installation. A privacy policy is available online and can be accessed on the author's website here .

System Changes

Files Added

  • Installer: casinone.exe (3280 KB)
    MD5: B6CC65C352C38D53F3319638857FE915
  • c:\program files\casinoonnet\unwise.ini (5 KB)
  • c:\program files\casinoonnet\unwise.exe (124 KB)
    MD5: F0F97D8AD32AB1FB3B04B38AA44B4F56
  • c:\program files\casinoonnet\shared_.dll (72 KB)
    MD5: 2F6808E94DFF0DEC9B526465EAE1B9FB
  • c:\program files\casinoonnet\install.log (size varies)
  • c:\program files\casinoonnet\pv.exe (60 KB)
    MD5: A98E0F4EAF8260CA5190B0D247A7896A
  • c:\program files\casinoonnet\promo.gif (10 KB)
  • c:\program files\casinoonnet\processlist.txt (size varies))
  • c:\program files\casinoonnet\listproc.exe (32 KB)
    MD5: E9541E255A1AE392AAC00125F9C11911
  • c:\program files\casinoonnet\casino.exe (124 KB)
    MD5: 19553159C21E4F54E78B077696054ABA
  • c:\program files\casinoonnet\utils\
  • c:\program files\casinoonnet\utils\tooltips.ini (7 KB)
  • c:\program files\casinoonnet\utils\sounddrv.dll (252 KB)
    MD5: 79B2F9D6929B2DDAB0BDD31A3FAC0FA3
  • c:\program files\casinoonnet\utils\pl.iss (5 KB)
  • c:\program files\casinoonnet\utils\mmi.dll (372 KB)
    MD5: 3B4AD11EA6C4199D7EC0C850F20F763F
  • c:\program files\casinoonnet\utils\extractzip.dll (76 KB)
    MD5: EC54B3A63C33ECD80381732AD820020E
  • c:\program files\casinoonnet\utils\ecinw.iss (4 KB)
  • c:\program files\casinoonnet\utils\cst.iss (22 KB)
  • c:\program files\casinoonnet\utils\conditions.txt (20 KB)
  • c:\program files\casinoonnet\utils\ccrd.iss (3 KB)
  • c:\program files\casinoonnet\utils\casinoonnet.exe (2368 KB)
    MD5: C59DCB9B9A10A1486DC2846AE5768A38

    Many graphics and sound resources are downloaded and stored in the following top-level folders (many have subfolders as well)
  • c:\program files\casinoonnet\update\
  • c:\program files\casinoonnet\slotsmedia\
  • c:\program files\casinoonnet\roulette\
  • c:\program files\casinoonnet\vp\
  • c:\program files\casinoonnet\pvp\
  • c:\program files\casinoonnet\pgp\
  • c:\program files\casinoonnet\media\
  • c:\program files\casinoonnet\login\
  • c:\program files\casinoonnet\lobby\
  • c:\program files\casinoonnet\keno\
  • c:\program files\casinoonnet\gamehist\
  • c:\program files\casinoonnet\craps\
  • c:\program files\casinoonnet\cash\
  • c:\program files\casinoonnet\caribpoker\
  • c:\program files\casinoonnet\bj\
  • c:\program files\casinoonnet\baccarat\
  • c:\documents and settings\ \ start menu\programs\casino-on-net\uninstall casino-on-net.lnk (1 KB)
  • c:\documents and settings\ \start menu\programs\casino-on-net\casino-on-net.lnk (1 KB)
  • c:\documents and settings\ \desktop\casino-on-net.lnk (1 KB)
  • c:\documents and settings\ \cookies\administrator@www.888[2].txt (size varies)

Registry

The following registry keys are created:

  • HKEY_CURRENT_USER\Software\VHLD
  • HKEY_CURRENT_USER\Software\VHLD
    "DEMOID"="50231567"
  • HKEY_CURRENT_USER\Software\VHLD
    "C_LANG"="0"
  • HKEY_CURRENT_USER\Software\VHLD\MACHINE_ID
  • HKEY_CURRENT_USER\Software\casinoonnet
  • HKEY_CURRENT_USER\Software\casinoonnet\casino
  • HKEY_CURRENT_USER\Software\casinoonnet\casino\INIT
  • HKEY_CURRENT_USER\Software\casinoonnet\casino\INIT
    "MULTI_HAND"="1"
  • HKEY_CURRENT_USER\Software\casinoonnet\casino\INIT
    "REPORT"="1;0;0;5;"
  • HKEY_CURRENT_USER\Software\casinoonnet\casino\INIT
    "REPORT_NUM"="1"
  • HKEY_CURRENT_USER\Software\casinoonnet\casino\INIT
    "COOKIE_ID"="0"
  • HKEY_CURRENT_USER\Software\casinoonnet\casino\INIT
    "DEMO_PASSWORD"="yhbqd85"
  • HKEY_CURRENT_USER\Software\casinoonnet\casino\INIT
    "DEMO_USERNAME"="e4qu84v"
  • HKEY_CURRENT_USER\Software\casinoonnet\casino\INIT
    "P1"="195.244.211.244:8500^"
  • HKEY_CURRENT_USER\Software\casinoonnet\casino\INIT
    "MEDIAPATH"="C:\PROGRA~1\CASINO~1\"
  • HKEY_CURRENT_USER\Software\casinoonnet\casino\INIT
    "MAIL_VER"="1"
  • HKEY_CURRENT_USER\Software\casinoonnet\casino\INIT
    "IP"="realgwa.casino-on-net.com"
  • HKEY_CURRENT_USER\Software\casinoonnet\casino\INIT
    "IP1"="demogwa.casino-on-net.com"
  • HKEY_CURRENT_USER\Software\casinoonnet\casino\SETTINGS
  • HKEY_CURRENT_USER\Software\casinoonnet\casino\SDL
  • HKEY_CURRENT_USER\Software\casinoonnet\casino\SDL
    "Upd_Flag"="0"
  • HKEY_CURRENT_USER\Software\casinoonnet\casino\SDL
    "Upg_Date"="05/09/07"
  • HKEY_CURRENT_USER\Software\casinoonnet\casino\SDL
    "Upd_Ver"=""
  • HKEY_CURRENT_USER\Software\casinoonnet\casino\SDL
    "S_IP"="195.244.211.225"
  • HKEY_CURRENT_USER\Software\casinoonnet\casino\SDL
    "Curr_Ver"="(hex data)"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Uninstall\Casino-on-Net
    "UninstallString"="(hex data)"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Uninstall\Casino-on-Net
    "DisplayName"="Casino-on-Net"

Network Impact

The application was found to use the following network connection(s):

  • clientreport.random-logic.com(192.118.67.41):80 (TCP)
  • www.888.com(213.219.54.201):80 (TCP)
  • demogwa.casino-on-net.com(195.244.198.247):701 (TCP)
  • 195.244.221.225:7500 (TCP)
  • 195.244.221.244:8500 (TCP)

Additional overhead in bandwidth due to download of initial program content (~30+MB) and maintenance of multiple server connections while running.

Symptoms

Symptoms -

N/A This is not a virus or trojan.

Method of Infection

Method of Infection -

N/A This is not a virus or trojan.

Removal -

Removal -

Instructions on Enabling/Disabling Detection and Removal of Potentially Unwanted Programs

Variants

Variants -

    N/A