Adware-DirectIP

Content

Adware-DirectIP

Type: Program
SubType: Adware
Discovery Date: 06/13/2005
Minimum DAT: 4512 (06/13/2005)
Updated DAT: 4566 (08/24/2005)
Minimum Engine: 5.1.00
Description Added: 06/13/2005
Description Modified: 06/14/2005 11:19 AM (PT)

Tab Navigation

Characteristics

Characteristics

McAfee(R) AVERT recognizes that this program may have legitimate uses in contexts where an authorized administrator has knowingly installed this application. If you agreed to a license agreement for this, or another bundled application, you may have legal obligations with regard to removing this software, or using the host application without this software. Please contact the software vendor for further information.

See http://vil.nai.com/vil/DATReadme.asp for a list of Program detections added to the DATs.

See http://vil.nai.com/vil/pups/configuration.htm for information about how to enable, disable, and exclude detection of legitimately installed programs.

Distribution

This is not a virus or a trojan. It is detected as a "potentially unwanted program." It is a Browser Helper Object which, based on examination of the code and strings within the file, is affiliated with direct-ip.com. A full installation package could not be located, so whether a user interface is displayed during installation is presently unknown. There is no evidence that the software is installed after registration of the BHO. No new toolbar or other visual indication is present in Internet Explorer. It is likely that the purpose of the software somehow includes advertising (note the registry value under HKEY_LOCAL_MACHINE\SOFTWARE\BHO656, "popupactive"), although no popup advertising was noted (even after manually setting "popupactive" to 1). It is probable that only partial samples have been received so far which make up part of a larger package.

This may be related to Adware-CommanderNET , which also contains references to direct-ip.com.

As tested, this application does not display a license agreement when installed.

Privacy

No privacy policy is displayed during installation. There does not seem to be any privacy information on the direct-ip.com website.

System Changes

Files Added

c:\task.exe (100 KB)
MD5: FE3B681C765D85B7DD6BB80DD078095D

c:\acrbat.dll (96 KB)
MD5: E5DAF0FFC4092B50D8778A0843198DB4

Registry

The following registry keys are created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Explorer\Browser Helper Objects\
{79A002FB-C126-462D-B4A7-81D6B42D1666}

HKEY_LOCAL_MACHINE\SOFTWARE\BHO656

HKEY_LOCAL_MACHINE\SOFTWARE\BHO656
"popupactive"="0"

HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Ext\Stats\{79A002FB-C126-462D-B4A7-81D6B42D1666}\iexplore
"Time"="D5-07-06-00-05-00-0A-00-15-00-38-00-09-00-C4-02"

HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Ext\Stats\{79A002FB-C126-462D-B4A7-81D6B42D1666}\iexplore
"Count"="1"

HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Ext\Stats\{79A002FB-C126-462D-B4A7-81D6B42D1666}\iexplore
"Type"="3"

HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Ext\Stats\{79A002FB-C126-462D-B4A7-81D6B42D1666}\iexplore

HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Ext\Stats\{79A002FB-C126-462D-B4A7-81D6B42D1666}

HKEY_CLASSES_ROOT\TypeLib\{4AF42E5B-9541-49EE-ABD6-72A6EC9EAE70}\1.0\HELPDIR
"default"="C:\"

HKEY_CLASSES_ROOT\TypeLib\{4AF42E5B-9541-49EE-ABD6-72A6EC9EAE70}\1.0\HELPDIR

HKEY_CLASSES_ROOT\TypeLib\{4AF42E5B-9541-49EE-ABD6-72A6EC9EAE70}\1.0\FLAGS
"default"="0"

HKEY_CLASSES_ROOT\TypeLib\{4AF42E5B-9541-49EE-ABD6-72A6EC9EAE70}\1.0\FLAGS

HKEY_CLASSES_ROOT\TypeLib\{4AF42E5B-9541-49EE-ABD6-72A6EC9EAE70}\1.0\0\win32
"default"="C:\acrbat.dll"

HKEY_CLASSES_ROOT\TypeLib\{4AF42E5B-9541-49EE-ABD6-72A6EC9EAE70}\1.0\0\win32

HKEY_CLASSES_ROOT\TypeLib\{4AF42E5B-9541-49EE-ABD6-72A6EC9EAE70}\1.0\0

HKEY_CLASSES_ROOT\TypeLib\{4AF42E5B-9541-49EE-ABD6-72A6EC9EAE70}\1.0
"default"="ShowMyBar 1.0 Type Library"

HKEY_CLASSES_ROOT\TypeLib\{4AF42E5B-9541-49EE-ABD6-72A6EC9EAE70}\1.0

HKEY_CLASSES_ROOT\TypeLib\{4AF42E5B-9541-49EE-ABD6-72A6EC9EAE70}

HKEY_CLASSES_ROOT\ShowMyBar.ShowBarObj.1\CLSID
"default"="{79A002FB-C126-462D-B4A7-81D6B42D1666}"

HKEY_CLASSES_ROOT\ShowMyBar.ShowBarObj.1\CLSID

HKEY_CLASSES_ROOT\ShowMyBar.ShowBarObj.1
"default"="ShowBarObj Class"

HKEY_CLASSES_ROOT\ShowMyBar.ShowBarObj.1

HKEY_CLASSES_ROOT\ShowMyBar.ShowBarObj\CurVer
"default"="ShowMyBar.ShowBarObj.1"

HKEY_CLASSES_ROOT\ShowMyBar.ShowBarObj\CurVer

HKEY_CLASSES_ROOT\ShowMyBar.ShowBarObj\CLSID
"default"="{79A002FB-C126-462D-B4A7-81D6B42D1666}"

HKEY_CLASSES_ROOT\ShowMyBar.ShowBarObj\CLSID

HKEY_CLASSES_ROOT\ShowMyBar.ShowBarObj
"default"="ShowBarObj Class"

HKEY_CLASSES_ROOT\ShowMyBar.ShowBarObj

HKEY_CLASSES_ROOT\Interface\{F370F307-2AF6-4A7D-A592-818529C57779}\TypeLib
"Version"="1.0"

HKEY_CLASSES_ROOT\Interface\{F370F307-2AF6-4A7D-A592-818529C57779}\TypeLib
"(default)"="{4AF42E5B-9541-49EE-ABD6-72A6EC9EAE70}"

HKEY_CLASSES_ROOT\Interface\{F370F307-2AF6-4A7D-A592-818529C57779}\TypeLib

HKEY_CLASSES_ROOT\Interface\{F370F307-2AF6-4A7D-A592-818529C57779}
\ProxyStubClsid32
"default"="{00020424-0000-0000-C000-000000000046}"

HKEY_CLASSES_ROOT\Interface\{F370F307-2AF6-4A7D-A592-818529C57779}
\ProxyStubClsid32

HKEY_CLASSES_ROOT\Interface\{F370F307-2AF6-4A7D-A592-818529C57779}
\ProxyStubClsid
"default"="{00020424-0000-0000-C000-000000000046}"

HKEY_CLASSES_ROOT\Interface\{F370F307-2AF6-4A7D-A592-818529C57779}
\ProxyStubClsid

HKEY_CLASSES_ROOT\Interface\{F370F307-2AF6-4A7D-A592-818529C57779}
"default"="IShowBarObj"

HKEY_CLASSES_ROOT\Interface\{F370F307-2AF6-4A7D-A592-818529C57779}

HKEY_CLASSES_ROOT\CLSID\{79A002FB-C126-462D-B4A7-81D6B42D1666}
\VersionIndependentProgID
"default"="ShowMyBar.ShowBarObj"

HKEY_CLASSES_ROOT\CLSID\{79A002FB-C126-462D-B4A7-81D6B42D1666}
\VersionIndependentProgID

HKEY_CLASSES_ROOT\CLSID\{79A002FB-C126-462D-B4A7-81D6B42D1666}\TypeLib
"default"="{4AF42E5B-9541-49EE-ABD6-72A6EC9EAE70}"

HKEY_CLASSES_ROOT\CLSID\{79A002FB-C126-462D-B4A7-81D6B42D1666}\TypeLib

HKEY_CLASSES_ROOT\CLSID\{79A002FB-C126-462D-B4A7-81D6B42D1666}\Programmable

HKEY_CLASSES_ROOT\CLSID\{79A002FB-C126-462D-B4A7-81D6B42D1666}\ProgID
"default"="ShowMyBar.ShowBarObj.1"

HKEY_CLASSES_ROOT\CLSID\{79A002FB-C126-462D-B4A7-81D6B42D1666}\ProgID

HKEY_CLASSES_ROOT\CLSID\{79A002FB-C126-462D-B4A7-81D6B42D1666}\InprocServer32
"ThreadingModel"="Apartment"

HKEY_CLASSES_ROOT\CLSID\{79A002FB-C126-462D-B4A7-81D6B42D1666}\InprocServer32
"(default)"="C:\acrbat.dll"

HKEY_CLASSES_ROOT\CLSID\{79A002FB-C126-462D-B4A7-81D6B42D1666}\InprocServer32

HKEY_CLASSES_ROOT\CLSID\{79A002FB-C126-462D-B4A7-81D6B42D1666}
"default"="ShowBarObj Class"

HKEY_CLASSES_ROOT\CLSID\{79A002FB-C126-462D-B4A7-81D6B42D1666}

Network Impact

No additional network traffic was observed during testing, although a more complete package or installation may perform communications.

Removal

Instructions on Enabling/Disabling Detection and Removal of Potentially Unwanted Programs

Aliases

N/A

McAfee > Theat Center > PUP Detail Page

Navigation

Utility Navigation

Content

Adware-DirectIP

SubType

Discovery Date

Length

Minimum DAT

Updated DAT

Minimum Engine

Description Added

Description Modified

Tab Navigation

Characteristics

Removal

Aliases

Aliases

Threat Resources

Footer