Adware-Click

Type: Program
SubType: Adware
Discovery Date: 09/14/2005
Minimum DAT: 4581 (09/14/2005)
Updated DAT: 4698 (02/16/2006)
Minimum Engine: 5.1.00
Description Added: 09/14/2005
Description Modified: 01/28/2006 5:50 PM (PT)

Characteristics

McAfee(R) AVERT recognizes that this program may have legitimate uses in contexts where an authorized administrator has knowingly installed this application. If you agreed to a license agreement for this, or another bundled application, you may have legal obligations with regard to removing this software, or using the host application without this software. Please contact the software vendor for further information.

See http://vil.nai.com/vil/DATReadme.asp for a list of Program detections added to the DATs.

See http://vil.nai.com/vil/pups/configuration.htm for information about how to enable, disable, and exclude detection of legitimately installed programs.

Distribution

This is not a virus or a trojan. It is detected as a "potentially unwanted program." It is a direct-marketing adware application that generates pop-up windows leading to other search engines, and replaces link targets while browsing the web. The DLL is registered as a BHO (Browser Helper Object), and redirects links to other search engines (e.g. morwillsearch.com). It appears that search terms are intercepted and sent to these third-party servers, which respond with links. Rather than redirecting the user right away, the results are substituted when the user clicks on a valid link from their original search results. In the example below, the words "home loans" were entered into Google, and then the link to the government Housing and Urban Development page was selected. The actual page presented was the morwillsearch.com site.

The executable, when launched, runs silently in the background and periodically opens full screen browser windows to similar search engines (most frequently morwillsearch.com and imgs.klikfind.com). The executable does not establish a way to ensure repeated launch, however (no registry Run keys or other similar methods were observed).

No license agreement is shown on execution/installation.

Privacy

A privacy policy is not displayed during installation. The BHO was observed to communicate search terms to other search engines (morwillsearch.com, golden-search.com, etc.).

System Changes

General defaults for typical path variables (although they may be different, they usually are not):
%WinDir% = \WINDOWS (Windows 9x/ME/XP), \WINNT (Windows NT/2000)
%SystemDir% = \WINDOWS\SYSTEM32 (Windows 9x/ME/XP), \WINNT\SYSTEM32 (Windows NT/2000)
%ProgramFiles% = \Program Files

"*" - Denotes files that, though installed along with the software, are by themselves innocent and not included in detection.

Files Added

  • qyhgxsro.dll (116 KB) (name varies)
    MD5: 1A1C52BA3D2B52476C24C5F1CD5D2BF7
  • 1087781.exe (6 KB) (name varies)
    MD5: 671FC4FDCD195D0914DB3DB47012633E

Registry

The following registry keys are created:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
    \Explorer\Browser Helper Objects\{CAEFA8EB-B417-46c7-82D1-1B8D1D8EF924}
  • HKEY_CLASSES_ROOT\HTMLEdit.Bho.1
  • HKEY_CLASSES_ROOT\HTMLEdit.Bho
  • HKEY_CLASSES_ROOT\CLSID\{CAEFA8EB-B417-46c7-82D1-1B8D1D8EF924}
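Because the DLL and EXE names vary, the BHO CLSID and the HTMLEdit.Bho ProgIDs listed above are the stable things to check for. The following is an added example, not McAfee's code: it audits the text of a registry export, lists every registered BHO with its DLL, and flags those indicators. It assumes the standard COM layout (InprocServer32 and ProgID subkeys under the CLSID key, which this page does not list) and that the export, which `reg export` writes as UTF-16, has already been decoded to text; the sample export, the second CLSID and both DLL paths are constructed.

```python
# Indicators copied from the Registry section of this page.
KNOWN_CLSID = "{CAEFA8EB-B417-46C7-82D1-1B8D1D8EF924}"
KNOWN_PROGIDS = {"htmledit.bho", "htmledit.bho.1"}
BHO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
           r"\Explorer\Browser Helper Objects").upper()

# Constructed sample of `reg export` text: one benign BHO, one matching the page.
# CLSID 1111..., both DLL paths and the ProgID linkage are made up for the demo.
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CAEFA8EB-B417-46c7-82D1-1B8D1D8EF924}]
[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Program Files\\Example\\toolbar.dll"
[HKEY_CLASSES_ROOT\CLSID\{CAEFA8EB-B417-46c7-82D1-1B8D1D8EF924}\InprocServer32]
@="C:\\WINDOWS\\system32\\qyhgxsro.dll"
[HKEY_CLASSES_ROOT\CLSID\{CAEFA8EB-B417-46c7-82D1-1B8D1D8EF924}\ProgID]
@="HTMLEdit.Bho.1"
"""

def parse_reg(text):
    """Parse .reg text into {upper-cased key path: {value name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].upper(), {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            # .reg files quote strings and double every backslash
            current[name.strip('"')] = data.strip('"').replace("\\\\", "\\")
    return keys

def audit_bhos(text):
    """List every registered BHO with its DLL and flag the page's indicators."""
    keys, findings = parse_reg(text), []
    for path in keys:
        if not path.startswith(BHO_KEY + "\\"):
            continue
        clsid = path[len(BHO_KEY) + 1:]
        com = "HKEY_CLASSES_ROOT\\CLSID\\" + clsid
        dll = keys.get(com + "\\INPROCSERVER32", {}).get("@", "")
        progid = keys.get(com + "\\PROGID", {}).get("@", "")
        flagged = clsid == KNOWN_CLSID or progid.lower() in KNOWN_PROGIDS
        findings.append({"clsid": clsid, "dll": dll, "flagged": flagged})
    return findings

if __name__ == "__main__":
    for f in audit_bhos(SAMPLE):
        print("FLAGGED" if f["flagged"] else "ok     ", f["clsid"], f["dll"])
```

The DLL path reported for a flagged entry is the file to hash and compare against the MD5 listed under Files Added.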

Network Impact

Additional overhead in bandwidth due to download of search page content (for search page popups), and caching of links for redirection.

Aliases

N/A