Content

Adware-Cygo

Type
Program
SubType
Adware
Discovery Date
12/12/2005
Minimum DAT
4648 (12/12/2005)
Updated DAT
5185 (12/13/2007)
Minimum Engine
5.1.00
Description Added
12/12/2005
Description Modified
03/03/2006 5:18 PM (PT)

Tab Navigation

Characteristics

McAfee(R) AVERT recognizes that this program may have legitimate uses in contexts where an authorized administrator has knowingly installed this application. If you agreed to a license agreement for this, or another bundled application, you may have legal obligations with regard to removing this software, or using the host application without this software. Please contact the software vendor for further information.

See http://vil.nai.com/vil/DATReadme.asp for a list of Program detections added to the DATs.

See http://vil.nai.com/vil/pups/configuration.htm for information about how to enable, disable, and exclude detection of legitimately installed programs.

Distribution

This is not a virus or a trojan. It is a browser hijacker adware that redirects the browser home page and default searches. Two services are installed and a registry Run key is set to ensure that the software is loaded at each system startup. Installation is silent and no interface is presented after launching the installer.

The browser home page is set to www.cygo.net, and default address bar searches are redirected to search.cygo.net.

The new default home page:

The below was the result of typing "home loans" into the Internet Explorer address bar.

A new button is placed in the Internet Explorer toolbar as well.

This application does not display a license agreement when installed.

Privacy

A privacy policy is not displayed during installation. Though not observed, a wide range of possibly privacy-impacting activities could be undertaken by the software (download of other components or third party software, etc.) As no privacy policy is present, and the filenames used seem deceptively similar to those of common system processes or otherwise designed to appear as system components (e.g. "crssrp.exe" vs. "crssr.exe", also "msservice.exe" and "msmon.exe", placed in system folders) there may be cause for concern about future privacy issues.

System Changes

General defaults for typical path variables (although they may be different, they usually are not):
%WinDir% = \WINDOWS (Windows 9x/ME/XP), \WINNT (Windows NT/2000)
%SystemDir% = \WINDOWS\SYSTEM32 (Windows 9x/ME/XP), \WINNT\SYSTEM32 (Windows NT/2000)
%ProgramFiles% = \Program Files

Files Added

  • Installer: ba09a903.exe (name may vary) (214 KB)
    MD5: 6E938DFB0DB5545A75A0A7D2A2891466
  • %SystemDir%\msservice.exe (229 KB)
    MD5: C84AA2B32E4718FC0047D573BD6422C3
  • %SystemDir%\msrestart.exe (223 KB)
    MD5: 8C23E1B426EC11F982A8D5B2E136B2E7
  • %SystemDir%\msmon.exe (229 KB)
    MD5: 10B7D9B8F419E5A8682F0607FA83F733
  • %WinDir%\umsetup.inc (1 KB)
  • %WinDir%\msite.inc (1 KB)
  • %WinDir%\msetup.inc (1 KB)
  • %WinDir%\cygo.ico (1 KB)
  • %WinDir%\csrssu.exe (214 KB)
    MD5: 6E938DFB0DB5545A75A0A7D2A2891466
  • %WinDir%\csrssp.exe (249 KB)
    MD5: 00BB3F92258F5BDD8FCA3AAC033933AF
  • %WinDir%\csrssp.dll (40 KB)
    MD5: B275387690470E88AB18FEDA56004F7A
  • c:\documents and settings\administrator\local settings\temp\msservice.zip (229 KB)
    MD5: C84AA2B32E4718FC0047D573BD6422C3
  • c:\documents and settings\administrator\local settings\temp\msrestart.zip (223 KB)
    MD5: 8C23E1B426EC11F982A8D5B2E136B2E7
  • c:\documents and settings\administrator\local settings\temp\msmon.zip (229 KB)
    MD5: 10B7D9B8F419E5A8682F0607FA83F733
  • c:\documents and settings\administrator\local settings\temp\csrssu.zip (214 KB)
    MD5: 6E938DFB0DB5545A75A0A7D2A2891466
  • c:\documents and settings\administrator\local settings\temp\csrssp.zip (249 KB)
    MD5: 00BB3F92258F5BDD8FCA3AAC033933AF
  • c:\documents and settings\administrator\local settings\temp\csrssp.dll (40 KB)
    MD5: B275387690470E88AB18FEDA56004F7A

Registry

The following registry keys are created:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    "ufile"="C:\WINDOWS\csrssu.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions
    \{10954C80-4F0F-11d3-B17C-00C0DFE39736}
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
    \MSServiceModule
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
    \MSMonitorModule
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root
    \LEGACY_MSSERVICEMODULE
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MSServiceModule
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MSMonitorModule
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSSERVICEMODULE
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search

The following registry keys are modified:

  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
    "Start Page"="http://www.cygo.net"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search
    "SearchAssistant"="http://search.cygo.net/iesearch.php?key=%s"

Network Impact

Additional overhead in bandwidth due to redirection of home page.

Aliases

Aliases

    N/A