McAfee > Theat Center > PUP Detail Page

Characteristics

McAfee(R) AVERT™ recognizes that this program may have legitimate uses in contexts where an authorized administrator has knowingly installed this application. If you agreed to a license agreement for this, or another bundled application, you may have legal obligations with regard to removing this software, or using the host application without this software. Please contact the software vendor for further information.

See http://vil.nai.com/vil/DATReadme.aspx for a list of Program detections added to the DATs.

See http://vil.nai.com/vil/pups/configuration.aspx for information about how to enable, disable, and exclude detection of legitimately installed programs.

Summary:

This is not a Virus or Trojan.

It is an adware dropper which drops adware related components on the system.

Upon execution it adds “WinNB58.dll” as Browser Helper Object for the Internet Explorer and installs itself as the toolbar for the Internet explorer as shown below.

Browser Helper Objects are executable files that are loaded when the browser is launched. They can perform various tasks, such as generating extra pop-up ads, monitoring page navigation, etc.

In the background it makes internet connections without user’s knowledge with “download.getmirar.com” and “awbeta.net-nucleus.com”

While browsing the internet it may pop up some advertisements as shown below

Privacy:

No license agreement is displayed during installation, although one could be displayed by another installer if bundled with another application. No Privacy policy related to the software could be found.

Installation:

File name: “a7285bb1.EXE”
MD5Hash: “a7285bb1d7a7eb9a265e64aad1585251”

Following folder is added:

• %Program Files%\InetGet2

Following files are added:

• MirarSetup_876072.exe (Detected as Adware-Mirar)
• WinDmy.dll (Detected as Adware-Mirar)
• WinNB58.dll (Detected as Adware-Mirar)
• NNBar_VCSetup_876072.exe (Detected as Adware-Mirar)

Following registry keys are added:

• HKEY_CLASSES_ROOT\CLSID\{8A0DCBDA-6E20-489C-9041-C1E8A0352E75}
• HKEY_CLASSES_ROOT\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}
• HKEY_CLASSES_ROOT\Interface\{03022430-ABC4-11D0-BDE2-00AA001A1953}
• HKEY_CLASSES_ROOT\Interface\{1037B06C-84B7-4240-8D80-485810A0497D}
• HKEY_CLASSES_ROOT\Interface\{224302B0-94E9-45C2-9E5B-BA989EE556E1}
• HKEY_CLASSES_ROOT\Interface\{54B287F9-FD90-4457-B65E-CB91560C021D}
• HKEY_CLASSES_ROOT\Interface\{6E4C7AFC-9915-4036-B7F9-8B3F1710788F}
• HKEY_CLASSES_ROOT\NN_Bar_Dummy.NN_BarDummy
• HKEY_CLASSES_ROOT\NN_Bar_Dummy.NN_BarDummy.1
• HKEY_CLASSES_ROOT\TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}
• HKEY_CLASSES_ROOT\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}
• HKEY_CLASSES_ROOT\TypeLib\{F8310E7D-4C4D-46A4-A068-B5BB99411CC7}
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
  Explorer\Browser Helper Objects\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E}

Network Impact
Additional overhead in the bandwidth due to unwanted internet connections.

Removal

Aliases

Aliases

• Adware.Win32.SaveNow.bj (Kaspersky)
• Adware/Mirar (Fortinet)