McAfee > Theat Center > Virus Detail Page

Overview

Characteristics

McAfee® Avert® Labs recognizes that this program may have legitimate uses in contexts where an authorized administrator has knowingly installed this application. If you agreed to a license agreement for this, or another bundled application, you may have legal obligations with regard to removing this software, or using the host application without this software. Please contact the software vendor for further information.

See http://vil.nai.com/vil/DATReadme.asp for a list of Program detections added to the DATs.

See http://vil.nai.com/vil/pups/configuration.htm for information about how to enable, disable, and exclude detection of legitimately installed programs.

Distribution

This is not a virus or a trojan. It is detected as a "potentially unwanted program." It is advertised as an application intended to supplement a user's browsing and general use of the Internet by tracking their usage and then proactively searching out and alerting the user to additional content that matches interest categories that it has identified. There are indications that the software is related to or controlled by WhenU (authors of Adware-SaveNow and Adware-WhenUSearch). Though the package tested appeared to be stand-alone it is indicated in the online EULA that the software "may also enable you to receive advertising-supported versions of many popular software applications or other services without paying a subscription or other premium fee" suggesting potential bundling.

No user interface was displayed upon launching the installer. Only a progress indicator was displayed briefly before full installation of the software took place.

Following installation, an interface resembling a three dimensional cube appears on the desktop. An icon is also present in the System Tray.

This application does not display a license agreement when installed. However, the full text of the license agreement can be accessed on the author's website http://www.memedia.com/eula.html

Privacy

A privacy policy is not displayed during installation for the package analyzed. However, the full text of the policy can be accessed on the author's website http://www.memedia.com/meme_privacy_policy.html

No transmission of personally identifiable data being to remote systems was observed during testing, but indications point to a mechanism similar to what WhenU uses in their advertisement products (using a local database to preclude the need for sending specific user data from the local system). The package tested appeared to come with several interest categories pre-defined to ensure that at least some content would be "found" shortly after installation.

System Changes

General defaults for typical path variables (although they may be different, they usually are not):
%ProgramFiles% = \Program Files

Files Added

Installer: setupmemepersonal.exe (5151 KB, MD5: 8BA6976A8DFC35C19BCF62FAFB8EB4C8)

%ProgramFiles%\meme\
_ngs.b_ (375 KB)
vdbk1.jpg (6 KB)
vdbk.jpg (13 KB)
tr.dll (505 KB, MD5: C3D98DAC60F6F8A6AE60BAFA9E6745E6)
privacy.html (12 KB)
memeuninst.exe (263 KB, MD5: 422B25DF8A31A149A07FE83516DBFFC4)
meme.htm (136 KB)
meme.exe (905 KB, MD5: 438A203C0D997959AC7F156A7C737A73)
meme.db (118 KB)
meme.cch (3193 KB)
imgdecoder.dll (412 KB, MD5: D9338EFEB7F0513DD226479EA4050188)
global.css (1 KB)
ffext.mod (12 KB)
fb_ui_logo.gif (3 KB)
eula.html (15 KB)
cde.exe (3481 KB, MD5: 4A8B5CB8CD4DF660F5198C66788825DB)
cae.exe (297 KB, MD5: 77D5BF42C135B3A7C521A8392669EDCA)
about.html (2 KB)

%ProgramFiles%\meme\_anim\
(this folder contains many .png files)

c:\documents and settings\(user name)\start menu\programs\meme\
uninstall instructions.lnk (1 KB)
meme.lnk (1 KB)
customer support.lnk (1 KB)
about meme.lnk (1 KB)

c:\documents and settings\(user name)\cookies\
(user name)@www.memedia[1].txt (1 KB)
(user name)@indexstats[2].txt (1 KB)

Registry
The following elements are added (only more significant/high level listed):

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MeMe"="C:\Program Files\MeMe\MeMe.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MeMe]
"UrlInfoAbout"="file:///C:/Program%20Files/MeMe/about.html"
"UninstallString"=""C:\Program Files\MeMe\MeMeUninst.exe""
"Publisher"="MeMedia"
"HelpLink"="mailto:support@memedia.com"
"DisplayVersion"="1.50"
"DisplayName"="MeMe"
"DisplayIcon"="C:\Program Files\MeMe\MeMe.exe,1"

[HKEY_CURRENT_USER\Software\MeMe]
"src_url"="http://offers.memedia.com/pop_up/"
"PartnerParam"="dt=MeMe;q=;i=1"
"PartnerDesc"="MeMe"
"Partner"="WU3D010725W001"
"SetupCmdLine"="http://web.whenu.com/Offers?iou=i&clp=WU3D010725W001"
"timedDBUpdate_rs"="y"
"Version"="6.51"
"ver_url"="http://www.memedia.com/MeMe/versions.html"
"update_url"="http://app.memedia.com/throttle?name=save4.22"
"script_url"="http://app.memedia.com/throttle?name=script-save-1002700877"
"pat_chunks_url"="http://akapp.memedia.com/DataChunksGZ"
"pats_url"="http://akapp.memedia.com/OffersDataGZ"
"InstallDir"="C:\Program Files\MeMe"

[HKEY_CURRENT_USER\Software\MeMe\Settings]
"runIntro"="N"
"alertToDesktop"="N"

[HKEY_CURRENT_USER\Software\MeMe\Partners\WU3D]
"PartnerParam"="dt=MeMe;q=;i=1"
"PartnerDesc"="MeMe"
"InstallTime"="20070604094558"
"Partner"="WU3D010725W001"

[HKEY_CURRENT_USER\Software\MeMe\interests\Serena Williams]
"guid"="0"
"weight"="100"
"lastModify"="1180975558"

[HKEY_CURRENT_USER\Software\MeMe\interests\rock]
"guid"="0"
"weight"="100"
"lastModify"="1180975558"

[HKEY_CURRENT_USER\Software\MeMe\interests\Michael Vick]
"guid"="0"
"weight"="100"
"lastModify"="1180975558"

[HKEY_CURRENT_USER\Software\MeMe\interests\Chicago Bears]
"guid"="0"
"weight"="100"
"lastModify"="1180975558"

[HKEY_CLASSES_ROOT\TypeLib\{E1D59B9C-C610-4318-87AA-E22D2F68750A}]
[HKEY_CLASSES_ROOT\TypeLib\{DABF362D-D442-4402-9208-CA9ED70DD01E}]
[HKEY_CLASSES_ROOT\TypeLib\{A675138B-7E78-4618-BE19-85F993ACB987}]
[HKEY_CLASSES_ROOT\TR.TRFactory.1]
[HKEY_CLASSES_ROOT\TR.TRFactory]
[HKEY_CLASSES_ROOT\MEME.1]
[HKEY_CLASSES_ROOT\Interface\{F6EAD09A-3824-4E75-8457-A3D3B2A8BD9E}]
[HKEY_CLASSES_ROOT\Interface\{F6E4845D-1D13-4BC0-942D-B9191524CC48}]
[HKEY_CLASSES_ROOT\Interface\{D7FB0EA6-9A9A-4A17-8654-946331ACD77F}]
[HKEY_CLASSES_ROOT\Interface\{D3776A01-7DE0-498D-8987-8B9BB4BB2F5C}]
[HKEY_CLASSES_ROOT\Interface\{CD9CBF70-D5B2-4AB5-9397-650F5610339A}]
[HKEY_CLASSES_ROOT\Interface\{CBC01261-5EDA-4E8D-925E-DD02FAA5A4EA}]
[HKEY_CLASSES_ROOT\Interface\{CB999AF2-D800-4E93-BF9C-6110DBB18CBE}]
[HKEY_CLASSES_ROOT\Interface\{B36D7032-AA9C-4DBC-8411-A62C32CF3202}]
[HKEY_CLASSES_ROOT\Interface\{862DEF42-89AA-49FA-AE1F-8A84B1B08A17}]
[HKEY_CLASSES_ROOT\Interface\{5AC3A9EF-C0F8-41D4-B4E2-B7CEBB794151}]
[HKEY_CLASSES_ROOT\Interface\{4A84E302-6BD7-4B66-8140-EC4972B86C6A}]
[HKEY_CLASSES_ROOT\Interface\{2BD87380-ACFC-4FEF-91CF-382C5834B974}]
[HKEY_CLASSES_ROOT\CLSID\{F4C110AC-2C97-4C7A-B02A-C8F5F7499DDD}]
[HKEY_CLASSES_ROOT\CLSID\{BE4E97D1-E03D-4F20-9792-5652F7850BBD}]
[HKEY_CLASSES_ROOT\CLSID\{9E5AC58F-251B-4525-8273-DA3FD7DB4482}]
[HKEY_CLASSES_ROOT\CLSID\{602D9049-B4AC-4A25-BF75-A9B54D747CBA}]
[HKEY_CLASSES_ROOT\CLSID\{5946ADC0-2BFD-4356-A29B-B56880D280DB}]
[HKEY_CLASSES_ROOT\CLSID\{393AA0EF-A079-460C-8DBB-636DB16DF529}]
[HKEY_CLASSES_ROOT\CDE.InterestCollection.1]
[HKEY_CLASSES_ROOT\CDE.InterestCollection]
[HKEY_CLASSES_ROOT\CDE.Interest.1]
[HKEY_CLASSES_ROOT\CDE.Interest]
[HKEY_CLASSES_ROOT\CDE.EvtTrigger.1]
[HKEY_CLASSES_ROOT\CDE.EvtTrigger]
[HKEY_CLASSES_ROOT\CAE.InterestData.1]
[HKEY_CLASSES_ROOT\CAE.InterestData]
[HKEY_CLASSES_ROOT\CAE.Analyzer.1]
[HKEY_CLASSES_ROOT\CAE.Analyzer]
[HKEY_CLASSES_ROOT\AppID\{C246F100-ADD0-47C0-8720-9D5A7C0385EA}]
[HKEY_CLASSES_ROOT\AppID\{7168D890-7DD2-4ABE-B3CA-BDBC701A32C7}]
[HKEY_CLASSES_ROOT\AppID\{69E0089F-28BC-4BB5-862B-E2B07C3B83C6}]
[HKEY_CLASSES_ROOT\AppID\TR.DLL]
[HKEY_CLASSES_ROOT\AppID\CDE.EXE]
[HKEY_CLASSES_ROOT\AppID\CAE.EXE]

Network Impact

Additional overhead in bandwidth due to background download of program data and searches for content matching user interest categories.

Symptoms

Method of Infection

Removal

Instructions on Enabling/Disabling Detection and Removal of Potentially Unwanted Programs

Variants

Variants

N/A

All Information

Overview -

Characteristics

Characteristics -

McAfee® Avert® Labs recognizes that this program may have legitimate uses in contexts where an authorized administrator has knowingly installed this application. If you agreed to a license agreement for this, or another bundled application, you may have legal obligations with regard to removing this software, or using the host application without this software. Please contact the software vendor for further information.

See http://vil.nai.com/vil/DATReadme.asp for a list of Program detections added to the DATs.

See http://vil.nai.com/vil/pups/configuration.htm for information about how to enable, disable, and exclude detection of legitimately installed programs.

Distribution

This is not a virus or a trojan. It is detected as a "potentially unwanted program." It is advertised as an application intended to supplement a user's browsing and general use of the Internet by tracking their usage and then proactively searching out and alerting the user to additional content that matches interest categories that it has identified. There are indications that the software is related to or controlled by WhenU (authors of Adware-SaveNow and Adware-WhenUSearch). Though the package tested appeared to be stand-alone it is indicated in the online EULA that the software "may also enable you to receive advertising-supported versions of many popular software applications or other services without paying a subscription or other premium fee" suggesting potential bundling.

No user interface was displayed upon launching the installer. Only a progress indicator was displayed briefly before full installation of the software took place.

Following installation, an interface resembling a three dimensional cube appears on the desktop. An icon is also present in the System Tray.

This application does not display a license agreement when installed. However, the full text of the license agreement can be accessed on the author's website http://www.memedia.com/eula.html

Privacy

A privacy policy is not displayed during installation for the package analyzed. However, the full text of the policy can be accessed on the author's website http://www.memedia.com/meme_privacy_policy.html

No transmission of personally identifiable data being to remote systems was observed during testing, but indications point to a mechanism similar to what WhenU uses in their advertisement products (using a local database to preclude the need for sending specific user data from the local system). The package tested appeared to come with several interest categories pre-defined to ensure that at least some content would be "found" shortly after installation.

System Changes

General defaults for typical path variables (although they may be different, they usually are not):
%ProgramFiles% = \Program Files

Files Added

Installer: setupmemepersonal.exe (5151 KB, MD5: 8BA6976A8DFC35C19BCF62FAFB8EB4C8)

%ProgramFiles%\meme\
_ngs.b_ (375 KB)
vdbk1.jpg (6 KB)
vdbk.jpg (13 KB)
tr.dll (505 KB, MD5: C3D98DAC60F6F8A6AE60BAFA9E6745E6)
privacy.html (12 KB)
memeuninst.exe (263 KB, MD5: 422B25DF8A31A149A07FE83516DBFFC4)
meme.htm (136 KB)
meme.exe (905 KB, MD5: 438A203C0D997959AC7F156A7C737A73)
meme.db (118 KB)
meme.cch (3193 KB)
imgdecoder.dll (412 KB, MD5: D9338EFEB7F0513DD226479EA4050188)
global.css (1 KB)
ffext.mod (12 KB)
fb_ui_logo.gif (3 KB)
eula.html (15 KB)
cde.exe (3481 KB, MD5: 4A8B5CB8CD4DF660F5198C66788825DB)
cae.exe (297 KB, MD5: 77D5BF42C135B3A7C521A8392669EDCA)
about.html (2 KB)

%ProgramFiles%\meme\_anim\
(this folder contains many .png files)

c:\documents and settings\(user name)\start menu\programs\meme\
uninstall instructions.lnk (1 KB)
meme.lnk (1 KB)
customer support.lnk (1 KB)
about meme.lnk (1 KB)

c:\documents and settings\(user name)\cookies\
(user name)@www.memedia[1].txt (1 KB)
(user name)@indexstats[2].txt (1 KB)

Registry
The following elements are added (only more significant/high level listed):

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MeMe"="C:\Program Files\MeMe\MeMe.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MeMe]
"UrlInfoAbout"="file:///C:/Program%20Files/MeMe/about.html"
"UninstallString"=""C:\Program Files\MeMe\MeMeUninst.exe""
"Publisher"="MeMedia"
"HelpLink"="mailto:support@memedia.com"
"DisplayVersion"="1.50"
"DisplayName"="MeMe"
"DisplayIcon"="C:\Program Files\MeMe\MeMe.exe,1"

[HKEY_CURRENT_USER\Software\MeMe]
"src_url"="http://offers.memedia.com/pop_up/"
"PartnerParam"="dt=MeMe;q=;i=1"
"PartnerDesc"="MeMe"
"Partner"="WU3D010725W001"
"SetupCmdLine"="http://web.whenu.com/Offers?iou=i&clp=WU3D010725W001"
"timedDBUpdate_rs"="y"
"Version"="6.51"
"ver_url"="http://www.memedia.com/MeMe/versions.html"
"update_url"="http://app.memedia.com/throttle?name=save4.22"
"script_url"="http://app.memedia.com/throttle?name=script-save-1002700877"
"pat_chunks_url"="http://akapp.memedia.com/DataChunksGZ"
"pats_url"="http://akapp.memedia.com/OffersDataGZ"
"InstallDir"="C:\Program Files\MeMe"

[HKEY_CURRENT_USER\Software\MeMe\Settings]
"runIntro"="N"
"alertToDesktop"="N"

[HKEY_CURRENT_USER\Software\MeMe\Partners\WU3D]
"PartnerParam"="dt=MeMe;q=;i=1"
"PartnerDesc"="MeMe"
"InstallTime"="20070604094558"
"Partner"="WU3D010725W001"

[HKEY_CURRENT_USER\Software\MeMe\interests\Serena Williams]
"guid"="0"
"weight"="100"
"lastModify"="1180975558"

[HKEY_CURRENT_USER\Software\MeMe\interests\rock]
"guid"="0"
"weight"="100"
"lastModify"="1180975558"

[HKEY_CURRENT_USER\Software\MeMe\interests\Michael Vick]
"guid"="0"
"weight"="100"
"lastModify"="1180975558"

[HKEY_CURRENT_USER\Software\MeMe\interests\Chicago Bears]
"guid"="0"
"weight"="100"
"lastModify"="1180975558"

[HKEY_CLASSES_ROOT\TypeLib\{E1D59B9C-C610-4318-87AA-E22D2F68750A}]
[HKEY_CLASSES_ROOT\TypeLib\{DABF362D-D442-4402-9208-CA9ED70DD01E}]
[HKEY_CLASSES_ROOT\TypeLib\{A675138B-7E78-4618-BE19-85F993ACB987}]
[HKEY_CLASSES_ROOT\TR.TRFactory.1]
[HKEY_CLASSES_ROOT\TR.TRFactory]
[HKEY_CLASSES_ROOT\MEME.1]
[HKEY_CLASSES_ROOT\Interface\{F6EAD09A-3824-4E75-8457-A3D3B2A8BD9E}]
[HKEY_CLASSES_ROOT\Interface\{F6E4845D-1D13-4BC0-942D-B9191524CC48}]
[HKEY_CLASSES_ROOT\Interface\{D7FB0EA6-9A9A-4A17-8654-946331ACD77F}]
[HKEY_CLASSES_ROOT\Interface\{D3776A01-7DE0-498D-8987-8B9BB4BB2F5C}]
[HKEY_CLASSES_ROOT\Interface\{CD9CBF70-D5B2-4AB5-9397-650F5610339A}]
[HKEY_CLASSES_ROOT\Interface\{CBC01261-5EDA-4E8D-925E-DD02FAA5A4EA}]
[HKEY_CLASSES_ROOT\Interface\{CB999AF2-D800-4E93-BF9C-6110DBB18CBE}]
[HKEY_CLASSES_ROOT\Interface\{B36D7032-AA9C-4DBC-8411-A62C32CF3202}]
[HKEY_CLASSES_ROOT\Interface\{862DEF42-89AA-49FA-AE1F-8A84B1B08A17}]
[HKEY_CLASSES_ROOT\Interface\{5AC3A9EF-C0F8-41D4-B4E2-B7CEBB794151}]
[HKEY_CLASSES_ROOT\Interface\{4A84E302-6BD7-4B66-8140-EC4972B86C6A}]
[HKEY_CLASSES_ROOT\Interface\{2BD87380-ACFC-4FEF-91CF-382C5834B974}]
[HKEY_CLASSES_ROOT\CLSID\{F4C110AC-2C97-4C7A-B02A-C8F5F7499DDD}]
[HKEY_CLASSES_ROOT\CLSID\{BE4E97D1-E03D-4F20-9792-5652F7850BBD}]
[HKEY_CLASSES_ROOT\CLSID\{9E5AC58F-251B-4525-8273-DA3FD7DB4482}]
[HKEY_CLASSES_ROOT\CLSID\{602D9049-B4AC-4A25-BF75-A9B54D747CBA}]
[HKEY_CLASSES_ROOT\CLSID\{5946ADC0-2BFD-4356-A29B-B56880D280DB}]
[HKEY_CLASSES_ROOT\CLSID\{393AA0EF-A079-460C-8DBB-636DB16DF529}]
[HKEY_CLASSES_ROOT\CDE.InterestCollection.1]
[HKEY_CLASSES_ROOT\CDE.InterestCollection]
[HKEY_CLASSES_ROOT\CDE.Interest.1]
[HKEY_CLASSES_ROOT\CDE.Interest]
[HKEY_CLASSES_ROOT\CDE.EvtTrigger.1]
[HKEY_CLASSES_ROOT\CDE.EvtTrigger]
[HKEY_CLASSES_ROOT\CAE.InterestData.1]
[HKEY_CLASSES_ROOT\CAE.InterestData]
[HKEY_CLASSES_ROOT\CAE.Analyzer.1]
[HKEY_CLASSES_ROOT\CAE.Analyzer]
[HKEY_CLASSES_ROOT\AppID\{C246F100-ADD0-47C0-8720-9D5A7C0385EA}]
[HKEY_CLASSES_ROOT\AppID\{7168D890-7DD2-4ABE-B3CA-BDBC701A32C7}]
[HKEY_CLASSES_ROOT\AppID\{69E0089F-28BC-4BB5-862B-E2B07C3B83C6}]
[HKEY_CLASSES_ROOT\AppID\TR.DLL]
[HKEY_CLASSES_ROOT\AppID\CDE.EXE]
[HKEY_CLASSES_ROOT\AppID\CAE.EXE]

Network Impact

Additional overhead in bandwidth due to background download of program data and searches for content matching user interest categories.

Symptoms

Symptoms -

Method of Infection

Method of Infection -

Removal -

Removal -

Instructions on Enabling/Disabling Detection and Removal of Potentially Unwanted Programs

Variants

Variants -

N/A