MicroBillSystems

Type: Program
SubType:
Discovery Date: 07/17/2007
Minimum DAT: 5076 (07/17/2007)
Updated DAT: 5111 (09/03/2007)
Minimum Engine: 5.1.00
Description Added: 07/17/2007
Description Modified: 09/04/2007 2:23 PM (PT)

Characteristics

McAfee(R) AVERT™ recognizes that this program may have legitimate uses in contexts where an authorized administrator has knowingly installed this application. If you agreed to a license agreement for this, or another bundled application, you may have legal obligations with regard to removing this software, or using the host application without this software. Please contact the software vendor for further information.

See http://vil.mcafeesecurity.com/vil/DATReadme.aspx for a list of Program detections added to the DATs.

See http://vil.mcafeesecurity.com/vil/pups/configuration.aspx for information about how to enable, disable, and exclude detection of legitimately installed programs.

This software was initially detected as "FakeBillPayment-A" in DATs prior to 5111.

Distribution

This is not a virus or a trojan. It is detected as a "potentially unwanted program." It is software designed to display increasingly intrusive billing reminders on systems that have been used to access online services using MicroBillSystems for payment/collection. Such online services include sexxxpassport.com, which is used here for example purposes.

To obtain the installer, a checkbox must be selected and then the "GET INSTANT ACCESS NOW!" button pressed. The Terms & Conditions document is not shown unless the user clicks on the large text link (the entire underlined paragraph of text). In that case, the Terms, which run to over 11 pages, are appended to the bottom of the existing browser page.

The software consists primarily of a pair of executables, both of which are set up to launch at each system startup via a registry Run key value. The run value launches the first executable, which then starts the second as a child process. These two processes then co-maintain each other. Once the software is installed and operational, the user is granted access to the website content. No identifying information (name, address, credit card or other billing information) is obtained or required at any point.

Appearing to match the schedule outlined in Section 16.6 of the Terms & Conditions, popup windows begin to appear after three days (the end of the "free trial" period). At that point the user is assumed to be agreeing to pre-billing for 90 days of access to the site, according to the terms.

Over a period of several weeks, these popups become more persistent, eventually appearing without providing the ability to close or minimize them for increasing lengths of time. If the user attempts to resize the window, it will snap back to original size shortly afterward. Additionally, the window has the "always on top" attribute set, obscuring other applications or windows beneath it and impeding use of the system. As noted in the Terms, the billing notices are displayed whether or not the system has an active Internet connection.

Privacy

Upon execution of the installer, no visible indication is given that any software is being installed. Several files are dropped and many registry entries are created. No license agreement is displayed, although a "Terms of Service" document is available on the website from which the software is downloaded. The software communicates with MicroBillSys.com servers via SSL.

System Changes

Typical default values for the environment variables used below (they can differ on a given system, but usually do not):
%WinDir% = \WINDOWS (Windows 9x/ME/XP), \WINNT (Windows NT/2000)

Files Added

%WinDir%\system32\mbssm32.exe (590,336 bytes, MD5: 0F6B0C488DF425D06FFB9FDAA40A96C3)
%WinDir%\system32\mbsrm32.exe (91,648 bytes, MD5: AFBD3F7AA39AD33095BBA3D6EEECBC74)

Registry

The following registry value is created:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    "mbssm32"="C:\Windows\System32\mbssm32.exe"
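
An added example, not part of the original McAfee description: a PowerShell check for the two files and the Run value listed above. The function and variable names are hypothetical, and a file whose name matches but whose size or MD5 differs is reported as NameOnly, since a different build would not match the hashes recorded here.

```powershell
# Indicators copied from the "Files Added" and "Registry" sections of this page.
$Indicators = @(
    @{ Name = 'mbssm32.exe'; Size = 590336; MD5 = '0F6B0C488DF425D06FFB9FDAA40A96C3' },
    @{ Name = 'mbsrm32.exe'; Size = 91648;  MD5 = 'AFBD3F7AA39AD33095BBA3D6EEECBC74' }
)
$RunKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$RunValue = 'mbssm32'

# Hypothetical helper: look for one listed file in a directory and compare size and MD5.
function Test-MbsFile {
    param([string]$Directory, [hashtable]$Indicator)
    $path = Join-Path $Directory $Indicator.Name
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { return $null }
    $item = Get-Item -LiteralPath $path -Force
    $md5  = (Get-FileHash -LiteralPath $path -Algorithm MD5).Hash
    [pscustomobject]@{
        Type   = 'File'
        Path   = $path
        # A name match with a different size or hash may be another build; flag it for review.
        Match  = if ($md5 -eq $Indicator.MD5 -and $item.Length -eq $Indicator.Size) { 'Exact' } else { 'NameOnly' }
        Detail = "size=$($item.Length) md5=$md5"
    }
}

# Hypothetical helper: report the Run value that launches the first executable at startup.
function Test-MbsRunValue {
    $props = Get-ItemProperty -LiteralPath $RunKey -Name $RunValue -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    [pscustomobject]@{
        Type   = 'RunValue'
        Path   = "$RunKey\$RunValue"
        Match  = 'Exact'
        Detail = [string]$props.$RunValue
    }
}

$findings = @()
foreach ($i in $Indicators) {
    $findings += Test-MbsFile -Directory (Join-Path $env:WinDir 'system32') -Indicator $i
}
$findings += Test-MbsRunValue
$findings = @($findings | Where-Object { $_ })   # drop the $null results for absent indicators

if ($findings.Count -eq 0) { 'No MicroBillSystems indicators from this page were found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```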

Network Impact

Slight additional overhead in bandwidth due to software communications to MicroBillSys.com servers.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Aliases

  • FakeBillPayment-A