A Korean Trick or Treat?


Here's a weird one - there are hints and suggestions that some sort of advertising mechanism is in place, but with the program being from Korea it's vaguely tricky to know exactly what is going on. Let's take a look anyway...

http://blog.spywareguide.com/upload/2007/05/da0-thumb.jpg

Of course, the site is in Korean and the EULA isn't exactly easy to understand, which doesn't really help:

http://blog.spywareguide.com/upload/2007/05/da1-thumb.jpg

In fact, the installer is so fiddly it took a good five minutes to work out what buttons to press to get it to run in the first place! After everything is up and running on the PC, this is what we're left with:

da2.jpg

...and now, it's time to run this thing and see what it does! An icon is dumped onto your Taskbar and into IE itself, and when you click either you see this:

http://blog.spywareguide.com/upload/2007/05/da3-thumb.jpg

......yeah, I have no clue either. If you click into the other tab, things look a little more useful:

http://blog.spywareguide.com/upload/2007/05/da4-thumb.jpg

From the looks of it, one of the primary functions of this program is to store basic "notes" about the sites you visit in the interface. Beyond that, I have no idea if you can do more with the data you input, or if the program has any other "features". Here's where it gets interesting - from the translated page:

To case of the keyword which the user does not register with the site which generally is useful movement
- Ex) Seoul watching -> seoul.go.kr/ and pcfree -> pcfree.co.kr
- -> With www automatic conversion function.
- In compliance with the malignant cord or other Hangul (Korean alphabet) keyword program the function which intercepts the part which is rightly connected with an advertisement characteristic site in the dictionary.
- The user wants search engine configuration feature.
- Up-to-date version connection (DirectConnector) it maintains rightly the automatic update function for. (Default)

Allowing for a hopeless translation, this is effectively saying it grabs keywords and relates them to advertisements in the "dictionary". Of course, I don't know what "dictionary" they speak of. Built-in word list to pop relevant adverts? Or something else altogether? Who knows, but I couldn't get it to pop anything while running it, so a final decision on this thing is still pending.

...don't you just hate it when that happens?

Summary Write-Up: Chris Boyd, Director of Malware Research
File Discovery: Chris Mannon, FSL Senior Threat Researcher


About this Entry

This page contains a single entry by Christopher Boyd published on May 18, 2007 7:54 AM.
