Adware / Spyware Issues: October 2007 Archives

Do you think the following website is all sweetness and light?

.....well, now that you mention it....

....whoops. Still, it's worth noting that, as with so many of these infection files, you DO sometimes get a few chances to redeem yourself before everything goes pear shaped:

Mind you, this would be a pretty boring blog entry if we did the sensible thing and failed to run the executable, right? Run it, run it, I hear you cry.

Well, okay then, just for you I'll run it...this is what ends up in your System32 Folder:


One of the files made reference to IFRAMES inside the code - never a good sign:


The page mentioned wasn't available during testing, so it could have been trying to load pretty much anything at all, from dubious advert to rogue executable. Who knows. What we do know is that when everything is done and dusted, you're left with references to Browser Helper Objects:


...Winsock Layer hijacks...


...and a rogue service:


....that's a lot of hoop jumping to monitor what websites you're visiting, but oh well.

YHGames - no fun, no games.

Presenting IKatzu, the browser helper object that supposedly pops adverts but doesn't actually seem to do anything. Not at the moment, anyway - but that doesn't mean we can't investigate. Shall we dig around behind the scenes and see where this comes from? Let's kick things off by looking at some of the files that get dumped into your System32 folder when the initial executable is activated by the user:


The purpose of this bundle of joy is to show you adverts - as you might have expected. However, what's far more interesting than the actual application is the tangled web behind the software. A quick Google for the program seems to hint at a page promising terms and conditions, from a site called However, at present the "page is not available". Thanks to good old Google cache, I was able to retrieve the T&Cs - because I'm sure Artella don't want those going missing, right? - and ran them through the EULA Analyzer. A brief look at the page made my teeth grind and probably clench a few fists, because it is so reminiscent of the "Olde Worlde" Adware bundle license agreements from 2005 / 06, where six-hundred-odd applications are listed along with links to other website EULAs, many of which would lead you to 404 errors or worse. I was hoping this kind of license had gone out with the Ark, but apparently not. In this case, things aren't much better - for the sake of an application that's supposed to show you some adverts, on a regular 17-inch monitor (at least, I think that's what I'm using, don't blame me if I'm wrong), the whole thing took SEVENTEEN PAGES OF INDIVIDUAL TEXT to scroll through.

That's a lot of text.

There are also a few links off site to other pages of information, and references to companies that might be included "if applicable". All in all, not the best start. However, it gets worse - the entire EULA can be read here, and these are the results:

Number of characters: 55671
Number of words: 9399
Number of sentences: 357
Average words per sentence: 26.33
Flesch Score: 23.5
Flesch Grade: 17 : Beyond Twelfth Grade reading level
Automated Readability Index: 20 : Beyond Twelfth Grade reading level
Coleman-Liau Index: 21 : Beyond Twelfth Grade reading level
Gunning-Fog Index: 42 : Beyond Twelfth Grade reading level

...that's a pretty crazy EULA someone expects you to wade through. 9,399 words? 300+ sentences? All to see some ads? No thanks.

There's a fair amount of talk regarding removal of the advertising software in conjunction with something called "", so off we go to have a look:
...is it just me, or does the picture of the laughing dude creep you out too? Ick. Anyway, a Whois search is predictably fruitless:

Any and all useful information is hidden by "Moniker Privacy Services". That seems to be true for most (if not all) sites involved in this distribution network. We're left with Artella, so let's go check them out:

The interesting thing here is that although this site also has its contact details hidden via Moniker Privacy Services, they sort of made that pointless by placing an address on the front page of their website - 48 Bella Vista, Edificio No. 27, Local No. 2, Ciudad de Panama, Rep. De Panama.

Bit weird?

Anyway, we finally have an address so we're vaguely better off than we were previously. However - things are about to get even weirder. Let's take a quick jump over to their Uninstall Page where they come down hard on anyone wanting to remove their application from a PC:

"Please be aware that many so called "ad ware removers" and "spy ware removers" can cause damage to your computer and may alter your computer in such a way that our automated removal application will not function. At the present time, there is no third party software which is capable of removing Artella applications. If you have purchased an application which claims to remove Artella, we encourage you to contact your credit card company and request an immediate reversal with the reason of "Product Not As Described" and/or contact the Better Business Bureau."

.....ouch! And "no third party which is capable of removing Artella applications"? I guess this was just a dream, then. I went and tried their Uninstaller:


Imagine my dismay, then, when after hitting the YOU REMOVE NOW button the entry from Add / Remove programs just....vanished. No confirmation, no box appearing to say job well done....nothing. The entry from "Manage Add Ons" in IE had vanished, and a few files had disappeared from the System32 Folder, but that was about it - a bunch of files were still sitting there with no real indication that anything much had changed.

So I restarted my machine, hoping to see a lean, clean machine - but, lo and behold....


...the same files, still sitting there! Are they active? Are they dead? And aren't I supposed to report those pesky removal tools to the Better Business Bureau? "Who knows" is what the response of the average (and probably not so average) Internet user is going to be. Even better, running a quick HijackThis scan shows the following:


...ads_cpd.exe is still listed as a service! (It's still sitting in the System32 Folder, too). Considering they spent so much time complaining about third party removal tools, you'd have thought they'd have done a better job of it with their own uninstaller but oh well.
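As an added example (not code from the original post), here is a small Python triage script in the spirit of the HijackThis scan above: it reads HijackThis-style O2 (Browser Helper Object), O10 (Winsock LSP) and O23 (service) lines, flags the persistence entries this kind of bundle leaves behind, and then checks which flagged binaries are still on disk after a vendor "uninstall". The sample log lines, CLSIDs and DLL names are constructed for the example; only ads_cpd.exe is taken from the page.

```python
import re
from dataclasses import dataclass

# HijackThis sections discussed above: O2 = BHOs, O10 = Winsock LSP hijacks, O23 = services.
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
LSP_RE = re.compile(r"^O10 - (?P<desc>.*?): (?P<path>.+)$")
SVC_RE = re.compile(r"^O23 - Service: (?P<name>.*?) \((?P<short>.*?)\) - (?P<owner>.*?) - (?P<path>.+)$")

# Constructed sample log: CLSIDs and DLL names are invented; ads_cpd.exe is the service named above.
SAMPLE_LOG = r"""O2 - BHO: (no name) - {11111111-2222-3333-4444-555555555555} - C:\WINDOWS\system32\bhoplugin.dll
O2 - BHO: Vendor PDF Link Helper - {22222222-3333-4444-5555-666666666666} - C:\Program Files\Vendor\PDFHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lsphelper.dll
O23 - Service: ads_cpd (ads_cpd) - Unknown owner - C:\WINDOWS\system32\ads_cpd.exe
O23 - Service: Windows Time (W32Time) - Unknown owner - C:\WINDOWS\system32\svchost.exe -k netsvcs
"""

@dataclass
class Finding:
    section: str
    name: str
    path: str
    reason: str

def basename(path):
    return path.lower().rsplit("\\", 1)[-1]

def triage(log_text):
    """Return the persistence entries worth a second look, with the reason each was flagged."""
    findings = []
    for line in log_text.splitlines():
        if m := BHO_RE.match(line):
            # An unnamed BHO, or one loaded straight out of System32, is the pattern this bundle leaves.
            if m["name"] == "(no name)" or "\\system32\\" in m["path"].lower():
                findings.append(Finding("O2", m["name"], m["path"], "unnamed or System32-resident BHO"))
        elif m := LSP_RE.match(line):
            # HijackThis only lists LSP files it cannot identify; an unknown LSP sees every browser connection.
            findings.append(Finding("O10", m["desc"], m["path"], "unrecognised Winsock LSP"))
        elif m := SVC_RE.match(line):
            # svchost-hosted services are normal; an ownerless standalone binary in System32 is not.
            if m["owner"] == "Unknown owner" and not basename(m["path"]).startswith("svchost.exe"):
                findings.append(Finding("O23", m["short"], m["path"], "ownerless standalone service"))
    return findings

def survivors(findings, files_still_present):
    """Flagged entries whose binary is still on disk, e.g. after running the vendor's uninstaller."""
    present = {f.lower() for f in files_still_present}
    return [f for f in findings if basename(f.path).split()[0] in present]
```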

We're not done yet with this page, either. Remember "48 Bella Vista", listed as their "main headquarters" on the frontpage of their website? Well on the Uninstall Page, their "main headquarters" are listed as "Avenida Winston Churchill, Edificio Vista Del Mar, No. 43 Ciudad de Panamá, Rep. De Panamá." ...is it just me, or do they have two different main headquarters?

Let's finish this one off with a familiar face - going back to the huge EULA page, who should be listed but....

...Mirar! Yep, just when you thought things couldn't get any more convoluted, along comes yet another element into an already crowded and confusing mix.

....what was I writing about again? Oh yeah, IKatzu. Sorry. Given the seemingly endless EULA pages, the amount of secrecy with regard to who a lot of these associated sites are registered to, the multiple "main headquarters" addresses, T&C pages that seemingly no longer exist and an uninstaller that doesn't really instill faith into the end-user, I don't recommend installing this application. ...be honest, did you think I was going to say anything else?

Q Nyx - Popup Heaven


Here's an interesting one from China..."Q Nyx". No idea what that means, but it isn't good if you get it on your PC. Your computer won't go into meltdown or anything, but you will see a lot of popups. It's a fairly standard hijack, with a whole bunch of files dumped into your System32 Folder:

From there, generic popup windows and slightly porntacular images are the order of the day:

A number of security programs are mentioned in the code of one of the executables, which would seem to indicate it's going to try and tamper with them:


....never a good thing, really, is it?

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research and Discovery: Chris Mannon, FSL Senior Threat Researcher

My colleague Chris Mannon recently came across a file that contains all sorts of Botnet fun and games, along with a fair amount of spam related action into the bargain....and a final tie-in to a familiar face. Shall we take a look?

Of course.

I always like to get a look at the file sitting all harmless and stuff on the desktop - don't you? I hope so, because here it is:


...yeah, it's not doing much yet but it does get more interesting. If the end user is duped into running the executable, it vanishes and deposits two files into the System32 Directory:


It should come as no surprise that both files are "in use" by another application and you can't delete them via normal methods.

That's not all - I mentioned Spam, right? Well, while running, it has the ability to manipulate mail in Outlook (spam, spam, spam, spam) and specifically looks for Opera Mail usernames and passwords.

Can you guess what kind of Spam it sends?


....yep, it's related to our "good friend" The Storm Worm, because "Get Krackin" is the latest scam to come out of the Storm Stable.

We detect this bundle of joy as DSData.

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research and Discovery: Chris Mannon, FSL Senior Threat Researcher

Skype were good enough to notify us about something they recently came across, and the results are pretty interesting. To kick things off, here's a victim complaining about the infection on the Skype forum. that? Okay, cool. Then let's begin:


As you might have guessed, that's the executable sitting on your desktop. Run it, and you'll see the following:


...oooh, the promise of plug-in excitement! However, what you see next should give the game away. Note the amazingly out of place login button on the fake Skype application:

If you enter your login details, you'll be handed a "Your details aren't valid" message:
...at which point, your login credentials have been sent back to base. We detect this as Skype Defender - do yourself a favour, and ONLY download applications related to Skype from the official Skype website.


About this Archive

This page is an archive of entries in the Adware / Spyware Issues category from October 2007.
