Research: May 2007 Archives

Here's an interesting roundup of unrelated oddities from China and Korea for you to get your teeth into. First off, let's look at something that redirects you to... er... well, you'll see.

[Screenshot: poo1.jpg]

From this file leaps great things - or at least, a bizarrely named hijack:

[Screenshot: http://blog.spywareguide.com/upload/2007/05/poo2-thumb.jpg]

That's right: the IE homepage is hijacked to Pooo.cn (Beta!), and restrictions are placed in the IE settings so that it can't easily be changed back. The site itself is a typical Chinese multimedia portal with an endless collection of videos and Flash animations:

[Screenshot: http://blog.spywareguide.com/upload/2007/05/poo3-thumb.jpg]

...yeah, makes no sense to me either. So there we have it, short, sweet and, er, odd.
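A check a practitioner would want at this point, as an added example that is not code from the original post or from the hijacker: the IE homepage lives in the "Start Page" value under HKCU\Software\Microsoft\Internet Explorer\Main, and the usual way of stopping the user from changing it back is the HomePage DWORD under HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel (the "Disable changing home page settings" policy). The script below parses a .reg export of those two keys and flags a Start Page that points outside an operator-chosen allow-list, together with the lock. The SAMPLE_REG text is constructed for illustration and was not captured from the sample above; the allow-list hosts are likewise an assumption.

```python
import re
from urllib.parse import urlsplit

# Constructed .reg export used as sample input. It is not data taken from the
# hijacker in the post, only the shape such an export has.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.pooo.cn/"
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel]
"HomePage"=dword:00000001
'''

MAIN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"
POLICY_KEY = r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel"

_SECTION_RE = re.compile(r"^\[(.+)\]$")
# "name"="string"  or  "name"=dword:00000001  (the two types these keys use)
_VALUE_RE = re.compile(r'^"([^"]+)"=(?:"((?:[^"\\]|\\.)*)"|dword:([0-9A-Fa-f]{8}))$')


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: value}}.

    REG_SZ strings are unescaped and REG_DWORD values become ints; other
    value types (hex:, multi-line blobs) are skipped, which is enough here.
    """
    tree = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        sec = _SECTION_RE.match(line)
        if sec:
            current = sec.group(1)
            tree.setdefault(current, {})
            continue
        val = _VALUE_RE.match(line)
        if val and current is not None:
            name, string, dword = val.groups()
            if dword is not None:
                tree[current][name] = int(dword, 16)
            else:
                # .reg escapes backslash and quote with a backslash
                tree[current][name] = re.sub(r"\\(.)", r"\1", string)
    return tree


def homepage_host(url):
    """Host of the Start Page URL, lower-cased, with a leading 'www.' dropped."""
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def check_homepage_hijack(tree, allowed_hosts):
    """Return findings: a Start Page outside the allow-list and/or the policy
    lock that keeps the user from changing it back. An empty list means clean."""
    findings = []
    start = tree.get(MAIN_KEY, {}).get("Start Page")
    if isinstance(start, str) and homepage_host(start) not in allowed_hosts:
        findings.append("start_page_unexpected:" + homepage_host(start))
    if tree.get(POLICY_KEY, {}).get("HomePage") == 1:
        findings.append("homepage_locked_by_policy")
    return findings


if __name__ == "__main__":
    # allow-list is an assumption; use whatever your build standard sets
    for finding in check_homepage_hijack(parse_reg(SAMPLE_REG), {"msn.com", "microsoft.com"}):
        print(finding)
```

On a real machine, feed it the concatenated output of `reg export "HKCU\Software\Microsoft\Internet Explorer" ie.reg` and `reg export "HKCU\Software\Policies\Microsoft\Internet Explorer" pol.reg` (open them with encoding "utf-16", which is what reg.exe writes). The same value names also exist under HKEY_LOCAL_MACHINE, which this script deliberately does not look at; a hijacker that writes there would need the HKLM paths added to the two constants.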

Next up, something I came across while looking for something else. Sadly, the main site this stuff launches from is apparently dead, but that doesn't mean we can't take a look at it:

[Screenshot: sweet1.jpg]

...well, we all like sweets, right? If you run the executable, you'll see what is presumably a EULA:

[Screenshot: http://blog.spywareguide.com/upload/2007/05/sweet2-thumb.jpg]

Of course, I have no idea what it says but let's press on anyway:

[Screenshot: http://blog.spywareguide.com/upload/2007/05/sweet3-thumb.jpg]

I can't be sure, but it looks like some sort of media player. Another offering from the same people gives us a (very limited) web browser:

[Screenshot: http://blog.spywareguide.com/upload/2007/05/sweetbrowser1-thumb.jpg]

...again, with the main site down it doesn't currently do much other than sit there and look nice. However, thanks to the wonderful Internet Archive, we can go back and have a look at the main site:

[Screenshot: http://blog.spywareguide.com/upload/2007/05/sweet4-thumb.jpg]

...so, it looks like a good bet that both of these applications were simply there to serve up the movies and videos from that website. If the site ever comes back online, we might be able to get a firm answer and wrap everything up in a neat little bow or something...

Here's a weird one. There are hints and suggestions that some sort of advertising mechanism is in place, but with the program being from Korea it's somewhat tricky to know exactly what is going on. Let's take a look anyway...

[Screenshot: http://blog.spywareguide.com/upload/2007/05/da0-thumb.jpg]

Of course, the site is in Korean, and the EULA isn't exactly easy to understand, which doesn't really help:

[Screenshot: http://blog.spywareguide.com/upload/2007/05/da1-thumb.jpg]

In fact, the installer is so fiddly that it took a good five minutes to work out which buttons to press to get it to run in the first place! After everything is up and running on the PC, this is what we're left with:

[Screenshot: da2.jpg]

...and now it's time to run this thing and see what it does! An icon is dumped onto the Taskbar and into IE itself, and when you click either you see this:

[Screenshot: http://blog.spywareguide.com/upload/2007/05/da3-thumb.jpg]

...yeah, I have no clue either. If you click into the other tab, things look a little more useful:

[Screenshot: http://blog.spywareguide.com/upload/2007/05/da4-thumb.jpg]

From the looks of it, one of the primary functions of this program is to store basic "notes" about the sites you visit in the interface. Beyond that, I have no idea whether you can do more with the data you input, or whether the program has any other "features". Here's where it gets interesting. From the machine-translated page:

To case of the keyword which the user does not register with the site which generally is useful movement
- Ex) Seoul watching -> seoul.go.kr/ and pcfree -> pcfree.co.kr
- -> With www automatic conversion function.
- In compliance with the malignant cord or other Hangul (Korean alphabet) keyword program the function which intercepts the part which is rightly connected with an advertisement characteristic site in the dictionary.
- The user wants search engine configuration feature.
- Up-to-date version connection (DirectConnector) it maintains rightly the automatic update function for. (Default)

Allowing for a hopeless translation, this is effectively saying that it grabs keywords and relates them to advertisements in the "dictionary". Of course, I don't know what "dictionary" they mean. A built-in word list used to pop relevant adverts? Or something else altogether? Who knows, but I couldn't get it to pop anything while running it, so a final verdict on this thing is still pending.

...don't you just hate it when that happens?

Summary Write-Up: Chris Boyd, Director of Malware Research
File Discovery: Chris Mannon, FSL Senior Threat Researcher

About this Archive

This page is an archive of entries in the Research category from May 2007.
