Updated: October 12, 2007 4:40:46 PM
Type: Adware
Infection Length: 68,936 bytes
Name: Mycashbag
Version: 1.0.0.1
Risk Impact: Low
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000
When the security risk is executed, it creates the following files:
- %ProgramFiles%\mycashbag\cashbackban.dat
- %ProgramFiles%\mycashbag\cashbackok.dat
- %ProgramFiles%\mycashbag\cashbackskip.dat
- %ProgramFiles%\mycashbag\getinfo.dll
- %ProgramFiles%\mycashbag\License.txt
- %ProgramFiles%\mycashbag\mycashbag.dll
- %ProgramFiles%\mycashbag\uccbp.exe
- %ProgramFiles%\mycashbag\uninstall.exe
Next, it creates the following registry entry so that it executes whenever Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"MyCashbag" = "%ProgramFiles%\mycashbag\uccbp.exe"
It also creates the following registry subkeys:
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{04EF01BB-6BFC-4BF5-B0A8-F15F62E4A541}
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{302E917D-6BD5-4E5F-9BFA-602F08A1C12D}
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4269BF80-E154-4137-884E-1627CF035202}
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{23FE1A81-8A32-4137-ABDE-47D076676E26}
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{5AB7B412-F020-406E-BFE9-D9488BEF86DC}
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6750144B-49DB-480F-AD0E-66D998E9936D}
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{83EBBC91-8A3C-4D0B-8C5B-DF2C9562B43F}
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9BC60CB0-D2D0-4C1E-9A34-D39CD2D87E4E}
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{A8BAC09E-D965-4896-8E0E-C5B0452BD5F3}
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{E4F1A956-BBA6-4FF5-BDE9-7A6A3FF0F5D0}
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Getinfo.Util
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Getinfo.Util.1
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Mycashbag.ToolBar
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Mycashbag.ToolBar.1
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Mycashbag.ViewSource
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Mycashbag.ViewSource.1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB38A9DF-23D4-4252-B207-62E0476CBEAC}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{04EF01BB-6BFC-4BF5-B0A8-F15F62E4A541}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mycashbag
- HKEY_LOCAL_MACHINE\SOFTWARE\mycashbag
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{04EF01BB-6BFC-4BF5-B0A8-F15F62E4A541}
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FB38A9DF-23D4-4252-B207-62E0476CBEAC}
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4269BF80-E154-4137-884E-1627CF035202}
The security risk installs an Internet Explorer toolbar.
It displays popup advertisements whenever certain Web sites are visited or when the user performs certain searches.
Writeup By: Esmonde Morgan
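The following read-only PowerShell check is an added example, not part of the original writeup. It looks for the Run value, a subset of the registry subkeys and the files listed above, and reports what it finds. Checking the WOW6432Node registry view and "Program Files (x86)" is an assumption about how a 32-bit installer behaves on 64-bit Windows; the writeup itself does not mention it.

```powershell
# Added example: read-only check for Mycashbag artifacts named in this writeup.
$bho = '{04EF01BB-6BFC-4BF5-B0A8-F15F62E4A541}'   # Browser Helper Object CLSID (from the page)
$ext = '{FB38A9DF-23D4-4252-B207-62E0476CBEAC}'   # Internet Explorer extension GUID (from the page)

# Assumption (not stated on the page): on 64-bit Windows a 32-bit installer is
# redirected to WOW6432Node and "Program Files (x86)", so both views are checked.
$softwareRoots = 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node'
$programDirs   = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ } | Select-Object -Unique

$findings = @()

foreach ($root in $softwareRoots) {
    # Autostart value "MyCashbag" under the Run key
    $runKey = "$root\Microsoft\Windows\CurrentVersion\Run"
    $run = Get-ItemProperty -LiteralPath $runKey -Name 'MyCashbag' -ErrorAction SilentlyContinue
    if ($run) {
        $findings += [pscustomobject]@{ Kind = 'Run value'; Location = "$runKey\MyCashbag"; Data = $run.MyCashbag }
    }

    # Subkeys that load the toolbar into Internet Explorer or register the product
    $subkeys = @(
        "Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$bho",
        "Microsoft\Internet Explorer\Extensions\$ext",
        "Microsoft\Windows\CurrentVersion\Uninstall\mycashbag",
        "Classes\CLSID\$bho",
        "Classes\Mycashbag.ToolBar",
        "mycashbag"
    )
    foreach ($sub in $subkeys) {
        $key = "$root\$sub"
        if (Test-Path -LiteralPath $key) {
            $findings += [pscustomobject]@{ Kind = 'Registry key'; Location = $key; Data = '' }
        }
    }
}

# Files dropped into the mycashbag program directory; Data holds the size in bytes
$files = 'uccbp.exe', 'mycashbag.dll', 'getinfo.dll', 'uninstall.exe',
         'cashbackban.dat', 'cashbackok.dat', 'cashbackskip.dat', 'License.txt'
foreach ($dir in $programDirs) {
    foreach ($name in $files) {
        $path = Join-Path (Join-Path $dir 'mycashbag') $name
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $findings += [pscustomobject]@{ Kind = 'File'; Location = $path; Data = (Get-Item -LiteralPath $path).Length }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else { 'No Mycashbag artifacts from this writeup were found.' }
```

The script only reads the registry and file system and changes nothing; the HKEY_CURRENT_USER entries listed above are per-user and would need to be checked in each user's profile.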