||||
Symantec.com > Security Response > Threats and Risks > Adware.BargainBuddy
PRINT THIS PAGE

Adware.BargainBuddy

Printer Friendly Page

Updated: November 6, 2007 3:01:47 PM
Type: Adware
Version: 1.0
Publisher: exact Advertising
Risk Impact: Low
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows NT, Windows Server 2003, Windows 2000

When Adware.BargainBuddy is executed, it creates several files and folders in the following location: %ProgramFiles%\Bargain Buddy

Next, the program may create some or all of the following files:
  • %System%\angelex.exe
  • %System%\instsrv.exe
  • %System%\msexreg.exe
  • %System%\netut80ex.vxd
  • %System%\bbchk.exe
  • %System%\exclean.exe
  • %System%\exdl.exe
  • %System%\exdl0.exe
  • %System%\exdl1.exe
  • %System%\exul.exe
  • %System%\javexulm.vxd
  • %System%\mqexdlm.srg
  • %System%\msbe.dll
  • %System%\msxct.exe
  • %Windir%\bbchk.exe
  • %Windir%\exclean.exe
  • %Windir%\exdl.exe
  • %Windir%\exul.exe
  • %Windir%\msxct.exe
  • %Windir%\msxct1.ini
  • %Windir%\zeta.exe
  • %Windir%\ahcb.exe
  • %Windir%\Prefetch\gcrc.txt
  • %Windir%\msxct1.ini
  • %System%\vx0.nls
  • %System%\vx0x.nls
  • %System%\vx1.nls
  • %System%\vx1x.nls
  • %System%\vx2.nls
  • %System%\vx2x.nls
  • %System%\vx3.nls
  • %System%\vx3x.nls
  • %System%\javex80.vxd
  • %System%\ide21201.vxd
  • %System%\netut80ex[TWO VARIABLE CHARACTERS].vxd
  • %System%\psis80ex.ax
  • %System%\mac80ex.idf
  • %System%\trkgif.exe
  • %Windir%\bargain4.exe
  • %Windir%\*MARKETING*.exe
  • %Windir%\Downloaded Program Files\installer_MARKETING1.exe
  • %UserProfile%\Local Settings\Temp\bb.exe


The program may then create the following registry entries so that it executes whenever Windows starts:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Bargains" = "%ProgramFiles%\Bargain Buddy\bin\bargains.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"msxct" = "msxct.exe"


It also creates the following registry subkeys:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Bargains
  • HKEY_LOCAL_MACHINE\SOFTWARE\exactUtil
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Bargains
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BargainBuddy
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{0878B424-1F95-4E26-B5AB-F0D349D89650}
  • HKEY_CLASSES_ROOT\CLSID\{CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1}
  • HKEY_CLASSES_ROOT\Interface\C6906A23-4717-4E1F-B6FD-F06EBED14177}
  • HKEY_CLASSES_ROOT\Interface\{8EEE58D5-130E-4CBD-9C83-35A0564EA119}
  • HKEY_CLASSES_ROOT\TypeLib\{4EB7BBE8-2E15-424B-9DDB-2CDB9516A2A3}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Apuc.UrlCatcher
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Apuc.UrlCatcher.1
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ZESOFT
  • HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets\_SC_ZESOFT
  • HKEY_LOCAL_MACHINE\SOFTWARE\CashBack
  • HKEY_LOCAL_MACHINE\SOFTWARE\NaviSearch
  • HKEY_LOCAL_MACHINE\SOFTWARE\eXactUtil


The program installs itself as a Browser Helper Object for Internet Explorer.

It then monitors Internet usage. It has been reported that the risk will attempt to send information to a remote server.

The program also displays advertisements downloaded on TCP port 80, from the following domain:
adp.ikena.com
Search by name
Example: W32.Beagle.AG@mm
Windows 7
Windows Vista Security
©1995 - 2009 Symantec Corporation
Site Map|
Legal Notices|
Privacy Policy|
|
Contact Us|
Global Sites|
License Agreements|
RSS