Updated: February 13, 2007 11:32:40 AM
Type: Adware
Publisher: GAIN Publishing
Risk Impact: Low
File Names:
Fsg_[VERSION NUMBER].exe
Trickler_[VERSION NUMBER].exe
CMESys.eGMT.exe
GainPlugin.dll
HDPlugin
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
When Adware.GAIN is installed, it does the following:
- May insert a file in the %System% folder. The file name appears to differ depending on which program installs Adware.GAIN. Some known file names are:
- Fsg_[VERSION NUMBER].exe
- Trickler.exe
Note: %System% is a variable. The adware component locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
- Creates the following files:
- %ProgramFiles%\Common Files\CMEII\*.*
- %ProgramFiles%\Common Files\GMT\*.*
- %Windir%\Temp\Trickler_[VERSION NUMBER].exe
- %Windir%\Temp\fsg[VERSION NUMBER].exe
- %Windir%\Downloaded Program Files\GainPlugin.dll
- %UserProfile%\Start Menu\Programs\Startup\GStartup.lnk
- C:\Documents and Settings\All Users\Start Menu\Programs\GAIN Publishing\About GAIN Publishing.lnk
- C:\Documents and Settings\All Users\Start Menu\Programs\GAIN Publishing\GAIN Publishing Web Site.URL
Notes:
- %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
- %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\Winnt (Windows NT/2000).
- %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[Current User] (Windows NT/2000/XP).
- Creates the following registry subkeys:
HKEY_CLASSES_ROOT\CLSID\{54e7e082-1da6-412e-96b5-c290fcef5329}
HKEY_CLASSES_ROOT\CLSID\{DBAE7000-01EC-4162-8FEB-8A27AC937CA0}
HKEY_CLASSES_ROOT\Interface\{22D34833-06F9-4CE6-9FF7-CE4DA0BA351D}
HKEY_CLASSES_ROOT\Interface\{54E7E080-1DA6-412E-96B5-C290FCEF5329}
HKEY_CLASSES_ROOT\TypeLib\{2EC7A834-9C5E-4154-BADC-0D86A2EDC82D}
HKEY_CLASSES_ROOT\TypeLib\{54E7E081-1DA6-412E-96B5-C290FCEF5329}
HKEY_CLASSES_ROOT\GetAndRun.DFRun
HKEY_CLASSES_ROOT\GetAndRun.DFRun.1
HKEY_CLASSES_ROOT\HDPlugin.HDPluginCtrl
HKEY_CLASSES_ROOT\HDPlugin.HDPluginCtrl.1
HKEY_CLASSES_ROOT\ttjltept
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A840E1E-2BA8-47de-923E-0E00407EB530}
HKEY_LOCAL_MACHINE\SOFTWARE\Gator.com\AppInfo\CME
HKEY_LOCAL_MACHINE\SOFTWARE\Gator.com\AppInfo\GMT
HKEY_LOCAL_MACHINE\SOFTWARE\Gator.com\CMEII\GSNInstalled
HKEY_LOCAL_MACHINE\SOFTWARE\Gator.com\Gator\dyn
HKEY_LOCAL_MACHINE\SOFTWARE\Gator.com\Gator\stat\GMT
HKEY_LOCAL_MACHINE\SOFTWARE\Gator.com\GInternet
HKEY_LOCAL_MACHINE\SOFTWARE\Gator.com\trickles
HKEY_LOCAL_MACHINE\SOFTWARE\hlnpan
- Adds the values:
"Trickler" = "[PATH TO ADWARE FILE]"
"CMESys" = "%ProgramFiles%\Common Files\CMEII\CMESys.exe"
to the registry subkey:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
so that the adware runs each time Windows starts.
- Connects to a server on the [RANDOM NAME].gator.com domain on port 80 and submits Web browsing habits to the server. The adware also downloads advertisements from the server.
Note: Other programs download Adware.GAIN to allow them to download and display advertisements in pop-up windows.
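As an added example, not part of this writeup, the following Python script checks a registry export (.reg text) for the persistence values, Gator.com and other subkeys, and executable names listed above. The sample export is constructed, and the file-name pattern used to catch a Run value whose name differs from "Trickler"/"CMESys" is an assumption.

```python
import re

# Constructed sample of a .reg export, not a real capture: the two Run values
# and one Gator.com subkey from the writeup, alongside a benign Run entry.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Trickler"="C:\\WINDOWS\\Temp\\Trickler_3.0.exe"
"CMESys"="C:\\Program Files\\Common Files\\CMEII\\CMESys.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Gator.com\Gator\dyn]
"LastRun"="0"
"""

RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
RUN_VALUE_NAMES = {"trickler", "cmesys"}
# Assumed pattern for the file names in the writeup (Fsg_*.exe, Trickler_*.exe,
# CMESys.exe); the value name may vary, so the path is matched as well.
ADWARE_FILE_RE = re.compile(r"(?:^|\\)(fsg_?[\w.]*|trickler[\w.]*|cmesys)\.exe$", re.I)
SUBKEY_PREFIXES = (r"hkey_local_machine\software\gator.com",
                   r"hkey_local_machine\software\hlnpan",
                   r"hkey_classes_root\getandrun.dfrun",
                   r"hkey_classes_root\hdplugin.hdpluginctrl")

def parse_reg(text):
    """Return {key: {value_name: data}} from .reg text; data is kept as a string."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and "=" in line:
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            # .reg files escape backslashes as "\\"; restore single backslashes.
            keys[current][name] = data.strip('"').replace("\\\\", "\\")
    return keys

def find_gain_artifacts(text):
    """Return (reason, key, value_name, data) tuples for Adware.GAIN registry artifacts."""
    hits = []
    for key, values in parse_reg(text).items():
        if key.lower().startswith(SUBKEY_PREFIXES):
            hits.append(("gain subkey", key, None, None))
        if key.lower() == RUN_KEY:
            for name, data in values.items():
                if name.lower() in RUN_VALUE_NAMES or ADWARE_FILE_RE.search(data):
                    hits.append(("run persistence", key, name, data))
    return hits

if __name__ == "__main__":
    for hit in find_gain_artifacts(SAMPLE_REG):
        print(hit)
```

On a live system the same check can be run against the output of `reg export` for the Run key and the HKEY_LOCAL_MACHINE\SOFTWARE hive.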