1. /
  2. Security Response/
  3. Adware.GAIN

Adware.GAIN

Updated:
February 13, 2007 11:32:40 AM
Type:
Adware
Publisher:
GAIN Publishing
Risk Impact:
Low
File Names:
Fsg_[VERSION NUMBER].exe Trickler_[VERSION NUMBER].exe CMESys.eGMT.exe GainPlugin.dll HDPlugin
Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When Adware.GAIN is installed, it does the following:
  1. May insert a file in the %System% folder. The file name appears to differ depending on which program installs Adware.GAIN. Some known file names are:

    • Fsg_[VERSION NUMBER].exe
    • Trickler.exe.

      Note: %System% is a variable. The adware component locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

  2. Creates the following files:

    • %ProgramFiles%\Common Files\CMEII\*.*
    • %ProgramFiles%\Common Files\GMT\*.*
    • %Windir%\Temp\Trickler_[VERSION NUMBER].exe
    • %Windir%\Temp\fsg[VERSION NUMBER].exe
    • %Windir%\Downloaded Program Files\GainPlugin.dll
    • %UserProfile%\Start Menu\Programs\Startup\GStartup.lnk
    • C:\Documents and Settings\All Users\Start Menu\Programs\GAIN Publishing\About GAIN Publishing.lnk
    • C:\Documents and Settings\All Users\Start Menu\Programs\GAIN Publishing\GAIN Publishing Web Site.URL

      Notes:
    • %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
    • %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\Winnt (Windows NT/2000).
    • %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[Current User] (Windows NT/2000/XP).

  3. Creates the following registry subkeys:

    HKEY_CLASSES_ROOT\CLSID\{54e7e082-1da6-412e-96b5-c290fcef5329}
    HKEY_CLASSES_ROOT\CLSID\{DBAE7000-01EC-4162-8FEB-8A27AC937CA0}
    HKEY_CLASSES_ROOT\Interface\{22D34833-06F9-4CE6-9FF7-CE4DA0BA351D}
    HKEY_CLASSES_ROOT\Interface\{54E7E080-1DA6-412E-96B5-C290FCEF5329}
    HKEY_CLASSES_ROOT\TypeLib\{2EC7A834-9C5E-4154-BADC-0D86A2EDC82D}
    HKEY_CLASSES_ROOT\TypeLib\{54E7E081-1DA6-412E-96B5-C290FCEF5329}
    HKEY_CLASSES_ROOT\GetAndRun.DFRun
    HKEY_CLASSES_ROOT\GetAndRun.DFRun.1
    HKEY_CLASSES_ROOT\HDPlugin.HDPluginCtrl
    HKEY_CLASSES_ROOT\HDPlugin.HDPluginCtrl.1

    HKEY_CLASSES_ROOT\ttjltept
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
    \Uninstall\{4A840E1E-2BA8-47de-923E-0E00407EB530}
    HKEY_LOCAL_MACHINE\SOFTWARE\Gator.com\AppInfo\CME
    HKEY_LOCAL_MACHINE\SOFTWARE\Gator.com\AppInfo\GMT
    HKEY_LOCAL_MACHINE\SOFTWARE\Gator.com\CMEII\GSNInstalled
    HKEY_LOCAL_MACHINE\SOFTWARE\Gator.com\Gator\dyn
    HKEY_LOCAL_MACHINE\SOFTWARE\Gator.com\Gator\stat\GMT
    HKEY_LOCAL_MACHINE\SOFTWARE\Gator.com\GInternet
    HKEY_LOCAL_MACHINE\SOFTWARE\Gator.com\trickles
    HKEY_LOCAL_MACHINE\SOFTWARE\hlnpan


  4. Adds the values:

    "Trickler" = "[PATH TO ADWARE FILE]"
    "CMESys" = "%ProgramFiles%\Common Files\CMEII\CMESys.exe"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    so that the Adware runs when you start Windows.

  5. Connects to a server on the [RANDOM NAME].gator.com domain on port 80 and submits Web browsing habits to the server. The adware also downloads advertisements from the server.

    Note: Other programs download Adware.GAIN to allow them to download and display advertisements in pop-up windows.


Summary| Technical Details| Removal

Search Threats

Search by name
Example: W32.Beagle.AG@mm
STAR Antimalware Protection Technologies
Internet Security Threat Report
Symantec DeepSight Screensaver