Adware.MoeMoney

Printer Friendly Page

Updated: February 13, 2007 11:33:03 AM

Type: Adware

Version: Not available

Publisher: EBates

Risk Impact: Low

File Names: EbatesMoeMoneyMaker14.exe EbateMoeMoneyMaker0.exe EbatesMoeMoneyMaker1.exe EbatesMoeMoneyMaker

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP

This adware requires Wjview.exe, a legitimate Microsoft file, in order to function correctly.

When Adware.MoeMoney is executed, it does the following:

May create some of the following files and folders:
- %ProgramFiles%\Ebates_MoeMoneyMaker\Ap350\ebmm350.dat
- %ProgramFiles%\Ebates_MoeMoneyMaker\Ap350\psid399.dat
- %ProgramFiles%\Ebates_MoeMoneyMaker\disp350.exe (Adware.WebRebates)
- %ProgramFiles%\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe (Adware.MoeMoney)
- %ProgramFiles%\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker1.exe (Adware.MoeMoney)
- %ProgramFiles%\Ebates_MoeMoneyMaker\README.txt
- %ProgramFiles%\Ebates_MoeMoneyMaker\Da350\<Current User>\42949a6e27dd.dat
- %ProgramFiles%\Ebates_MoeMoneyMaker\Da350\<Current User>\42bc3fc14716.dat
- %ProgramFiles%\Ebates_MoeMoneyMaker\Da350\350sh.dat
- %ProgramFiles%\Ebates_MoeMoneyMaker\Da350\42949a6652.dat
- %ProgramFiles%\Ebates_MoeMoneyMaker\Sy350\Sy350\350_0.dat
- %ProgramFiles%\Ebates_MoeMoneyMaker\Sy350\Sy350\350_1.dat
- %ProgramFiles%\Ebates_MoeMoneyMaker\Sy350\Sy350\350_2.dat
- %ProgramFiles%\Ebates_MoeMoneyMaker\Sy350\Html\popo350a_counv.htm
- %ProgramFiles%\Ebates_MoeMoneyMaker\Sy350\Html\popo350a_couyv.htm
- %ProgramFiles%\Ebates_MoeMoneyMaker\Sy350\Html\popo350a_non.htm
- %ProgramFiles%\Ebates_MoeMoneyMaker\Sy350\Html\popo350a_nv.htm
- %ProgramFiles%\Ebates_MoeMoneyMaker\Sy350\Html\pref350a.htm
- %ProgramFiles%\Ebates_MoeMoneyMaker\Sy350\Html\pref350a_dis.htm
- %ProgramFiles%\Ebates_MoeMoneyMaker\Sy350\Html\scri350a.htm
- %ProgramFiles%\Ebates_MoeMoneyMaker\Sy350\Html\spec350a_yv.htm
- %ProgramFiles%\Ebates_MoeMoneyMaker\Sy350\Images\ebmm.gif
- %ProgramFiles%\Ebates_MoeMoneyMaker\Sy350\Images\ebmm.ico
- %ProgramFiles%\Ebates_MoeMoneyMaker\Sy350\Images\ebmm_button_clickhere.gif
- %ProgramFiles%\Ebates_MoeMoneyMaker\Sy350\Images\ebmm_button_getcashbck.gif
- %ProgramFiles%\Ebates_MoeMoneyMaker\Sy350\Images\ebmm_button_no.gif
- %ProgramFiles%\Ebates_MoeMoneyMaker\Sy350\Images\ebmm_button_submit.gif
- %ProgramFiles%\Ebates_MoeMoneyMaker\Sy350\Images\ebmm_button_yes.gif
- %ProgramFiles%\Ebates_MoeMoneyMaker\Sy350\Images\ebmm_clear.gif
- %ProgramFiles%\Ebates_MoeMoneyMaker\Sy350\Images\ebmm_cou_button_savenow.gif
- %ProgramFiles%\Ebates_MoeMoneyMaker\Sy350\Images\ebmm_cou_logo_greenbground.gif
- %ProgramFiles%\Ebates_MoeMoneyMaker\Sy350\Images\ebmm_cou_moe.gif
- %ProgramFiles%\Ebates_MoeMoneyMaker\Sy350\Images\ebmm_cou_moe_logo.gif
- %ProgramFiles%\Ebates_MoeMoneyMaker\Sy350\Images\ebmm_hot.ico
- %ProgramFiles%\Ebates_MoeMoneyMaker\Sy350\Images\ebmm_logo1.gif
- %ProgramFiles%\Ebates_MoeMoneyMaker\Sy350\Images\ebmm_logo_topmox.gif
- %ProgramFiles%\Ebates_MoeMoneyMaker\Sy350\Images\ebmm_moe_question.gif
- %ProgramFiles%\Ebates_MoeMoneyMaker\Sy350\Images\ebmm_moe_reminder.gif
- %ProgramFiles%\Ebates_MoeMoneyMaker\Sy350\Images\ebmm_moe_top.gif
- %ProgramFiles%\Ebates_MoeMoneyMaker\Sy350\Images\ebmm_moe_with_cash.gif
- %ProgramFiles%\Ebates_MoeMoneyMaker\Sy350\Images\ebmm_spacer.gif
- %ProgramFiles%\Ebates_MoeMoneyMaker\Sy350\Tp350\log.txt
- %ProgramFiles%\Ebates_MoeMoneyMaker\Sy350\Tp350\popo350a_counv.htm
- %ProgramFiles%\Ebates_MoeMoneyMaker\Sy350\Tp350\popo350a_couyv.htm
- %ProgramFiles%\Ebates_MoeMoneyMaker\Sy350\Tp350\popo350a_non.htm
- %ProgramFiles%\Ebates_MoeMoneyMaker\Sy350\Tp350\popo350a_nv.htm
- %ProgramFiles%\Ebates_MoeMoneyMaker\Sy350\Tp350\pref350a.htm
- %ProgramFiles%\Ebates_MoeMoneyMaker\Sy350\Tp350\pref350a_dis.htm
- %ProgramFiles%\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm
- %ProgramFiles%\Ebates_MoeMoneyMaker\Sy350\Tp350\spec350a_yv.htm
- %ProgramFiles%\EbatesMoeMoneyMaker
- %Userprofile%\Local Settings\Temp\djebmm350.exe
- %Userprofile%\Local Settings\Temp\jkill.exe
  
  Note:
- %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
- %Userprofile% is a variable that refers to the C:\Documents and Settings\<Current User> folder
Adds the values:

"EbatesMoeMoneyMaker" = "wjview /cp:p "C:\Program Files\EbatesMoeMoneyMaker\System\Code" Main lp: "C:\Program Files EbatesMoeMoneyMaker""
"EbatesMoeMoneyMaker0" = "%Programfiles%\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe"

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runso that the adware starts every time Windows starts.
Adds the value:

"djebmm350.exe" = "%Userprofile%\Local Settings\Temp\djebmm350.exe"

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Adds the following registry subkeys:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Ebates HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\ins HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\unebmm350 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Uninstall\ebatessvr2.xml
Drops a file named disp350.exe. This file is detected as Adware.WebRebates.
Records Internet browsing habits and sends the collected information to a predetermined Web server.
Downloads and displays advertisements.

Removal

Summary

Search Threats

Search by name

_{Example: W32.Beagle.AG@mm}