Updated: February 13, 2007 11:35:33 AM
Type: Trackware
Risk Impact: Low
File Names: Bundle.exe
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
When Trackware.SAHAgent is executed, it does the following:
- May create the following files:
- %Temp%\Bundle.exe
- %System%\SahImages\gr_1reg.gif
- %System%\SahImages\gr_2shop.gif
- %System%\SahImages\gr_3cash.gif
- %System%\SahImages\gr_reg_header.gif
- %System%\SahImages\gr_sahs_logo.gif
- %System%\SahImages\submit_pop.gif
- %System%\SahHtml.exe
- %Windir%\Downloaded Program Files\WebInstaller.dll
- %Windir%\Downloaded Program Files\setup.inf
- %Windir%\SAHUninstall.exe
- %Temp%\bundletracking.asp
- %Windir%\Downloaded Program Files\v.dat
- %Windir%\Downloaded Program Files\vg.dat
- %System%\v.dat
- %System%\vg.dat
- %System%\vp.dat
- C:\SahAgent.log
Notes:
- %Temp% is a variable that refers to the Windows temporary folder. By default, this is C:\Windows\TEMP (Windows 95/98/Me/XP) or C:\WINNT\Temp (Windows NT/2000).
- %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
- %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
- May create several randomly named files which are 8-characters in length in the %Windir% and %System% folders with the following file extensions:
- .dat
- .dll
- .exe
- .html
- .ini
- May create several files in the %Temp% folder with the following file extensions:
- .dll
- .exe
as well as some or all of the following files:
- cdt1004.sah
- setup4002b.cab
- setup4021.cab
- May create the following registry subkey, with several SAHAgent-specific subkeys beneath it:
HKEY_LOCAL_MACHINE\SOFTWARE\VGroup
- Adds one of the values:
"SAHBundle" = "%Temp%\bundle.exe run"
"[RANDOM NAME]" = "%System%\[RANDOM NAME].exe"
to the registry subkey:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
so that the Trackware runs when you start Windows.
Note: [RANDOM NAME] is an 8-character long random sequence of letters and numerals.
- Adds one of the values:
"DisplayName" = "Select Cashback"
"DisplayName" = "ShoptAtHomeSelect Cash Back"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\[RANDOM NAME]
Note: [RANDOM NAME] is an 8-character long random sequence of letters and numerals.
- Creates the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5F3B3060-09E0-44C6-86F7-BC7B02B57BEE}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{30402FF4-3E71-4A1C-9B4B-1CD3486A9FB2}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C0EF89EE-EEC7-4535-A041-F1EBF79560A7}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{4828C95F-C5DB-4AB6-A945-8D8EC44B98A8}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{4E570F74-DEEE-4FCF-B960-FEEFA4B8C6FC}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{CDE442A3-DC2C-467E-A311-B4BC775D86C5}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WEBInstaller.execute
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WEBInstaller.execute.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WEBInstaller.Cexecute
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WEBInstaller.Cexecute.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ShopAtHomeSelect Agent
HKEY_ALL_USERS\Software\Local AppWizard-Generated Applications\Popup
HKEY_LOCAL_MACHINE\Software\Vgroup
HKEY_ALL_USERS\Software\In3rd
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{55DE86BA-8ABB-42F5-934B-88816865F0C8}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{46138192-DF0A-4A02-B206-8FD94BF4A7C7}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\GRInstall6.Installer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\GRInstall6.Installer.1
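The file and registry artefacts above can be checked offline against a registry export (regedit "Export", or a .reg dump from a mounted hive) and a file listing from the suspect machine. The script below is an added example, not Symantec's tooling or part of this writeup: it parses the .reg text, expands the %System%/%Temp% paths to their on-disk forms, and flags the fixed indicators plus the [RANDOM NAME] Run entries by shape (an eight-character value name whose target is an eight-character .exe in the System folder). Both halves are required because an eight-letter value name on its own is common for legitimate software. The .reg content and file listing embedded in the block are constructed sample data.

```python
"""Offline indicator check for the Trackware.SAHAgent artefacts listed above.

Added example (not Symantec's tooling). Input is a Windows .reg export and a
plain list of file paths; both samples below are constructed for the demo.
"""
import re

# Fixed indicators taken from the writeup.
KNOWN_CLSIDS = {
    "{5F3B3060-09E0-44C6-86F7-BC7B02B57BEE}",
    "{30402FF4-3E71-4A1C-9B4B-1CD3486A9FB2}",
    "{C0EF89EE-EEC7-4535-A041-F1EBF79560A7}",
}
KNOWN_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\VGroup",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WEBInstaller.execute",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\GRInstall6.Installer",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ShopAtHomeSelect Agent",
}
KNOWN_FILES = {"bundle.exe", "bundletracking.asp", "sahhtml.exe", "sahuninstall.exe",
               "sahagent.log", "webinstaller.dll", "v.dat", "vg.dat", "vp.dat"}
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
CLSID_PREFIX = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID" + "\\"
UNINSTALL_PREFIX = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" + "\\").lower()
# [RANDOM NAME]: 8 letters/digits; %System% expands to ...\System or ...\System32.
RANDOM8 = re.compile(r"^[a-z0-9]{8}$", re.I)
SYSTEM_RANDOM_EXE = re.compile(r"\\system(32)?\\[a-z0-9]{8}\.exe$", re.I)

# Constructed sample export: one benign Run value, one SAHAgent-style one.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"k3j9x0q2"="C:\\WINDOWS\\system32\\k3j9x0q2.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\VGroup]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5F3B3060-09E0-44C6-86F7-BC7B02B57BEE}]
@="WEBInstaller.execute"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\q8w2e4r6]
"DisplayName"="Select Cashback"
'''
# Constructed sample file listing (e.g. from "dir /s /b").
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\kernel32.dll",
    r"C:\WINDOWS\system32\SahHtml.exe",
    r"C:\WINDOWS\system32\SahImages\gr_1reg.gif",
    r"C:\SahAgent.log",
    r"C:\Documents and Settings\user\Local Settings\Temp\~DF1234.tmp",
]


def parse_reg_export(text):
    """Parse the .reg subset needed here: [key] headers and "name"="string"
    or @="string" values. Returns {key: {name: data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith(('"', "@")) and "=" in line:
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            # .reg doubles backslashes and escapes quotes inside string data.
            keys[current][name] = data.strip('"').replace('\\"', '"').replace("\\\\", "\\")
    return keys


def find_indicators(reg, files):
    """Return one line per SAHAgent artefact present in the export/listing."""
    found = []
    by_lower = {k.lower(): k for k in reg}
    for key in sorted(KNOWN_KEYS):
        if key.lower() in by_lower:
            found.append(f"registry key: {by_lower[key.lower()]}")
    for clsid in sorted(KNOWN_CLSIDS):
        if (CLSID_PREFIX + clsid).lower() in by_lower:
            found.append(f"SAHAgent CLSID registered: {clsid}")
    # Run values: the fixed SAHBundle entry, or random name + random target in %System%.
    for name, data in reg.get(by_lower.get(RUN_KEY.lower(), ""), {}).items():
        if name.lower() == "sahbundle" or "\\bundle.exe" in data.lower():
            found.append(f"Run value {name!r} launches {data}")
        elif RANDOM8.match(name) and SYSTEM_RANDOM_EXE.search(data):
            found.append(f"Run value {name!r} launches random-named {data}")
    # Uninstall entries: DisplayName is "Select Cashback" or the ShopAtHome variant.
    for key, values in reg.items():
        display = values.get("DisplayName", "")
        if key.lower().startswith(UNINSTALL_PREFIX) and "cashback" in display.lower().replace(" ", ""):
            subkey = key.rsplit("\\", 1)[-1]
            found.append(f"uninstall entry {subkey!r}: {display}")
    for path in files:
        base = path.rsplit("\\", 1)[-1].lower()
        if base in KNOWN_FILES or "\\sahimages\\" in path.lower():
            found.append(f"file: {path}")
    return found


if __name__ == "__main__":
    for hit in find_indicators(parse_reg_export(SAMPLE_REG), SAMPLE_FILES):
        print(hit)
```

Run against the sample data it reports the VGroup key, the 5F3B3060 CLSID, the k3j9x0q2 Run value, the "Select Cashback" uninstall entry and the three SAHAgent files, and leaves the SynTPEnh entry alone even though its name is also eight characters. The randomly named .dat/.dll/.ini files the writeup mentions are deliberately not matched by name alone; tie them to the Run value target or to file timestamps instead.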