Adware.Caishow

Updated: July 3, 2006 3:27:17 AM
Type: Adware
Risk Impact: High
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
Adware.Caishow is a Chinese application that may display pop-up advertisements.

When installed, the risk creates the following files:
%ProgramFiles%\CaiShow Tech\CaiShow\BrowerHelper.dll
%ProgramFiles%\CaiShow Tech\CaiShow\CaiShow.exe
%ProgramFiles%\CaiShow Tech\CaiShow\MMSFactory.dll
%ProgramFiles%\CaiShow Tech\CaiShow\MMSSend.dll
%ProgramFiles%\CaiShow Tech\CaiShow\SendShell.exe
%ProgramFiles%\CaiShow Tech\CaiShow\Update.exe
%ProgramFiles%\CaiShow Tech\CaiShow\UpdateManager.exe
%ProgramFiles%\CaiShow Tech\CaiShow\[CHINESE CHARACTERS].exe
%System%\MicrosoftNet.dll

The risk also creates the following nonmalicious files:
%ProgramFiles%\CaiShow Tech\CaiShow\caishow.htm
%ProgramFiles%\CaiShow Tech\CaiShow\caishow.ini
%ProgramFiles%\CaiShow Tech\CaiShow\defaultrec.dll
%ProgramFiles%\CaiShow Tech\CaiShow\dfmmssendrec.dll
%ProgramFiles%\CaiShow Tech\CaiShow\Download.dll
%ProgramFiles%\CaiShow Tech\CaiShow\gdiplus.dll
%ProgramFiles%\CaiShow Tech\CaiShow\madlldlib.dll
%ProgramFiles%\CaiShow Tech\CaiShow\mfc71.dll
%ProgramFiles%\CaiShow Tech\CaiShow\mfc71u.dll
%ProgramFiles%\CaiShow Tech\CaiShow\mp4lib.dll
%ProgramFiles%\CaiShow Tech\CaiShow\msvcp71.dll
%ProgramFiles%\CaiShow Tech\CaiShow\msvcr71.dll
%ProgramFiles%\CaiShow Tech\CaiShow\SendMMS.htm
%ProgramFiles%\CaiShow Tech\CaiShow\ssoaddionalindical.dll
%ProgramFiles%\CaiShow Tech\CaiShow\update.ini
%ProgramFiles%\CaiShow Tech\CaiShow\wavdest.dll
%Windir%\Installer\[RANDOM NAME].msi

The risk then creates and populates the following registry subkeys:
HKEY_CLASSES_ROOT\AppID\BrowerHelperMFC.DLL
HKEY_CLASSES_ROOT\AppID\My.DLL
HKEY_CLASSES_ROOT\AppID\ssoaddionalindical.DLL
HKEY_CLASSES_ROOT\AppID\{18E8C855-FF2E-4BEB-B9D2-E7B25AF92A48}
HKEY_CLASSES_ROOT\AppID\{37BC804E-E26B-4D09-836F-AC15FC0C253E}
HKEY_CLASSES_ROOT\AppID\{FBB4D7BA-CCD3-457D-BEFF-F3B1757BD6B1}
HKEY_CLASSES_ROOT\CLSID\{3AF40CB8-B3BA-4E2D-8968-4BF8DB172997}
HKEY_CLASSES_ROOT\CLSID\{5673A7C0-95CC-4646-BB07-3BD71234CEF9}
HKEY_CLASSES_ROOT\CLSID\{DD6C4862-4BF9-48CE-BD27-9838E30D3DD5}
HKEY_CLASSES_ROOT\Interface\{315420B2-E5C8-4E7B-B812-6676BA4F30CE}
HKEY_CLASSES_ROOT\Interface\{6CA6DE10-8705-4E1B-9117-BCFA5BECE14B}
HKEY_CLASSES_ROOT\Interface\{CE98AD53-16F1-48D3-9208-1203AA19F77E}
HKEY_CLASSES_ROOT\Interface\{D32D8A55-A21A-4237-B8BB-5A5EBEE6746D}
HKEY_CLASSES_ROOT\Interface\{DBD14208-5F2F-40B8-8D97-6DE44C1D2E3D}
HKEY_CLASSES_ROOT\Interface\{DC616C5A-3BD6-4774-9823-F20802655811}
HKEY_CLASSES_ROOT\Interface\{F6CE85C8-99E7-49F5-A1A2-03FFC4FF09A5}
HKEY_CLASSES_ROOT\TypeLib\{1F805A43-0E95-4245-8EAF-9271D520722A}
HKEY_CLASSES_ROOT\TypeLib\{73D53D7B-66DF-419B-9B44-CF3F42ADF5C9}
HKEY_CLASSES_ROOT\TypeLib\{864F198D-6568-4686-B4F5-4A970B85E58B}
HKEY_CLASSES_ROOT\TypeLib\{89A99589-82B0-4983-A882-E8D8DB3DA5C7}
HKEY_CLASSES_ROOT\TypeLib\{CEBE027D-5423-41B8-AF51-9F1C22557CC6}
HKEY_CLASSES_ROOT\TypeLib\{D0581D47-E3CB-402D-B8A6-5F8561B2A36C}
HKEY_CLASSES_ROOT\BrowerHelperMFC.CaiShowBH
HKEY_CLASSES_ROOT\BrowerHelperMFC.CaiShowBH.1
HKEY_CLASSES_ROOT\My.NetAccelerate
HKEY_CLASSES_ROOT\My.NetAccelerate.1
HKEY_CLASSES_ROOT\ssoaddionalindical.Identify
HKEY_CLASSES_ROOT\ssoaddionalindical.Identify.1
HKEY_CLASSES_ROOT\emffile\shell\[CHINESE CHARACTERS]
HKEY_CLASSES_ROOT\giffile\shell\[CHINESE CHARACTERS]
HKEY_CLASSES_ROOT\jpegfile\shell\[CHINESE CHARACTERS]
HKEY_CLASSES_ROOT\MIDFile\shell\[CHINESE CHARACTERS]
HKEY_CLASSES_ROOT\mp3file\shell\[CHINESE CHARACTERS]
HKEY_CLASSES_ROOT\MSPaper.Document\shell\[CHINESE CHARACTERS]
HKEY_CLASSES_ROOT\Paint.Picture\shell\[CHINESE CHARACTERS]
HKEY_CLASSES_ROOT\pngfile\shell\[CHINESE CHARACTERS]
HKEY_CLASSES_ROOT\SoundRec\shell\[CHINESE CHARACTERS]
HKEY_CLASSES_ROOT\TIFImage.Document\shell\[CHINESE CHARACTERS]
HKEY_LOCAL_MACHINE\SOFTWARE\CaiShow
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3AF40CB8-B3BA-4E2D-8968-4BF8DB172997}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5673A7C0-95CC-4646-BB07-3BD71234CEF9}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\51D767EC8AF379D43B3E631A28E7DEF7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\14AA5729DADA23D2F57C1C2297718AC2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\[USER SID]\Products\8D15EFAFF3F76694E8331E3D97FE51D7
HKEY_CURRENT_USER\Software\Classes\AppID\Download.DLL
HKEY_CURRENT_USER\Software\Classes\AppID\MMSFactory.DLL
HKEY_CURRENT_USER\Software\Classes\AppID\MMSSend.DLL
HKEY_CURRENT_USER\Software\Classes\AppID\{22A36E6E-07CB-4851-AA84-5FC1CA73A1DE}
HKEY_CURRENT_USER\Software\Classes\AppID\{88ABD365-12AE-44E7-8450-DA5C3653325B}
HKEY_CURRENT_USER\Software\Classes\AppID\{F375F726-23D3-4179-9CA2-54FE6E490879}
HKEY_CURRENT_USER\Software\Classes\CLSID\{0E6E0B51-0300-4AE2-B6C4-F4EFE33A33B2}
HKEY_CURRENT_USER\Software\Classes\CLSID\{32F64094-A155-4554-8753-E5E267A8C002}
HKEY_CURRENT_USER\Software\Classes\CLSID\{6ABB6C58-FEB7-43AE-946A-AF05D074F493}
HKEY_CURRENT_USER\Software\Classes\Interface\{315420B2-E5C8-4E7B-B812-6676BA4F30CE}
HKEY_CURRENT_USER\Software\Classes\Interface\{DBD14208-5F2F-40B8-8D97-6DE44C1D2E3D}
HKEY_CURRENT_USER\Software\Classes\Interface\{DC616C5A-3BD6-4774-9823-F20802655811}
HKEY_CURRENT_USER\Software\Classes\Interface\{F6CE85C8-99E7-49F5-A1A2-03FFC4FF09A5}
HKEY_CURRENT_USER\Software\Classes\Download.Download
HKEY_CURRENT_USER\Software\Classes\Download.Download.1
HKEY_CURRENT_USER\Software\Classes\MMSFactory.Send
HKEY_CURRENT_USER\Software\Classes\MMSFactory.Send.1
HKEY_CURRENT_USER\Software\Classes\MMSSend.Send
HKEY_CURRENT_USER\Software\Classes\MMSSend.Send.1
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\[CHINESE CHARACTERS]
HKEY_CURRENT_USER\Software\Microsoft\Installer\Features\8D15EFAFF3F76694E8331E3D97FE51D7
HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\8D15EFAFF3F76694E8331E3D97FE51D7
HKEY_CURRENT_USER\Software\Microsoft\Installer\UpgradeCodes\51D767EC8AF379D43B3E631A28E7DEF7
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3AF40CB8-B3BA-4E2D-8968-4BF8DB172997}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5673A7C0-95CC-4646-BB07-3BD71234CEF9}

The risk also creates the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\"%ProgramFiles%\CaiShow Tech\CaiShow\" = ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\"%ProgramFiles%\CaiShow Tech\" = ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\[USER SID]\Components\0262F10FC566740686B539050DE7DB69\"8D15EFAFF3F76694E8331E3D97FE51D7" = "%ProgramFiles%\CaiShow Tech\CaiShow\MMSFactory.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\[USER SID]\Components\041E0BFCEE60FBA83E34DFD1628090FF\"8D15EFAFF3F76694E8331E3D97FE51D7" = "%ProgramFiles%\CaiShow Tech\CaiShow\MMSSend.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\[USER SID]\Components\0F88A300530942E96B8D37506857E506\"8D15EFAFF3F76694E8331E3D97FE51D7" = "%ProgramFiles%\CaiShow Tech\CaiShow\CaiShow.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\[USER SID]\Components\0FF2AEFF45EEA0A48A4B33C1973B6094\"8D15EFAFF3F76694E8331E3D97FE51D7" = "%ProgramFiles%\CaiShow Tech\CaiShow\msvcr71.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\[USER SID]\Components\14AA5729DADA23D2F57C1C2297718AC2\"8D15EFAFF3F76694E8331E3D97FE51D7" = "%System%\MicrosoftNet.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\[USER SID]\Components\1912BE7FD83F3D26BC7C94B6B2AB7D78\"8D15EFAFF3F76694E8331E3D97FE51D7" = "%ProgramFiles%\CaiShow Tech\CaiShow\ssoaddionalindical.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\[USER SID]\Components\1DEA09A7138CF5B3C2CCE72A2E7C5ED2\"8D15EFAFF3F76694E8331E3D97FE51D7" = "%ProgramFiles%\CaiShow Tech\CaiShow\Download.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\[USER SID]\Components\1F246B57F05476CA11E5858E0508A143\"8D15EFAFF3F76694E8331E3D97FE51D7" = "01:\Software\Microsoft\Internet Explorer\MenuExt\[CHINESE CHARACTERS]\contexts"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\[USER SID]\Components\288249C0965235B1D6E1E68F2664D6BF\"8D15EFAFF3F76694E8331E3D97FE51D7" = "01:\Software\Microsoft\Internet Explorer\MenuExt\[CHINESE CHARACTERS]\"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\[USER SID]\Components\2BCD7B4C1786475E0BBB347A1EAD64A9\"8D15EFAFF3F76694E8331E3D97FE51D7" = ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\[USER SID]\Components\305B09CE8C53A214DB58887F62F25536\"8D15EFAFF3F76694E8331E3D97FE51D7" = "%ProgramFiles%\CaiShow Tech\CaiShow\msvcp71.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\[USER SID]\Components\32EB6BCD8253993E8281808D6265ADD2\"8D15EFAFF3F76694E8331E3D97FE51D7" = "%ProgramFiles%\CaiShow Tech\CaiShow\caishow.htm"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\[USER SID]\Components\34135461A6C1DFF5C25EA5AD34866A15\"8D15EFAFF3F76694E8331E3D97FE51D7" = "%ProgramFiles%\CaiShow Tech\CaiShow\defaultrec.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\[USER SID]\Components\4A8C3C5263190A44A01498D716DF370D\"8D15EFAFF3F76694E8331E3D97FE51D7" = ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\[USER SID]\Components\52AA4CA3A82A90F428A603ACA026F053\"8D15EFAFF3F76694E8331E3D97FE51D7" = "%ProgramFiles%\CaiShow Tech\CaiShow\mfc71u.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\[USER SID]\Components\58AFFA0581745225300DA35FFE91E85C\"8D15EFAFF3F76694E8331E3D97FE51D7" = "%ProgramFiles%\CaiShow Tech\CaiShow\mp4lib.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\[USER SID]\Components\6DAFA372696644ED48471B0CB1EF33F0\"8D15EFAFF3F76694E8331E3D97FE51D7" = "%ProgramFiles%\CaiShow Tech\CaiShow\caishow.ini"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\[USER SID]\Components\7D0F9833BA32EE4050A2AE33EA58660F\"8D15EFAFF3F76694E8331E3D97FE51D7" = "%ProgramFiles%\CaiShow Tech\CaiShow\BrowerHelper.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\[USER SID]\Components\8043E79E62D55612D5B2B54A5CD33410\"8D15EFAFF3F76694E8331E3D97FE51D7" = "%ProgramFiles%\CaiShow Tech\CaiShow\SendShell.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\[USER SID]\Components\84755F8FCF90F80B0AB0AA245848185B\"8D15EFAFF3F76694E8331E3D97FE51D7" = "%ProgramFiles%\CaiShow Tech\CaiShow\wavdest.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\[USER SID]\Components\84AC706F233C9204FAA893DB6F19C24D\"8D15EFAFF3F76694E8331E3D97FE51D7" = "%ProgramFiles%\CaiShow Tech\CaiShow\mfc71.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\[USER SID]\Components\8AF2DBB21506EFC3C1A44D39AA6C6687\"8D15EFAFF3F76694E8331E3D97FE51D7" = "02:\Software\CaiShow\ini"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\[USER SID]\Components\957AE07208ABDBD242355856D8F90CBA\"8D15EFAFF3F76694E8331E3D97FE51D7" = "02:\Software\CaiShow\path"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\[USER SID]\Components\A552277172AC17C688357D0F7705D587\"8D15EFAFF3F76694E8331E3D97FE51D7" = "%ProgramFiles%\CaiShow Tech\CaiShow\[CHINESE CHARACTERS].exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\[USER SID]\Components\AA35EABA21C53B418ABB6615E517D65C\"8D15EFAFF3F76694E8331E3D97FE51D7" = "%ProgramFiles%\CaiShow Tech\CaiShow\UpdateManager.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\[USER SID]\Components\CA146A70E068ACFCF0525620348A8144\"8D15EFAFF3F76694E8331E3D97FE51D7" = "%ProgramFiles%\CaiShow Tech\CaiShow\madlldlib.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\[USER SID]\Components\D1349BFF71B6168EB2D8FA7FFAA1D0EE\"8D15EFAFF3F76694E8331E3D97FE51D7" = "%ProgramFiles%\CaiShow Tech\CaiShow\dfmmssendrec.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\[USER SID]\Components\E3A0E19C005360470407E07A0CE0A6D7\"8D15EFAFF3F76694E8331E3D97FE51D7" = "%ProgramFiles%\CaiShow Tech\CaiShow\SendMMS.htm"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\[USER SID]\Components\F1B496B301445D115AA4000972A8B18B\"8D15EFAFF3F76694E8331E3D97FE51D7" = "%ProgramFiles%\CaiShow Tech\CaiShow\gdiplus.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\[USER SID]\Components\F1F463F9A4C24C1894228DA7B322813E\"8D15EFAFF3F76694E8331E3D97FE51D7" = "02:\Software\CaiShow\shell"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\[USER SID]\Components\F766C97F4C3C8E6B156736593C092669\"8D15EFAFF3F76694E8331E3D97FE51D7" = "%ProgramFiles%\CaiShow Tech\CaiShow\Update.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\[USER SID]\Components\FA88DB4C2049552173960AEC970F7588\"8D15EFAFF3F76694E8331E3D97FE51D7" = "%ProgramFiles%\CaiShow Tech\CaiShow\update.ini"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\"%System%\MicrosoftNet.dll" = [NUMBER]

The risk also attempts to register an uninstaller with the following parameters:
Display name: Microsoft Explore Ex
Uninstall string: MsiExec.exe /I{FAFE51D8-7F3F-4966-8E33-E1D379EF157D}
by creating and populating the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{FAFE51D8-7F3F-4966-8E33-E1D379EF157D}

The risk may display pop-up advertisements.
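Added here as a defender's check and not part of the Symantec write-up: a read-only PowerShell script that lists every Browser Helper Object registered on the machine, resolves each CLSID to its implementing DLL, flags the two BHO CLSIDs attributed to Adware.Caishow above, and reports the uninstall entry registered under the misleading display name. It assumes a 32-bit Windows layout (no Wow6432Node), matching the systems listed above.

```powershell
# Added example (not from the Symantec write-up). Read-only: reports, never deletes.
# BHO CLSIDs taken from the "Browser Helper Objects" subkeys listed on this page.
$caishowClsids = @(
    '{3AF40CB8-B3BA-4E2D-8968-4BF8DB172997}',
    '{5673A7C0-95CC-4646-BB07-3BD71234CEF9}'
)
$bhoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

function Get-BhoReport {
    # Every subkey under the BHO root is a CLSID that Internet Explorer loads at start-up.
    if (-not (Test-Path $bhoRoot)) { return @() }
    Get-ChildItem -Path $bhoRoot | ForEach-Object {
        $clsid  = $_.PSChildName
        # Resolve the CLSID to the DLL that implements it via its InprocServer32 default value.
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll    = $null
        if (Test-Path $server) {
            $dll = (Get-ItemProperty -Path $server).'(default)'
        }
        $onDisk = $false
        if ($dll) {
            $onDisk = Test-Path ([Environment]::ExpandEnvironmentVariables($dll))
        }
        [pscustomobject]@{
            CLSID     = $clsid
            DllPath   = $dll
            DllExists = $onDisk
            Caishow   = ($caishowClsids -contains $clsid)
        }
    }
}

function Test-CaishowUninstallKey {
    # Product code from the MsiExec uninstall string quoted on this page.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{FAFE51D8-7F3F-4966-8E33-E1D379EF157D}'
    if (-not (Test-Path $key)) { return $null }
    Get-ItemProperty -Path $key | Select-Object DisplayName, UninstallString
}

Get-BhoReport | Format-Table -AutoSize
Test-CaishowUninstallKey
```

A BHO whose DllExists is false is a dangling registration worth noting as well, since a removal that deleted the file but left the CLSID still leaves IE trying to load it.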