
Adware.CashBackBuddy

Updated: February 13, 2007 11:46:31 AM
Type: Adware
Version: 1.0.0.5
Publisher: eXact Advertising
Risk Impact: Medium
File Names: cashback.exe, cb.exe, flash.exe, mscb.dll
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When Adware.CashBackBuddy is executed, it performs the following actions:
  1. Creates the following files:

    • %ProgramFiles%\CashBack\ad.dat
    • %ProgramFiles%\CashBack\bb_auto_wider.swf
    • %ProgramFiles%\CashBack\bb_click_wider.swf
    • %ProgramFiles%\CashBack\bb_welcome.html
    • %ProgramFiles%\CashBack\bb_welcome1.swf
    • %ProgramFiles%\CashBack\bin\cashback.exe
    • %ProgramFiles%\CashBack\bin\cb.exe
    • %ProgramFiles%\CashBack\bin\flash.exe
    • %ProgramFiles%\CashBack\blank.gif
    • %ProgramFiles%\CashBack\icon.gif
    • %ProgramFiles%\CashBack\logo.gif
    • %ProgramFiles%\CashBack\template.html
    • %ProgramFiles%\CashBack\template2.html
    • %ProgramFiles%\CashBack\template_signin.html
    • %ProgramFiles%\CashBack\ub.dat
    • %ProgramFiles%\CashBack\Uninstall.exe
    • %System%\mscb.dll
    • %Temp%\bb_auto_wider.swf
    • %Temp%\bb_click_wider.swf
    • %Temp%\bb_welcome.html
    • %Temp%\bb_welcome1.swf
    • %Temp%\blank.gif
    • %Temp%\exTmp0.html
    • %Temp%\icon.gif
    • %Temp%\logo.gif
    • %Temp%\template_signin.html
    • %Windir%\Downloaded Program Files\installer_CASHBACK.exe

      Note:
    • %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
    • %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
    • %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
    • %Temp% is a variable that refers to the Windows temporary folder. By default, this is C:\Windows\TEMP (Windows 95/98/Me/XP) or C:\WINNT\Temp (Windows NT/2000).

  2. Creates the following registry subkeys:


    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CE188402-6EE7-4022-8868-AB25173A3E14}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8EEE58D5-130E-4CBD-9C83-35A0564E2468}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C6906A23-4717-4E1F-B6FD-F06EBED12468}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{4EB7BBE8-2E15-424B-9DDB-2CDB9516E2A3}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CB.UrlCatcher
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CB.UrlCatcher.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CE188402-6EE7-4022-8868-AB25173A3E14}
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CE188402-6EE7-4022-8868-AB25173A3E14}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CashBack
    HKEY_LOCAL_MACHINE\SOFTWARE\CashBack
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/installer_CASHBACK.exe


  3. Adds the value:

    "CashBack" = "%ProgramFiles%\CashBack\bin\cashback.exe"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that it runs every time Windows starts.

  4. Adds the value:

    "SharedDLLs" = "%Windir%\Downloaded Program Files\installer_CASHBACK.exe"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
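
A read-only PowerShell check for the registry and file artifacts listed above, added here as an example (it is not part of the original writeup). The WOW6432Node, Program Files (x86) and SysWOW64 locations are an assumption for 64-bit Windows, which the writeup does not cover.

```powershell
# Added example: read-only host check built from the writeup's indicators.
$clsid = '{CE188402-6EE7-4022-8868-AB25173A3E14}'   # BHO CLSID from step 2

# Subkeys from step 2, relative to HKLM:\SOFTWARE
$subkeys = @(
    "Classes\CLSID\$clsid",
    'Classes\CB.UrlCatcher',
    "Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$clsid",
    'Microsoft\Windows\CurrentVersion\Uninstall\CashBack',
    'CashBack'
)
# Assumption (not in the writeup): on 64-bit Windows a 32-bit installer is
# redirected to WOW6432Node, so both registry views are checked.
$roots = 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node'

$findings = @()
foreach ($root in $roots) {
    foreach ($k in $subkeys) {
        if (Test-Path -LiteralPath "$root\$k") {
            $findings += [pscustomobject]@{ Type = 'RegistryKey'; Item = "$root\$k" }
        }
    }
    # Step 3: the "CashBack" autostart value under the Run key
    $run = "$root\Microsoft\Windows\CurrentVersion\Run"
    $val = (Get-ItemProperty -LiteralPath $run -Name 'CashBack' -ErrorAction SilentlyContinue).CashBack
    if ($val) { $findings += [pscustomobject]@{ Type = 'RunValue'; Item = "$run -> $val" } }
}
$stats = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\$clsid"
if (Test-Path -LiteralPath $stats) { $findings += [pscustomobject]@{ Type = 'RegistryKey'; Item = $stats } }

# Files from step 1. The %Temp% entries are skipped: names such as blank.gif
# or icon.gif are too generic to be useful indicators on their own.
$paths = @(
    (Join-Path $env:ProgramFiles 'CashBack'),
    (Join-Path $env:SystemRoot 'System32\mscb.dll'),
    (Join-Path $env:SystemRoot 'Downloaded Program Files\installer_CASHBACK.exe')
)
if (${env:ProgramFiles(x86)}) {   # 64-bit host: same assumption as above
    $paths += Join-Path ${env:ProgramFiles(x86)} 'CashBack'
    $paths += Join-Path $env:SystemRoot 'SysWOW64\mscb.dll'
}
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings += [pscustomobject]@{ Type = 'Path'; Item = $p } }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap } else {
    'No Adware.CashBackBuddy artifacts from this writeup were found.'
}
```

The HKEY_CURRENT_USER check only covers the account running the script, so run it once per user profile of interest.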

