
Adware.Mycashbag

Updated: October 12, 2007 4:40:46 PM
Type: Adware
Infection Length: 68,936 bytes
Name: Mycashbag
Version: 1.0.0.1
Risk Impact: Low
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP

When the security risk is executed, it creates the following files:
  • %ProgramFiles%\mycashbag\cashbackban.dat
  • %ProgramFiles%\mycashbag\cashbackok.dat
  • %ProgramFiles%\mycashbag\cashbackskip.dat
  • %ProgramFiles%\mycashbag\getinfo.dll
  • %ProgramFiles%\mycashbag\License.txt
  • %ProgramFiles%\mycashbag\mycashbag.dll
  • %ProgramFiles%\mycashbag\uccbp.exe
  • %ProgramFiles%\mycashbag\uninstall.exe


Next, it creates the following registry entry so that it executes whenever Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"MyCashbag" = "%ProgramFiles%\mycashbag\uccbp.exe"

It also creates the following registry subkeys:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{04EF01BB-6BFC-4BF5-B0A8-F15F62E4A541}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{302E917D-6BD5-4E5F-9BFA-602F08A1C12D}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4269BF80-E154-4137-884E-1627CF035202}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{23FE1A81-8A32-4137-ABDE-47D076676E26}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{5AB7B412-F020-406E-BFE9-D9488BEF86DC}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6750144B-49DB-480F-AD0E-66D998E9936D}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{83EBBC91-8A3C-4D0B-8C5B-DF2C9562B43F}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9BC60CB0-D2D0-4C1E-9A34-D39CD2D87E4E}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{A8BAC09E-D965-4896-8E0E-C5B0452BD5F3}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{E4F1A956-BBA6-4FF5-BDE9-7A6A3FF0F5D0}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Getinfo.Util
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Getinfo.Util.1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Mycashbag.ToolBar
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Mycashbag.ToolBar.1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Mycashbag.ViewSource
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Mycashbag.ViewSource.1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB38A9DF-23D4-4252-B207-62E0476CBEAC}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{04EF01BB-6BFC-4BF5-B0A8-F15F62E4A541}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mycashbag
  • HKEY_LOCAL_MACHINE\SOFTWARE\mycashbag
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{04EF01BB-6BFC-4BF5-B0A8-F15F62E4A541}
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FB38A9DF-23D4-4252-B207-62E0476CBEAC}
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4269BF80-E154-4137-884E-1627CF035202}


The security risk installs an Internet Explorer toolbar.

It displays popup advertisements whenever certain Web sites are visited or when the user performs certain searches.
Writeup By: Esmonde Morgan