Threat Profile: Adware-MemWatcher

Virus Profile information details
Risk Assessment: Home N/A | Corporate N/A
Date Discovered: 9/8/2003
Date Added: 9/10/2003
Origin: Unknown
Length: Varies
Type: Program
Subtype: Adware
DAT Required: 4292

Description

This is a Potentially Unwanted Program (PUP) detection. It is not a virus or trojan. PUPs are any piece of software that a reasonably security- or privacy-minded computer user may want to be informed of.

Symptoms

N/A. This is not a virus or trojan.

Method

N/A. This is not a virus or trojan.
   

Virus Characteristics

McAfee(R) AVERT™ recognizes that this program may have legitimate uses in contexts where an authorized administrator has knowingly installed this application. If you agreed to a license agreement for this, or another bundled application, you may have legal obligations with regard to removing this software, or using the host application without this software. Please contact the software vendor for further information.

See http://vil.nai.com/vil/DATReadme.asp for a list of Program detections added to the DATs.

See http://vil.nai.com/vil/pups/configuration.htm for information about how to enable, disable, and exclude detection of legitimately installed programs.

Distribution

This is not a virus or a trojan. It is detected as a "potentially unwanted program." It is a direct-marketing adware application that generates pop-up advertisements while browsing the web.

Upon execution the application drops many executables in the c:\program files\memorywatcher folder and the %windir%\system32 folder. It also periodically tries to download updated copies of the dropped files. It creates multiple hidden files (copies of the same files) in the %windir%\system32 folder that are not visible in Windows Explorer.

The application does not display the name of any associated company, nor does it show a EULA.

The application also spawns at least two more processes with random names, visible in Process Explorer. These processes are persistent and re-spawn themselves if killed. It also launches the Internet Explorer process and starts showing ads without the user visiting any website. It keeps track of the user's browsing habits and displays ads accordingly.

The names of files associated with the adware are:

  • MemoryWatcher_b.exe
  • MemoryWatcher.exe
  • Wowex32.exe ('32' may vary and may not be present at all)

It has been observed to contact the following websites:

Installation

It adds the downloaded files to the Run registry key in order to get executed on each reboot:

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "58AL7EM3JDSP6W" Data: C:\WINDOWS\System32\HotEkc.exe
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MemoryWatcher "DisplayName" Data: Memory Watcher
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MemoryWatcher "UninstallString" Data: C:\Program Files\MemoryWatcher\uninst.exe

It creates the following files upon execution.

The generated files are stored in c:\program files\MemoryWatcher and %windir%\system32.

  • File name: COMCTL32.OCX (Size: 608,448 bytes)
  • File name: TrayIcon.ocx (Size: 36,864 bytes)
  • File name: MemoryWatcher.exe (Size: 53,248 bytes)
    MD5: 15 B3 DC 1B 0D 02 DE 71 09 92 FA 94 13 F7 52 78
  • File name: uninst.exe (Size: 85,886 bytes)
    MD5: 1E 81 D8 A3 11 55 EF 32 76 E2 19 47 F4 18 A2 7E
  • File name: wowex32.exe (Size: 458,752 bytes) 
    MD5: B6 A5 F5 6C B2 50 D6 D1 97 48 37 92 19 46 BA 31

The files in the system32 folder have the system and hidden attributes, so they are not visible in Windows Explorer even if the "show hidden files" option is set. There are multiple copies of the same file in the system32 folder. Whenever one process is killed, the application randomly spawns a copy. The file names are also random. For example, in this case there are five copies of the process Ejo3bl.exe under different names. If this process is killed, one of the other files starts executing.

  • File name: %windir%\system32\Ejo3bI.exe (Size: 233,494 bytes)
    MD5: D5 DA 0C 97 75 3B 55 3B DA FE 21 AA 31 3A F6 B5
  • File name: %windir%\system32\HotEkc.exe (Size: 458,774 bytes)
    MD5: 62 47 6B 86 F8 F7 72 93 4F 07 C6 E4 67 8B 5D 26

Note: whenever the network is available the application downloads its updated copies. In that case the MD5 shown above will change.
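As an added defender-side audit (not a McAfee tool and not part of the original profile), the following PowerShell checks a host for the indicators listed above: the Run value pointing at an executable dropped directly in System32, the MemoryWatcher Uninstall entry, the Program Files directory, and hidden+system executables in System32 hashed against the MD5s in this profile. It assumes an elevated session and PowerShell 4 or later (for Get-FileHash); it only reports and removes nothing.

```powershell
# Audit script for the MemoryWatcher indicators in this profile (added example).
# Read-only: it reports findings and does not delete files or registry values.

# MD5s from the profile (updated downloads change them, so treat a miss as
# "unknown, review" rather than "clean").
$KnownMd5 = @{
    '15B3DC1B0D02DE710992FA9413F75278' = 'MemoryWatcher.exe'
    '1E81D8A31155EF3276E21947F418A27E' = 'uninst.exe'
    'B6A5F56CB250D6D1974837921946BA31' = 'wowex32.exe'
    'D5DA0C97753B553BDAFE21AA313AF6B5' = 'Ejo3bI.exe'
    '62476B86F8F772934F07C6E4678B5D26' = 'HotEkc.exe'
}
$Findings = @()

# 1. Persistence. The Run value name is random, so key on the data instead:
#    an executable launched straight out of System32 from Run deserves review.
$Run = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($Run) {
    foreach ($p in $Run.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }           # skip the provider's own PS* members
        if ("$($p.Value)" -match '\\system32\\[^\\]+\.exe') {
            $Findings += "Run value '$($p.Name)' -> $($p.Value)"
        }
    }
}
$Uninst = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MemoryWatcher'
if (Test-Path $Uninst) {
    $u = Get-ItemProperty -Path $Uninst
    $Findings += "Uninstall entry: $($u.DisplayName) ($($u.UninstallString))"
}

# 2. Dropped files: the named directory, plus hidden+system .exe files in System32,
#    which Explorer hides even with "show hidden files" enabled.
$ProgDir = Join-Path $env:ProgramFiles 'MemoryWatcher'
if (Test-Path $ProgDir) { $Findings += "Directory present: $ProgDir" }

$Sys32 = Join-Path $env:windir 'System32'
$Suspects = Get-ChildItem -Path $Sys32 -Filter '*.exe' -File -Force -ErrorAction SilentlyContinue |
    Where-Object {
        (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) -and
        (($_.Attributes -band [IO.FileAttributes]::System) -ne 0)
    }
foreach ($f in $Suspects) {
    $md5 = (Get-FileHash -Path $f.FullName -Algorithm MD5).Hash
    $tag = if ($KnownMd5.ContainsKey($md5)) { "matches $($KnownMd5[$md5])" } else { 'unknown, review' }
    $Findings += "Hidden+system exe: $($f.FullName) ($($f.Length) bytes, MD5 $md5, $tag)"
}

if ($Findings.Count -eq 0) { 'No MemoryWatcher indicators found.' } else { $Findings }
```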

EULA at a glance

Some interesting parts of the EULA as given on the website www.memorywatcher.com/TOS.html (as of January 21, 2005 ) are:

(Note: This version of program does not show EULA at the time of installation.)

1)    By installing the Memory Watcher Software on your computer, you understand that: (i) Several ADVERTISING CONSOLES may be launched for the duration of time you spend online. These consoles may continue to be launched as long as you have MemoryWatcher installed on your machine. MemoryWatcher does not monitor the activities or collect information from users once they have left MemoryWatcher.

2)   QuadroGram may automatically transmit to and install on your computer, Software improvements, corrections, adaptations, conversions to more recent Software versions or any other changes to the Software, with or without giving notice.

3)   By using the Software, you may be exposed to contaminated files, computer viruses, eavesdropping, harassment, electronic trespassing, hacking and other harmful acts or consequences that might lead to unauthorized invasion of privacy, loss of data and other damages. Under no circumstances and under no legal theory, tort, contract, or otherwise, shall QuadroGram, its licensors, or any of its affiliated entities be liable to you or any other person for any direct, special, incidental, or consequential damages of any kind including, without limitation, damages for loss of goodwill, work stoppage, computer failure or malfunction, loss of data, loss of functionality, or any and all other commercial or non-commercial damages or losses, even if QuadroGram shall have been informed of the possibility of such damages, or for any claim by any other party. The Software is provided for your use, as described above, free of charge, and is supported by advertising revenue. By downloading the Memory Watcher software, you agree to receive advertising messages delivered on your computer in any form and of any frequency.

Final word: even when the MemoryWatcher application is closed, the ads keep showing, contrary to what the EULA says.

Note: This is not the "whole" EULA; the author has extracted some points of interest purely as examples.
