Virus Characteristics
This is not a virus or trojan. It is a potentially unwanted program that requires users to download an installer and agree to the terms of the program, which include sending a message to all users on your AOL Instant Messenger buddy list with a link to the installer page.
This application works when a user visits the www.wgutv.com or download.buddylinks.net websites. A link to these sites arrives in an instant message. Once the page has loaded, users are prompted to install and run a program.
The full license agreement is here:
http://www.wgutv.com/terms.html
Excerpt:
| ...In addition, the Software will interoperate with your current instant messaging client so as to permit the automatic sending of advertising messages originating from your Computer to your contact or "buddy" list regarding Content offered by PSD Tools or its suppliers. If you desire to stop this activity, you may elect to stop the messages by navigating to the "buddylinks.net" entry in your "Start Menu", selecting the "buddylinks.net Configuration" item, and unchecking the appropriate option. You may also refer to PSD Tools’ website at http://www.psdtools.com for an uninstaller
The application creates several directories in the following folders:
- %Program Files%\buddylinks.net
- %Program Files%\Common Files\PSD Tools
A registry run key is created to load one of the components:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "PSD Tools Channel" = C:\Program Files\Common Files\PSD Tools\ChannelUp.exe
The following files may be present on a machine that has run this application:
- %Start Menu%\buddylinks.net\Games\Saddam Escapes\Play.lnk
- %Start Menu%\buddylinks.net\Games\Saddam Escapes\Uninstall.lnk
- %Program Files%\buddylinks.net\Games\Saddam Game\Disabled.jpg
- %Program Files%\buddylinks.net\Games\Saddam Game\Down.jpg
- %Program Files%\buddylinks.net\Games\Saddam Game\Mask.bmp
- %Program Files%\buddylinks.net\Games\Saddam Game\Normal.jpg
- %Program Files%\buddylinks.net\Games\Saddam Game\Over.jpg
- %Program Files%\buddylinks.net\Games\Saddam Game\saddam.swf
- %Program Files%\buddylinks.net\Games\Saddam Game\shell.exe
- %Program Files%\buddylinks.net\Games\Saddam Game\skin.ini
- %Program Files%\buddylinks.net\Games\Saddam Game\uninst.exe
- %Program Files%\Common Files\PSD Tools\ChannelUp.exe
- %WinDir%\Downloaded Program Files\ShellInstaller.INF
- %WinDir%\Downloaded Program Files\ShellInstaller.ocx
- %temp%\game_dl.exe
- %temp%\game_install.exe
The following registry keys are also evidence that this application was run:
- HKEY_CLASSES_ROOT\Interface\{00D38C81-14B3-44DE-B023-3BDC5BDE4FEC}
- HKEY_CLASSES_ROOT\CLSID\{FDDCE9FF-1FC6-413C-80B1-37B101FDA1D4}
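A check for the artifacts listed above, as an added PowerShell example that is not part of the original description. The mapping of the placeholders (%Program Files%, %Start Menu%, %WinDir%, %temp%) to real locations is an assumption, and the Run key check covers only the user the script runs as.

```powershell
# Added example, not vendor code. Assumption: the description's placeholders
# map to these locations; both Program Files roots are checked on 64-bit hosts.
$roots = @{
    '%Program Files%' = @($env:ProgramFiles, ${env:ProgramFiles(x86)})
    '%Start Menu%'    = @([Environment]::GetFolderPath('StartMenu'),
                          [Environment]::GetFolderPath('CommonStartMenu'))
    '%WinDir%'        = @($env:WINDIR)
    '%temp%'          = @($env:TEMP)
}

# File and directory indicators copied from the description.
$paths = @(
    '%Program Files%\buddylinks.net'
    '%Program Files%\Common Files\PSD Tools\ChannelUp.exe'
    '%Start Menu%\buddylinks.net'
    '%WinDir%\Downloaded Program Files\ShellInstaller.INF'
    '%WinDir%\Downloaded Program Files\ShellInstaller.ocx'
    '%temp%\game_dl.exe'
    '%temp%\game_install.exe'
)

# Registry keys the description lists as evidence the application was run.
$keys = @(
    'Registry::HKEY_CLASSES_ROOT\Interface\{00D38C81-14B3-44DE-B023-3BDC5BDE4FEC}'
    'Registry::HKEY_CLASSES_ROOT\CLSID\{FDDCE9FF-1FC6-413C-80B1-37B101FDA1D4}'
)

$hits = @()
foreach ($p in $paths) {
    $token = $p.Substring(0, $p.IndexOf('%', 1) + 1)   # e.g. '%WinDir%'
    $rest  = $p.Substring($token.Length)               # remainder of the path
    $candidates = $roots[$token] | Where-Object { $_ } | Select-Object -Unique
    foreach ($root in $candidates) {
        $full = $root + $rest
        if (Test-Path -LiteralPath $full) { $hits += "path  $full" }
    }
}

# The Run value is per-user (HKCU): this checks the current user's hive only.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -LiteralPath $runKey -Name 'PSD Tools Channel' -ErrorAction SilentlyContinue
if ($run) { $hits += "run   PSD Tools Channel = $($run.'PSD Tools Channel')" }

foreach ($k in $keys) {
    if (Test-Path -LiteralPath $k) { $hits += "key   $k" }
}

# Print each artifact found, or a single line when the host looks clean.
if ($hits) { $hits } else { 'No buddylinks.net / PSD Tools artifacts found.' }
```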