Malware Domain List

Malware Related => Malware Analysis => Topic started by: JohnC on May 25, 2009, 09:20:21 pm

Title: Cash4Downloads is Adware?
Post by: JohnC on May 25, 2009, 09:20:21 pm
cash4downloads.com  (c4dl.com) is a website which has various software available for download. Does any of their software contain adware?




Looks quite good when scanning at VirusTotal, though I know that in the past they have been tagged, for example this older DivoCodec file has some (generic) detections:
67.15.107.166/files/codec_dv/071213/DivoCodec-1.0.0.2-setup-0712.exe
http://www.virustotal.com/analisis/de84ae396b2472dc5102aec2aa5766f3e2eaced56f83e1d54e1c01764551ee93-1243285015
And their Anti-Leech software also has some detections:
dl.anti-leech.com/alatk.exe
http://www.virustotal.com/analisis/fbbee7d59c2a3f8250550cab683b6aafed6367c21aa871c549a695c96d245f62-1243285137
Title: Re: Cash4Downloads is Adware?
Post by: CkreM on May 25, 2009, 10:20:45 pm
under each of their d/l links they have this:
http://cash4downloads.com/info_adware.php
Quote
Adware information

Programs financed by advertisement are completely free for your visitors to download and install. We earn money by showing advertisement on the users computer and can therefore pay you for every free installation.

You can advertise these programs as free.
Title: Re: Cash4Downloads is Adware?
Post by: MysteryFCM on May 25, 2009, 10:47:30 pm
Guess it is ...... installer downloads;

http://install.lunaplayer.com/get_file.php?file=htmlcontrol

Which NOD flagged as Win32/Adware.Agent.NML
Title: Re: Cash4Downloads is Adware?
Post by: MysteryFCM on May 25, 2009, 10:55:47 pm
Also referenced in the .nsi file;

sms.wakenet.se/sms_purchase.php?AppProgram=player_lu&AppVersion=1.2.0.0&AppName=LunaPlayer&AppUrl=www.lunaplayer.com&type=nsis&affid_tr=CS_119&AppUrlSupport=anti.lunaplayer.com/index.php?go=support", t "LunaPlayer Setup", t "$INSTDIR\LunaPlayer.exe")i.r9

http://hosts-file.net/?s=sms.wakenet.se
Title: Re: Cash4Downloads is Adware?
Post by: JohnC on May 25, 2009, 11:01:19 pm
Quote
Guess it is ...... installer downloads;

http://install.lunaplayer.com/get_file.php?file=htmlcontrol

Which NOD flagged as Win32/Adware.Agent.NML

That URL gives you http://space.cachefly.net/INScript.dll

http://www.virustotal.com/analisis/bad814fc18182c9e2b173ce73d7ef872274bbf1097c9ee3302e0a16b40f82df7-1243292292

Personally speaking, if a piece of software has advertisements which are part of the program, like a little banner at the top, I don't think it should be tagged. I believe the Adware classification should be used for programs that give annoying popups/popunders.
Title: Re: Cash4Downloads is Adware?
Post by: MysteryFCM on May 25, 2009, 11:04:54 pm
Are we sure that actually is just internal adware though? (a-squared is saying it's Zlob)
Title: Re: Cash4Downloads is Adware?
Post by: JohnC on May 25, 2009, 11:08:01 pm
I haven't checked their software. It was just a comment in general about Adware :)
Title: Re: Cash4Downloads is Adware?
Post by: MysteryFCM on May 25, 2009, 11:13:38 pm
hehe okie, no worries :)
Title: Re: Cash4Downloads is Adware?
Post by: CkreM on May 25, 2009, 11:53:47 pm
One of their free software (hxxp://dl.3wplayer.com/fr/3wPlayer-2.1.0.0-setup.exe) changes your IE startup page to www2.iesearch.com
not sure if that's legit..
http://www.google.com/#hl=en&q=www2.iesearch.com&btnG=Google+Search&aq=f&oq=www2.iesearch.com&fp=FqKnkuCRnN0

Other than that didn't see anything else.
Title: Re: Cash4Downloads is Adware?
Post by: JohnC on May 26, 2009, 12:18:12 am
There is a category for malware which changes your start page in your browser. Trojan.StartPage.XX

What criteria does malware need to meet in order to get that tag?

I think if it does it automatically, without your consent, indeed it should be tagged. But how about when you're asked?

(http://img38.imageshack.us/img38/3688/3wplayer.png)

In this case it does ask you if you want to change your start page. I think ethically speaking all programs like this should have the checkbox unchecked by default, but that is just my opinion. If you uncheck it, it will not change your start page. However if you leave it as it is, then your start page will be changed to http://www2.iesearch.com like you mentioned.

On a separate note, this program has a bug. When you uninstall it, it asks if you would like to revert back to your original start page (it asks you this whether you changed your start page or not). If you click yes, regardless of what your homepage was originally, it will be changed to msn.com.
Title: Re: Cash4Downloads is Adware?
Post by: CkreM on May 26, 2009, 12:22:15 am
my bad, just clicked next next next to see what it does on the computer :)
didn't notice that actually.
Title: Re: Cash4Downloads is Adware?
Post by: MysteryFCM on May 26, 2009, 12:37:08 am
Related;

http://www.sophos.com/security/analyses/viruses-and-spyware/trojstartpbj.html
http://www.siteadvisor.com/sites/divocodec.com/downloads/
http://www.siteadvisor.com/sites/iesearch.com/downloads/3008202/
http://www.threatexpert.com/report.aspx?md5=aab7c653e1fba61444586e0852542b1a
Title: Re: Cash4Downloads is Adware?
Post by: CM_MWR on May 26, 2009, 01:06:33 am
Quote
I believe the Adware classification should be used for programs that give annoying popups/popunders.

Heh....like Free Antivir when it updates, eh?

I consider that adware myself.  ;D
Title: Re: Cash4Downloads is Adware?
Post by: RS-232 on May 26, 2009, 05:29:54 pm
Regarding 3wPlayer:
http://www.kennethsorling.se/scams/3wplayer.htm