Vulnerability Development mailing list archives

Re: All Advantage Spyware

From: George Karatsiolis <benettor () IRC GR>
Date: Sat, 16 Sep 2000 15:53:35 +0300

Exploring advert.dll version 2.0 (build 12) (the one on Go!Zilla 3.5)
I found that:

- advert.dll *DOES NOT* collects current system user name as listed on
  Software\Microsoft\Windows\CurrentVersion\RegisteredOwner
  and RegisteredOrganization.

- advert.dll *DOES NOT* opens a listen() socket to accept commands from
  a remote machine.

- advert.dll creates a hidden window with "advert.dll hidden window"
  ClassName:

:0040B926 C745E074A44600          mov [ebp-20], 0046A474
:0040B92D 51                      push ecx

  (USER32.RegisterClassA)

:0040B92E E8D9B60500              Call 0046700C
:0040B933 6A00                    push 00000000
:0040B935 8B432E                  mov eax, dword ptr [ebx+2E]
:0040B938 50                      push eax
:0040B939 6A00                    push 00000000
:0040B93B 6A00                    push 00000000
:0040B93D 6A10                    push 00000010
:0040B93F 6A10                    push 00000010
:0040B941 6A00                    push 00000000
:0040B943 6A00                    push 00000000
:0040B945 6A00                    push 00000000

  and caption: "[hidden window]":

:0040B947 68A6A44600              push 0046A4A6
:0040B94C 688DA44600              push 0046A48D
:0040B951 6A00                    push 00000000

  (USER32.CreateWindowExA)

:0040B953 E8A4B40500              Call 00466DFC
:0040B958 8BF0                    mov esi, eax
:0040B95A 89732A                  mov dword ptr [ebx+2A], esi
:0040B95D 53                      push ebx

- advert.dll calls from "Rasapi32.dll" the following functions:

  RasEnumConnectionsA
  RasGetConnectStatusA
  RasHangUpA
  RasEnumEntriesA
  RasDialA
  RasGetErrorStringA

  and enums all dialup sessions and collects information such
  as ISP Name, Dialup Number (incl. area code) and Username (only
  username without the password).

  See what MSDN Microsoft says about:

  * RasEnumConnections: This function lists all active RAS connections.
    It returns each connections handle and phone book entry name.

  * RasHangUpA: The RasHangUp function terminates a remote access
    connection. The connection is specified with a RAS connection handle.

  RasHangUpA ? ;-)

- advert.dll communicates with http://www.adsoftware.com/

- advert.dll collects information for all installed applications from:
  "SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths"

:0040A944 689DA14600              push 0046A19D
:0040A949 6802000080              push 80000002
:0040A94E 8D4DDC                  lea ecx, dword ptr [ebp-24]
:0040A951 51                      push ecx
:0040A952 E871F3FFFF              call 00409CC8
:0040A957 83C40C                  add esp, 0000000C
:0040A95A FF859CFDFFFF            inc dword ptr [ebp+FFFFFD9C]
:0040A960 66C78590FDFFFF5000      mov word ptr [ebp+FFFFFD90], 0050
:0040A969 66C78590FDFFFF5C00      mov word ptr [ebp+FFFFFD90], 005C

- advert.dll beyond other, imports the following DLL and functions:

ADVAPI32.dll:
-------------
RegCloseKey, RegCreateKeyExA, RegDeleteKeyA, RegDeleteValueA,
RegEnumKeyExA,
RegEnumValueA, RegQueryInfoKeyA, RegQueryValueExA, RegSetValueExA

KERNEL32.dll:
-------------
CloseHandle, CreateDirectoryA, CreateFileA, CreateFileW, CreateMutexA
CreateThread, DeleteCriticalSection, DeleteFileA, DeleteFileW
DosDateTimeToFileTime, DuplicateHandle, EnterCriticalSection
ExitProcess, ExitThread, FileTimeToDosDateTime
FileTimeToLocalFileTime, FindClose, FindFirstFileA, FindNextFileA
FindResourceA, FreeEnvironmentStringsA, FreeLibrary FreeResource,
GetACP, GetCPInfo, GetCurrentProcess, GetCurrentProcessId
GetCurrentThread, GetCurrentThreadId, GetDateFormatA, GetDriveTypeA
GetEnvironmentStrings, GetExitCodeThread, GetFileAttributesA
GetFileAttributesW, GetFileSize, GetFileTime, GetFileType
GetFullPathNameA, GetLastError, GetLocalTime, GetModuleFileNameA,
GetModuleHandleA, GetPrivateProfileStringA, GetProcAddress,
GetStartupInfoA, GetStdHandle, GetStringTypeW, GetSystemInfo
GetTempFileNameA, GetTempPathAGetTimeZoneInformation, GetVersion
GetVersionExA, GetVolumeInformationA, GetWindowsDirectoryA, GlobalAlloc
GlobalFree, GlobalLock, GlobalMemoryStatus, GlobalUnlock,
InitializeCriticalSection, LeaveCriticalSection, LoadLibraryA
LoadResource, LocalAlloc, LocalFileTimeToFileTime, LocalFree, LocalHandle
LocalLock, LocalReAlloc, LocalUnlock, LockResource, MoveFileExA, MulDiv
MultiByteToWideChar, RaiseException, ReadFile, ReleaseMutex
ReleaseSemaphore, ResumeThread, RtlUnwind, SetConsoleCtrlHandler
SetEndOfFile, SetErrorMode, SetFileAttributesA, SetFilePointer
SetFileTime, SetHandleCount, SetThreadPriority, SizeofResource, Sleep
SleepEx, SuspendThread, TerminateThread, TlsAlloc, TlsFree, TlsGetValue
TlsSetValue, UnhandledExceptionFilter, VirtualAlloc, VirtualFree
VirtualQuery, WaitForMultipleObjectsEx, WaitForSingleObject,
WaitForSingleObjectEx, WideCharToMultiByte, WinExec, WriteFile, lstrcmpA
lstrcmpiA

WSOCK32.dll:
------------
WSAAsyncGetHostByName, WSAAsyncSelect, WSACancelAsyncRequest, WSACleanup
WSAGetLastError, WSAStartup, closesocket, connect, htonl, htons
inet_addr, ioctlsocket, ntohl, ntohs, recv, select, send, shutdown
socket

- advert.dll exports:

__stdcall SocketWndProc(HWND__ *, unsigned int, unsigned int, long)
__lockDebuggerData(), __unlockDebuggerData(), _GetStatus
_IsConnectOkay, _OnClick, _Paint, _RetryConnect, _SetAdRecordedCallback
_SetBandwidthThrottle, _SetCallback, _SetMinimumAdDisplayTime
_SetNetworkCallback, _SetNetworkState, _SetProxy, _Shutdown, _StartOffline
_Startup, _StopOffline, _UseDefaultAd, __DebuggerHookData, _adler32
_compress, _debugTriggerEvent, _deflate, _deflateCopy, _deflateEnd
_deflateInit2_, _deflateInit_, _deflateParams, _deflateReset,
_deflateSetDictionary, _inflate, _inflateEnd, _inflateInit2_
_inflateInit_, _inflateReset, _inflateSetDictionary, _inflateSync
_zlibVersion, std_GetStatus, std_IsConnectOkay, std_OnClick, std_Paint,
std_RetryConnect, std_SetAdRecordedCallback, std_SetBandwidthThrottle
std_SetCallback, std_SetMinimumAdDisplayTime, std_SetNetworkCallback
std_SetNetworkState, std_SetProxy, std_Shutdown, std_Startup
std_UseDefaultAd, std_debugTriggerEvent

- advert.dll contains the following resources:

  1 Bitmap (company logo)
  1 Icon
  6 Dialogs (that prompts for user information)
  24 RCData, GIF files of 57k
  Version Information

- advert.dll contains the following messages ;-) :

  * The quick brown fox jumped over the moon.
  * The eagle has landed on the lazy dog.
  * The buzzard flies at one.
  * The truth is out there.



Visit http://egnatia.ee.auth.gr/~gkar/wintask and download WinTask 9x/NT.
This utility allows you to list and stop any process that runs on your
computers. Stop that hidden window and you will not receive and send
information. Mail me for suggestions and bugs.

If someone has an advert.dll older than version 2.0 (build 12) please
contact me asap.

More information on advert.dll on a future post.

George Karatsiolis
gkar () ee auth gr
benettor () irc gr

Current thread:

Re: All Advantage Spyware, (continued)
- - Re: All Advantage Spyware Jonathan Rickman (Sep 13)
    - Re: All Advantage Spyware Daniel McCranie (Sep 13)
    - Re: All Advantage Spyware Vitaly Osipov (Sep 14)
    - What is AIM Adware? (Re: All Advantage Spyware) Vitaly Osipov (Sep 15)
    - Re: What is AIM Adware? (Re: All Advantage Spyware) Juan M. Courcoul (Sep 16)
    - Re: What is AIM Adware? (Re: All Advantage Spyware) jlarimer (Sep 16)
    - Re: What is AIM Adware? (Re: All Advantage Spyware) Vitaly Osipov (Sep 16)
    - Re: All Advantage Spyware Warren Young (Sep 16)
- Re: All Advantage Spyware Flaherty, Jack (Sep 12)
  - Re: All Advantage Spyware rompa (Sep 14)
    - Re: All Advantage Spyware George Karatsiolis (Sep 16)
- Re: All Advantage Spyware Blue Boar (Sep 12)
- Re: All Advantage Spyware Mark Collins (Sep 13)