Adware:Win32/GamePlayLabs
First posted on 07 June 2012.
Source: Microsoft
Aliases:
Adware:Win32/GamePlayLabs is also known as W32/GamePlay.B (Norman), ADSPY/GamePlayLabs.A.13 (Avira).
Explanation:
Adware:Win32/GamePlayLabs is a program that collects data when you browse websites. It then uses this data to display targeted advertising.
Installation
You may install Adware:Win32/GamePlayLabs electively from a specific website.
Upon installation, Adware:Win32/GamePlayLabs may create different files to run in different Internet browsers. For example, it installs the following files to run in Internet Explorer:
- %Application Data%\GamePlayLabs Plugin\BHO.dll
- %Application Data%\GamePlayLabs Plugin\gplplugin.crx
- %Application Data%\GamePlayLabs Plugin\gplplugin.xpi
- %Application Data%\GamePlayLabs Plugin\setup.ini
- %Application Data%\GamePlayLabs Plugin\Uninstall.exe
Note: %Application Data% refers to the application data directory, for example: c:\Documents and Settings\Administrator\Local Settings\Application Data
Adware:Win32/GamePlayLabs adds itself as a Firefox extension by adding the following directories with supporting files:
- %DefaultFirefoxProfile%\extensions\plugin3@gameplaylabs.com
- %DefaultFirefoxProfile%\extensions\plugin3@gameplaylabs.com\chrome\content
- %DefaultFirefoxProfile%\extensions\plugin3@gameplaylabs.com\chrome\locale\en-US
- %DefaultFirefoxProfile%\extensions\plugin3@gameplaylabs.com\defaults\preferences
Note: %DefaultFirefoxProfile% refers to the location that Firefox uses to store its profiles, for example: c:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\zi8xn3a1.default
Below are some examples of Firefox files we have observed being installed:
- chrome.manifest
- ff-overlay.xul
- icon.png
- install.rdf
- overlay.js
- overlay.properties
- prefs.js
- setup.ini
Adware:Win32/GamePlayLabs adds itself as a Google Chrome extension by adding the following directories with supporting files:
- %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions\<random characters>\1.0_0
- %LOCALAPPDATA%\Google\Chrome\User Data\Default\Local Storage\chrome-extension_<random characters>_0.localstorage
Below are some examples of Google Chrome files we have observed being installed:
- background.html
- gameplaylabs.png
- gameplaylabsplugin.js
- manifest.json
- npGamePlayLabsPlugin.dll
Adware:Win32/GamePlayLabs makes the following changes to the registry:
Program behavior
Creates the following subkey:
HKCU\Software\GamePlayLabs
Registers itself as a BHO (Browser Helper Object) by adding the following subkeys:
HKLM\SOFTWARE\Classes\AppID\BHO.DLL
HKLM\SOFTWARE\Classes\AppID\{65C994A2-C65A-4A20-BA92-AADAFC0DCE49}
HKLM\SOFTWARE\Classes\BHO.GamePlayLabsBHO
HKLM\SOFTWARE\Classes\BHO.GamePlayLabsBHO.1
HKLM\SOFTWARE\Classes\CLSID\{984A9162-8891-4D19-8CFE-17648BB4E1EC}
HKLM\SOFTWARE\Classes\Interface\{8E7AD93B-3E87-423D-947F-A321FA7E31C4}
HKLM\SOFTWARE\Classes\TypeLib\{199C34A4-5436-403F-A250-219E16672570}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{984A9162-8891-4D19-8CFE-17648BB4E1EC}
Adds the following subkey, values and data to add an uninstall entry to the Add/remove programs list dialog:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GamePlayLabs Plugin
Sets value: "DisplayName"
With data: "GamePlayLabs Plugin"
Sets value: "UninstallString"
With data: "\Application Data\GamePlayLabs Plugin\Uninstall.exe"
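The file and registry artifacts listed above can be checked in one pass on a suspect machine. The PowerShell function below is an added example, not part of the original write-up: all paths, key names and the BHO CLSID come from this page, while the function name, the WOW6432Node registry views (where 32-bit software registers on 64-bit Windows) and the extra check of the roaming application data directory are assumptions added here.

```powershell
# Added example: triage for the GamePlayLabs artifacts listed on this page.
# Function and variable names are illustrative, not from the original page.
function Find-GamePlayLabsArtifact {
    $hits = New-Object System.Collections.Generic.List[string]

    # Registry: HKCU subkey, BHO registration and uninstall entry (from the page).
    $bho  = '{984A9162-8891-4D19-8CFE-17648BB4E1EC}'
    $hklm = @(
        'Classes\BHO.GamePlayLabsBHO',
        "Classes\CLSID\$bho",
        "Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$bho",
        'Microsoft\Windows\CurrentVersion\Uninstall\GamePlayLabs Plugin'
    )
    $regKeys = @('HKCU:\Software\GamePlayLabs')
    # Assumption: also look in the 32-bit view used on 64-bit Windows.
    foreach ($root in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node') {
        $regKeys += $hklm | ForEach-Object { "$root\$_" }
    }
    foreach ($k in $regKeys) {
        if (Test-Path -LiteralPath $k) { $hits.Add("registry: $k") }
    }

    $local   = [Environment]::GetFolderPath('LocalApplicationData')
    $roaming = [Environment]::GetFolderPath('ApplicationData')

    # Plugin directory. The page's example is the local directory;
    # the roaming one is checked as well (assumption).
    foreach ($base in $local, $roaming) {
        $p = Join-Path $base 'GamePlayLabs Plugin'
        if (Test-Path -LiteralPath $p) { $hits.Add("directory: $p") }
    }

    # Firefox: the extension ID is fixed, so test it in every profile.
    $profiles = Join-Path $roaming 'Mozilla\Firefox\Profiles'
    Get-ChildItem -LiteralPath $profiles -ErrorAction SilentlyContinue | ForEach-Object {
        $ext = Join-Path $_.FullName 'extensions\plugin3@gameplaylabs.com'
        if (Test-Path -LiteralPath $ext) { $hits.Add("firefox: $ext") }
    }

    # Chrome: the extension ID is random, so match on the observed file names.
    $chrome = Join-Path $local 'Google\Chrome\User Data\Default\Extensions'
    Get-ChildItem -LiteralPath $chrome -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -in 'npGamePlayLabsPlugin.dll', 'gameplaylabsplugin.js' } |
        ForEach-Object { $hits.Add("chrome: $($_.FullName)") }

    return $hits
}

Find-GamePlayLabsArtifact
```

The function only inspects the profile of the user running it; HKCU and the application data paths differ per account, so run it once for each user profile of interest.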
If you install the program, you may be asked to provide certain personal information during the registration process. Adware:Win32/GamePlayLabs may store this information, then later use it to display targeted advertising on your computer. You may also be sent a questionnaire requesting more information for the same purpose of providing targeted advertising.
Adware:Win32/GamePlayLabs has also been observed collecting information when you visit the GamePlayLabs website, such as:
- Email addresses
- Passwords
- Computer name
- Internet connection information
Once installed, Adware:Win32/GamePlayLabs may collect your browsing data and then use this information to display targeted advertising.
After it is installed as a BHO, Adware:Win32/GamePlayLabs appears in the Internet Explorer 'Manage Add-ons' dialog.
After it is installed as a Firefox extension, Adware:Win32/GamePlayLabs appears in the Firefox 'Add-ons' dialog.
The data-collecting behavior of Adware:Win32/GamePlayLabs is mentioned in its end-user license agreement (EULA).
Analysis by Michael Johnson & Ding Plazo
Last update 07 June 2012