Adware:Win32/ClickPotato
First posted on 23 April 2019.
Source: Microsoft
Aliases :
Adware:Win32/ClickPotato is also known as ADSPY/AdSpy.Gen2, AdWare.AdSpy, Pinball.
Explanation :
Adware:Win32/ClickPotato is a program that displays pop-up and notification-style advertisements based on the user's browsing habits. ClickPotato offers a free tool that allows users to access and search free streaming videos of popular films and TV shows. The tool is a multi-component adware program designed to monitor a user's online browsing behavior to deliver targeted advertising. It may also install components related to Win32/Hotbar and Win32/ShopperReport.

Installation
Adware:Win32/ClickPotato makes the following changes to the registry:
Adds subkey: HKLM\SOFTWARE\ClickPotatoLite
Adds subkey: HKLM\SOFTWARE\Classes\MenuButtonIE.ButtonIE
Adds subkey: HKLM\SOFTWARE\Classes\MenuButtonIE.ButtonIE.1
Adds subkey: HKLM\SOFTWARE\Classes\AppID\MenuButtonIE.DLL
Adds subkey: HKLM\SOFTWARE\Classes\CLSID\{7A3D6D17-9DD5-4C60-8076-D1784DABAF8C}
Adds subkey: HKLM\SOFTWARE\Classes\AppID\{11C27351-716B-4052-9361-E3B0A3F8221C}
Adds subkey: HKLM\SOFTWARE\Classes\TypeLib\{814BAA91-DC22-4350-87D6-0C86E93F7F08}
Adds subkey: HKLM\SOFTWARE\Classes\ClickPotatoLiteAX.Info
Adds subkey: HKLM\SOFTWARE\Classes\ClickPotatoLiteAX.Info.1
Adds subkey: HKLM\SOFTWARE\Classes\ClickPotatoLiteAX.UserProfiles
Adds subkey: HKLM\SOFTWARE\Classes\ClickPotatoLiteAX.UserProfiles.1
Adds subkey: HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B58926D6-CFB0-45d2-9C28-4B5A0F0368AE}
Adds value: "ButtonText"
With data: "ClickPotato"
Adds value: "CLSID"
With data: "{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}"
Adds value: "ClsidExtension"
With data: "{7A3D6D17-9DD5-4C60-8076-D1784DABAF8C}"
Adds value: "Default Visible"
With data: "Yes"
Adds value: "HotIcon"
With data: "C:\Program Files\ClickPotatoLite\bin\10.0.511.0\ClickPotatoLiteSABHO.dll,201"
Adds value: "Icon"
With data: "C:\Program Files\ClickPotatoLite\bin\10.0.511.0\ClickPotatoLiteSABHO.dll,201"
To subkey: HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B58926D6-CFB0-45d2-9C28-4B5A0F0368AE}
Adds value: "ClickPotatoLiteSA"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adds value: "ClickPotatoLiteSA"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Adware:Win32/ClickPotato makes the following system changes to the user's computer:
Creates directory:
%programfiles%\ClickPotatoLite\bin\10.0.%varies%.0
Where %programfiles% represents the user's program folder and %varies% is a three-digit number indicating the release number.
Creates the following files in this directory:
ClickPotatoLiteSA.exe
ClickPotatoLiteSAAX.dll
ClickPotatoLiteSABHO.dll
ClickPotatoLiteSAHook.dll
ClickPotatoLiteUninstaller.exe
Creates directory:
%programfiles%\ClickPotatoLite\bin\10.0.%varies%.0\firefox\extensions
Where %programfiles% represents the user's program folder and %varies% is a three-digit number indicating the release number.
Creates the following files in this directory:
chrome.manifest
install.rdf
Creates directory:
%programfiles%\ClickPotatoLite\bin\10.0.%varies%.0\firefox\extensions\plugins
Where %programfiles% represents the user's program folder and %varies% is a three-digit number indicating the release number.
Creates the following file in this directory:
npclntax_ClickPotatoLiteSA.dll
Creates directory:
ClickPotato
Note: the 'Start Menu' folder is a variable location that is determined by the malware by querying the operating system. The default location for the 'Start Menu' folder for Windows 9x, Me, NT, 2000, XP and 2003 is '%USERPROFILE%\Start Menu'. For Windows Vista and 7, the default location is '%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu'.
Creates the following files in this directory:
About Us.lnk
ClickPotato Customer Support.lnk
ClickPotato Uninstall Instructions.lnk
Creates directory:
%programdata%\ClickPotatoLiteSA
Where %programdata% represents the user's programdata folder, that is, C:\ProgramData.
Creates the following files in this directory:
ClickPotatoLiteSA.dat
ClickPotatoLiteSAAbout.mht
ClickPotatoLiteSAau.dat
ClickPotatoLiteSAEULA.mht
ClickPotatoLiteSA_hpk.dat
ClickPotatoLiteSA_kyf.dat

Program behavior
Creates shortcuts
Once installed, Adware:Win32/ClickPotato can be seen as a shortcut on an Internet Explorer toolbar. The adware's presence can also be seen in the 'Manage Add-ons' window. Adware:Win32/ClickPotato may also display an icon on a user's desktop.

Bundles with other programs
Adware:Win32/ClickPotato may be distributed bundled with known free download software such as: FLVBlaster VLC Xvid Easy Video OpenOffice Lime Wire eMule ARES 2010 Version Audacity 7zip
The installer may also include other adware programs such as Adware:Win32/HotBar, Adware:Win32/ShopperReport and BrowserModifier:Win32/Zwangi.

Displays in multiple browsers
In the wild, we have observed Win32/ClickPotato running in the following browsers:
Internet Explorer 6
Internet Explorer 7
Internet Explorer 8
Firefox 3.6
Firefox 4.0

Analysis by Michael Johnson & Methusela Ferrer
Last update 23 April 2019
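
The following is an added example, not part of the original write-up: a Python triage pass that matches the registry keys and file paths listed under Installation against an exported endpoint inventory, treating %varies% as any three-digit release number. The inventory format ((host, path) pairs, with a registry value written as the last path component), the host names, and the WOW6432Node and "Program Files (x86)" handling are assumptions; the sample rows are constructed.

```python
import re

# Patterns built from the registry keys and paths listed under "Installation".
# VER stands in for the page's %varies% (a three-digit release number).
VER = r"10\.0\.\d{3}\.0"
# Assumption: 32-bit installs on 64-bit Windows appear under WOW6432Node.
HKLM = r"^(?:HKLM|HKEY_LOCAL_MACHINE)\\SOFTWARE\\(?:WOW6432Node\\)?"
INDICATORS = {
    "install_dir": r"\\ClickPotatoLite\\bin\\" + VER + r"(?:\\|$)",
    "data_dir": r"^[A-Z]:\\.*\\ClickPotatoLiteSA(?:\\|$)",
    "firefox_plugin": r"\\npclntax_ClickPotatoLiteSA\.dll$",
    "product_key": HKLM + r"ClickPotatoLite(?:\\|$)",
    "run_value": HKLM + r"Microsoft\\Windows\\CurrentVersion\\Run\\ClickPotatoLiteSA$",
    "ie_extension": HKLM + r"Microsoft\\Internet Explorer\\Extensions\\"
                    r"\{B58926D6-CFB0-45d2-9C28-4B5A0F0368AE\}",
    "com_clsid": HKLM + r"Classes\\(?:WOW6432Node\\)?CLSID\\"
                 r"\{7A3D6D17-9DD5-4C60-8076-D1784DABAF8C\}",
}
# Windows paths and registry names are case-insensitive.
COMPILED = {n: re.compile(p, re.IGNORECASE) for n, p in INDICATORS.items()}

def match_indicators(entry):
    """Names of the indicators that one file or registry path matches."""
    entry = entry.strip().rstrip("\\")
    return sorted(n for n, rx in COMPILED.items() if rx.search(entry))

def scan(inventory):
    """Map host -> sorted indicator names for hosts with at least one hit."""
    hits = {}
    for host, entry in inventory:
        for name in match_indicators(entry):
            hits.setdefault(host, set()).add(name)
    return {host: sorted(names) for host, names in hits.items()}

# Constructed sample inventory (hypothetical hosts), not data from the page.
SAMPLE = [
    ("ws-01", r"C:\Program Files (x86)\ClickPotatoLite\bin\10.0.602.0\ClickPotatoLiteSABHO.dll"),
    ("ws-01", r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ClickPotatoLiteSA"),
    ("ws-01", r"hklm\software\classes\clsid\{7a3d6d17-9dd5-4c60-8076-d1784dabaf8c}"),
    ("ws-02", r"C:\ProgramData\ClickPotatoLiteSA\ClickPotatoLiteSA.dat"),
    ("ws-03", r"C:\Program Files\VideoLAN\VLC\vlc.exe"),
    ("ws-03", r"C:\Users\a\Downloads\ClickPotatoLite\bin\10.0.5.0\readme.txt"),
]

if __name__ == "__main__":
    for host, names in scan(SAMPLE).items():
        print(host, names)
```

The last sample row is left unmatched on purpose: its version directory does not have the three-digit release number the page describes.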