
Adware:Win32/ClickPotato


First posted on 23 August 2010.
Source: SecurityHome

Aliases :

Adware:Win32/ClickPotato is also known as ADSPY/AdSpy.Gen2 (Avira), AdWare.AdSpy (Ikarus), Pinball (Sunbelt Software).

Explanation :

Adware:Win32/ClickPotato is a program that displays pop-up and notification style advertisements based on the user's browsing habits.

Installation :

Adware:Win32/ClickPotato makes the following changes to the registry:

  • Adds subkey: HKLM\SOFTWARE\ClickPotatoLite
  • Adds subkey: HKLM\SOFTWARE\Classes\MenuButtonIE.ButtonIE
  • Adds subkey: HKLM\SOFTWARE\Classes\MenuButtonIE.ButtonIE.1
  • Adds subkey: HKLM\SOFTWARE\Classes\AppID\MenuButtonIE.DLL
  • Adds subkey: HKLM\SOFTWARE\Classes\CLSID\{7A3D6D17-9DD5-4C60-8076-D1784DABAF8C}
  • Adds subkey: HKLM\SOFTWARE\Classes\AppID\{11C27351-716B-4052-9361-E3B0A3F8221C}
  • Adds subkey: HKLM\SOFTWARE\Classes\TypeLib\{814BAA91-DC22-4350-87D6-0C86E93F7F08}
  • Adds subkey: HKLM\SOFTWARE\Classes\ClickPotatoLiteAX.Info
  • Adds subkey: HKLM\SOFTWARE\Classes\ClickPotatoLiteAX.Info.1
  • Adds subkey: HKLM\SOFTWARE\Classes\ClickPotatoLiteAX.UserProfiles
  • Adds subkey: HKLM\SOFTWARE\Classes\ClickPotatoLiteAX.UserProfiles.1
  • Adds subkey: HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B58926D6-CFB0-45d2-9C28-4B5A0F0368AE}
  • Adds value: "ButtonText" With data: "ClickPotato"
    Adds value: "CLSID" With data: "{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}"
    Adds value: "ClsidExtension" With data: "{7A3D6D17-9DD5-4C60-8076-D1784DABAF8C}"
    Adds value: "Default Visible" With data: "Yes"
    Adds value: "HotIcon" With data: "C:\Program Files\ClickPotatoLite\bin\10.0.511.0\ClickPotatoLiteSABHO.dll,201"
    Adds value: "Icon" With data: "C:\Program Files\ClickPotatoLite\bin\10.0.511.0\ClickPotatoLiteSABHO.dll,201"
    To subkey: HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B58926D6-CFB0-45d2-9C28-4B5A0F0368AE}
  • Adds value: "ClickPotatoLiteSA"
    To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • Adds value: "ClickPotatoLiteSA"
    To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Adware:Win32/ClickPotato makes the following system changes to the user's machine:

  • Creates directory:
    %programfiles%\ClickPotatoLite\bin\10.0.%varies%.0\

    Where %programfiles% represents the user's program folder and %varies% is a three-digit number indicating the release number.
  • Creates the files in that directory:
    ClickPotatoLiteSA.exe
    ClickPotatoLiteSAAX.dll
    ClickPotatoLiteSABHO.dll
    ClickPotatoLiteSAHook.dll
    ClickPotatoLiteUninstaller.exe
  • Creates directory:
    %programfiles%\ClickPotatoLite\bin\10.0.%varies%.0\firefox\extensions\

    Where %programfiles% represents the user's program folder and %varies% is a three-digit number indicating the release number.
  • Creates the files in that directory:
    chrome.manifest
    install.rdf
  • Creates directory:
    %programfiles%\ClickPotatoLite\bin\10.0.%varies%.0\firefox\extensions\plugins\

    Where %programfiles% represents the user's program folder and %varies% is a three-digit number indicating the release number.
  • Creates the file in that directory:
    npclntax_ClickPotatoLiteSA.dll
  • Creates directory:
    %startmenu%\ClickPotato\

    Where %startmenu% represents the user's start menu, i.e. C:\ProgramData\Microsoft\Windows\Start Menu\Programs.
  • Creates the files in that directory:
    About Us.lnk
    ClickPotato Customer Support.lnk
    ClickPotato Uninstall Instructions.lnk
  • Creates directory:
    %programdata%\ClickPotatoLiteSA\

    Where %programdata% represents the user's programdata folder, i.e. C:\ProgramData.
  • Creates the files in that directory:
    ClickPotatoLiteSA.dat
    ClickPotatoLiteSAAbout.mht
    ClickPotatoLiteSAau.dat
    ClickPotatoLiteSAEULA.mht
    ClickPotatoLiteSA_hpk.dat
    ClickPotatoLiteSA_kyf.dat

Once installed, Adware:Win32/ClickPotato can be seen as a shortcut on an Internet Explorer toolbar. The adware's presence can also be seen in the 'Manage Add-ons' window. Adware:Win32/ClickPotato may also display an icon on a user's desktop.
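
The registry and file-system changes listed above can be checked with a read-only triage script. The following PowerShell is an added example, not part of the original write-up; the WOW6432Node and "Program Files (x86)" locations are assumptions for 64-bit Windows that the source does not mention, and only a subset of the listed subkeys is checked.

```powershell
# Added example: read-only check for the ClickPotato artifacts listed in this advisory.
# It reports what is present and changes nothing.

# Registry subkeys taken from the advisory (relative to HKLM\SOFTWARE).
$subKeys = @(
    'ClickPotatoLite',
    'Classes\MenuButtonIE.ButtonIE',
    'Classes\AppID\MenuButtonIE.DLL',
    'Classes\CLSID\{7A3D6D17-9DD5-4C60-8076-D1784DABAF8C}',
    'Classes\ClickPotatoLiteAX.Info',
    'Classes\ClickPotatoLiteAX.UserProfiles',
    'Microsoft\Internet Explorer\Extensions\{B58926D6-CFB0-45d2-9C28-4B5A0F0368AE}'
)
# Assumption: on 64-bit Windows a 32-bit installer is redirected to WOW6432Node
# and "Program Files (x86)", so both views are checked.
$hives = 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node'
$programDirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | Select-Object -Unique

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Type, $Path) {
    $findings.Add([pscustomobject]@{ Type = $Type; Path = $Path })
}

foreach ($hive in $hives) {
    foreach ($k in $subKeys) {
        $p = "$hive\$k"
        if (Test-Path -LiteralPath $p) { Add-Finding 'RegistryKey' $p }
    }
    # Autostart value named in the advisory.
    $run = "$hive\Microsoft\Windows\CurrentVersion\Run"
    $v = Get-ItemProperty -LiteralPath $run -Name 'ClickPotatoLiteSA' -ErrorAction SilentlyContinue
    if ($v) { Add-Finding 'RunValue' "$run -> $($v.ClickPotatoLiteSA)" }
}

foreach ($pf in $programDirs) {
    $bin = Join-Path $pf 'ClickPotatoLite\bin'
    # %varies% is a three-digit release number, so match 10.0.<ddd>.0 instead of one fixed path.
    Get-ChildItem -LiteralPath $bin -Directory -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^10\.0\.\d{3}\.0$' } |
        ForEach-Object {
            Get-ChildItem -LiteralPath $_.FullName -Recurse -File -ErrorAction SilentlyContinue |
                ForEach-Object { Add-Finding 'File' $_.FullName }
        }
}
$data = Join-Path $env:ProgramData 'ClickPotatoLiteSA'
if (Test-Path -LiteralPath $data) { Add-Finding 'DataDir' $data }

if ($findings.Count) { $findings | Format-Table -AutoSize }
else { 'No ClickPotato artifacts from this advisory were found.' }
```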

    Analysis by Michael Johnson

    Last update 23 August 2010

     
