Adware-SaveNow
- Type: Program
- SubType: Adware
- Discovery Date: 10/15/2003
- Length:
- Minimum DAT: 4298 (10/15/2003)
- Updated DAT: 5434 (11/14/2008)
- Minimum Engine: 5.1.00
- Description Added: 11/21/2003
- Description Modified: 10/24/2006 11:00 AM (PT)
Characteristics
McAfee(R) AVERT™ recognizes that this program may have legitimate uses in contexts where an authorized administrator has knowingly installed this application. If you agreed to a license agreement for this, or another bundled application, you may have legal obligations with regard to removing this software, or using the host application without this software. Please contact the software vendor for further information.
See http://vil.nai.com/vil/DATReadme.asp for a list of Program detections added to the DATs.
See http://vil.nai.com/vil/pups/configuration.htm for information about how to enable, disable, and exclude detection of legitimately installed programs.
Distribution
This is not a virus or a trojan. It is detected as a "potentially unwanted program." It is a direct-marketing application that generates pop-up advertisements while browsing the web.
Upon execution this file launches an installation dialogue and presents a license agreement. A brief overview of the software’s functionality and intended use is also present. After pressing “I Agree” the software creates several files, along with an entry in the registry “Run” key to ensure launch at startup. If Internet Explorer is currently running, the software contacts the WhenU servers and downloads configuration data, then displays a new browser window indicating that the SaveNow software has been installed. A link to the privacy policy is present on this page. Following installation, the software monitors browsing activities and pulls down advertising from the WhenU servers when it detects a match with its local database.
NOTE: There are two similar packages for this software. "SaveNow" is a stand-alone application. "Save!" has similar functionality, but is reportedly intended to be bundled with other software in order to enable the publishers to offer products for free to end users. Forced removal of "Save!" will likely cause any associated ad-supported software to stop functioning.
Privacy
At this time (1/21/2005) the latest version (2.6.4.7) of the SaveNow software does not appear to transmit any personally-identifiable data to third parties. However, the privacy policy and license agreement are open-ended, specifying that software updates and agreement changes or amendments may happen at any time.
The privacy policies can be viewed using the links below:
SaveNow - http://www.whenu.com/pc_savenow.html
Save! - http://www.whenu.com/pc_save.html
System Changes
Files Added
The following files are created in C:\Program Files\Save\
Name: ReadMe.txt
Size: 3,962 bytes
Name: save.cch
Size: (varies)
Name: save.db
Size: (varies)
Name: save.exe
Size: 315,904 bytes
MD5: DF954293E614C7363CB82D15109518D8
Name: save.htm
Size: 84,192 bytes
Name: SaveUninst.exe
Size: 24,124 bytes
MD5: AA9F305228B39FBEF58DB805152E210A
Name: store.db
Size: (varies)
NOTE: Soon after installation, updated versions of several key files are downloaded which overwrite the originals. These have properties as listed below.
Name: Save.exe
Size: 365,120 bytes
MD5: 990DB24D6CA4A4D96FCAA3EB94275D72
Name: Save.htm
Size: 76,187 bytes
Name: SaveUninst.exe
Size: 30,336 bytes
MD5: CF3576FF37CC70DA886F113E83BEBE19
Registry (most significant/high-level)
Keys Added:
HKEY_CLASSES_ROOT\WUSN.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SaveNow
HKEY_LOCAL_MACHINE\SOFTWARE\WhenUSave
HKEY_LOCAL_MACHINE\SOFTWARE\WhenUSave\Partners
HKEY_LOCAL_MACHINE\SOFTWARE\WhenUSave\Partners\WUSV
HKEY_LOCAL_MACHINE\SYSTEM\LastKnownGoodRecovery\LastGood
Values Added:
HKEY_CLASSES_ROOT\WUSN.1 "WUSN_Id"
Data: 8C, 87, 99, 6D, E8, 88, 1D, 4C, AE, 12, 22, A5, FC, 13, 8B, 27
NOTE: The WUSN_Id value may vary from one installation to the next.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "WhenUSave"
Data: C:\Program Files\Save\Save.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SaveNow "DisplayIcon"
Data: C:\Program Files\Save\Save.exe,1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SaveNow "DisplayName"
Data: SaveNow
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SaveNow "DisplayVersion"
Data: 2.60
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SaveNow "HelpLink"
Data: www.whenu.com
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SaveNow "Publisher"
Data: WhenU.com, Inc.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SaveNow "UninstallString"
Data: "C:\Program Files\Save\SaveUninst.exe" /rWUSV /kSaveNow /dSaveNow
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SaveNow "UrlInfoAbout"
Data: www.whenu.com
HKEY_LOCAL_MACHINE\SOFTWARE\WhenUSave "db_script_update"
Data: 1002500002
HKEY_LOCAL_MACHINE\SOFTWARE\WhenUSave "extra_url"
Data: http://spweb.whenu.com/extra.exe
HKEY_LOCAL_MACHINE\SOFTWARE\WhenUSave "extraver_url"
Data: http://spweb.whenu.com/extraver.html
HKEY_LOCAL_MACHINE\SOFTWARE\WhenUSave "FullDBTime"
Data: N
HKEY_LOCAL_MACHINE\SOFTWARE\WhenUSave "InstallDir"
Data: C:\Program Files\Save
HKEY_LOCAL_MACHINE\SOFTWARE\WhenUSave "InstallTime"
Data: 20050125141743
HKEY_LOCAL_MACHINE\SOFTWARE\WhenUSave "LastPartner"
Data: SNOW0702
HKEY_LOCAL_MACHINE\SOFTWARE\WhenUSave "newuser_rs"
Data: Y
HKEY_LOCAL_MACHINE\SOFTWARE\WhenUSave "Partner"
Data: SNOW0702
HKEY_LOCAL_MACHINE\SOFTWARE\WhenUSave "PartnerB"
Data: WUSV
HKEY_LOCAL_MACHINE\SOFTWARE\WhenUSave "PartnerDesc"
Data: SaveNow
HKEY_LOCAL_MACHINE\SOFTWARE\WhenUSave "PartnerParam"
Data: dt=Save Now!,q=,i=1
HKEY_LOCAL_MACHINE\SOFTWARE\WhenUSave "pat_chunks_url"
Data: http://akapp.whenu.com/DataChunksGZ
HKEY_LOCAL_MACHINE\SOFTWARE\WhenUSave "pats_url"
Data: http://akapp.whenu.com/OffersDataGZ
HKEY_LOCAL_MACHINE\SOFTWARE\WhenUSave "script_url"
Data: http://akdwl.whenu.com/offscript2.html
HKEY_LOCAL_MACHINE\SOFTWARE\WhenUSave "SetupCmdLine"
Data: http://app.whenu.com/Offers?url=SNOW0702&cpartners=0
HKEY_LOCAL_MACHINE\SOFTWARE\WhenUSave "TotalPartner"
Data: 1
HKEY_LOCAL_MACHINE\SOFTWARE\WhenUSave "update_url"
Data: http://akdwl.whenu.com/saveupdate.exe
HKEY_LOCAL_MACHINE\SOFTWARE\WhenUSave "ver_url"
Data: http://www.whenu.com/versions.html
HKEY_LOCAL_MACHINE\SOFTWARE\WhenUSave "Version"
Data: 2.60
HKEY_LOCAL_MACHINE\SOFTWARE\WhenUSave "ziptomsa_url"
Data: http://spapp.whenu.com/ziptomsa
HKEY_LOCAL_MACHINE\SOFTWARE\WhenUSave\Partners\WUSV "InstallTime"
Data: 20050125141742
HKEY_LOCAL_MACHINE\SOFTWARE\WhenUSave\Partners\WUSV "Partner"
Data: SNOW0702
HKEY_LOCAL_MACHINE\SOFTWARE\WhenUSave\Partners\WUSV "PartnerDesc"
Data: SaveNow
HKEY_LOCAL_MACHINE\SOFTWARE\WhenUSave\Partners\WUSV "PartnerParam"
Data: dt=Save Now!,q=,i=1
Network Impact
Additional overhead in bandwidth due to downloading of advertising content.
Additional overhead in bandwidth due to SaveNow client software updates.
============
Note: A previous version of the software was found to have the following behavior:
Upon execution, the installing program copies the main application and other files to
- c:\Program Files\SaveNow
The following Registry key is added to hook system startup:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"SaveNow" = "C:\Program Files\SaveNow\SaveNow.exe"
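The file and registry changes listed above can be checked on a host with a read-only script. This is an added example, not part of the original McAfee description; the WOW6432Node and "Program Files (x86)" locations are assumptions for 64-bit Windows, which the page does not cover. The WUSN_Id value is not used because it varies per installation.

```powershell
# Added example: read-only indicator check built from the values on this page.
# Assumption: the WOW6432Node and "Program Files (x86)" locations cover 64-bit
# Windows; the page itself documents only the 32-bit paths.
$views = 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node'
$runNames = 'WhenUSave', 'SaveNow'          # Run value names from the page
$subKeys = 'WhenUSave', 'Microsoft\Windows\CurrentVersion\Uninstall\SaveNow'
$knownMd5 = @{
    'DF954293E614C7363CB82D15109518D8' = 'save.exe as installed'
    '990DB24D6CA4A4D96FCAA3EB94275D72' = 'Save.exe after update'
    'AA9F305228B39FBEF58DB805152E210A' = 'SaveUninst.exe as installed'
    'CF3576FF37CC70DA886F113E83BEBE19' = 'SaveUninst.exe after update'
}
$findings = @()

foreach ($view in $views) {
    # Startup persistence: Run values named on the page.
    $run = Get-ItemProperty -Path "$view\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue
    foreach ($name in $runNames) {
        if ($run -and $run.PSObject.Properties[$name]) {
            $findings += [pscustomobject]@{ Type = 'RunValue'; Item = "$view Run\$name"; Detail = $run.$name }
        }
    }
    # Vendor configuration key and the uninstall entry.
    foreach ($sub in $subKeys) {
        if (Test-Path -Path "$view\$sub") {
            $findings += [pscustomobject]@{ Type = 'RegistryKey'; Item = "$view\$sub"; Detail = '' }
        }
    }
}

# Install directories: current version (Save) and the earlier one (SaveNow).
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
foreach ($root in $roots) {
    foreach ($dir in 'Save', 'SaveNow') {
        $path = Join-Path -Path $root -ChildPath $dir
        if (-not (Test-Path -Path $path)) { continue }
        foreach ($file in (Get-ChildItem -Path $path -Filter *.exe -File)) {
            $md5 = (Get-FileHash -Path $file.FullName -Algorithm MD5).Hash
            $label = if ($knownMd5.ContainsKey($md5)) { $knownMd5[$md5] } else { 'MD5 not listed on the page' }
            $findings += [pscustomobject]@{ Type = 'File'; Item = $file.FullName; Detail = "$md5 ($label)" }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap } else { 'No Adware-SaveNow indicators found.' }
```

An executable whose MD5 is not in the table is still reported, since the page notes that the installed files are overwritten by downloaded updates.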
Removal
Instructions on Enabling/Disabling Detection and Removal of Potentially Unwanted Programs
Variants
N/A