McAfee > Theat Center > Virus Detail Page

Overview

This is a Potentially Unwanted Program (PUP) detection. It is not a virus or trojan. PUPs are any piece of software which a reasonably security-or privacy-minded computer user may want to be informed of.

Characteristics

McAfee(R) AVERT recognizes that this program may have legitimate uses in contexts where an authorized administrator has knowingly installed this application. If you agreed to a license agreement for this, or another bundled application, you may have legal obligations with regard to removing this software, or using the host application without this software. Please contact the software vendor for further information.

See http://vil.nai.com/vil/DATReadme.asp for a list of Program detections added to the DATs.

See http://vil.nai.com/vil/pups/configuration.htm for information about how to enable, disable, and exclude detection of legitimately installed programs.

Distribution

This is not a virus or a trojan. It is detected as a "potentially unwanted program." It is a direct-marketing adware application that inserts links into web page content while browsing. Additionally, "tool tip" windows are shown if the user hovers the cursor over these new links. At that time communications are made with servers in the qklinkserver.com domain to retrieve the appropriate content for the window. The keywords that triggered the link insert are sent to the server, and the server responds with the content for the window. The software is installed as a Browser Helper Object Internet Explorer, and a registry Run key is created to ensure re-installation of the software at each system startup. No license agreement is displayed upon execution of the installer. There is no indication in Internet Explorer that the software is installed.

Page content without Adware-Linkmaker:

Page content with Adware-Linkmaker (note new links silently inserted):

"Tool tip" context information presented for new links:

Privacy

No privacy policy is displayed during installation. Keywords or phrases found in web page content are sent to remote servers if the user hovers the cursor over the new links. Otherwise no transmission of data was observed.

System Changes

General defaults for typical path variables (although they may be different, they usually are not):
%WinDir% = \WINDOWS (Windows 9x/ME/XP), \WINNT (Windows NT/2000)
%SystemDir% = \WINDOWS\SYSTEM32 (Windows 9x/ME/XP), \WINNT\SYSTEM32 (Windows NT/2000)
%ProgramFiles% = \Program Files

Files Added

• Installer: hpsw.exe (1096 KB)
  MD5: E0E7FAC6A4011AD0A18586D6289E71AA
• %ProgramFiles%\jalmp\uninstall.exe (24 KB)
  MD5: BF3ADCC90163E4D7F4DF07871F9DEEB4
• %ProgramFiles%\jalmp\jalmp.dll (184 KB)
  MD5: 0556D3DC1737D2E85C3728E70E3A2FCF
• %ProgramFiles%\jalmp\arpf.cfg (size & MD5 may vary)
  This file contains a list of keywords/phrases that trigger insertion of links

Registry

The following registry keys are created:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  "susse"=""C:\WINDOWS\system32\hpsw.exe""
  
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
  \Explorer\Browser Helper Objects\{39C78B50-7E98-4aa0-B007-D83114EA6E0F}
  
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
  \Uninstall\Quicklinks
  
• HKEY_LOCAL_MACHINE\SOFTWARE\Meld
  
• HKEY_CLASSES_ROOT\TypeLib\{2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D}
  
• HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html
  
• HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html
  "CLSID"="{2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D}"
  
• HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html
  "(default)"="QuickLinks MIME Filter"
  
• HKEY_CLASSES_ROOT\Permeation.Trecker
  
• HKEY_CLASSES_ROOT\Permeation.Trecker.1
  
• HKEY_CLASSES_ROOT\Permeation.Permeater
  
• HKEY_CLASSES_ROOT\Permeation.Permeater.1
  
• HKEY_CLASSES_ROOT\Interface\{39C78B50-7E98-4AA0-B007-D83114EA6E0F}
  
• HKEY_CLASSES_ROOT\Interface\{39C78B50-7E98-4AA0-B007-D83114EA6E0F}
  "default"="ITrecker"
  
• HKEY_CLASSES_ROOT\CLSID\{39C78B50-7E98-4aa0-B007-D83114EA6E0F}
  
• HKEY_CLASSES_ROOT\CLSID\{39C78B50-7E98-4aa0-B007-D83114EA6E0F}
  "default"="Trecker Class"
  
• HKEY_CLASSES_ROOT\CLSID\{2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D}
  
• HKEY_CLASSES_ROOT\CLSID\{2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D}
  "default"="Permeater Class"
  

Network Impact

Additional overhead in bandwidth due to download of content for "tool tip" windows, and possible software updates.

Symptoms

N/A This is not a virus or trojan.

Method of Infection

N/A This is not a virus or trojan.

Removal

Instructions on Enabling/Disabling Detection and Removal of Potentially Unwanted Programs

Variants

Variants

N/A

All Information

Overview -

This is a Potentially Unwanted Program (PUP) detection. It is not a virus or trojan. PUPs are any piece of software which a reasonably security-or privacy-minded computer user may want to be informed of.

Characteristics

Characteristics -

McAfee(R) AVERT recognizes that this program may have legitimate uses in contexts where an authorized administrator has knowingly installed this application. If you agreed to a license agreement for this, or another bundled application, you may have legal obligations with regard to removing this software, or using the host application without this software. Please contact the software vendor for further information.

See http://vil.nai.com/vil/DATReadme.asp for a list of Program detections added to the DATs.

See http://vil.nai.com/vil/pups/configuration.htm for information about how to enable, disable, and exclude detection of legitimately installed programs.

Distribution

This is not a virus or a trojan. It is detected as a "potentially unwanted program." It is a direct-marketing adware application that inserts links into web page content while browsing. Additionally, "tool tip" windows are shown if the user hovers the cursor over these new links. At that time communications are made with servers in the qklinkserver.com domain to retrieve the appropriate content for the window. The keywords that triggered the link insert are sent to the server, and the server responds with the content for the window. The software is installed as a Browser Helper Object Internet Explorer, and a registry Run key is created to ensure re-installation of the software at each system startup. No license agreement is displayed upon execution of the installer. There is no indication in Internet Explorer that the software is installed.

Page content without Adware-Linkmaker:

Page content with Adware-Linkmaker (note new links silently inserted):

"Tool tip" context information presented for new links:

Privacy

No privacy policy is displayed during installation. Keywords or phrases found in web page content are sent to remote servers if the user hovers the cursor over the new links. Otherwise no transmission of data was observed.

System Changes

General defaults for typical path variables (although they may be different, they usually are not):
%WinDir% = \WINDOWS (Windows 9x/ME/XP), \WINNT (Windows NT/2000)
%SystemDir% = \WINDOWS\SYSTEM32 (Windows 9x/ME/XP), \WINNT\SYSTEM32 (Windows NT/2000)
%ProgramFiles% = \Program Files

Files Added

• Installer: hpsw.exe (1096 KB)
  MD5: E0E7FAC6A4011AD0A18586D6289E71AA
• %ProgramFiles%\jalmp\uninstall.exe (24 KB)
  MD5: BF3ADCC90163E4D7F4DF07871F9DEEB4
• %ProgramFiles%\jalmp\jalmp.dll (184 KB)
  MD5: 0556D3DC1737D2E85C3728E70E3A2FCF
• %ProgramFiles%\jalmp\arpf.cfg (size & MD5 may vary)
  This file contains a list of keywords/phrases that trigger insertion of links

Registry

The following registry keys are created:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  "susse"=""C:\WINDOWS\system32\hpsw.exe""
  
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
  \Explorer\Browser Helper Objects\{39C78B50-7E98-4aa0-B007-D83114EA6E0F}
  
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
  \Uninstall\Quicklinks
  
• HKEY_LOCAL_MACHINE\SOFTWARE\Meld
  
• HKEY_CLASSES_ROOT\TypeLib\{2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D}
  
• HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html
  
• HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html
  "CLSID"="{2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D}"
  
• HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html
  "(default)"="QuickLinks MIME Filter"
  
• HKEY_CLASSES_ROOT\Permeation.Trecker
  
• HKEY_CLASSES_ROOT\Permeation.Trecker.1
  
• HKEY_CLASSES_ROOT\Permeation.Permeater
  
• HKEY_CLASSES_ROOT\Permeation.Permeater.1
  
• HKEY_CLASSES_ROOT\Interface\{39C78B50-7E98-4AA0-B007-D83114EA6E0F}
  
• HKEY_CLASSES_ROOT\Interface\{39C78B50-7E98-4AA0-B007-D83114EA6E0F}
  "default"="ITrecker"
  
• HKEY_CLASSES_ROOT\CLSID\{39C78B50-7E98-4aa0-B007-D83114EA6E0F}
  
• HKEY_CLASSES_ROOT\CLSID\{39C78B50-7E98-4aa0-B007-D83114EA6E0F}
  "default"="Trecker Class"
  
• HKEY_CLASSES_ROOT\CLSID\{2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D}
  
• HKEY_CLASSES_ROOT\CLSID\{2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D}
  "default"="Permeater Class"
  

Network Impact

Additional overhead in bandwidth due to download of content for "tool tip" windows, and possible software updates.

Symptoms

Symptoms -

N/A This is not a virus or trojan.

Method of Infection

Method of Infection -

N/A This is not a virus or trojan.

Removal -

Removal -

Instructions on Enabling/Disabling Detection and Removal of Potentially Unwanted Programs

Variants

Variants -

N/A