Adware-DropSpam

Type: Program
SubType: Adware
Discovery Date: 12/16/2005
Length: Varies
Minimum DAT: 4652 (12/16/2005)
Updated DAT: 5269 (04/08/2008)
Minimum Engine: 5.1.00
Description Added: 12/16/2005
Description Modified: 12/20/2005 1:15 PM (PT)
Risk Assessment: Corporate User: N/A; Home User: N/A

Characteristics

McAfee(R) AVERT recognizes that this program may have legitimate uses in contexts where an authorized administrator has knowingly installed this application. If you agreed to a license agreement for this, or another bundled application, you may have legal obligations with regard to removing this software, or using the host application without this software. Please contact the software vendor for further information.

See http://vil.nai.com/vil/DATReadme.asp for a list of Program detections added to the DATs.

See http://vil.nai.com/vil/pups/configuration.htm for information about how to enable, disable, and exclude detection of legitimately installed programs.

This is not a virus or a Trojan. It is detected as a "potentially unwanted program." It is a direct-marketing adware application that redirects home and default search pages, establishes email proxies, and may download and install additional advertising applications/components.

This software establishes an email proxy on the host system. It reconfigures many popular mail clients (Outlook, Outlook Express, etc.) to send mail to dropspam.com servers instead of the user's normal mail server. The account information for the user's original mail server is collected from the local system and sent to dropspam.com so that the redirected mail can be sent on through the user's original server and account. Some variants of this software include an Internet Explorer toolbar, while others run only as a separate application (in some cases an icon is present in the system tray). Depending on the version/variant, redirection of the user's browser home and search pages may be included. The software has also been observed attempting to download and install other known PUPs (Adware-BB and Spyware-WebHancer).

Depending on the variant, the application may display a license agreement when installed. However, even when the dialog displaying the agreement was canceled, the software remained installed on the system (i.e. the license agreement was only displayed after installation had already occurred).

Privacy

A privacy policy is not displayed during installation. A policy can be accessed on the DropSpam website: http://www.dropspam.com/privacy.html

The software transmits email account information to the DropSpam servers during installation, and the email proxy it establishes passes all email through DropSpam servers.

System Changes

Files Added

  • %WINDIR%\ewwsetup.exe (779,036 bytes)
    MD5: FBE4439576DE62A51DF2431432812271
  • %WINDIR%\uninstalltb.exe (40,960 bytes)
    MD5: AD81ECD93282A07CF04AC8906834ED1C
  • c:\documents and settings\%USER%\local settings\temp
    \_tix.log
  • c:\documents and settings\%USER%\application data
    \microsoft\addins\ewwotb.dll (167,936 bytes)
    MD5: 31E5E21B6FD8908F4AEC5A2FEE97B3E9
  • c:\program files\dropspam\setup.exe (71,168 bytes)
    MD5: F9EC6ABD080C000E6DE728FB8048708B
  • c:\program files\dropspam\oehk.dll (196,608 bytes)
    MD5: D232879EE8630A7DA09AA5D4C159643E
  • c:\program files\dropspam\ansmtp.dll (389,120 bytes)
    MD5: E72DDC50ABFF8834037046E125965997
  • c:\program files\dropspam\ewwie.dll (167,936 bytes)
    MD5: BC100BE312EC64FDCD7BF0D11080A394
  • c:\program files\dropspam\_setupx.dll (15,872 bytes)
  • c:\program files\dropspam\uninstalltb.exe (40,960 bytes)
    MD5: AD81ECD93282A07CF04AC8906834ED1C
  • c:\program files\dropspam\passworddll.dll (62,976 bytes)
    MD5: EE5031FD5D37DD160AAD6FC4CE1B852C
  • c:\program files\dropspam\eww.exe (311,296 bytes)
    MD5: 11ED8A778C6E91F0F357D5B107155AA6
  • c:\program files\dropspam\setup.ini (size & MD5 vary)
  • c:\program files\dropspam\oesrv.exe (155,648 bytes)
    MD5: 9558BC2660E4B435407C249BD7AF054C

A variant of Adware-DropSpam created the following files:

  • c:\program files\dslifestyle\dslifestyle.exe (266,240 bytes)
    MD5: 35A2A972906D842DE01E4F15FCAABEB4
  • c:\program files\dslifestyle\ps.exe (40,960 bytes)
    MD5: 4938F97767215BA4C00B51EFA30FAAB5
  • c:\program files\dslifestyle\setup.exe (71,680 bytes)
    MD5: 9A230CBEA315950A4E3DF7519DD138FC
  • c:\program files\dslifestyle\setup.ini (size & MD5 vary)
  • c:\program files\dslifestyle\html\
    this folder contains several .gif files, names may vary

Registry

The following registry keys are created:

  • hkey_local_machine\software\microsoft\windows\currentversion\run
    \oe_drop_spam="C:\Program Files\DropSpam\oesrv.exe"
  • hkey_current_user\software\dropspam
  • hkey_current_user\software\dropspam\home="C:\Program Files
    \DropSpam\"
  • hkey_current_user\software\microsoft\office\outlook\addins
    \ewwotb.addin.1
  • hkey_local_machine\software\microsoft\internet explorer\toolbar
    \{2dea8791-c2b7-48e1-8992-8e8e6a6fe789}=
  • hkey_local_machine\software\microsoft\internet explorer
    \extensions\{b6e649fa-5461-40d7-ab4d-54fc3c8db767}="Drop Spam
    Toolbar"
  • hkey_local_machine\software\microsoft\windows\currentversion
    \explorer\browser helper objects\{2dea8791-c2b7-48e1-8992
    -8e8e6a6fe789}
  • hkey_local_machine\software\microsoft\windows\currentversion
    \uninstall\drop spam
  • hkey_local_machine\software\microsoft\windows\currentversion
    \uninstall\internet explorer toolbar - dropspam

A variant of Adware-DropSpam created these registry entries:

  • hkey_local_machine\software\microsoft\windows\currentversion
    \uninstall\lifestyle . dropspam
  • hkey_local_machine\software\microsoft\windows\currentversion\run
    \dropspam lifestyle=""C:\Program Files\dslifestyle
    \dslifestyle.exe""

The following registry keys are modified:

  • hkey_current_user\software\microsoft\search assistant
    \defaultsearchurl="http://sidesearch.dropspam.com
    /search.cgi?source=side&query="
  • hkey_current_user\software\microsoft\internet explorer\main\start
    page="http://my.dropspam.com/"
  • hkey_current_user\software\microsoft\internet explorer\main
    \search page="http://sidesearch.dropspam.com/sidesearch.htm"
  • hkey_current_user\software\microsoft\internet explorer\main
    \search bar="http://sidesearch.dropspam.com/sidesearch.htm"
  • hkey_current_user\software\microsoft\windows\currentversion
    \internet settings\zonemap\\proxybypass="1"
  • hkey_current_user\software\microsoft\windows\currentversion
    \internet settings\zonemap\\intranetname="1"
  • hkey_current_user\software\microsoft\windows\currentversion
    \internet settings\zonemap\\uncasintranet="1"
  • hkey_local_machine\software\microsoft\internet explorer\main
    \search page="http://sidesearch.dropspam.com/sidesearch.htm"
  • hkey_local_machine\software\microsoft\internet explorer\search
    \searchassistant="http://sidesearch.dropspam.com/sidesearch.htm"
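
The registry changes listed above can be checked offline against a registry export. The following is an added example, not McAfee's detection logic: it parses regedit export (.reg) text and flags the Run values, the DropSpam key, the toolbar's Browser Helper Object key and any string value whose URL host is dropspam.com or a subdomain of it. The function names and the sample export are constructed for illustration; the indicators are the ones on this page.

```python
import re
from urllib.parse import urlsplit

# Indicators copied from the registry lists on this page (lower-cased).
KEY_INDICATORS = (
    r"hkey_current_user\software\dropspam",
    r"hkey_local_machine\software\microsoft\windows\currentversion"
    r"\explorer\browser helper objects\{2dea8791-c2b7-48e1-8992-8e8e6a6fe789}",
)
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
RUN_VALUES = {"oe_drop_spam", "dropspam lifestyle"}
REDIRECT_DOMAIN = "dropspam.com"

# Constructed sample in regedit export format; not taken from a real host.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"oe_drop_spam"="C:\\Program Files\\DropSpam\\oesrv.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://my.dropspam.com/"
"Search Page"="http://www.example.com/search"

[HKEY_CURRENT_USER\Software\DropSpam]
"home"="C:\\Program Files\\DropSpam\\"
'''

# "name"="data" lines; backslashes and quotes are backslash-escaped in .reg files.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')

def parse_reg(text):
    """Yield (key, None, None) per key header and (key, name, data) per string value."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            yield key, None, None
        elif key and (m := VALUE_RE.match(line)):
            name, data = (re.sub(r"\\(.)", r"\1", s) for s in m.groups())
            yield key, name, data

def host_matches(data):
    """True only when the URL host is the domain or a subdomain, not a substring hit."""
    try:
        host = urlsplit(data).hostname or ""
    except ValueError:
        return False
    return host == REDIRECT_DOMAIN or host.endswith("." + REDIRECT_DOMAIN)

def find_dropspam(text):
    findings = []
    for key, name, data in parse_reg(text):
        k = key.lower()
        if name is None:
            if any(k == i or k.startswith(i + "\\") for i in KEY_INDICATORS):
                findings.append(("key", key, None))
        elif k == RUN_KEY and name.lower() in RUN_VALUES:
            findings.append(("autorun", name, data))
        elif host_matches(data):
            findings.append(("redirect", f"{key}\\{name}", data))
    return findings

if __name__ == "__main__":
    for finding in find_dropspam(SAMPLE_REG):
        print(finding)
```

Version 5.00 exports written by regedit are UTF-16, so decode the file with that encoding before passing its text to find_dropspam.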

Network Impact

Additional overhead in bandwidth due to download of additional PUP components.

Symptoms

N/A. This is not a virus or Trojan.

Method of Infection

N/A. This is not a virus or a Trojan.

Variants

    N/A

Overview

This is a Potentially Unwanted Program (PUP) detection. It is not a virus or trojan. PUPs are any piece of software which a reasonably security- or privacy-minded computer user may want to be informed of.

Removal

Instructions on Enabling/Disabling Detection and Removal of Potentially Unwanted Programs
