Parasite: ClientMan

This record last updated Tue Sep 20 2005 03:34:15

PLEASE NOTE: Due to the overwhelming extent of this problem and the unbelievable volume of email we have received, we regret that we cannot respond to questions about browser parasites at this time. If you have attempted to contact us about this parasite please accept our apology for not responding. "Thank you's" are always appreciated ;-)

Description

ClientMan is a wide-ranging advertising parasite. The various versions released may add advertising links to web pages, open popup adverts, and redirect search engine results, address bar searches and error pages.

Variants

ClientMan/Helper is the earliest known variant. It includes two IE Browser Helper Objects - a ‘browserhelper’ and a ‘trackurl’ DLL, used to add yellow advertising links to pages - along with various other processes. It is not detected by the script at this site, for tedious technical reasons.

ClientMan/Tagger is a newer update that can be loaded by browserhelper. The ‘browserhelper’ DLL is replaced by a ‘taggerbho’ one, and there is a new ‘searchrep’ DLL which redirects search engine usage, plus new EXE files ‘fixtitle’ and ‘getbuys’.

ClientMan/2in1 is the latest update. The taggerbho is replaced with a ‘2in1’ DLL; the yellow links are no longer added to the page. Instead, all address bar searches, unknown domains and web server error pages are redirected (currently to searchassistant.net) by the new ‘dnsrep’ DLL, and pop-up adverts are opened at regular intervals by the new ‘urlcli’ DLL. (At the time of writing, these are spawned from popupsponsor.com and popuptraffic.com, and are closed immediately after opening, in order to con affiliate fees from these companies.) Additionally there are new ‘gstylebho’ and ‘msvrfy’ DLLs.

Also known as

iPend, as one of the components refers to itself.

Distribution

Bundled with some versions of Grokster from late March 2003. Installed by the FavoriteMan parasite.

What it does

Advertising

Yes. Makes all targeted words in all web pages links with a yellow background, pointing to ClientMan’s server odysseusmarketing.com. This may redirect to a search results site such as 1stblaze.com or epilot.com.

Periodically opens pop-up advertising from odysseusmarketing.com, which may redirect to popupmarketing.com.

The Tagger variant redirects use of known search engines (at the time of writing, Google and Yahoo only) to firstbookmark.com; the address bar will still show the address of the original search engine, but the content of the page will be overwritten with results from firstbookmark.com (which are currently sourced from 123search.com).

Privacy issues

Suspected. ClientMan gathers a list of running processes along with any user details it can get from:

• Outlook Express mail accounts
• Windows/MSN Messenger accounts
• AOL Instant Messenger (AIM) accounts
• ICQ accounts
• Yahoo Pager accounts
• Speedbit Download Accelerator software registration
• Zone Alarm software registration
• Creative SoundBlaster software registration
• Windows dialling location

ClientMan has been observed sending unknown data to its servers at ipend.datastorm.biz; it is suspected this may be an encoded version of this information.

Security issues

Yes. ClientMan can silently download and execute arbitrary unsigned code from its controlling server as an update feature.

Stability problems

Yes. At least on WinXP/IE6 (probably other versions too), ClientMan/Helper and ClientMan/Tagger caused crashes at seemingly random intervals whilst IE windows were open; ClientMan/2in1 made IE hang every time a targeted search engine was used.

Removal

There may be an entry in the Control Panel’s Add/Remove Programs list for ‘mscman’. Try selecting this and clicking ‘Remove’ if it is there.

Spybot Search & Destroy update 2003-03-26 and Ad-Aware reflist 07.04.2003 can remove at least ClientMan/Helper.

Manual Removal

Open the registry (click ‘Start’, choose ‘Run’ and enter ‘regedit’) and find the key Software\Microsoft\Windows\CurrentVersion\Run, inside HKEY_LOCAL_MACHINE (for ClientMan/Helper and ClientMan/Tagger) or HKEY_CURRENT_USER (for ClientMan/2in1). On the right, right-click the entry ‘ClientMan’ or ‘ClientMan1’ and choose ‘Delete’.

Now open the ‘run’ folder inside ‘ClientMan’ in the Program Files folder, and note the names of the DLLs. If you have the Helper variant, you should see ‘browserhelperX.dll’ and ‘trackurlX.dll’, where X is a random eight-digit hexadecimal value. If you have the Tagger variant, you should have ‘taggerbhoX.dll’, ‘trackurlX.dll’ and ‘searchrepX.dll’. In either variant, you may have further leftover DLLs from previous updates.

Open a DOS command prompt window (from Start->Programs->Accessories). Enter the following commands in the DOS window, for the Helper variant:

cd "%WinDir%\System"
regsvr32 /u "\Program Files\ClientMan\run\browserhelperX.dll"
regsvr32 /u "\Program Files\ClientMan\run\trackurlX.dll"

Or, for the Tagger variant:

cd "%WinDir%\System"
regsvr32 /u "\Program Files\ClientMan\run\taggerbhoX.dll"
regsvr32 /u "\Program Files\ClientMan\run\trackurlX.dll"
regsvr32 /u "\Program Files\ClientMan\run\searchrepX.dll"

Or, for the 2in1 variant:

cd "%WinDir%\System"
regsvr32 /u "\Program Files\ClientMan\run\urlcliX.dll"
regsvr32 /u "\Program Files\ClientMan\run\trackurlX.dll"
regsvr32 /u "\Program Files\ClientMan\run\searchrepX.dll"
regsvr32 /u "\Program Files\ClientMan\run\msvrfyX.dll"
regsvr32 /u "\Program Files\ClientMan\run\gstylebhoX.dll"
regsvr32 /u "\Program Files\ClientMan\run\dnsrepX.dll"
regsvr32 /u "\Program Files\ClientMan\run\2in1X.dll"

Replace the ‘X’ in these commands with the random letters and numbers you see in the filenames in the folder view. If there’s more than one file with the same name but a different set of numebrs you can use either, it doesn’t matter. Tip: if you drag the DLL file from the folder view into the DOS command prompt window, it will put the filename in for you, so you don’t have to type it out.

Users of non-English versions of Windows may also need to replace the name ‘Program Files’ with the name of the Program Files folder on their operating system. Tip: if you drag the file in question into the DOS command prompt window, its full name will be inserted for you. Remember to include the space after ‘/u’ before dragging in a file if you do this.

Now restart the computer and you should be able to delete the entire ‘ClientMan’ folder inside Program Files. You can also delete the ‘words.lst’ file inside the Windows folder and the ‘cachelut.dat’ file which you may find inside the Windows folder or inside the Internet Explorer folder in Program Files. Finally, to clean up, you can delete the registry keys ‘HKEY_CURRENT_USER\Software\CliMan’ and ‘HKEY_CURRENT_USER\Software\iPend’, if you wish.

Links

Odysseus Marketing is operated by one Walt Rines, who also ran the major spam-sending company ‘Quantum Communications’. The software claims to be written by development company Nostrum India.