Limited Time!
Totally FREE Web Design!
Click here!

Parasite: FavoriteMan

This record last updated Tue Sep 20 2005 00:34:15

PLEASE NOTE: Due to the overwhelming extent of this problem and the unbelievable volume of email we have received, we regret that we cannot respond to questions about browser parasites at this time. If you have attempted to contact us about this parasite please accept our apology for not responding. "Thank you's" are always appreciated ;-)

Description

FavoriteMan is a backdoor downloader implemented as an Internet Explorer Browser Helper Object (BHO) stored in the System32 folder. It periodically connects to its controlling server to download a control text file, which instructs it what software to install and where to download the control file from next.

It also has the facility to add web links to the desktop background and IE Favorites menu as directed by the control file.

FavoriteMan is unusual in that its various variants are used simultaneously by two different groups of companies:

• Razor Media LLC (razormedia.net, n-lite.com), a US marketing company (not known to have anything to do with the ‘Razor Media LLC’ that run US men’s magazine Razor). Razor Media are also reponsible for the DailyWinner, WhileYouSurf and ClickTheButton parasites.
• Vista Interactive Media (vistainteractivemedia.com, mindsetinteractive.com), who are also responsible for the VistaBar and NetPal parasites, and used to control Transponder.

Variants

The filename for FavoriteMan/MMView may be mmviewer_101.dll or mmviewer_102.dll. The filename for FavoriteMan/IMZ is one of the nonsense names associated with lop, such as eelykofrllfrpr.dll.

FavoriteMan DLL files are typically around 100K long, except for the EMesX and Gig variants which are compressed to around 50K using the UPX executable file packer.

The ATPartners variant comprises many minor variations (one for each distributor) which differ only in the name of the control file fetched from f1organizer.

Also known as

NetPal. Mindset Interactive (now Vista) used to call all its software ‘NetPal’, including the NetPal parasite and Transponder, which they previously controlled.

Distribution

The Ss32 variant is installed by SpyAssault, a supposed spyware scanner from Razor Media. The MMView variant is installed by ActiveX drive-by downloads in pop-ups sourced from Mamma Media Solutions (targetnet.com).

The Favorite, F1 and Mpz variants have been bundled with iMesh. The ZZ and Gr02 variants were bunded with Grokster around January and June 2003.

The IMZ variant is installed by the lop/IMZ parasite. The Gig variant is installed by software from TwistedHumor.com. (’Gig’ refers to Gigatech Software, producers of the SuperBar parasite.)

The YsUp variant is installed by ActiveX drive-by download in pop-up adverts served by YesUp Ecommerce Solutions (yesup.net, popinads.com), who also operate the Pugi/WhyPPC parasite.

The Int, Icm and ATPartners variants are installed by downloads from affiliates of addictivetechnologies.com/addictivetechnologies.net/at-games.com, including Vista’s own sites such as 1000funnyvideos.com, screensthemesandmore.com and at-offers.com, and others such as free-windows-games.com.

The ATPartners variant is additionally installed by bundling with other parasites and from affiliate sites using ActiveX drive-by downloads, ‘aggressive’ downloader scripts and IE security hole exploits.

What it does

Advertising

No pop-ups, but adds advertising links to the Desktop background and IE Favorites menu.

Privacy violation

In the Razor Media variants, no.

The Vista variants contain vestigial code that appears to want to read the user e-mail adress stored in Outlook and Outlook Express settings. However this has not been observed to actually work.

Security issues

Yes. The software can and does execute arbitrary unsigned code as directed by its controlling server. FavoriteMan’s aim is to install as much unsolicited commercial software as possible in order to earn commission fees from other parasite vendors.

Unsolicited commercial software seen to be installed by the early Razor Media variants of FavoriteMan (Ofrg, Favorite) includes:

• BargainBuddy/Adp
• ClickTheButton
• DailyWinner
• ezCyberSearch
• IGetNet/v5
• nCase
• NetPal
• NewDotNet
• SideStep
• Transponder/VX2
• Mail.com Alerts (which also installs BargainBuddy/Apuc)
• various homepage hijackers

Software installed by the later Razor Media variants of FavoriteMan (Ss32, MMView) includes:

• AproposMedia/CxtPls
• BroadcastPC (which also installs FlashTrack)
• nCase/180ad
• WhileYouSearch
• ClearStream
• Delfin

Software installed by the Vista variants of FavoriteMan includes at least:

• 2020Search
• AutoStartup
• BargainBuddy
• BrowserAid/BrowserPal
• ClearSearch/Lycos
• ClientMan
• CometCursor/Toolbar
• Enconfidence
• eXactSearch
• FavoriteMan/Favorite
• Hotbar
• HuntBar/WinTools
• IGetNet/v5
• ISTbar/AUpdate
• KeenValue/Incredifind
• MoreResults
• MySearch/MySearch
• nCase
• VistaBar
• ShopAtHomeSelect
• Sidesearch
• TopText
• Transponder/MSView
• TVMedia/BHO
• WeatherBug
• TopMoxie/WebRebates
• Freeze.com Living Waterfalls screensaver (which may also come bundled with WeatherBug, NewDotNet, SaveNow and Forbes.com Business Alerts.
• A1Tech AdsGone popup-killer
• VirtualBouncer/AdDestroyer
• STOPzilla
• eMusic.com 50 free MP3s offer

Stability problems

Yes. FavoriteMan sometimes causes IE to lock up for a variable period of time, occasionally indefinitely, when a new browser process is started. This may be something to do with its trying to contact its servers on startup. Also crashes may occur when very long URLs are used.

Removal

FavoriteMan/F1, ZZ, IMZ, Icm/Int and ATPartners may offer a removal feature: go to Add/Remove Programs in the Control Panel, choose ‘F1’, ‘ZZ’, ‘IMZ’, ‘Netpal Games’ or ‘ATP’ and click ‘Remove’.

Manual removal

The DLL file with the name from the table above can be found in the System32 folder, which is inside the Windows folder, and called just ‘System’ on Windows 95/98/Me. In the case of the IMZ version, look for the nonsense name; if you sort the files to show the newest version it should be reasonably obvious.

Before you can delete the program file, you must deregister it. Open a DOS command prompt window (under Accessories in the [All] Programs menu on the Start button) and enter the commands:

cd "%WinDir%\System"
regsvr32 /u favorite.dll

Change the filename ‘favorite.dll’ to match the filename.

After doing this and restarting the computer you can delete the file. You can also delete the data file named in the table above, which should be found in the same folder.

To clean up, you can also open the registry (click ‘Start’ choose ‘Run’, enter ‘regedit’) and select the key HKEY_CURRENT_USER\Software\Microsoft\Windows, then delete the entries named ‘Counter’, ‘Server’ and ‘Object’. on the right.