allentech.net

Parasite: Hyperlinker

This record last updated Tue Sep 20 2005 00:34:15

PLEASE NOTE: Due to the overwhelming extent of this problem and the unbelievable volume of email we have received, we regret that we cannot respond to questions about browser parasites at this time. If you have attempted to contact us about this parasite please accept our apology for not responding. "Thank you's" are always appreciated ;-)

Description

Hyperlinker is link-adding adware comprising an Internet Explorer Browser Helper Object (BHO) and HTML filter called lmf32v.dll, stored in the System32 folder, and an updater task LMU.exe in the Windows folder. The controlling server is www.serverlogic3.com.

Hyperlinker is controlled by Vertical Theories (verticaltheories.com), the same people as Integrated Ventures (integrated-ventures.com), behind the PowerStrip parasite.

Also known as

LinkMaker (internal name).

Distribution

Bundled with other software. Known to be installed with no notice by at least one game from Longbow Digital Arts.

What it does

Advertising

Yes. When targeted words are seen on the page being viewed, Hyperlinker adds its own double-underlined advertising links to the words, and may contact the controlling server to request a pop-up advert.

The links are added to the page by the IE HTML filter, so saving the page will result in any bogus advertising links being saved. If a webmaster uploads this altered version of the file the links will remain, so seeing just one page with spurious links to www.serverlogic3.com does not necessarily mean you have the software installed.

Privacy violation

No. URLs are not passed back to the controlling server and only a session cookie is currently used, which would not be enough to track search engine usage patterns.

Security issues

Yes. The updater process LMU.exe can be instructed to download and silently execute arbitrary unsigned code when it periodically checks in at one of its update servers. Known update servers include www.danetport.com, www.infport.com, www.srfgate.com and www.webnetinfo.net; other suspected servers are net-check.net, nextern.net, ddupdates.com, chk-web.com, dnsstat.com and newinf.net.

Stability problems

Yes. The filter has some silly side effects such as turning blank pages into the letter ÿ, and putting links in places where links can’t go such as <title> elements. In certain unlucky situations this could break web applications that rely on scripting.

Removal

There is a ‘Hyperlinker’ entry in the Control Panel’s Add/Remove Programs list. It removes the BHO/filter DLL but leaves the backdoor updater behind, which might well reinstall the software later. The manual instructions given on the serverlogic3 web site also fail to remove this. See the section below on editing the registry for how to get rid of it.

Manual removal

Open a DOS command prompt window (from Start->Programs->Accessories) and enter the following commands:

cd "%WinDir%\System"
regsvr32 /u lmf32v.dll

Next, open the registry (click ‘Start’, choose ‘Run’, enter ‘regedit’) and select the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. On the right, right-click the entry ‘lmu’ pointing to LMU.exe and choose ‘Delete’.

After restarting the computer you should be able to delete the LMU.exe file from the Windows folder, and the lmf32v.dll file from the System32 folder (inside the Windows folder; called just ‘System’ on Windows 95/98/Me).

You can also delete the keys HKEY_CURRENT_USER\Software\LM and HKEY_CURRENT_USER\Software\LMU in the registry to clean up if you like.
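
Because the Add/Remove Programs entry leaves the updater behind, it is worth confirming afterwards that nothing listed above remains. The following read-only check is an added example, not the detection script credited below and not code from this page; the function name Get-HyperlinkerRemnant is hypothetical, and it looks only at the file and registry locations named in this record.

```powershell
# Added example: report Hyperlinker remnants at the locations named on this page.
# Read-only: nothing is deleted or modified.
function Get-HyperlinkerRemnant {
    $found = @()

    # Updater in the Windows folder; BHO/filter DLL in System32
    # (the folder is called just 'System' on Windows 95/98/Me).
    $files = @(Join-Path $env:WinDir 'LMU.exe')
    foreach ($dir in 'System32', 'System') {
        $files += Join-Path (Join-Path $env:WinDir $dir) 'lmf32v.dll'
    }
    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f -PathType Leaf) {
            $found += [pscustomobject]@{ Kind = 'File'; Location = $f }
        }
    }

    # Run value that restarts the updater: the 'lmu' entry, or any
    # entry whose command line points to LMU.exe.
    $runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Name -eq 'lmu' -or "$($p.Value)" -match '\\LMU\.exe') {
            $found += [pscustomobject]@{
                Kind     = 'Run value'
                Location = "$runKey -> $($p.Name) = $($p.Value)"
            }
        }
    }

    # Leftover per-user settings keys.
    foreach ($k in 'HKCU:\Software\LM', 'HKCU:\Software\LMU') {
        if (Test-Path -LiteralPath $k) {
            $found += [pscustomobject]@{ Kind = 'Registry key'; Location = $k }
        }
    }
    $found
}

$remnants = Get-HyperlinkerRemnant
if ($remnants) {
    $remnants | Format-Table -AutoSize -Wrap
} else {
    'No Hyperlinker remnants found at the locations checked.'
}
```

A remaining Run value or LMU.exe file after uninstalling means the updater is still in place and the registry steps above still need to be carried out.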

* Parasite information and detection script by Andrew Clover - www.doxdesk.com, used with permission.
