Parasite: MoneyTree

This record last updated Tue Sep 20 2005 00:34:15

PLEASE NOTE: Due to the overwhelming extent of this problem and the unbelievable volume of email we have received, we regret that we cannot respond to questions about browser parasites at this time. If you have attempted to contact us about this parasite, please accept our apology for not responding. "Thank you's" are always appreciated ;-)

Description

MoneyTree is an ActiveX control used to download premium-rate diallers, generally for porn sites. Note: this parasite is not connected to the financial software company called MoneyTree Software.

Variants

MoneyTree/NSUpdate: installs nsupdate.dll and NSupd9x.inf in the Downloaded Program Files folder.
MoneyTree/NSLite: installs nslite.dll and nslite.inf in the Downloaded Program Files folder.
MoneyTree/UniDist: installs UniDist.ocx and UniDist.inf in the Downloaded Program Files folder.
MoneyTree/MultiDist: installs MulDist.ocx and MulDist.inf in the Downloaded Program Files folder.
MoneyTree/DyFuCA: installs dyfuca.ocx and dyfuca.inf in the Downloaded Program Files folder. This variant typically installs the InternetOptimizer parasite.

Also known as

MoneyTree/NSUpdate is known as All-In-One Telcom by Spybot Search and Destroy; the NSLite variant is known to Ad-Aware 6 as Proclaim Telcom. Both names come from the company names given in the file’s digital signature.

Distribution

Loaded by ActiveX drive-by-download in pages operated by mtree (domains such as mtreexxx.nl), which are often reached through redirects from pop-up adverts, 404 pages at porn hosts and misspelled domains. mtree also often uses direct EXE file downloads to distribute the same diallers; this does not leave an ActiveX control loaded and is not detected by the script at this site.

What it does

Advertising: No.
Privacy violation: No.
Security issues: Yes. With the control installed, any web page may download and execute arbitrary unsigned code from one of mtree’s servers.
Stability problems: No.

Removal

Open the ‘Downloaded Program Files’ folder (which can be found in the Windows folder), and delete the entry for ‘NSUpdateLiteCtrl Class’ (NSUpdate variant), ‘NSLiteUpdateCtrl Class’ (NSLite variant), ‘MoneyTree Dialer’ (UniDist variant), ‘MultiDist’ (MultiDist variant), or ‘Software Update Manager’ (DyFuCA variant).

Links

Sophos anti-virus classifies the DyFuCA variant as Dial/DyFuCA-A.

* Parasite information and detection script by Andrew Clover - www.doxdesk.com, used with permission.

For more information about Scumware, Spyware and Parasites, their sources and their cure, visit our About Parasites page and related Tech Links. Visit our new services portal at Allen One for a completely new parasite database format, coming November 2005!
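
A check for the files listed under Variants, reporting which entry from the Removal section to delete, as an added example (not code from this page and not the detection script it mentions). The function names and the default folder path built from %WINDIR% are assumptions; the file and entry names come from this record.

```python
import os
from pathlib import Path

# File names and control entry names are taken from the Variants and Removal
# sections of this record; nothing else is assumed about the parasite.
VARIANTS = {
    "NSUpdate":  ({"nsupdate.dll", "nsupd9x.inf"}, "NSUpdateLiteCtrl Class"),
    "NSLite":    ({"nslite.dll", "nslite.inf"}, "NSLiteUpdateCtrl Class"),
    "UniDist":   ({"unidist.ocx", "unidist.inf"}, "MoneyTree Dialer"),
    "MultiDist": ({"muldist.ocx", "muldist.inf"}, "MultiDist"),
    "DyFuCA":    ({"dyfuca.ocx", "dyfuca.inf"}, "Software Update Manager"),
}


def default_folder():
    """'Downloaded Program Files' in the Windows folder (assumed via %WINDIR%)."""
    return Path(os.environ.get("WINDIR", r"C:\Windows")) / "Downloaded Program Files"


def scan(folder):
    """Return one finding per variant that has at least one of its files in folder."""
    folder = Path(folder)
    if not folder.is_dir():
        return []
    # Windows file names are case-insensitive, so compare in lower case
    # but report the name as it appears on disk.
    present = {p.name.lower(): p.name for p in folder.iterdir() if p.is_file()}
    findings = []
    for variant, (files, entry) in VARIANTS.items():
        hits = sorted(present[f] for f in files if f in present)
        if hits:
            findings.append({
                "variant": variant,
                "files": hits,
                # True when only some of the variant's files are present.
                "partial": len(hits) < len(files),
                "entry_to_delete": entry,
                # The record says DyFuCA typically installs InternetOptimizer.
                "also_check": "InternetOptimizer" if variant == "DyFuCA" else None,
            })
    return findings


if __name__ == "__main__":
    for f in scan(default_folder()):
        print(f"MoneyTree/{f['variant']}: {', '.join(f['files'])} "
              f"-> delete entry '{f['entry_to_delete']}'")
```

As the Distribution section notes, a dialler delivered by direct EXE download leaves no control in this folder, so an empty result does not rule out the diallers themselves.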