Parasite: nCase

This record last updated Tue Sep 20 2005 00:34:15

PLEASE NOTE: Due to the overwhelming extent of this problem and the unbelievable volume of email we have received, we regret that we cannot respond to questions about browser parasites at this time. If you have attempted to contact us about this parasite please accept our apology for not responding. "Thank you's" are always appreciated ;-)

Description

nCase (your capitalisation may vary — nCASE, n-CASE, etc.) is popup-opening adware from 180Solutions. nCase consists of a main process EXE, run on Windows startup through a registry Run entry, spawning ads dependent on browser usage, and a helper DLL used by the process. There is also a data file containing the list of keywords and URLs that the adware will target, and a log of actions taken by the software. Later variants of nCase are aware of the FlashTrack parasite and will disable it if it is running, to stop it showing competing adverts.

Variants

The main part of the software exists in many variants with different filenames:
nCase/nc was the original variant. nCase/rnd was a version installed using random (and not all the same) filenames in the System folder. The other variants use different filenames but are otherwise based on the same code; they can download the same updates and have existed in different versions in parallel. Over the course of development, features have been added to these variants through their self-updating mechanism:
nCase/Zango is promoted under the name Zango as the more customer-friendly face of nCase. However, besides altered filenames, the software behaves just the same. nCase/Inst is an ActiveX drive-by installer control for nCase variants. nCase/Inst appeared around March 2003 with the variant nCase/Inst/nc, loading the nc variant. nCase/Inst/Zango loads the Zango variant, and nCase/Inst/180sa loads one of the other variants (msbb to 180adsolution).

Also known as

Boomerang, the internal project name associated with the variants msbb to 180adsolution.

Distribution

Bundled with a large range of applications, particularly file-sharing programs and downloadable games. Also installed by ActiveX drive-by downloads in adverts inserted on some free web hosting services, and bundled with programs installed by ActiveX drive-by download in adverts (e.g. an ‘Error Patch’ application that does nothing other than load n-Case). Also installed by the FavoriteMan, BookedSpace, NeoToolbar, InternetOptimizer, Roimoi and ISTbar parasites, and by IE security holes exploited by CoolWebSearch. Promoted to webmasters through unsolicited mail from metricsdirect.com, who also sell advertising on the nCase parasite.

What it does

Advertising

Yes. Looks for known URLs and keywords in URLs, and opens targeted pop-up advertisements based on them from tv.180solutions.com (previously bis.180solutions.com). Also opens non-targeted pop-up adverts at arbitrary times during IE usage. Can add shortcut icons to the Start menu and Desktop if directed to by its controlling servers. Pop-ups opened by nCase may also set affiliate cookies, having the effect of redirecting any affiliate fees earned when you shop on-line, either directly to 180Solutions or to their advertisers. In June 2004, pop-ups opened by nCase were seen that included IE security hole exploits to load the ILookup/Dec parasite.

Privacy violation

Yes.
The URL or keyword is passed with a unique identifier to nCase’s advertising server when a targeted advert is shown, allowing web usage to be tracked across sites. Some nc variants also seem to try to read an e-mail address, real name and ZIP code to associate with the unique identifier, from applications’ data in the registry:
This ability seems to have been removed again from the later variants.

Security issues

Yes. nCase can download and execute arbitrary unsigned code from download.180solutions.com, as directed by its controlling server config.180solutions.com, as an update feature. The Inst variant ActiveX controls can also be used on any web page to reinstall the main software if it has been removed. Additionally, some pop-ups spawned by nCase in the past have included Internet Explorer security exploits, loading further parasites.

Stability problems

May cause an error message such as "msbb.exe file is linked to the missing export wininet.dll" on older systems without a WinInet library. Can also cause IE to be a bit slow to start up, and some versions are reported to generate page fault errors.

Removal

nCase/msbb and rnd may include two uninstallers (if any), named ‘Insterstitial ad delivery by n-Case’ and ‘PAD lookups by n-Case’. Both have to be used before the software is removed; both require internet access and simply attempt to download further uninstallers which also require internet access, and sometimes still don’t work. Manual removal will probably be faster than this rigmarole. The other variants have at most one uninstaller, ‘Uninstall 180Search Assistant’ or ‘Zango’. This also requires internet access, and requires several stages of confirmation pages fetched from 180solutions’s site, but does remove the software without a further download.

All uninstallers leave the nCase/Inst control in place, allowing nCase to be reinstalled without prompting. To remove this, open the Downloaded Program Files folder (inside the Windows folder) and delete the entry ‘nCaseInstaller Class’ (nCase/Inst/nc variant), ‘180SAInstaller Class’ (nCase/Inst/180SA variant) or ‘ZangoInstaller Class’ (nCase/Inst/Zango variant).
Manual removal

Open the registry (click ‘Start’, choose ‘Run’ and enter ‘regedit’), select the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, and right-click the entry on the right with the name ‘msbb’ (nc and msbb variants), ‘saie’, ‘sais’, ‘salm’, ‘saap’, ‘sain’, ‘180ax’, ‘180adsolution’, ‘zango’, or, in the case of the rnd variant, a random name 3-9 lower-case letters long pointing at a .exe file of the same name. Delete this entry, noting the filename it was pointed at.

nCase can be installed in any location on the hard disc, depending on the whim of the installer. Common locations include a folder in Program Files named ‘nCase’, ‘n-Case’, ‘MSBB’, ‘180Solutions’ or ‘180Search Assistant’, along with the System32 folder (inside the Windows folder; called just ‘System’ on Windows 95/98/Me), the Temp folder (inside the user profile Local Settings folder in Documents and Settings, or directly in the Windows folder in Windows 95/98/Me) and the Application Data folder (inside the user profile folder, or the Windows folder in 95/98/Me). It can also often be found inside the Program Files folder of another program that installed it.

For the Alert variant, also check the Run key for an entry with a random upper-case name 3-6 letters long pointing to a .exe file of the same name in the Windows folder. Note the name and delete the entry if there is one.

Restart the computer and you should be able to delete the files whose names you noted. You can also remove files using the names in the table above, stored in the same folders as the main executable, and the empty temporary folder named ‘FLEOK’, along with any icon (.ico) files nCase has downloaded to put onto the desktop.
To clean up, you can also delete the registry keys in HKEY_CURRENT_USER\Software and HKEY_LOCAL_MACHINE\Software with the name ‘msbb’ (nc, rnd, msbb variants), ‘saie’, ‘sais’, ‘salm’, ‘saap’, ‘sain’, ‘180solutions’ or ‘zango’ and, if present, the uninstall key in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall called ‘nCASE’, ‘msbb’ or ‘zango’.

* Parasite information and detection script by Andrew Clover - www.doxdesk.com, used with permission.
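The removal steps above amount to a checklist of registry values, keys, folders and an ActiveX control. The following PowerShell script is an added example, not the doxdesk detection script credited above: it audits a machine for those same indicators and reports them without deleting anything, so an administrator can verify what is present before following the manual removal steps. The value names, key names, folder names and the rnd/Alert naming patterns come from this record; the function names, the output shape, and the assumption that the names shown in the Downloaded Program Files folder are the controls' CLSID friendly names under HKLM\SOFTWARE\Classes\CLSID are this example's own.

```powershell
# Added example (not the doxdesk detection script): read-only audit for the
# nCase indicators listed in the Removal sections. Run in an elevated PowerShell
# and review the findings; the script reports, it does not delete.

$KnownRunNames       = @('msbb','saie','sais','salm','saap','sain','180ax','180adsolution','zango')
$KnownSoftwareKeys   = @('msbb','saie','sais','salm','saap','sain','180solutions','zango')
$KnownUninstallKeys  = @('nCASE','msbb','zango')
$KnownInstClassNames = @('nCaseInstaller Class','180SAInstaller Class','ZangoInstaller Class')
$KnownFolderNames    = @('nCase','n-Case','MSBB','180Solutions','180Search Assistant')

function New-Finding($Kind, $Location, $Detail) {
    [pscustomobject]@{ Kind = $Kind; Location = $Location; Detail = $Detail }
}

function Get-NCaseRunEntries {
    # Flags the named Run entries from the record, plus the rnd pattern (3-9
    # lower-case letters) and the Alert pattern (3-6 upper-case letters) where
    # the entry name equals the base name of the .exe it launches. The two
    # patterns are heuristics: legitimate entries of the same shape (a short
    # name launching a same-named .exe) will also match, so review each hit.
    $path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $key = Get-Item -Path $path -ErrorAction SilentlyContinue
    if (-not $key) { return }
    foreach ($name in $key.GetValueNames()) {
        $value = [string]$key.GetValue($name)
        # Isolate the executable path (quoted first token, or first token
        # ending in .exe) so trailing arguments do not affect the comparison.
        if ($value -match '^"([^"]+)"') { $exe = $Matches[1] }
        elseif ($value -match '^(\S+\.exe)') { $exe = $Matches[1] }
        else { $exe = $value }
        try { $base = [System.IO.Path]::GetFileNameWithoutExtension($exe) } catch { $base = '' }
        $why = $null
        if ($KnownRunNames -contains $name.ToLowerInvariant()) {
            $why = 'known nCase Run entry name'
        } elseif ($name -cmatch '^[a-z]{3,9}$' -and $base -eq $name) {
            $why = 'rnd-variant pattern: random lower-case name launching a same-named .exe'
        } elseif ($name -cmatch '^[A-Z]{3,6}$' -and $base -eq $name) {
            $why = 'Alert-variant pattern: random upper-case name launching a same-named .exe'
        }
        if ($why) { New-Finding 'RunEntry' "$path\$name" "$value ($why)" }
    }
}

function Get-NCaseRegistryLeftovers {
    # Configuration keys under both hives, and the uninstall entries.
    foreach ($hive in 'HKCU:\Software', 'HKLM:\SOFTWARE') {
        foreach ($k in $KnownSoftwareKeys) {
            $p = Join-Path $hive $k
            if (Test-Path -LiteralPath $p) { New-Finding 'SoftwareKey' $p 'leftover nCase configuration key' }
        }
    }
    $uninst = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
    foreach ($k in $KnownUninstallKeys) {
        $p = Join-Path $uninst $k
        if (Test-Path -LiteralPath $p) { New-Finding 'UninstallKey' $p 'nCase uninstall entry' }
    }
}

function Get-NCaseInstControls {
    # Assumption: the names shown in Downloaded Program Files are the controls'
    # CLSID friendly names, i.e. the default value of each CLSID key.
    $clsidRoot = 'HKLM:\SOFTWARE\Classes\CLSID'
    Get-ChildItem -Path $clsidRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $friendly = [string]$_.GetValue('')
        if ($KnownInstClassNames -contains $friendly) {
            New-Finding 'ActiveXControl' $_.PSPath "$friendly (nCase/Inst control; reinstalls nCase if left in place)"
        }
    }
}

function Get-NCaseFolders {
    # Common install folders under Program Files, and the FLEOK temp folder.
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    foreach ($root in $roots) {
        foreach ($n in $KnownFolderNames) {
            $p = Join-Path $root $n
            if (Test-Path -LiteralPath $p) { New-Finding 'Folder' $p 'common nCase install folder' }
        }
    }
    $fleok = Join-Path $env:TEMP 'FLEOK'
    if (Test-Path -LiteralPath $fleok) { New-Finding 'Folder' $fleok 'nCase temporary folder' }
}

function Invoke-NCaseAudit {
    # Returns every finding as an object so it can be filtered, exported or
    # formatted by the caller; an empty result means no indicator was seen.
    @(Get-NCaseRunEntries) + @(Get-NCaseRegistryLeftovers) + @(Get-NCaseInstControls) + @(Get-NCaseFolders)
}

Invoke-NCaseAudit | Format-Table -AutoSize
```

Each finding names the exact registry path or folder, so the Run-entry hits can be checked against the "note the filename it was pointed at" step before anything is removed. The script only covers the locations this record names; files dropped into System32, Temp or Application Data under arbitrary names are found through the Run entry that launches them, not by scanning those folders.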