Spybot - Details on Infections Detected on 2008-09-09

Company: Coupons, Inc.
Product: CouponBar
Threat: Adware

Company URL:
http://www.coupons.com
Company product URL:
http://www.coupons.com/
Company privacy URL:
www.coupons.com/corp/source/u_privacypolicy.asp?vf=y_

Functionality
Install a tool which provides "Over $100 in printable coupons right from your browser. Keep informed of the latest offers. Contains no adware or spyware. Coupons from companies like General Mills, Kimberly Clark, Nestle, and Johnson & Johnson."

Description
The downloaded file installs a toolbar and a Browser Helper Object (BHO). The BHO connects to coupons.com at every Internet Explorer startup to download the latest updates. The toolbar displays bonus vouchers which can be printed or used online. When the product is uninstalled, nearly all of its files and registry entries remain on the system.

Privacy Statement
[...]Coupons, Inc. uses the information that we collect to operate, maintain, and provide to you all of the coupons and promotional offerings found on the Sites and for other non-marketing or administrative purposes such as notifying you of major service updates or for customer service purposes. Coupons, Inc. uses all of the information that we collect from our Consumers to understand the usage trends and preferences, to improve the way the Sites work and look, to improve our marketing and promotional efforts, and to create new features and functionality. Coupons, Inc. uses "automatically collected" data to (a) process and record coupon printing and redemption activity; (b) store information so that you will not have to re-enter it during your visit or the next time you use the Sites; (c) provide custom, personalized coupon promotions, advertisements, content, and information; (d) monitor the effectiveness of marketing campaigns; and (e) monitor aggregate usage metrics such as total number of visitors and pages viewed. [...]
Coupons, Inc. discloses "automatically collected" data (such as coupon print and redeem activity) to its Clients and third-party ad servers and advertisers. These third parties may match this data with information that they have previously collected about you under their own privacy policies, which you should consult on a regular basis. [...]

Company:
Product: Delf.Spool.cn
Threat: Trojan

Functionality
Masquerades as the Windows print spooler file spoolsv.exe.

Description
This trojan horse replaces the original spoolsv.exe with its own copy so that the system starts it as the print spooler and it runs in the background. Variants may also connect to a Chinese website in the background. After fixing with Spybot-S&D, please restore the original spoolsv.exe from the c:\windows\system32\dllcache folder to the c:\windows\system32 folder.

Company: PremiumSearch , Inc.
Product: PremiumSearch
Threat: Trojan

Functionality
Masquerades as a legitimate search site.

Description
This trojan horse is installed in the background and registers itself under the system start and Winlogon keys. It runs multiple exe files and DLLs with variable names in the background; these protect each other and connect to the internet. The hosts file is hijacked so that search sites such as Yahoo, Google and MSN are redirected to PremiumSearch. The computer is slowed down and the security settings are compromised. The trojan horse also uses rootkit functionality to hide some of its parts. Removal will require a reboot. After the reboot, Explorer may no longer start; in that case open Spybot via the Task Manager and fix the remaining parts of PremiumSearch.
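The hosts-file hijack described above is easy to check for by hand, since any entry that maps a search engine hostname to some address is suspect. The scanner below is an added example, not Spybot-S&D's own code; the search-domain list, the 198.51.100.23 address and the sample hosts file are constructed for illustration. It reports each hijacked mapping and produces a cleaned copy with only those mappings removed, leaving localhost and other entries intact.

```python
import ipaddress
import sys

# Added example: flag hosts-file entries that redirect search-engine hostnames,
# the hijack used by PremiumSearch. Domain list is a constructed illustration.
SEARCH_DOMAINS = ("google.com", "yahoo.com", "msn.com", "live.com", "altavista.com")


def is_search_host(host: str) -> bool:
    """True for a listed search domain or any subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in SEARCH_DOMAINS)


def scan_hosts(text: str):
    """Return (hijacks, cleaned_text); hijacks is a list of (line_no, ip, host)."""
    hijacks = []
    kept = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()           # comments are not entries
        fields = line.split()
        if len(fields) < 2:
            kept.append(raw)                          # blank or comment-only line
            continue
        ip, hosts = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            kept.append(raw)                          # malformed; leave for a human
            continue
        bad = [h for h in hosts if is_search_host(h)]
        if not bad:
            kept.append(raw)
            continue
        # Any mapping of a search site, loopback or not, is a hijack: there is
        # no legitimate reason for a hosts entry to override these names.
        for h in bad:
            hijacks.append((no, ip, h))
        survivors = [h for h in hosts if h not in bad]
        if survivors:
            kept.append(f"{ip}\t{' '.join(survivors)}")
    cleaned = "\n".join(kept) + ("\n" if text.endswith("\n") else "")
    return hijacks, cleaned


# Constructed sample modelled on a PremiumSearch-style hijack (not a real capture).
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1\tlocalhost
::1\tlocalhost
# entries planted by the trojan
198.51.100.23\twww.google.com google.com
198.51.100.23\tsearch.yahoo.com www.msn.com
10.0.0.5\tintranet.example.test
"""


if __name__ == "__main__":
    # On Windows XP the real file is %SystemRoot%\system32\drivers\etc\hosts;
    # pass its path as the first argument to scan it instead of the sample.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    found, cleaned = scan_hosts(text)
    for no, ip, host in found:
        print(f"line {no}: {host} -> {ip}")
    print("--- cleaned ---")
    print(cleaned, end="")
```

Write the cleaned copy back only after the trojan's processes are gone (that is, after the reboot the description calls for); while its components are still running and guarding each other, they will simply re-plant the entries.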

Company:
Product: Virtumonde
Threat: Trojan

Description
Virtumonde copies itself to the system folder and creates a BHO. It connects to malicious websites in the background. It also adds a randomly named DLL to the Winlogon Notify key, which makes it very resistant to removal. Removal requires the computer to be disconnected from the internet and restarted after the first scan and fixing session. If you need help with removal, please contact Team Spybot-S&D via the forums or by email.

Company:
Product: Win32.Winlagons.co
Threat: Trojan

Description
Win32.Winlagons.co