FunWebProducts - September 3, 2006

I ran Spybot Search & Destroy 1.4 on a system, Charlene, on September 3, 2006. Spybot found FunWeb and FunWebProducts. For FunWebProducts, it reported the following information:
Company: Focus Interactive, Inc.
Product: FunWebProducts
Threat: Trojan

Functionality
FunWebProducts is supposed to install funny icons or smileys.

Description
This trojan does install the described items and a lot of more [sic] applications the user did not ask for.
It is also detected as trojans by various antivirus scanners because it does not clearly state what it brings along.

Privacy Statement
We do not collect any personally identifiable information (such as names or email addresses) about users of the Software or the Web Sites ("you"), unless you specifically decide to provide such information (such as by emailing a help request to us or when registering to use the My Info feature, as described below). We do not sell, rent or trade any personally identifiable information you provide when using the Software or the Web Sites.

When you visit the Web Sites, we may place a small text file - called a "cookie" - on your computer that allows us to identify your Web browser. We use cookies to improve the quality of our service, and to store your preferences and settings. Importantly, a cookie does not allow us to obtain any personally identifiable information (such as your real name or address) unless you have specifically provided such information when using the Web Sites or the Software.

We also capture your source IP address which is a standard practice for most internet sites. We in no way associate your IP address with any cookies and do not use your IP address in conjunction with any personally identifiable information.

If any of the Web Sites or the Software is ever sold or all or substantially all of the assets relating to a Web Site or the Software are transferred to another entity, we may transfer all information provided by or collected from you, including personally identifiable information, in order to ensure continuity of your service.

For a complete listing of the registry keys, etc. for all of the malware Spybot found on the system, see Search results from Spybot - Search & Destroy 9/3/2006 6:56:08 PM.

I found a FunWebProducts folder under C:\Program Files. Within that folder were two subfolders: ScreenSaver and Shared. The ScreenSaver directory had only an Images directory beneath it and that directory was empty. The Shared directory had one file in it, 0DE1CE0C.dat, which was dated April 3, 2006 and a Cache directory. The Cache directory had the following 4 HTML files within it:

09/03/2006  06:39 PM           107,229 CursorManiaBtn.html
08/25/2006  08:52 AM            58,071 FunBuddyIconBtn.html
08/24/2006  05:08 PM            19,131 MyFunCardsIMBtn.html
02/21/2006  03:06 PM             1,407 res100.html
09/03/2006  06:39 PM           400,089 SmileyCentralBtn.html

Zip file of contents of FunWebProducts folder

The FunWebProducts directory had a creation timestamp of Tuesday, February 21, 2006, 3:01:21 PM. When I looked under Add or Remove Programs for any references to "FunWeb" or "FunWebProducts", I found none, but I did see My Web Search (Smiley Central). Spybot also reported it found MyWay.MyWebSearch and MyWebSearch. It did not have any information on those products. I did find a C:\Program Files\MyWebSearch directory. It had a creation timestamp of Tuesday, February 21, 2006, 3:01:16 PM, so apparently came along with FunWebProducts.
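The timestamp correlation used above can be done mechanically. The following Python sketch is an added example, not part of the original write-up: it parses the Cache listing and the two directory creation times quoted on this page and groups entries that lie close together in time. The function names and the 10-minute window are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta

# Values quoted on this page. Directory entries are the creation times the
# author reports; file entries are the Cache listing as shown (cmd.exe "dir"
# prints last-write time unless /T:C is given).
DIR_CREATED = [
    (r"C:\Program Files\MyWebSearch", "02/21/2006 03:01:16 PM"),
    (r"C:\Program Files\FunWebProducts", "02/21/2006 03:01:21 PM"),
]
CACHE_LISTING = """\
09/03/2006  06:39 PM           107,229 CursorManiaBtn.html
08/25/2006  08:52 AM            58,071 FunBuddyIconBtn.html
08/24/2006  05:08 PM            19,131 MyFunCardsIMBtn.html
02/21/2006  03:06 PM             1,407 res100.html
09/03/2006  06:39 PM           400,089 SmileyCentralBtn.html
"""


def parse_dir_line(line):
    """Parse one file line of US-format `dir` output into (when, name, size)."""
    date, time, ampm, size, name = line.split(None, 4)
    when = datetime.strptime(f"{date} {time} {ampm}", "%m/%d/%Y %I:%M %p")
    return when, name.strip(), int(size.replace(",", ""))


def build_timeline():
    """Merge directory creation times and cache file times into one list."""
    events = [(datetime.strptime(ts, "%m/%d/%Y %I:%M:%S %p"), path)
              for path, ts in DIR_CREATED]
    for line in CACHE_LISTING.splitlines():
        when, name, _size = parse_dir_line(line)
        events.append((when, name))
    return sorted(events)


def cluster(events, window=timedelta(minutes=10)):
    """Group sorted events; a gap longer than `window` starts a new group."""
    groups = []
    for when, name in events:
        if groups and when - groups[-1][-1][0] <= window:
            groups[-1].append((when, name))
        else:
            groups.append([(when, name)])
    return groups


if __name__ == "__main__":
    for group in cluster(build_timeline()):
        print(group[0][0].date(), [name for _when, name in group])
```

With the page's values, the first group holds both Program Files directories and res100.html, all from the afternoon of February 21, 2006; the later cache files fall into separate groups.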

Zip file of contents of MyWebSearch folder

The only other items Spybot found, aside from FunWeb, FunWebProducts, MyWay.MyWebSearch, and MyWebSearch, which all seem to be related, were advertising cookies, which are relatively innocuous. It also reported "Windows Security Center.AntiVirusOverride", but I had set that registry key for Symantec AntiVirus Corporate Edition 8.0. So all of the malware on the system apparently came with FunWebProducts.

When I switched Spybot to "advanced mode" and looked for BHOs under Tools, I saw "MyWebSearch Search Assistant BHO" and "mwsBar BHO" labelled as malware (a white "X" in a red octagon). They were the only two labelled as malware (see Spybot BHO Report). The creation date for both was listed as 7/19/2006, but they may have been updated since the malware was first installed.

Spybot BHOs found on 9/3/2006

If you export the BHO information to a file in Spybot, you will see references to Doxdesk's parasite information page on MySearch at http://www.doxdesk.com/parasite/MySearch.html. Unfortunately, the parasite database on that website, which was an excellent source of information on malware, has been taken down. The Internet Archive, aka the "Wayback Machine", has archived copies of the Doxdesk MySearch webpage at http://web.archive.org/web/*/http://www.doxdesk.com/parasite/MySearch.html . The last time that page was archived was November 29, 2004. I've also stored an archived copy of the page at MySearch. That webpage indicates that MySearch is linked to iWon.com, which is also linked to the Aornum parasite.

The FunWebProducts adware is apparently bundled with a number of "free" products offered by iWon, including Smiley Central, PopSwatter, My Mail Signature, My Mail Stationery, My Mail Stamp, and Cursor Mania. The last product is a cursor chooser while the others are touted as enhancements for email. The user had a rose cursor on the system. Perhaps that was from Cursor Mania. When I had Spybot remove the malware it found, the cursor was back to the default one when I logged into the user's account afterwards.

I had Spybot remove all of the malware it found and the advertising cookies as well.

References:

  1. doxdesk.com: parasite:MySearch
    Archived copy from Doxdesk.com
    November 29, 2004
  2. No fun with FunWebProducts
    Web Applications Newsletter by Mark Gibbs, Network World
    December 10, 2003

 


Created: Sunday September 3, 2006