The online installer for the DuDu Accelerator is a downloader agent that retrieves its binary setup installer from a remote site. An adware program may be bundled with the DuDu Accelerator installer. Alternatively, some installers retrieve a second installer, which delivers the adware program to the system.
The adware program may be known by a variety of names, such as Desktop-Media and IE-Bar.
Installation
When the retrieved DuDu Accelerator installer is dropped onto the system and executed by a freeware or shareware application, the following files are dropped:
• \%UserProfile%\Local Settings\Temp\remotesetup.exe - DuDu Accelerator downloader installer
• \%UserProfile%\Local Settings\Temp\dddsetup.exe - destination file of the binary to be downloaded
• \%UserProfile%\Local Settings\Temp\dddsetup.ini - initialization file
• \%AllUsersProfile%\Application Data\DuDu
• \%AllUsersProfile%\Application Data\DuDu\DddOEM
• \%AllUsersProfile%\Application Data\DuDu\DddOEM\OemData.dat - data file
Where
%UserProfile% refers to the current user's profile folder, the default installation pathway being "C:\Documents and Settings\[CURRENT USER]" (Windows NT/2000/XP).
In addition, the following file is dropped:
• \%WINDIR%\Tasks\DDD_Install_Program.job - Windows task job that launches every hour
Where
%WINDIR% refers to the Windows folder, the default installation pathway being "C:\Windows" (Windows 95/98/Me/XP) or "C:\Winnt" (Windows NT/2000).
This installer will then install the DuDu Accelerator program, with the extra adware program, by dropping the following files:
• \%ProgramFiles%\%AdwareProgramFolder%
• \%ProgramFiles%\%AdwareProgramFolder%\Cast
• \%ProgramFiles%\%AdwareProgramFolder%\Cast\%Version%
• \%ProgramFiles%\%AdwareProgramFolder%\Cast\%Version%\dmbar.dll
• \%ProgramFiles%\%AdwareProgramFolder%\Cast\%Version%
• \%ProgramFiles%\%AdwareProgramFolder%\Cast\%Version%\dmplayer.dll
• \%ProgramFiles%\%AdwareProgramFolder%\Cast\dmbar.dll
• \%ProgramFiles%\%AdwareProgramFolder%\Cast\dmipn.dll
• \%ProgramFiles%\%AdwareProgramFolder%\Cast\dmsched.exe
• \%ProgramFiles%\%AdwareProgramFolder%\Cast\dmshell.dll
• \%ProgramFiles%\%AdwareProgramFolder%\Cast\license.txt
• \%ProgramFiles%\%AdwareProgramFolder%\Cast\UnInstall.exe
Where
%ProgramFiles% refers to the program files directory, the default installation pathway being "C:\Program Files";
%AdwareProgramFolder% refers to the program folder used by the adware; and
%Version% refers to the folder named after the program version (usually in a 4-digit format such as 1.2.3.4).
Some of these binary files are also detected as Adware.Win32.Dm.
• \%AllUsersProfile%\Application Data\Share Helper
• \%AllUsersProfile%\Application Data\Share Helper\Cast
• \%AllUsersProfile%\Application Data\Share Helper\Cast\GGS
• \%AllUsersProfile%\Application Data\Share Helper\Cast\yxssj_2140.inf
• \%AllUsersProfile%\Start Menu\Programs\Startup\IE-BAR.lnk - autorun
Where
%AllUsersProfile% refers to the All Users profile folder, the default installation pathway being "C:\Documents and Settings\All Users" (Windows NT/2000/XP).
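As an added example (not part of the original description), the following Python script checks a mounted system volume or extracted file tree for the file artifacts listed above. It assumes the default profile and Program Files locations given on this page; the labels and function names are illustrative choices, not vendor terminology.

```python
import re
import sys
from pathlib import Path

# Artifact paths taken from the description above, relative to the system
# volume and assuming the default profile locations. "*" is one variable path
# component (user name, %AdwareProgramFolder% or %Version%); "|" separates
# alternatives within a component.
ARTIFACTS = [
    ("downloader", "documents and settings/*/local settings/temp/"
                   "remotesetup.exe|dddsetup.exe|dddsetup.ini"),
    ("oem-data", "documents and settings/all users/application data/"
                 "dudu/dddoem/oemdata.dat"),
    ("hourly-task", "windows|winnt/tasks/ddd_install_program.job"),
    ("adware-binary", "program files/*/cast/"
                      "dmbar.dll|dmipn.dll|dmsched.exe|dmshell.dll"),
    ("adware-binary", "program files/*/cast/*/dmbar.dll|dmplayer.dll"),
    ("adware-data", "documents and settings/all users/application data/"
                    "share helper/cast/yxssj_2140.inf"),
    ("autorun", "documents and settings/all users/start menu/programs/"
                "startup/ie-bar.lnk"),
]


def compile_rule(pattern):
    """Turn a path pattern into a regex that matches component by component."""
    parts = []
    for comp in pattern.split("/"):
        if comp == "*":
            parts.append("[^/]+")  # exactly one component, never a subtree
        else:
            parts.append("(?:" + "|".join(map(re.escape, comp.split("|"))) + ")")
    return re.compile("/".join(parts))


RULES = [(label, compile_rule(p)) for label, p in ARTIFACTS]


def scan(root):
    """Return sorted (label, relative path) pairs for artifacts under root."""
    root = Path(root)
    hits = []
    for path in root.rglob("*"):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            # Windows paths are case-insensitive; a mounted image may not be.
            hits += [(lab, rel) for lab, rx in RULES if rx.fullmatch(rel.lower())]
    return sorted(hits)


if __name__ == "__main__":
    for label, rel in scan(sys.argv[1]):
        print(f"{label:14} {rel}")
```

Relocated profiles or a non-default Program Files directory are not covered by these patterns and would need additional entries.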
Registry
During installation, the program creates the following key:
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls
\%ProgramFiles%\[adware program folder]\Cast\dmshell.dll = 1
Notes
The adware program may contact the remote site dmcast.com to retrieve a random advertisement. It may also check yahoo.com.cn to confirm whether it is connected to the internet.