Classification

Category :

Malware

Type :

-

Aliases :

Checkin, TrojanDownloader.Win32.Checkin, TrojanDownloader.Win32.Checkin.b, TrojanDropper.Win32.Checkin

Summary

Checkin is a very intrusive adware/downloader that covertly downloads and executes executable files on users' computers. Such behaviour is considered malicious, which is why detection for the Checkin components was added.

Removal

To completely remove the Checkin adware/downloader it is enough to delete the TTPS.EXE, OWMNGR.EXE and SBSRCH_V22.DLL files from the hard drive. To restore Internet Explorer's default search engine it is enough to run the BACKUP.REG file.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Both Checkin variants were discovered by our customers in their Windows System folders. The files caused suspicious activity and re-appeared after being deleted. None of our customers knew how these adware components had been installed on their systems, so we suspected that the makers of Checkin used trojan-like techniques to drop their software onto our customers' computers.

Currently there are two variants of Checkin. The A variant uses the file name SysReg.exe and the B variant uses the file name OWMngr.exe. Both variants create startup keys for their files in the Windows Registry so that they are activated in every Windows session. Upon installation Checkin creates a file named BACKUP.REG; this is a Registry backup file that restores Internet Explorer's default search engine. The WINFGNET.DAT file, which is also part of the Checkin adware/downloader, contains encrypted data used by the plugin. Additionally, Checkin drops a HOSTS file containing its own host list.

The Checkin.B variant is covertly dropped and activated by a file named TTPS.EXE, located either in the Temporary Internet Files or the Windows System folder. This TTPS.EXE file is re-created every time a user deletes it. After an investigation we found that the file is covertly downloaded and activated by the SBSRCH_V22.DLL file, which is a customized search plugin for Internet Explorer.

While active, both Checkin variants connect to several servers and may try to download and activate executable files. The executable file is downloaded as Update.exe. Both variants also show advertisement popups when a user visits specific websites.

The Checkin.A variant connects to the 'tp.searchseekfind.com' website and sends a unique user ID, the connection type and its own version number there. The Checkin.B variant does the same, but connects to a different site: 'ads.onwebmedia.com'. No personal information is sent out, but this method still makes it possible to track individual computer users.
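A triage check that turns the indicators described above (component file names referenced from Registry startup keys, and a replaced HOSTS file) into a repeatable test. This is an added example, not code from the F-Secure page; the Run-key values and the HOSTS text are constructed samples, and it is assumed the caller has already exported the real Run-key values and read the real HOSTS file on the machine being examined.

```python
# Checkin component file names named in the description above.
CHECKIN_FILES = {"sysreg.exe", "owmngr.exe", "ttps.exe", "sbsrch_v22.dll", "winfgnet.dat"}

# Stock HOSTS content; Checkin drops its own list, so anything else is worth a look.
DEFAULT_HOSTS = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def suspicious_autoruns(run_values):
    """Return {value name: [matched Checkin file names]} for Run-key entries
    whose command line references a Checkin component.
    run_values maps value name -> command line, as exported from
    HKCU/HKLM ...\\CurrentVersion\\Run (assumed already read by the caller)."""
    hits = {}
    for name, cmd in run_values.items():
        low = cmd.lower()
        matched = sorted(f for f in CHECKIN_FILES if f in low)
        if matched:
            hits[name] = matched
    return hits


def hosts_entries(text):
    """Parse HOSTS file text into (ip, hostname) pairs, dropping comments and blanks."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        entries.extend((ip, n.lower()) for n in names)
    return entries


def non_default_hosts(text):
    """Return HOSTS entries that are not the stock localhost mappings."""
    return [e for e in hosts_entries(text) if e not in DEFAULT_HOSTS]


# Constructed sample data (not a real capture) to exercise the checks.
SAMPLE_RUN = {
    "SysReg": r"C:\WINDOWS\SYSTEM32\SysReg.exe",
    "ctfmon": r"C:\WINDOWS\SYSTEM32\ctfmon.exe",
    "OWMngr": r'"C:\WINDOWS\SYSTEM32\OWMngr.exe" /s',
}
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ads.example.net   # constructed, non-default entry
"""

if __name__ == "__main__":
    print("autorun hits:", suspicious_autoruns(SAMPLE_RUN))
    print("non-default HOSTS entries:", non_default_hosts(SAMPLE_HOSTS))
```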

The F-Secure Virus Research Team wants to thank all our customers who assisted in our investigation of the Checkin case.