Checkin is a very intrusive adware/downloader that covertly
downloads and runs executable files on users' computers.
Such behaviour is considered malicious, which is why detection
for the Checkin components was added.
Both Checkin variants were discovered by our customers in their
Windows System folders. The files caused suspicious activity and
re-appeared after being deleted. None of our customers knew how
these adware components had been installed on their systems, so
we suspect that the makers of Checkin used trojan-like techniques
to drop their software onto our customers' computers.
Currently there are two variants of Checkin. Variant A uses the
file name SysReg.exe and variant B the file name OWMngr.exe. Both
variants create startup keys for their files in the System
Registry so that they are activated in every Windows session.
Upon installation Checkin creates a file named BACKUP.REG, a
Registry backup file that restores the default search engine of
Internet Explorer. The WINFGNET.DAT file, which is also part of
the Checkin adware/downloader, contains encrypted data used by the
plugin component. Additionally, Checkin drops a HOSTS file
containing its own host list.
The Checkin.B variant is covertly dropped and activated by a file
named TTPS.EXE located either in the Temporary Internet Files or
the Windows System folder. TTPS.EXE is re-created every time a
user deletes it. After investigation we found that the file is
covertly downloaded and activated by SBSRCH_V22.DLL, a customized
search plugin for Internet Explorer.
While active, both Checkin variants connect to several servers
and can try to download and run executable files. The executable
file is downloaded as Update.exe. Both variants also show
advertisement popups when a user visits specific websites.
The Checkin.A variant connects to 'tp.searchseekfind.com' and
sends the user's unique ID, the connection type and its own
version there. The Checkin.B variant does the same but connects
to a different site, 'ads.onwebmedia.com'. No personal
information is sent, but the unique ID still makes it possible to
track individual computer users.
To completely remove the Checkin adware/downloader it is enough
to delete the TTPS.EXE, OWMNGR.EXE and SBSRCH_V22.DLL files (and,
for variant A, SysReg.exe) from the hard drive. Since
SBSRCH_V22.DLL re-creates TTPS.EXE, deleting the DLL is what
keeps the dropper from returning; the startup keys the variants
created can be removed as well. To restore Internet Explorer's
default search engine it is enough to run the BACKUP.REG file.
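As an added example, which is not part of the original description and not F-Secure's own tooling, the following Python script checks the artifacts the description names: a System folder listing for the Checkin file names, a Registry export for startup entries that launch them, a HOSTS file for entries beyond the stock localhost line, and a proxy log for clients talking to 'tp.searchseekfind.com' or 'ads.onwebmedia.com'. The Run key location, the value names, the HOSTS contents and the proxy-log field layout are assumptions, since the description does not give them, and every sample in the script is constructed.

```python
"""Offline triage for the Checkin indicators named in the description above.
Added example, not F-Secure's tooling. All samples are constructed; the Run
key path, value names, HOSTS contents and proxy-log layout are assumptions.
"""
import re

# File names given in the description (Windows matches them case-insensitively).
CHECKIN_FILES = {"sysreg.exe", "owmngr.exe", "ttps.exe", "sbsrch_v22.dll",
                 "winfgnet.dat", "backup.reg"}
# Sites the A and B variants report to.
CHECKIN_SITES = {"tp.searchseekfind.com", "ads.onwebmedia.com"}

REG_KEY_RE = re.compile(r"^\[(.+)\]\s*$")
REG_SZ_RE = re.compile(r'^"([^"]*)"\s*=\s*"(.*)"\s*$')

def parse_reg_export(text):
    """Yield (key, name, data) for each REG_SZ value of a Regedit 5 export,
    undoing the format's doubled backslashes and escaped quotes."""
    key = None
    for line in text.splitlines():
        m = REG_KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = REG_SZ_RE.match(line)
        if m and key is not None:
            yield key, m.group(1), re.sub(r'\\(["\\])', r"\1", m.group(2))

def command_basename(cmd):
    """Lower-cased executable name from a command line, quoted or bare."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        exe = cmd[1:].split('"', 1)[0]
    else:
        exe = cmd.split(None, 1)[0] if cmd else ""
    return exe.rsplit("\\", 1)[-1].lower()

def suspicious_startup_entries(reg_text):
    """Values under any ...\\Run key whose command launches a Checkin file."""
    return [(key, name, data) for key, name, data in parse_reg_export(reg_text)
            if key.lower().endswith("\\run") and command_basename(data) in CHECKIN_FILES]

def checkin_files_present(listing):
    """Entries of a System folder listing that carry a Checkin file name."""
    return sorted(f for f in listing if f.lower() in CHECKIN_FILES)

def non_default_hosts_entries(hosts_text):
    """Every HOSTS mapping except the stock loopback line for localhost."""
    entries = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        names = [n.lower() for n in names]
        if addr in ("127.0.0.1", "::1") and names == ["localhost"]:
            continue
        entries.append((addr, names))
    return entries

def clients_contacting_checkin(log_text):
    """{client: [sites]} for log lines whose host field is a Checkin site.
    Assumed line layout: date time client method host path status."""
    seen = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) >= 7 and fields[4].lower() in CHECKIN_SITES:
            seen.setdefault(fields[2], set()).add(fields[4].lower())
    return {client: sorted(sites) for client, sites in seen.items()}

# Constructed samples: folder listing, Regedit 5 export, HOSTS file, proxy log.
SYSTEM_LISTING = ["kernel32.dll", "SysReg.exe", "WINFGNET.DAT", "BACKUP.REG",
                  "notepad.exe", "OWMngr.exe"]
REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SysReg"="C:\\WINNT\\System32\\SysReg.exe"
"Synchronization Manager"="mobsync.exe /logon"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OWMngr"="\"C:\\WINNT\\System32\\OWMngr.exe\" -s"
'''
HOSTS_FILE = """127.0.0.1       localhost
203.0.113.7     www.example.com   # constructed redirected entry
"""
PROXY_LOG = """\
2003-06-10 09:14:02 10.0.0.17 GET tp.searchseekfind.com / 200
2003-06-10 09:14:05 10.0.0.17 GET www.example.com /index.html 200
2003-06-10 09:15:40 10.0.0.23 GET ads.onwebmedia.com / 200
2003-06-10 09:16:01 10.0.0.23 GET ADS.ONWEBMEDIA.COM / 200
"""

def triage(listing=SYSTEM_LISTING, reg_text=REG_EXPORT,
           hosts_text=HOSTS_FILE, log_text=PROXY_LOG):
    """Run all four checks and return the findings keyed by check."""
    return {"files": checkin_files_present(listing),
            "startup": suspicious_startup_entries(reg_text),
            "hosts": non_default_hosts_entries(hosts_text),
            "beacons": clients_contacting_checkin(log_text)}

if __name__ == "__main__":
    for check, findings in triage().items():
        print(check, findings)
```

Run as-is to see the findings for the constructed samples, or pass a real directory listing, the text of a `.reg` export of the Run keys, the HOSTS file and a proxy log to triage(). The export parser undoes the doubled backslashes and escaped quotes of the Regedit 5 format before the executable name is taken from the command line, so a quoted path with trailing arguments resolves to the same file name as a bare one.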
The F-Secure Virus Research Team wants to thank all our customers
who assisted in our investigation of the Checkin case.
[Description: F-Secure Anti-Virus Research Team; F-Secure Corp.; June 4th-17th, 2003]