Checkin is a very intrusive adware/downloader that hiddenly downloads and activates executable files on users' computers. Such actions are considered malicious and that is why detection for Checkin components was added.
To completely remove Checkin adware/downloader it is enough to delete TTPS.EXE, OWMNGR.EXE and SBSRCH_V22.DLL files from a hard drive. To restore the default Internet Explorer's search engine it is enough to run the BACKUP.REG file.
Both Checkin variants were discovered by our customers in their Windows System folders. These files were causing suspicious activity and they re-appeared after being deleted. None of our customers knew how these adware components were installed on their systems, so we suspected that the makers of Checkin used trojan-like techniques to drop their software on our customers' computers.
Currently there exist 2 variants of Checkin. The A variant of Checkin has the file name SysReg.exe and the B variant's file name is OWMngr.exe. Both variants create startup keys for their files in System Registry to ensure that they are activated during all Windows sessions. Upon installation Checkin creates a file named BACKUP.REG. It is a Registry backup file that restores the default search engine of Internet Explorer. The WINFGNET.DAT file which is also a part of Checkin adware/downloader contains encrypted data that is used by the plugin. Additionally Checkin drops the HOSTS file with its own host list.
The Checkin.B variant is hiddenly dropped and activated by the file named TTPS.EXE located either in Temporary Internet Files or Windows System folders. This TTPS.EXE file is re-created every time it is deleted by a user. After an investigation we found out that the file is being hiddenly downloaded and activated by the SBSRCH_V22.DLL file which is customized search plugin for Internet Explorer.
Being active, both Checkin variants connect to several servers and can try to download and activate executable filese. The executable file is downloaded as Update.exe. Also both variants show advertisment popups when a user visits specific websites.
The Checkin.A variant connects to 'tp.searchseekfind.com' website and sends unique user's ID, connection type and its version there. The Checkin.B variant does the same, but connects to a different site: 'ads.onwebmedia.com'. No personal information is sent out, but with this method it is still possible to track down computer users.
F-Secure Virus Research Team wants to thank all our customers who assisted in our investigation of Checkin case.
Description Created: F-Secure Anti-Virus Research Team; F-Secue Corp.; June 4th-17th, 2003