Spyware Information
Name: ClientMan
Threat Level:
Category: Generic Malware
Aliases: iPend, as one of the components refers to itself.
Variants: ClientMan/Helper is the earliest known variant. It includes two IE Browser Helper Objects - a 'browserhelper' and a 'trackurl' DLL, used to add yellow advertising links to pages - along with various other processes.

ClientMan/Tagger is a newer update that can be loaded by browserhelper. The 'browserhelper' DLL is replaced by a 'taggerbho' one, and there is a new 'searchrep' DLL which redirects search engine usage, plus new EXE files 'fixtitle' and 'getbuys'.

ClientMan/2in1 is the latest update. The taggerbho is replaced with a '2in1' DLL; the yellow links are no longer added to the page. Instead, all address bar searches, unknown domains and web server error pages are redirected (currently to searchassistant.net) by the new 'dnsrep' DLL, and pop-up adverts are opened at regular intervals by the new 'urlcli' DLL. (At the time of writing, these are spawned from popupsponsor.com and popuptraffic.com, and are closed immediately after opening, in order to con affiliate fees from these companies.) Additionally there are new 'gstylebho' and 'msvrfy' DLLs.


Spyware Characteristics
Description: ClientMan is a wide-ranging advertising parasite. The various versions released may add advertising links to web pages, open popup adverts, and redirect search engine results, address bar searches and error pages.
Causes webpages in Internet Explorer to have highlighted keywords, linked to pay-per-click search engines.
Details yet unknown.
Seems related to odysseusmarketing.com

It was first reported as suspicious; it soon became clear that it gets past the ZoneAlarm firewall without user consent. When it tries to connect to the Internet and ZoneAlarm displays its dialog asking whether the program should be allowed to connect, ClientMan auto-clicks the 'Yes' button after checking the 'Always' checkbox. This way, it grants itself Internet access without the user noticing more than a short flash of the ZA dialog.

Properties:
  • Stays resident in background.
  • Stealth: hides itself from user.
  • Shows advertisements.
  • Makes changes to browser settings.
  • Connects to the internet by itself.

What does it do?
Advertising: Yes. Turns all targeted words in all web pages into links with a yellow background, pointing to ClientMan's server odysseusmarketing.com. This may redirect to a search results site such as 1stblaze.com or epilot.com.

Periodically opens pop-up advertising from odysseusmarketing.com, which may redirect to popupmarketing.com.

The Tagger variant redirects use of known search engines (at the time of writing, Google and Yahoo only) to firstbookmark.com; the address bar will still show the address of the original search engine, but the content of the page will be overwritten with results from firstbookmark.com (which are currently sourced from 123search.com).

Privacy violation: Suspected. ClientMan gathers a list of running processes along with any user details it can get from:
  • Outlook Express mail accounts
  • Windows/MSN Messenger accounts
  • AOL Instant Messenger (AIM) accounts
  • ICQ accounts
  • Yahoo Pager accounts
  • Speedbit Download Accelerator software registration
  • Zone Alarm software registration
  • Creative SoundBlaster software registration
  • Windows dialling location.
ClientMan has been observed sending unknown data to its servers at ipend.datastorm.biz; it is suspected this may be an encoded version of this information.

Security issues: Yes. ClientMan can silently download and execute arbitrary unsigned code from its controlling server as an update feature.

Stability problems: Yes. At least on WinXP/IE6 (probably other versions too), ClientMan/Helper and ClientMan/Tagger caused crashes at seemingly random intervals whilst IE windows were open; ClientMan/2in1 made IE hang every time a targeted search engine was used.

Method of infection
Bundled with some versions of Grokster from late March 2003.

Removal Instructions
bulletproofsoft.com "Spyware Remover" is the best tool for the removal of this spyware.

Links
Site: http://www.odysseusmarketing.com/