| WurldMedia/bpboh:
first variant released with early Preview
Releases. You have this variant if there
is a file called "bpboh.dll"
in your Windows directory. Presumbly
the name should have been 'bpbho' (Buyers'
Port Browser Helper Object), but someone
made a typo. There will also be a 'rdxrNNNN.de'
file containing an encoded target list.
(NNNN is some numbers, looks like a
date.)
WurldMedia/mbho: installs
'mbho.dll' and the 'rdxr' data file
in the System directory instead of
the Windows directory. Installer is
not so stealthy and includes an option
to prompt the user before redirecting
a merchant site. However, if "enable"
(the default option) is chosen on
any of these prompts, it will be silent
again forever.
WurldMedia/MSCStat: in this
variant you get a 'MSCStat.exe' system
tray program in the System directory,
with an 'msc(numbers).de' file and
'ad(numbers).de.xml' as well as the
files from the mbho variant. WurldMedia/MSCStat2:
the MSCStat.exe file is renamed MSCStat2,
and there is finally an entry in Add/Remove
Programs, which disables the software
(though it leaves behind the files
and some registry entries).
WurldMedia/MShop, WurldMedia/MPohs
and WurldMedia/MDef have new
IDs and filenames: m030106shop.dll,
m030206pohs.dll and mdefshop.dll,
respectively.
WurldMedia/Mo and WurldMedia/Moaa.
The BHO is renamed mo030414s.dll or
moaa030425s.dll and has new ID; the
mscstat process is renamed mostat.exe
and there is a configuration program
called moconfig.exe.
WurldMedia/TChk is bundled
with the Mo and Moaa variants. It
checks for the existance of the WurldMedia
BHO, and, if it finds it missing,
it contacts its controlling server
xnef.com which direct TChk to reinstall
the software. WurldMedia/TChk tries
to escape detection by using a completely
random filename and ID
|
Spyware Information
