WildMedia is a range of parasites controlled and distributed
by Wild Media LLC.
The various released versions have different effects, but
most include the ability to download updates to themselves,
and also other parasites. Third-party parasites that WildMedia
variants have been seen to install include:
Variants
WildMedia/StatBlaster: the first variant, released in
mid-2003. Described as a program to keep track of sporting statistics,
the main ‘StatBlaster.exe’ program simply opens a web page
at statblaster.com when run. The updater process is called
updatestats.exe and is targeted at the controlling server download.statblaster.com.
StatBlaster lives in a pair of nested folders both called ‘Media’
inside the Program Files folder (Program Files\Media\Media).
WildMedia/WinPage: a homepage/error page hijacker
targeted at Wild Media's search site netspry.com, released around
late 2003. Implemented as an Internet Explorer Browser Helper
Object (BHO) called WinPage.dll, stored in a ‘Homepage’ folder
in Program Files. Versions have been seen with a BHO name
of ‘WinPage Blocker’ or ‘CWinPageIEExtension Object’; note that
this is not the same as the BHO called ‘WinPage Affiliate’
(see Midaddle below).
WildMedia/WinFetcher: this version, from around early
2004, consists of the StatBlaster updater on its own, with
no statistics web page launcher. It is stored in the user's
local Temp folder under a name composed of random letters.
More than one WinFetcher instance can be installed at once.
WildMedia/WMService: the updater rewritten
as a DLL, still called ‘WinFetcher’ internally, but stored
as WildApp.dll in the Windows folder. Its controlling server is
origin.statblaster.com.
WildMedia/Midaddle: a rewritten, smaller but still
randomly-named updater EXE combined with an advert-opening
Browser Helper Object, which is also randomly named and is called
‘WinPage Affiliate’ internally. Both are stored in the user's local Temp
folder.
WildMedia/Clicks: an update to Midaddle, targeted
at yellow-sticky.com, changing the BHO name to ‘Search Help’,
removing the status bar from the bottom of Internet Explorer
windows, and adding a file called WildWinTracker.exe that
records the initial installation.
Distribution
Installed by other parasites such as ISTbar.
WildMedia/WMService is bundled with downloadable games from
sites such as Wild Media's own wildarcade.com, and distributed
by ActiveX drive-by download from download.overpro.com.
What it does
Advertising
In the Midaddle and Clicks variants, yes. The BHO spawns
both periodic untargeted pop-ups from origin.midaddle.com
and targeted ‘interstitial’ adverts from www.ads234.com. These
appear when moving to a new page and have to be stepped through
before the new page can be reached.
Privacy violation
In the Midaddle and Clicks variants, yes. The URLs of all
web pages visited are passed to the advertising server with
a unique ID to allow web usage patterns to be tracked. Because
it is the URL that is sent, this includes information entered
into forms submitted by the ‘GET’ method (which lands in the
query string), but not ‘POST’ forms or HTTPS (SSL) pages.
Security issues
Yes. Other than the simple WinPage homepage-hijacker, all
variants can silently download and execute arbitrary unsigned
code as directed by their controlling servers. This has been
used to install many other parasites.
Stability problems
The WinPage variant not only locks the home page preference
to netspry.com, but also breaks the ability to view HTML files
by drag-and-dropping them to IE, displaying netspry.com again
every time you try.
The Midaddle and Clicks variants have to check back to their
servers for interstitial ads every time a new page is loaded.
This slows web navigation down significantly, especially when
ads234.com is busy. If it becomes unavailable Internet Explorer
may become unusable.
Additionally, Midaddle and Clicks fail to pass on the HTTP
‘Referer’ header to a new page, so sites that (misguidedly)
rely on referring page addresses as an access control will
cease working when these variants are loaded.
The Clicks variant also breaks the IE status bar by removing
it every time a new page is visited — presumably to hide the
incriminating message that the browser is connecting to ads234.com.
Removal
The StatBlaster variant should be removable from the Control
Panel's Add/Remove Programs feature.
The Midaddle variant may sometimes provide a “Midaddle” entry
in the Control Panel's Add/Remove Programs feature. When it
works it removes the program files, but leaves some mess
in the registry (pointers to now non-existent files).
Manual removal
Statblaster variant
Open the registry (click ‘Start’, choose ‘Run’, enter ‘regedit’)
and select the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.
In the right-hand pane, right-click and delete the ‘UpdateStats’
entry pointing at ‘Program Files\Media\Media\UpdateStats.exe’.
You can also delete the registry key HKEY_LOCAL_MACHINE\SOFTWARE\StatBlaster
to clean up.
Reboot the computer and you should be able to delete the
‘Media’ folder inside Program Files, and the StatBlaster desktop
icon if you still have it.
WinPage variant
Open the registry (click ‘Start’, choose ‘Run’, enter ‘regedit’)
and open the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser
Helper Objects. Right-click the subkey named {12DF6E3E-6272-4AE8-880B-2158D60791C0}
and delete it. You can also delete the key HKEY_CLASSES_ROOT\CLSID\{12DF6E3E-6272-4AE8-880B-2158D60791C0}.
Reboot the computer and you should be able to delete the
‘Homepage’ folder inside Program Files. Then set your home
page back to what it should be in Internet Options.
WinFetcher variant
Open the registry (click ‘Start’, choose ‘Run’, enter ‘regedit’)
and select the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.
On the right, look for at least one entry with a short nonsensical
name composed of upper- and lower-case letters, pointing to
an executable file of the same name inside the user local
Temp folder. There may be more than one; delete any such entries
you find.
If you are unsure, open the Temp folder (on Windows 95/98/Me
this is inside the Windows folder; on Windows 2000/XP/2003
it's in Local Settings in your user folder inside Documents
and Settings; on NT it's in Profiles; to get to it quickly
just type ‘%Temp%’ into an explorer address bar) and look
at the suspicious file. WildMedia/WinFetcher files are typically
around 229KB in length, with empty Version information in
Properties, and if loaded into a text editor can be checked
for the string ‘statblaster.com’.
Reboot the computer and you should be able to delete these
files. (In any case, it is a good idea to keep your Temp folder
empty.)
WMService variant
Open a Command Prompt window (from the Accessories submenu
of the main Programs menu on the Start button; called DOS
Prompt in Windows 95/98/Me) and enter the following commands:
cd %WinDir%\System
regsvr32 /u ..\WildApp.dll
You should then be able to delete the file WildApp.dll in
the Windows folder.
Typically, WMService will at least have installed a WinFetcher
variant, so check for that too.
Midaddle and Clicks variants
Open the registry (click ‘Start’, choose ‘Run’, enter ‘regedit’)
and open the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser
Helper Objects. Right-click the subkey named {E8EAEB34-F7B5-4C55-87FF-720FAF53D841}
and delete it. Open the key HKEY_CLASSES_ROOT\CLSID\{E8EAEB34-F7B5-4C55-87FF-720FAF53D841}
and select the subkey InprocServer32. Look at the ‘(Default)’
value on the right to find out the filename of the active
BHO. It will probably be a nonsensical random selection of
letters and numbers, or possibly a single letter. Remember
this name and delete the key HKEY_CLASSES_ROOT\CLSID\{E8EAEB34-F7B5-4C55-87FF-720FAF53D841}.
Select the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.
On the right, look for an entry with another nonsensical name
composed of letters and numbers, pointing to an executable
file of the same name inside the user local Temp folder. There
might be more than one; delete any such entries you find.
If you are unsure, open the Temp folder (on Windows 95/98/Me
this is inside the Windows folder; on Windows 2000/XP/2003
it's in Local Settings in your user folder inside Documents
and Settings; on NT it's in Profiles; to get to it quickly
just type ‘%Temp%’ into an explorer address bar) and look
at the suspicious file. WildMedia/Midaddle and /Clicks EXEs
are typically about 110KB long, and if loaded into a text
editor can be found to contain the string ‘midaddle.com’ somewhere.
Reboot the computer and you should be able to delete the
DLL and the EXE file or files whose names you found in the
registry. There may also be other similarly random-named DLLs
from earlier versions of the parasite, about 117KB long, with an Internal
Name of ‘midaddle.dll’ (Midaddle variant) or ‘clicks.dll’
(Clicks variant) in the Version tab of their Properties. For
the Clicks variant, you can also delete the WildWinTracker.exe
file.
(In any case, it is a good idea to keep your Temp folder
empty.)
To clean up, you can delete the ‘Midaddle’ folder inside
the Common Files folder in Program Files.
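The manual-removal steps for the WinFetcher, WMService, Midaddle and Clicks variants all reduce to the same checks: which BHO CLSIDs are registered and which DLL each one resolves to through InprocServer32, which Run entries launch randomly named executables from the Temp folder, whether those files contain the controlling server's name, and whether the fixed files the page names are present. The following PowerShell script is an added example, not code from the original page or from Wild Media; it performs those checks in one pass and reports what it finds without deleting anything. It assumes an elevated Windows PowerShell 5.1 prompt on a modern Windows where the per-user Temp folder is $env:TEMP (the Windows 9x/NT/2000 locations given above differ), and it assumes WildWinTracker.exe lives in that Temp folder and the Midaddle folder under $env:CommonProgramFiles; the CLSIDs, file names and marker strings are the ones quoted in the instructions above.

```powershell
# Added example (not from the original page): audit the locations the manual
# removal steps walk through and report WildMedia indicators. Read-only.
# Assumptions: elevated Windows PowerShell 5.1; per-user Temp folder is $env:TEMP.

$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$bhoKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

# CLSIDs and marker strings quoted in the removal instructions on this page.
$knownBhoClsids = @{
    '{12DF6E3E-6272-4AE8-880B-2158D60791C0}' = 'WildMedia/WinPage'
    '{E8EAEB34-F7B5-4C55-87FF-720FAF53D841}' = 'WildMedia/Midaddle or /Clicks'
}
$markers = @('statblaster.com', 'midaddle.com')
# Properties the registry provider adds to every Get-ItemProperty result.
$providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-FileMarkers {
    param([string]$Path)
    # Decode the raw bytes as Latin-1 so every byte survives; the updaters carry
    # their controlling server name as a plain ASCII string.
    $latin1 = [System.Text.Encoding]::GetEncoding('ISO-8859-1')
    $text = [System.IO.File]::ReadAllText($Path, $latin1)
    $markers | Where-Object { $text.IndexOf($_, [System.StringComparison]::OrdinalIgnoreCase) -ge 0 }
}

function Resolve-RunTarget {
    param([string]$Command)
    # Reduce a Run value ("C:\x.exe" /arg, or C:\x.exe /arg) to its executable path.
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    if ($cmd -and (Test-Path -LiteralPath $cmd -PathType Leaf)) { return $cmd }
    return ($cmd -split '\s+')[0]
}

$findings = @()

# 1. Browser Helper Objects: resolve each registered CLSID to its DLL.
if (Test-Path $bhoKey) {
    foreach ($sub in Get-ChildItem $bhoKey) {
        $clsid = $sub.PSChildName
        $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll = if (Test-Path $inproc) { (Get-ItemProperty $inproc).'(default)' } else { '<no InprocServer32>' }
        $tag = if ($knownBhoClsids.ContainsKey($clsid)) { $knownBhoClsids[$clsid] } else { 'unknown BHO' }
        $findings += [pscustomobject]@{ Where = 'BHO'; Name = $clsid; Target = $dll; Match = $tag; SizeBytes = $null }
    }
}

# 2. Run entries: flag anything launched from Temp (WinFetcher, Midaddle, Clicks),
#    the StatBlaster updater, or any file that contains a marker string.
$temp = ([string]$env:TEMP).TrimEnd('\')
$run = Get-ItemProperty $runKey
foreach ($prop in $run.PSObject.Properties) {
    if ($providerProps -contains $prop.Name) { continue }
    $exe = Resolve-RunTarget ([string]$prop.Value)
    if ([string]::IsNullOrWhiteSpace($exe)) { continue }
    $exists = Test-Path -LiteralPath $exe -PathType Leaf
    $inTemp = $exe.StartsWith($temp, [System.StringComparison]::OrdinalIgnoreCase)
    $isStatBlaster = ($prop.Name -eq 'UpdateStats') -or ($exe -like '*\Media\Media\UpdateStats.exe')
    $found = if ($exists) { @(Get-FileMarkers $exe) } else { @() }
    if ($inTemp -or $isStatBlaster -or $found.Count -gt 0) {
        $size = if ($exists) { (Get-Item -LiteralPath $exe).Length } else { $null }
        $matchText = if ($found.Count -gt 0) { $found -join ',' } else { 'suspicious path only' }
        $findings += [pscustomobject]@{ Where = 'Run'; Name = $prop.Name; Target = $exe; Match = $matchText; SizeBytes = $size }
    }
}

# 3. Fixed locations named on the page (Temp and Common Files placement assumed).
$fixedPaths = @{
    (Join-Path $env:WINDIR 'WildApp.dll')                = 'WildMedia/WMService'
    (Join-Path $temp 'WildWinTracker.exe')               = 'WildMedia/Clicks'
    (Join-Path $env:CommonProgramFiles 'Midaddle')       = 'WildMedia/Midaddle leftovers'
}
foreach ($path in $fixedPaths.Keys) {
    if (Test-Path -LiteralPath $path) {
        $size = if (Test-Path -LiteralPath $path -PathType Leaf) { (Get-Item -LiteralPath $path).Length } else { $null }
        $findings += [pscustomobject]@{ Where = 'File'; Name = (Split-Path $path -Leaf); Target = $path; Match = $fixedPaths[$path]; SizeBytes = $size }
    }
}

if ($findings.Count -gt 0) {
    $findings | Select-Object Where, Name, Target, Match, SizeBytes | Format-Table -AutoSize
} else {
    'No WildMedia indicators found.'
}
```

Run it before the manual steps to see which variants are actually present, and again after the reboot to confirm the Run entries, BHO registrations and files are gone. A Run entry reported as ‘suspicious path only’ was flagged purely for living in the Temp folder and contains neither marker string, so check it by hand (file size and Version information, as described above) before deleting it; likewise ‘unknown BHO’ means only that the CLSID is not one of the two named on this page.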