An IE browser helper object that detects visits to known
sites and redirects them through a third-party server in order
to take the affiliate fees. WurldMedia even steals the fees
from other webmasters when you use their own links.
Variants
WurldMedia/bpboh: first variant released with early
Preview Releases. You have this variant if there is a file
called "bpboh.dll" in your Windows directory. Presumably the
name should have been 'bpbho' (Buyers' Port Browser Helper
Object), but someone made a typo. There will also be a 'rdxrNNNN.de'
file containing an encoded target list. (NNNN is some numbers,
looks like a date.)
WurldMedia/mbho: installs 'mbho.dll' and the 'rdxr'
data file in the System directory instead of the Windows directory.
Installer is not so stealthy and includes an option to prompt
the user before redirecting a merchant site. However, if "enable"
(the default option) is chosen on any of these prompts, it
will be silent again forever.
WurldMedia/MSCStat: in this variant you get an 'MSCStat.exe'
system tray program in the System directory, with an 'msc(numbers).de'
file and 'ad(numbers).de.xml' as well as the files from the
mbho variant.
WurldMedia/MSCStat2: the MSCStat.exe
file is renamed MSCStat2, and there is finally an entry in
Add/Remove Programs, which disables the software (though it
leaves behind the files and some registry entries).
WurldMedia/MShop, WurldMedia/MPohs and
WurldMedia/MDef have new IDs and filenames: m030106shop.dll,
m030206pohs.dll and mdefshop.dll, respectively.
WurldMedia/Mo, WurldMedia/Moaa, WurldMedia/Moz.
The BHO is renamed mo030414s.dll, moaa030425s.dll or moz030715s.dll
and has a random class ID; the mscstat process is renamed
mostat.exe and there is a configuration program called moconfig.exe.
WurldMedia/TChk is bundled with the Mo, Moaa and
Moz variants. It checks for the existence of the WurldMedia
BHO, and, if it finds it missing, contacts its controlling
server xnef.com. At the time of writing this server is not
responding, but it is suspected that if it were working it
would direct TChk to reinstall the software. WurldMedia/TChk
tries to escape detection by using a completely random filename
and ID.
Also known as
Morpheus Shopping Club, WURLD Shopping Community, BuyersPort.
Distribution
Bundled with Morpheus.
What it does
Advertising
No.
Privacy violation
Yes. WurldMedia will be informed of visits to any of their
targeted sites with referring site information and user-tracking
through a unique ID built into the software.
Security issues
Yes, for MSCStat and later. These versions can connect to
their controlling servers when IE is first run to download a
new version of themselves, allowing arbitrary code to be executed.
Stability problems
The redirect mechanism used by this software breaks the web
browser's 'back' button in some variants.
Removal
Later variants of WurldMedia add a "Shopping Community" entry
to the Control Panel's Add/Remove Programs option, which should
remove the software. (Though it will try quite hard to persuade
you not to.)
Manual removal
TChk variant
If you have WurldMedia/TChk, you must remove it before trying
to remove any other variant you have. To do this you will
have to open the registry (click 'Start', choose 'Run', enter
'regedit') and open the key HKEY_CLASSES_ROOT\Tchk.TChkBHO\CLSID.
On the right, the '(Default)' value should hold a class ID,
a long string of hexadecimal digits in groups separated with
dashes. Note down this ID then delete the entire Tchk.TChkBHO
key, as well as Tchk.TChkBHO.1.
Open the key HKEY_CLASSES_ROOT\CLSID and find the subkey
with the same name as the class ID you noted. Click the 'InprocServer32'
subkey and note down the filename given in the '(Default)'
entry. Then delete the key with the class ID for its name.
Also delete the entry of the same name from the key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects.
When you next restart the machine, you should be able to
delete the file with the name you noted down.
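The registry walk above (ProgID -> CLSID -> InprocServer32 -> BHO registration) can be done in one pass for every registered BHO, which is useful because TChk uses a random filename and class ID. This is an added, read-only PowerShell audit script, not part of the original page; the only page-specific values in it are the Tchk.TChkBHO ProgIDs and the Browser Helper Objects key, and it reports rather than deletes.

```powershell
# Added example: list every registered IE Browser Helper Object and resolve
# its CLSID to the implementing DLL, following the same keys the manual
# removal steps walk by hand. Read-only: nothing is deleted.
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

function Get-RegisteredBho {
    if (-not (Test-Path -LiteralPath $bhoKey)) { return }
    Get-ChildItem -LiteralPath $bhoKey | ForEach-Object {
        $clsid    = $_.PSChildName                       # e.g. {xxxxxxxx-xxxx-...}
        $clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
        $dll = $null; $progId = $null; $exists = $false
        if (Test-Path -LiteralPath $clsidKey) {
            # '(default)' of InprocServer32 is the DLL the BHO loads from
            $dll    = (Get-ItemProperty -LiteralPath "$clsidKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
            $progId = (Get-ItemProperty -LiteralPath "$clsidKey\ProgID"         -ErrorAction SilentlyContinue).'(default)'
        }
        if ($dll) {
            $exists = Test-Path -LiteralPath ([Environment]::ExpandEnvironmentVariables($dll))
        }
        [pscustomobject]@{
            CLSID     = $clsid
            ProgID    = $progId      # empty for BHOs registered without a ProgID
            Dll       = $dll         # compare with the filenames listed for each variant
            DllExists = $exists      # a missing file still leaves a dangling registration
        }
    }
}

# The TChk ProgIDs named on this page; their CLSID subkey points at the class to follow up.
$knownProgIds = @('Tchk.TChkBHO', 'Tchk.TChkBHO.1')
function Get-KnownProgIdClsid {
    foreach ($p in $knownProgIds) {
        $k = "Registry::HKEY_CLASSES_ROOT\$p\CLSID"
        if (Test-Path -LiteralPath $k) {
            [pscustomobject]@{ ProgID = $p; CLSID = (Get-ItemProperty -LiteralPath $k).'(default)' }
        }
    }
}

Get-RegisteredBho      | Format-Table -AutoSize
Get-KnownProgIdClsid   | Format-Table -AutoSize
```

Any BHO whose DLL path matches one of the filenames listed under Variants, or whose ProgID is one of the Tchk ones, is the registration the removal steps tell you to delete; the Dll column is the file to deregister with regsvr32 /u and remove after the restart.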
Other variants
Before you can delete the DLL, you will need to deregister
it. Open a DOS command prompt window (from Start->Programs->Accessories)
and enter (for the bpboh variant):
cd "%WinDir%\System"
regsvr32 /u ..\bpboh.dll
Or, for Mbho, MSCStat or MSCStat2 variants:
cd "%WinDir%\System"
regsvr32 /u mbho.dll
Or, for the MShop variant:
cd "%WinDir%\System"
regsvr32 /u m030106shop.dll
Or, for the MPohs variant:
cd "%WinDir%\System"
regsvr32 /u m030206pohs.dll
Or, for the MDef variant:
cd "%WinDir%\System"
regsvr32 /u mdefshop.dll
Or, for the Mo variant:
cd "%WinDir%\System"
regsvr32 /u mo030414s.dll
Or, for the Moaa variant:
cd "%WinDir%\System"
regsvr32 /u moaa030425s.dll
Or, for the Moz variant:
cd "%WinDir%\System"
regsvr32 /u moz030715s.dll
After restarting the computer, you should be able to delete
the DLL from the System folder (inside the Windows folder,
called 'System32' under Windows NT/2000/XP or 'System' under
Windows 95/98/Me). In the Bpboh variant it is in the Windows
folder instead.
In the Bpboh, Mbho, MSCStat and MSCStat2 variants, you can
also delete the 'rdxrNNNNNN' file in the same directory (the
extension will be '.dat' for the bpboh variant, or '.de' for
the other variants; NNNNNN is a date-like six-digit number).
If you have the MSCStat variant you should delete 'MSCStat.exe',
'adNNNNNN.de.xml' and 'mscNNNNNN.de'. If you have MSCStat2
or later variants, you can remove 'MSCStat2.exe'.
If you have the Mo or Moaa variants, you should delete 'mostat.exe',
'moconfig.exe' and 'moz02NNNNNN.de'.
Finally, there is also a key called 'morp' (Mo, Moaa variants)
or 'rdxr' (older variants) under the registry key HKEY_LOCAL_MACHINE\Software
which you can delete to clean up if you like.