allentech.net


Parasite: MediaTickets

This record last updated Tue Sep 20 2005 00:34:15

PLEASE NOTE: Due to the overwhelming extent of this problem and the unbelievable volume of email we have received, we regret that we cannot respond to questions about browser parasites at this time. If you have attempted to contact us about this parasite please accept our apology for not responding. "Thank you's" are always appreciated ;-)

Description

MediaTickets is an ActiveX downloader control written and distributed by ClickSpring LLC.

The software it installs typically includes ClickSpring’s own PurityScan/M2 parasites, and may also include other third-party parasites such as:

Variants

MediaTickets/MT: uses the filename ‘MediaTicketsInstaller.ocx’; main site mediatickets.net/lsass.org, distribution server mt-download.com, controlling server legend.psdtools.com.

MediaTickets/CC: uses the filename ‘MediaTicketsInstaller.ocx’; main site codeccash.com, distribution server cc-download.com, controlling server fp.clickspring.net.

MediaTickets/GC: filename ‘ActiveXStub.ocx’; servers getcodecs.com.

MediaTickets/BuddyLinks: uses the name ‘ShellInstaller.ocx’; distributed from download.buddylinks.net. Includes a ‘viral marketing’ program that sends messages to all contacts in a user’s AIM address book, advertising the pages that try to download the software.

Also known as

MediaTickets/MT is detected as ADW_STUFF.A by Trend anti-virus.

Distribution

MediaTickets is distributed by misleading ActiveX drive-by-downloads on third-party web sites signed up by ClickSpring’s companies ucbill.com and topcontentcash.com. MediaTickets is also installed by IE security hole exploits, including many related to CoolWebSearch.

MT variant: installed using an ‘aggressive installer’, which tries to trick the user into accepting the download by repeatedly opening a misleading error message when it is refused.

CC variant: as MT, but also claims to be a ‘VideoC codec’, required to view a video displayed in a player-like interface on the page. (It actually contains nothing of the sort; the video is played using a standard embedded Windows Media Player control.)

GC variant: a similar ruse to CC, digitally signed under the bogus company name ‘View Video Codec’. This time it does bundle a codec along with the unwanted code: an ancient and buggy build of the open-source XviD codec.

BuddyLinks variant: installed by ActiveX drive-by-download on pages at buddylinks.net hosting the Flash game ‘Night Raptor’, and by a fake ‘Osama bin Laden captured’ news story at wgutv.com (this version falsely describes itself as a ‘News Player Applet’).

What it does

Advertising

No.

Privacy violation

No.

Security issues

Yes. After the ActiveX control has been used once, it stays on the system and can be activated again from any web page without prompting, at which point it will again download and install all its bundled software.

The BuddyLinks variant can also independently download and execute arbitrary code from its controlling server psdtools.com.

Stability problems

None known.

Removal

Open the Downloaded Program Files folder (which you can find inside the Windows folder). Right-click and remove the entry named ‘MediaTicketsInstaller Control’ (MT, CC variants), ‘{16556DE0-D692-494C-A8E7-7FAD0E2931D9}’ (GC variant) or ‘ShellInstaller Control’ (BuddyLinks variant).

For the BuddyLinks variant you should also remove the ‘viral marketing’ component to stop it sending Instant Messages in your name. Open the registry (click ‘Start’, choose ‘Run’, enter ‘regedit’) and select the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. On the right-hand side, right-click and delete the entries named ‘PSD Tools Channel’ and ‘BLMessagingIntegration’.
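
A read-only check for the artifacts listed in the removal steps above, given as an added example (it is not part of the original record and is not the detection script credited below). The file, entry and value names come from this page; the function name and the ‘Distribution Units’ registry locations, where Internet Explorer registers installed ActiveX controls, are assumptions not stated on the page.

```powershell
# Read-only: reports MediaTickets artifacts named on this page, deletes nothing.
$ocxNames = 'MediaTicketsInstaller.ocx', 'ActiveXStub.ocx', 'ShellInstaller.ocx'  # Variants section
$gcClsid  = '{16556DE0-D692-494C-A8E7-7FAD0E2931D9}'                              # GC variant entry
$runNames = 'PSD Tools Channel', 'BLMessagingIntegration'                        # BuddyLinks Run values

function Find-MediaTicketsArtifact {   # hypothetical helper name
    param(
        [string]$DpfPath = (Join-Path $env:windir 'Downloaded Program Files'),
        [string]$RunKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        # Assumption (not from the page): IE registers installed controls here,
        # keyed by class ID; the second path covers 32-bit IE on 64-bit Windows.
        [string[]]$DistUnitRoots = @(
            'HKLM:\SOFTWARE\Microsoft\Code Store Database\Distribution Units',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Code Store Database\Distribution Units'
        )
    )

    # 1. Control files on disk. -Force includes hidden and system files.
    if (Test-Path -LiteralPath $DpfPath) {
        Get-ChildItem -LiteralPath $DpfPath -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and $ocxNames -contains $_.Name } |
            ForEach-Object { [pscustomobject]@{ Kind = 'File'; Location = $_.FullName } }
    }

    # 2. GC variant: appears under its class ID rather than a friendly name.
    foreach ($root in $DistUnitRoots) {
        $key = Join-Path $root $gcClsid
        if (Test-Path -LiteralPath $key) {
            [pscustomobject]@{ Kind = 'ActiveX registration'; Location = $key }
        }
    }

    # 3. BuddyLinks 'viral marketing' autostart values in the per-user Run key.
    if (Test-Path -LiteralPath $RunKey) {
        $run = Get-ItemProperty -LiteralPath $RunKey
        foreach ($name in $runNames) {
            # Look the value up by exact name; the names contain spaces.
            $prop = if ($run) { $run.PSObject.Properties[$name] }
            if ($null -ne $prop) {
                [pscustomobject]@{ Kind = 'Run value'; Location = "$RunKey\$name = $($prop.Value)" }
            }
        }
    }
}

$hits = @(Find-MediaTicketsArtifact)
if ($hits.Count -eq 0) { 'No MediaTickets artifacts found.' } else { $hits | Format-List }
```

The Run key checked is per-user, so the script needs to be run in the session of each account that may have been affected.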

* Parasite information and detection script by Andrew Clover - www.doxdesk.com, used with permission.
