Limited Time!
Totally FREE Web Design!
Click here!

Parasite: Transponder

This record last updated Tue Sep 20 2005 00:34:15

PLEASE NOTE: Due to the overwhelming extent of this problem and the unbelievable volume of email we have received, we regret that we cannot respond to questions about browser parasites at this time. If you have attempted to contact us about this parasite please accept our apology for not responding. "Thank you's" are always appreciated ;-)

Description

Transponder is an Internet Explorer Browser Helper Object (BHO) stored in the Windows folder under various filenames. It monitors web pages requested and data entered into forms, sends this information to its controlling server, and opens pop-ups based on it, redirecting through its advertising servers (currently xadsj-o.offeroptimizer.com/xlime.offeroptimizer.com, previously cliks.org).

Transponder is operated by DirectRevenue (direct-revenue.com), aka ThinkingMedia (thinkingmedia.net). The software was previously operated by Mindset Interactive (mindseti.com), now Vista Interactive Media (vistainteractivemedia.com), who no longer directly control Transponder but do operate VistaBar and FavoriteMan and also operated NetPal.

Transponder advertising sales may be marketed under the names Best Offers (bestoffers.bz), and promoted along with other parasite-based marketing by Soho Digital (sohodigital.net), who are now owned by DirectRevenue. The targeted advertising sold by Aadcom (addcom.com), OnAdSolutions (onadsolutions.com) and AdPowerZone (adpowerzone.com) was also served by Transponder.

Variants

Transponder/Blackstone is the original version, controlled by the HTTPS server sputnik.blackstonedata.net. Its filename is IEHelper.dll, though this is a generic name that is also used by some other programs.

Transponder/VX2 is an update controlled by sputnik.vx2.cc. Note: Transponder/VX2 is not connected to the Look2Me parasite. However, Ad-Aware will detect Look2Me/V3 files as “VX2”, and its ‘VX2Finder’ plug-in is in fact aimed at Look2Me, not VX2.

Transponder/TPS108 is an update of VX2, controlled by transctl.vx2.cc (tps108.org) and and distributed by porn sites from Webdream (aka TrafficStandard, Digital Rooster). Transponder/SiteHlpr is a complete recode of the TPS108 functionality by Webdream. Controlling server www.bc777.com, typically opens ads from www.n69.com.

Transponder/MSView is a significantly-rewritten version, now distributed under the name “Better Internet” (abetterinternet.com). SSL (HTTPS) is no longer used, and local proxy settings are ignored. Filename MSView.dll, controlling server collect.tps108.org, distribution server msview.cc.

Transponder/Twaintec (filename twaintec.dll, controlling server twain-tech.com), Transponder/Host (filename host.dll, controlling server cr.stop-popup-ads-now.com) and Transponder/BI (filename bi.dll, controlling server cr.stop-popup-ads-now.com) are updates based on the MSView code, released around mid 2003 in downloads from BetterInternet properties. The names of registry entries in the main settings key are now slightly obfuscated with numbers.

Transponder/mxTarget (filename mxTarget.dll, controlling server master.mx-targeting.com), Transponder/MultiMPP (filename multimpp.dll, controlling server pp.multimpp.com), Transponder/LocalNRD (filename LocalNRD.dll, controlling server drk.localnrd.com) and Transponder/VoiceIP (filename VoiceIP.dll, controlling server s.freephone.cc) are further updates released early-to-mid 2004.

Transponder/BTGrab: filename BTGrab.dll, controlling server btg.btgrab.com. Transponder/ZServ: filename ZServ.dll, controlling server zsr.zserv.biz. Released around November-December 2004. The main registry settings move from the HKEY_LOCAL_MACHINE hive to HKEY_CURRENT_USER.

Transponder/Pynix: filename Pynix.dll, controlling server pyn.pynix.com. Transponder/DLMax: filename dlmax.dll, controlling server dlm.dlmax.biz. Released around January 2005.

Transponder/Ceres: filename Ceres.dll, controlling server master.mx-targeting.com. Transponder/sPeer (Solid Peer): filename speer.dll, controlling server master.mx-targeting.com. Released around December 2004. Instead of using Internet Explorer to show the pop-ups, there is now a separate advert-window process Buddy.exe, saved into the Windows folder and run every time a pop-up is opened. Such pop-ups show a distinctive icon in the window title bar . (This icon was included in the BTGrab/ZServ/Pynix variants, but remained unused.)

Transponder/Stub: an executable process set to run on Windows startup that reinstalls/updates the main Transponder software if it is removed. Sometimes installed by Transponder variants since MSView, and originally derived from the IPInsight/Sentry stub code. Stored in the Windows folder, the filename varies by installer. Filenames seen so far include belt.exe, susp.exe, satmat.exe, alchem.exe, conscorr.exe and farmmext.exe (with corresponding web sites clickalchemy.com, conscorr.com and farmmext.com).

Transponder/Caller: an executable process set to run on Windows startup that reinstalls/updates the main Transponder software from static.callinghome.biz if it is removed. Sometimes installed by Transponder variants since mxTarget. Stored in the System32 folder (inside the Windows folder, called just ‘System’ on Windows 95/98/Me with a random name.

Transponder/Thinstaller: the installer executable used by variants of Transponder since mxTarget, as well as the FavoriteMan parasite. Thinstaller drops the software on the target machine as directed by its controlling servers on initial installation, re-installation and updates. It also reports back information on the victim computer, and can be commanded to remove running and installed programs. This has been used to remove competitor parasites in the past, in particular InternetOptimizer.

Also known as

NetPal. Mindset used to call all its software ‘NetPal’, including the NetPal parasite and FavoriteMan.

Transponder/VX2 has the internal name RespondMiter and codename Sputnik.

IPInsight/Ipinsigt is another parasite adapted from the Transponder/VX2 codebase.

Distribution

The Blackstone variant was installed with all downloadable software from Mindset Interactive.

The VX2 variant was stealth-installed by version 0.608W of the AudioGalaxy Satellite up until some time in November 2001 (when after public outcry it was removed. AudioGalaxy claim the software had been a unchecked bundle from a third party; Mindset’s financial records including substantial payment to AudioGalaxy would imply otherwise).

Transponder/TPS108 and /SiteHlpr are loaded by to porn sites run by WebDream, misleadingly described as a viewer for adult video content. It might also be installed by porn-related pop-up ads through a security hole in Internet Explorer. TPS108 is also installed by vCatch KazBlock.

Transponder/Host is distributed by stop-popup-ads-now.com under the pretence that it is a pop-up advertisement killer. Both Transponder/Host and Transponder/BI are installed by ActiveX drive-by download on pop-up adverts under a variety of names, eg. ‘Internet Accelerator’, ‘NetTurbo’, ‘Clean Get-away’.

Transponder/TwainTec is installed by other parasites and Internet Explorer security hole exploits in pop-up ads.

Transponder/VoiceIp is installed by FreePhone (a version of the FlashTalk VoIP client with extra bundled Transponder).

Many variants of Transponder have been installed by the related FavoriteMan.

What it does

Advertising

Yes. Transponder opens pop-up adverts depending on targeted URLs being browsed, targeted terms being entrered into forms (this is aimed at search engines), and how much browsing is being done - the software tries to hide by not opening adverts when little is happening.

Privacy violation

Yes. Transponder reports back to its servers with URLs visited and information entered into web forms, with a unique ID allowing web usage to be tracked.

The Thinstaller dropper program also reports back to its controlling server with a lot of leaked information, some of it sensitive and tied to the tracking ID. As well as the version of Windows installed, the unique product ID (as used for Windows XP activation) is sent back, along with the name and MAC address of the network connection, a full list of running processes, the contents of some registry trees, and whether some targeted programs are installed (including competitor parasites, anti-spyware and anti-virus software).

Older variants report back a smaller quantity of computer configuration and installed oftware information, and may try to sniff e-mail addresses from Outlook Express.

Security issues

Yes. Can silently download and execute arbitrary unsigned software from its controlling servers, as a self-updating feature.

Stability problems

In earlier variants, IE crashes (hanging up, window does not respond or redraw) when Transponder’s controlling servers are not contactable.

Removal

Contrary to the continual claims at Transponder group web sites there has never been an option to remove the software in the standard Add/Remove Programs Control Panel item. Some uninstallation instructions also erroneously (deliberately?) quote an uninstallation command of ‘regsvr32’ without the ‘/u’ option - executing this command will reinstall the software, not uninstall it.

MyPCTuneUp.com offers a removal service for parasites controlled by DirectRevenue, including Transponder, IPInsight and GrandStreet. However, it runs using Thinstaller so will again leak potentially sensitive information when run.

Manual removal

Caller variant

Newer variants of Transponder may install a randomly-named reloader process to stop them being deleted. This should be taken care of before the main program is removed.

Open the registry (Start->Run->regedit) and select the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. On the right, one of the entries will have a name comprising 10-14 random lower case letters, pointing to a random (different) 6-to-8-letter .exe file in the System32 folder. If it is not clear, you can check by opening the System32 folder (inside the Windows folder; called just ‘System’ on Windows 95/98/Me) and opening the right-click-Properties dialogue box. On the ‘Version’ tab the ‘Company name’ will be callinghome.biz.

Delete this entry, reboot Windows and you should be able to delete the random file in the System32 folder. You can also open the registry (Start->Run->regedit) and delete the key HKEY_LOCAL_MACHINE\Software\Vendor\Xml to clean up if you wish.

Stub variant

Newer variants of Transponder may install a Stub reloader process to stop them being deleted. This should be taken care of before the main program is removed.

Open the registry (Start->Run->regedit) and select the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. On the right delete the ‘susp’, ‘alchem’, ‘satmat’, ‘conscorr’ or ‘farmmext’ entry. Reboot Windows and delete the .exe file of the same name from the Windows folder.

All variants

The Transponder DLL lives in the Windows folder. Before it can be deleted, it must be deregistered. Open a Command Prompt window (from Start->Programs->Accessories; called DOS prompt on Windows 95/98/Me) and enter the following commands, for the Blackstone variant:

cd "%WinDir%\System"
regsvr32 /u ..\IEHelper.dll

Or, for the VX2 variant:

cd "%WinDir%\System"
regsvr32 /u ..\VX2.dll

Or, for the TPS108 variant:

cd "%WinDir%\System"
regsvr32 /u ..\TPS108.dll

Or, for the SiteHlpr variant:

cd "%WinDir%\System"
regsvr32 /u ..\SiteHlpr.dll

Or, for the MSView variant:

cd "%WinDir%\System"
regsvr32 /u ..\MSView.dll

Or, for the Twaintec variant:

cd "%WinDir%\System"
regsvr32 /u ..\twaintec.dll

Or, for the Host variant:

cd "%WinDir%\System"
regsvr32 /u ..\host.dll

Or, for the BI variant:

cd "%WinDir%\System"
regsvr32 /u ..\BI.dll

Or, for the mxTarget variant:

cd "%WinDir%\System"
regsvr32 /u ..\mxTarget.dll

Or, for the MultiMPP variant:

cd "%WinDir%\System"
regsvr32 /u ..\MultiMPP.dll

Or, for the LocalNRD variant:

cd "%WinDir%\System"
regsvr32 /u ..\LocalNRD.dll

Or, for the VoiceIP variant:

cd "%WinDir%\System"
regsvr32 /u ..\VoiceIP.dll

Or, for the BTGrab variant:

cd "%WinDir%\System"
regsvr32 /u ..\BTGrab.dll

Or, for the ZServ variant:

cd "%WinDir%\System"
regsvr32 /u ..\ZServ.dll

Or, for the Pynix variant:

cd "%WinDir%\System"
regsvr32 /u ..\Pynix.dll

Or, for the DLMax variant:

cd "%WinDir%\System"
regsvr32 /u ..\dlmax.dll

Or, for the Ceres variant:

cd "%WinDir%\System"
regsvr32 /u ..\Ceres.dll

Or, for the sPeer variant:

cd "%WinDir%\System"
regsvr32 /u ..\sPeer.dll

After doing this and restarting the computer you can delete the DLL file from the Windows folder. In the MSView variant you can also delete MSView.ini in the same place; in the Blackstone variant domlst.cch can be deleted. In the Ceres and sPeer variants you can also delete the Buddy.exe file.

There may also be various leftover installer files left in the Windows folder which can be deleted to clean up. Known filenames include MSVprep.exe, hostprep.exe, biprep.exe, bi_prob.exe, mx_prob.exe, tt_prob.exe, susp_reco.exe, ln_reco.exe, randreco.exe, intlreco.exe, mm_reco.exe, stmtreco.exe, tt_reco.exe, thnall1*.exe polall1*.exe and polmx#.exe.

In the TPS108 variant there may be a tps108.html file in the root of the C:\ drive; in the SiteHlpr variant it may be called bc777.html. These can be deleted to clean up.

If you want, you can also remove Transponder’s settings. Open the registry (click ‘Start’, choose ‘Run’, enter ‘regedit’ and open the key HKEY_LOCAL_MACHINE\Software (for variants up to VoiceIP) or HKEY_CURRENT_USER\Software (for variants from BTGrab onwards).

Delete the subkey titled ‘Transponder’ (Blackstone variant), ‘RespondMiter’ (VX2 variant), ‘TPS108’ (TPS108 variant), ‘SiteHlpr’ (SiteHlpr variant), ‘MSView’ (MSView variant), ‘Twaintec’ (Twaintec variant), ‘DHost’ (Host variant), ‘DBi’ (BI variant), ‘Mxtarget’ (mxTarget variant), ‘Multimpp’ (MultiMPP variant), ‘LocalNRD’ (LocalNRD variant), ‘VoiceIP’ (VoiceIP variant), ‘BTGrab’ (BTGrab variant), ‘ZServ’ (ZServ variant), ‘Pynix’ (Pynix variant), ‘DLMax’ (dlmax variant), ‘Ceres’ (Ceres variant) or ‘sPeer’ (sPeer variant).

Links

Counterexploitation covers the earlier Transponder releases in-depth.

Webhelper investigates the Transponder companies.