Tuesday, February 04, 2003

kuro5hin.org || technology and culture, from the trenches

I intercepted an attempted auto-downloading (Java?) executable from MSNBC's site. The redirect came from msn.com. The filename was 'ADSAdClient31.0170610', and a quick cull of the binary data reveals several things you can look for to see if your system has been infected with what I suspect to be yet another MS spyware program. Naturally, there is nothing in Microsoft's knowledge base about this.



For now, I'm calling it "Microsoft Ad Client 3.1", after a text string I found in it. It appears to have been released "Feb 3 2000 18:18:01". It appears to be a Java module which allows advertiser(s) to create popup windows at specified intervals after viewing the website in question. It may also attempt to gain additional permissions - it has networking code and local file I/O calls in it. I do not have the tools or ability to reverse engineer a compiled Java app, however, so I have to guess based on the text strings in the file. I believe the only reason I got to download this file was because the HTTP request was mangled - sadly, I do not have a log of the HTTP headers.

Checking for the following files should give you a good idea of whether or not you've been infected with this: ADSInet.dll, Accipiter.Ini, ADSAdClient31.dbg, ent31.dll, and/or the registry entries:
SYSTEM\CurrentControlSet\Services\EventLog\Application\ADSAdClient31
SYSTEM\CurrentControlSet\Services\ADSAdClient31 ADSAdClientPerf31
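An added example, not part of the original post: a PowerShell check that sweeps a Windows host for the file names and registry keys listed above and reports any hits. The file names and the two unambiguous registry paths come from the post; the directories searched and the HKLM hive are assumptions.

```powershell
# Indicators taken from the post. The registry hive (HKLM) and the search
# directories below are assumptions, not something the post states.
$Indicators = @{
    Files        = @('ADSInet.dll', 'Accipiter.Ini', 'ADSAdClient31.dbg', 'ent31.dll')
    RegistryKeys = @(
        'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Application\ADSAdClient31',
        'HKLM:\SYSTEM\CurrentControlSet\Services\ADSAdClient31'
    )
}

# Plausible drop locations for a browser-delivered component (assumption).
$SearchRoots = @(
    $env:SystemRoot,
    "$env:SystemRoot\System32",
    "$env:SystemRoot\Downloaded Program Files",
    $env:TEMP,
    $env:USERPROFILE
)

function Find-AdClientIndicators {
    $hits = @()
    # File indicators: recurse each root for an exact file-name match.
    foreach ($root in ($SearchRoots | Where-Object { $_ -and (Test-Path $_) })) {
        foreach ($name in $Indicators.Files) {
            Get-ChildItem -Path $root -Filter $name -Recurse -File -ErrorAction SilentlyContinue |
                ForEach-Object {
                    $hits += [pscustomobject]@{
                        Type = 'File'; Location = $_.FullName; Detail = $_.LastWriteTime
                    }
                }
        }
    }
    # Registry indicators: a present service key also tells us what binary it points at.
    foreach ($key in $Indicators.RegistryKeys) {
        if (Test-Path $key) {
            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            $hits += [pscustomobject]@{
                Type = 'Registry'; Location = $key; Detail = $props.ImagePath
            }
        }
    }
    return $hits
}

$results = Find-AdClientIndicators
if ($results) { $results | Format-Table -AutoSize } else { 'No ADSAdClient31 indicators found.' }
```

Run it from an elevated prompt so the Services keys and the System32 directory are readable; a hit on the service key with an ImagePath gives you the installed binary to examine next.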


Edward A. Villarreal. Powered by Blogger.
