Home / malwarePDF  

Adware:Win32/GamePlayLabs


First posted on 07 June 2012.
Source: Microsoft

Aliases :

Adware:Win32/GamePlayLabs is also known as W32/GamePlay.B (Norman), ADSPY/GamePlayLabs.A.13 (Avira).

Explanation :



Adware:Win32/GamePlayLabs is a program that collects data when you browse websites. It then uses this data to display targeted advertising.

Installation

You may install Adware:Win32/GamePlayLabs electively from a specific website.

Upon installation, Adware:Win32/GamePlayLabs may create different files to run in different Internet browsers. For example, it installs the following files to run in Internet Explorer:

  • %Application Data%\GamePlayLabs Plugin\BHO.dll
  • %Application Data% \GamePlayLabs Plugin\gplplugin.crx
  • %Application Data% \GamePlayLabs Plugin\gplplugin.xpi
  • %Application Data%\GamePlayLabs Plugin\setup.ini
  • %Application Data% \GamePlayLabs Plugin\Uninstall.exe


Note: %Application Data% refers to application data directory, for example: c:\Documents and Settings\Administrator\Local Settings\Application Data

Adware:Win32/GamePlayLabs adds itself as a Firefox extension by adding the following directories with supporting files:

  • %DefaultFirefoxProfile%\extensions\plugin3@gameplaylabs.com
  • %DefaultFirefoxProfile%\extensions\plugin3@gameplaylabs.com\chrome\content
  • %DefaultFirefoxProfile%\extensions\plugin3@gameplaylabs.com\chrome\locale\en-US
  • %DefaultFirefoxProfile%\extensions\plugin3@gameplaylabs.com\defaults\preferences


Note: %DefaultFirefoxProfile% refers to the location that Firefox uses stores its profiles, for example: c:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\zi8xn3a1.default

Below are some examples of Firefox files we have observed being installed:

  • chrome.manifest
  • ff-overlay.xul
  • icon.png
  • install.rdf
  • overlay.js
  • overlay.properties
  • prefs.js
  • setup.ini


Adware:Win32/GamePlayLabs adds itself as a Google Chrome extension by adding the following directories with supporting files:

  • %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions\<random characters>\1.0_0
  • %LOCALAPPDATA%\Google\Chrome\User Data\Default\Local Storage\chrome-extension_<random characters>_0.localstorage


Below are some examples of Google Chrome files we have observed being installed:

  • background.html
  • gameplaylabs.png
  • gameplaylabsplugin.js
  • manifest.json
  • npGamePlayLabsPlugin.dll


Adware:Win32/GamePlayLabs makes the following changes to the registry:



  • Creates the following subkey:

    HKCU\Software\GamePlayLabs




  • Registers itself as a BHO (Browser Helper Object) by adding the following subkeys:

    HKLM\SOFTWARE\Classes\AppID\BHO.DLL
    HKLM\SOFTWARE\Classes\AppID\{65C994A2-C65A-4A20-BA92-AADAFC0DCE49}
    HKLM\SOFTWARE\Classes\BHO.GamePlayLabsBHO
    HKLM\SOFTWARE\Classes\BHO.GamePlayLabsBHO.1
    HKLM\SOFTWARE\Classes\CLSID\{984A9162-8891-4D19-8CFE-17648BB4E1EC}
    HKLM\SOFTWARE\Classes\Interface\{8E7AD93B-3E87-423D-947F-A321FA7E31C4}
    HKLM\SOFTWARE\Classes\TypeLib\{199C34A4-5436-403F-A250-219E16672570}
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{984A9162-8891-4D19-8CFE-17648BB4E1EC}




  • Adds the following subkey, values and data to add an uninstall entry to the Add/remove programs list dialog:

    In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GamePlayLabs Plugin
    Sets value: "DisplayName"
    With data: "GamePlayLabs Plugin"
    Sets value: "UninstallString"
    With data: €œ\Application Data\GamePlayLabs Plugin\Uninstall.exe€

Program behavior

If you install the program, you may be asked to provide certain personal information during the registration process. Adware:Win32/GamePlayLabs may store this information, then later use it to display targeted advertising on your computer. You may also be sent a questionnaire requesting more information for the same purpose of providing targeted advertising.

Adware:Win32/GamePlayLabs has also been observed collecting information when you visit the GamePlayLabs website, such as:

  • Email addresses
  • Passwords
  • Computer name
  • Internet connection information


Once installed, Adware:Win32/GamePlayLabs may collect your browsing data the utilizes this information to display targeted advertising.

After being installed as a BHO, you can see Adware:Win32/GamePlayLabs in the Internet Explorer 'Manage Add-ons' dialog:



After being installed as a Firefox extension, you can see Adware:Win32/GamePlayLabs in the Firefox 'Add-ons' dialog:





Adware:Win32/GamePlayLabs data-collecting behavior is mentioned in their end-user license agreement (EULA):





Analysis by Michael Johnson & Ding Plazo

Last update 07 June 2012

 

TOP