
Adware:Win32/OpenCandy


First posted on 19 July 2012.
Source: Microsoft

Aliases :

There are no other names known for Adware:Win32/OpenCandy.

Explanation :



On July 10th, 2012 at 18:30 PST, a false-positive detection of Adware:Win32/OpenCandy was identified. On July 11th, 2012 at 15:25 PST, Microsoft released a signature update that addresses the issue. Signature versions 1.129.1502.0 and higher include this fix.

Adware:Win32/OpenCandy is an adware program that may be bundled with certain third-party software installation programs. Some versions of this program may send user-specific information, including a unique machine code, operating system information, locale (country), and certain other information to a remote server without obtaining adequate user consent. These versions are detected by Microsoft's anti-malware products.

Installation

When an installation program that uses the OpenCandy component is run, an OpenCandy DLL named "OCSetupHlp.dll" is extracted into the Temporary files folder. The DLL determines which, if any, of the developer's selected offers to display. For example, if a recommended program is already installed on the system, the OpenCandy component will skip it and make a different recommendation, if one is available. Should the OpenCandy component offer a program, the offer may indicate it is "Powered by OpenCandy" and appear as in the following example, or similar:

Should the user choose to install a recommended program, a download manager named "LatestDLMgr.exe" executes and facilitates the download and installation of the recommended program. This installation may look similar to the following example:

Files associated with OpenCandy are normally removed once the installation completes; however, they may remain on the system under certain circumstances. OpenCandy may store information in the registry and use this during future installations that use the OpenCandy component. Its location in the registry depends on the first program installed whose installer used the OpenCandy component, and may be similar to the following (the vendor name "ADatumCorporation" is a placeholder):

HKLM\SOFTWARE\ADatumCorporation\OpenCandy
HKLM\SOFTWARE\ADatumCorporation\OpenCandy\Completed
HKLM\SOFTWARE\Wow6432Node\ADatumCorporation\OpenCandy
HKLM\SOFTWARE\Wow6432Node\ADatumCorporation\OpenCandy\Completed

Adware:Win32/OpenCandy transmits various information to a remote server, including the following:

  • a code identifying the downloaded program - this code allows for tracking the specific downloaded program's installation and allows the OpenCandy component to download the list of offers the program's developer chose to recommend
  • a unique machine code which may be stored locally on the computer and used by future installers utilizing the OpenCandy component
  • operating system version
  • the current language the operating system is using
  • the language of the installer
  • the country location and time zone of the affected computer
  • installation status of offered programs
  • if a recommendation is made, how long the offer is viewed and if it is accepted
  • if a recommendation is accepted, whether the recommended program's installer successfully downloads and launches, and whether it completes successfully, fails or is cancelled
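The artifacts described above (the extracted "OCSetupHlp.dll", the "LatestDLMgr.exe" download manager, and the vendor-specific OpenCandy registry keys in both the native and Wow6432Node views) are what an analyst would check for when triaging a machine after a bundled installer has run. The following PowerShell script is an added example written for this page; it is not Microsoft's or OpenCandy's code. The file and key names come from the text; the search locations (every profile's Temp folder plus the system Temp), the one-level-below-vendor search for the registry key, and the optional -Remove switch are assumptions made here.

```powershell
<#
Added triage script (not part of the original entry).
Lists leftover OpenCandy files and registry keys; with -Remove it deletes them.
Run from an elevated PowerShell so HKLM and other users' profiles are readable.
#>
param([switch]$Remove)

# File names taken from the text; they are normally deleted when the
# installer finishes, so any survivor is worth recording with its hash.
$fileNames = @('OCSetupHlp.dll', 'LatestDLMgr.exe')

# Assumption: the installer may have run under another account, so look in
# every profile's Temp folder as well as the current user's and the system's.
$tempDirs = @($env:TEMP, (Join-Path $env:SystemRoot 'Temp')) +
    @(Get-ChildItem -Path (Join-Path $env:SystemDrive 'Users') -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $_.FullName 'AppData\Local\Temp' })

$findings = @()

foreach ($dir in ($tempDirs | Sort-Object -Unique | Where-Object { Test-Path $_ })) {
    Get-ChildItem -Path $dir -Recurse -Force -Include $fileNames -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            $findings += [pscustomobject]@{
                Kind     = 'File'
                Path     = $_.FullName
                Detail   = ('{0} bytes, modified {1}, signer "{2}" ({3})' -f
                            $_.Length, $_.LastWriteTime, $sig.SignerCertificate.Subject, $sig.Status)
                SHA256   = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
            }
        }
}

# The vendor key (ADatumCorporation in the text) is whichever product first
# shipped the component, so search one level below every vendor key in both
# the 64-bit and the Wow6432Node (32-bit) views instead of hard-coding it.
$roots = @('HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node')
$openCandyKeys = foreach ($root in $roots) {
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ChildItem -Path $_.PSPath -ErrorAction SilentlyContinue } |
        Where-Object { $_.PSChildName -eq 'OpenCandy' }
}

foreach ($key in $openCandyKeys) {
    # Record the key, its "Completed" subkey and every stored value; the
    # machine code reused by later installers is among these values.
    $allKeys = @($key) + @(Get-ChildItem -Path $key.PSPath -Recurse -ErrorAction SilentlyContinue)
    foreach ($k in $allKeys) {
        $props = Get-ItemProperty -Path $k.PSPath -ErrorAction SilentlyContinue
        $values = if ($props) {
            $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
                ForEach-Object { '{0}={1}' -f $_.Name, $_.Value }
        }
        $findings += [pscustomobject]@{
            Kind   = 'Registry'
            Path   = $k.Name
            Detail = ($values -join '; ')
            SHA256 = ''
        }
    }
}

if (-not $findings) {
    Write-Output 'No OpenCandy artifacts found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}

if ($Remove -and $findings) {
    # Registry keys are removed top-down (Remove-Item -Recurse handles
    # "Completed"); files are deleted individually after their hash was logged.
    foreach ($key in $openCandyKeys) { Remove-Item -Path $key.PSPath -Recurse -Force }
    $findings | Where-Object Kind -eq 'File' |
        ForEach-Object { Remove-Item -Path $_.Path -Force -ErrorAction SilentlyContinue }
    Write-Output 'OpenCandy artifacts removed.'
}
```

Export the findings with `Export-Csv` before using -Remove if the evidence has to be preserved; the SHA256 column lets the recovered DLL be compared against the detection threshold noted at the top of the entry (signature 1.129.1502.0 and later) by submitting it to Microsoft rather than judging it by name alone. Absence of the files is expected on a clean run, since the installer deletes them; the registry key is the more durable indicator.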


Analysis by Aaron Hulett

Last update 19 July 2012
