
Adware:Win32/ClickPotato


First posted on 23 April 2019.
Source: Microsoft

Aliases :

Adware:Win32/ClickPotato is also known as ADSPY/AdSpy.Gen2, AdWare.AdSpy, Pinball.

Explanation :

Adware:Win32/ClickPotato is a program that displays pop-up and notification-style advertisements based on the user's browsing habits. ClickPotato offers a free tool that allows users to access and search free streaming videos of popular films and TV shows. The tool is a multi-component adware program designed to monitor a user's online browsing behavior to deliver targeted advertising. It may also install components related to Win32/Hotbar and Win32/ShopperReport.

Installation

Adware:Win32/ClickPotato makes the following changes to the registry:

Adds subkey: HKLM\SOFTWARE\ClickPotatoLite
Adds subkey: HKLM\SOFTWARE\Classes\MenuButtonIE.ButtonIE
Adds subkey: HKLM\SOFTWARE\Classes\MenuButtonIE.ButtonIE.1
Adds subkey: HKLM\SOFTWARE\Classes\AppID\MenuButtonIE.DLL
Adds subkey: HKLM\SOFTWARE\Classes\CLSID\{7A3D6D17-9DD5-4C60-8076-D1784DABAF8C}
Adds subkey: HKLM\SOFTWARE\Classes\AppID\{11C27351-716B-4052-9361-E3B0A3F8221C}
Adds subkey: HKLM\SOFTWARE\Classes\TypeLib\{814BAA91-DC22-4350-87D6-0C86E93F7F08}
Adds subkey: HKLM\SOFTWARE\Classes\ClickPotatoLiteAX.Info
Adds subkey: HKLM\SOFTWARE\Classes\ClickPotatoLiteAX.Info.1
Adds subkey: HKLM\SOFTWARE\Classes\ClickPotatoLiteAX.UserProfiles
Adds subkey: HKLM\SOFTWARE\Classes\ClickPotatoLiteAX.UserProfiles.1
Adds subkey: HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B58926D6-CFB0-45d2-9C28-4B5A0F0368AE}

Adds value: "ButtonText" With data: "ClickPotato"
Adds value: "CLSID" With data: "{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}"
Adds value: "ClsidExtension" With data: "{7A3D6D17-9DD5-4C60-8076-D1784DABAF8C}"
Adds value: "Default Visible" With data: "Yes"
Adds value: "HotIcon" With data: "C:\Program Files\ClickPotatoLite\bin\10.0.511.0\ClickPotatoLiteSABHO.dll,201"
Adds value: "Icon" With data: "C:\Program Files\ClickPotatoLite\bin\10.0.511.0\ClickPotatoLiteSABHO.dll,201"
To subkey: HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B58926D6-CFB0-45d2-9C28-4B5A0F0368AE}

Adds value: "ClickPotatoLiteSA"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Adds value: "ClickPotatoLiteSA"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Adware:Win32/ClickPotato makes the following system changes to the user's computer:

Creates directory:
%programfiles%\ClickPotatoLite\bin\10.0.%varies%.0

Where %programfiles% represents the user's program folder and %varies% is a three-digit number indicating the release number.

Creates the following files in this directory:
ClickPotatoLiteSA.exe
ClickPotatoLiteSAAX.dll
ClickPotatoLiteSABHO.dll
ClickPotatoLiteSAHook.dll
ClickPotatoLiteUninstaller.exe

Creates directory:
%programfiles%\ClickPotatoLite\bin\10.0.%varies%.0\firefox\extensions

Where %programfiles% represents the user's program folder and %varies% is a three-digit number indicating the release number.

Creates the following files in this directory:
chrome.manifest
install.rdf

Creates directory:
%programfiles%\ClickPotatoLite\bin\10.0.%varies%.0\firefox\extensions\plugins

Where %programfiles% represents the user's program folder and %varies% is a three-digit number indicating the release number.

Creates the following file in this directory:
npclntax_ClickPotatoLiteSA.dll

Creates directory:
ClickPotato

Note:  refers to a variable location that is determined by the malware by querying the Operating System. The default location for the 'Start Menu' folder for Windows 9x, Me, NT, 2000, XP and 2003 is '%USERPROFILE%\Start Menu'. For Windows Vista and 7, the default location is '%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu'.

Creates the following files in this directory:
About Us.lnk
ClickPotato Customer Support.lnk
ClickPotato Uninstall Instructions.lnk

Creates directory:
%programdata%\ClickPotatoLiteSA

Where %programdata% represents the user's programdata folder, that is, C:\ProgramData

Creates the following files in this directory:
ClickPotatoLiteSA.dat
ClickPotatoLiteSAAbout.mht
ClickPotatoLiteSAau.dat
ClickPotatoLiteSAEULA.mht
ClickPotatoLiteSA_hpk.dat
ClickPotatoLiteSA_kyf.dat

Program behavior

Creates shortcuts

Once installed, Adware:Win32/ClickPotato can be seen as a shortcut on an Internet Explorer toolbar, as seen in the image below:

The adware's presence can also be seen in the 'Manage Add-ons' window, as seen in the image below:

Adware:Win32/ClickPotato may also display an icon on a user's desktop, as seen in the image below:

Bundles with other programs

Adware:Win32/ClickPotato may be distributed bundled with known free download software such as:

FLVBlaster
VLC
Xvid
Easy Video
OpenOffice
Lime Wire
eMule
ARES 2010 Version
Audacity
7zip

The installer may also include other adware programs such as Adware:Win32/HotBar, Adware:Win32/ShopperReport and BrowserModifier:Win32/Zwangi.

Displays in multiple browsers

In the wild, we have observed Win32/ClickPotato running in the following browsers:

Internet Explorer 6
Internet Explorer 7
Internet Explorer 8
Firefox 3.6
Firefox 4.0

Analysis by Michael Johnson & Methusela Ferrer
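
A read-only host check built from the registry keys and directories listed in this entry, as an added example that is not part of the original write-up. The WOW6432Node and "Program Files (x86)" lookups are assumptions covering a 32-bit install on 64-bit Windows.

```powershell
# Added example (not from the original entry): read-only check for the
# ClickPotato artifacts listed above. Reports findings; removes nothing.

# Registry subkeys from the entry, relative to HKLM\SOFTWARE.
$subKeys = @(
    'ClickPotatoLite',
    'Classes\MenuButtonIE.ButtonIE',
    'Classes\ClickPotatoLiteAX.Info',
    'Classes\ClickPotatoLiteAX.UserProfiles',
    'Classes\CLSID\{7A3D6D17-9DD5-4C60-8076-D1784DABAF8C}',
    'Microsoft\Internet Explorer\Extensions\{B58926D6-CFB0-45d2-9C28-4B5A0F0368AE}'
)
# Assumption: a 32-bit installer on 64-bit Windows is redirected to
# WOW6432Node and "Program Files (x86)", so both views are checked.
$views = 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node'
$findings = New-Object System.Collections.Generic.List[string]

foreach ($view in $views) {
    foreach ($key in $subKeys) {
        $path = Join-Path $view $key
        if (Test-Path -LiteralPath $path) { $findings.Add("Registry key: $path") }
    }
    # Autostart value named in the entry.
    $run = Join-Path $view 'Microsoft\Windows\CurrentVersion\Run'
    $val = Get-ItemProperty -LiteralPath $run -Name 'ClickPotatoLiteSA' -ErrorAction SilentlyContinue
    if ($val) { $findings.Add("Run value: $run -> $($val.ClickPotatoLiteSA)") }
}

# Install directories; the wildcard stands in for %varies% (release number).
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ } | Select-Object -Unique
foreach ($root in $roots) {
    Get-Item -Path (Join-Path $root 'ClickPotatoLite\bin\10.0.*.0') -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer } |
        ForEach-Object { $findings.Add("Install directory: $($_.FullName)") }
}

# Data directory under %programdata%.
$data = Join-Path $env:ProgramData 'ClickPotatoLiteSA'
if (Test-Path -LiteralPath $data) { $findings.Add("Data directory: $data") }

if ($findings.Count) { $findings } else { 'No ClickPotato artifacts from this entry were found.' }
```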

Last update 23 April 2019

 
