Threat behavior
Spyware:Win32/ShopAtHome.A is a Web browser redirector that monitors your Web browsing behavior and online purchases. ShopAtHome - also known as GoldenRetriever and SelectRebates - claims to track points for your ShopAtHome rebates when you buy products directly from affiliated merchant Web sites without linking through the ShopAtHome Web site.
Installation
ShopAtHome installs through an ActiveX security alert dialog box when you register for an account at the ShopAtHome Web site. ShopAtHome is sometimes bundled with advertisement supported software. Spyware:Win32/ShopAtHome.A makes the following system changes during its installation:
- Creates a folder
<system folder>\sahimages
- Drops the following executable files
%windir%\downloaded program files\bunsetup.cab
%temp%\bundletracking.asp
%temp%\bundle.exe
binsttmp.tmp
1239bkpt.dll
bundlep.exe
bundle.txt
bundletracking.asp
(cookie files)
ap1001.sah
bundlep_ap1001.cab
- Modifies the registry by adding the following values, each referencing a dropped executable
SAHBundle
q2iulfjv
SAHAgent
Within subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- Adds the following value:
SAHAgent
Within subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- Adds registry keys with values into the registry hive HKEY_CLASSES_ROOT:
..\CLSID\{C0EF89EE-EEC7-4535-A041-F1EBF79560A7}
..\Interface\{4e570f74-deee-4fcf-b960-feefa4b8c6fc}
..\Interface\{4828c95f-c5db-4ab6-a945-8d8ec44b98a8}
- Adds registry keys with values into the registry hive HKEY_CURRENT_USER:
..\Software\VGroup\SAHPopup
..\Software\VGroup\SAHAgent
..\Software\Microsoft\Windows\CurrentVersion\Uninstall\ShopAtHomeSelect Agent
..\Software\Classes\WEBInstaller.execute
..\Software\Classes\WEBInstaller.execute.1
..\Software\Classes\CLSID\{30402FF4-3E71-4A1C-9B4B-1CD3486A9FB2}
- Adds registry keys with values into the registry hive HKEY_LOCAL_MACHINE:
..\Software\Classes\CLSID\{30402ff4-3e71-4a1c-9b4b-1cd3486a9fb2}
..\Software\Classes\Interface\{4e570f74-deee-4fcf-b960-feefa4b8c6fc}
..\Software\Classes\Interface\{4828c95f-c5db-4ab6-a945-8d8ec44b98a8}
..\Software\Classes\WEBInstaller.execute
..\Software\Classes\WEBInstaller.execute.1
..\Software\Microsoft\Code Store Database\Distribution Units\
{E9670165-86FE-4C34-8C4B-D3158DDC5D92}
{5F3B3060-09E0-44C6-86F7-BC7B02B57BEE}
{30402ff4-3e71-4a1c-9b4b-1cd3486a9fb2}
..\Software\Microsoft\Windows\CurrentVersion\Uninstall\f3uor8hs
..\Software\Microsoft\Windows\CurrentVersion\Uninstall\shopathomeselect agent
..\Software\Microsoft\Windows\CurrentVersion\ModuleUsage\
<path>/xmltok_.dll\{30402ff4-3e71-4a1c-9b4b-1cd3486a9fb2}
<path>/xmlparse_.dll\{30402ff4-3e71-4a1c-9b4b-1cd3486a9fb2}
<path>/webinstaller.dll\{30402ff4-3e71-4a1c-9b4b-1cd3486a9fb2}
<path>/sahuninstall_.exe\{30402ff4-3e71-4a1c-9b4b-1cd3486a9fb2}
<path>/sahdownloader_.exe\{30402ff4-3e71-4a1c-9b4b-1cd3486a9fb2}
<path>/sahagent_.exe\{30402ff4-3e71-4a1c-9b4b-1cd3486a9fb2}
<path>/lsp_.dll\{30402ff4-3e71-4a1c-9b4b-1cd3486a9fb2}
..\Software\VGroup
..\Software\VGroup\SAHPopup
..\Software\VGroup\SAHAgent
..\Software\Winsock2\Layered Provider Sample
Additional Information
Spyware:Win32/ShopAtHome.A installs itself in the Winsock layer of a computer and redirects Internet Web traffic through ShopAtHome servers before redirecting Web browsers to the merchant Web sites. A ShopAtHome pop-up window appears and informs you that your Web browser is being transferred to the merchant Web site.
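The following read-only audit script is an added example, not part of this encyclopedia entry or of any Microsoft tool: it checks a Windows host for the registry values, keys, dropped files and Winsock layered-provider entries listed in the Installation section above. It assumes that `<system folder>` is `%SystemRoot%\System32`; because `<path>` in the ModuleUsage entries is not given, those are matched by the dropped-file names only.

```powershell
# Added audit script (not from the encyclopedia entry): reports which of the
# ShopAtHome indicators listed above are present on this host. Read-only.
# Assumption: <system folder> is $env:SystemRoot\System32; <path> is unknown,
# so ModuleUsage entries are matched by file name rather than by full path.
$hits = @()

# Run values named in the Installation section
$runChecks = @(
    @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'; Names = 'SAHBundle','q2iulfjv','SAHAgent' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Names = ,'SAHAgent' }
)
foreach ($c in $runChecks) {
    if (Test-Path $c.Key) {
        $props = Get-ItemProperty -Path $c.Key
        foreach ($n in $c.Names) {
            if ($null -ne $props.$n) { $hits += "Run value $($c.Key)\$n = $($props.$n)" }
        }
    }
}

# Registry keys named in the Installation section
$keys = @(
    'Registry::HKEY_CLASSES_ROOT\CLSID\{C0EF89EE-EEC7-4535-A041-F1EBF79560A7}',
    'HKCU:\Software\VGroup\SAHAgent',
    'HKCU:\Software\Classes\WEBInstaller.execute',
    'HKLM:\Software\VGroup',
    'HKLM:\Software\Classes\CLSID\{30402ff4-3e71-4a1c-9b4b-1cd3486a9fb2}',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\shopathomeselect agent',
    'HKLM:\Software\Winsock2\Layered Provider Sample'
)
foreach ($k in $keys) { if (Test-Path $k) { $hits += "Registry key $k" } }

# ModuleUsage entries: match on the dropped-file names since <path> is not given
$mu = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\ModuleUsage'
if (Test-Path $mu) {
    Get-ChildItem $mu | Where-Object { $_.PSChildName -match 'sahagent_|sahdownloader_|sahuninstall_|webinstaller|lsp_\.dll' } |
        ForEach-Object { $hits += "ModuleUsage entry $($_.PSChildName)" }
}

# Dropped folder and files
$paths = @("$env:SystemRoot\System32\sahimages",
           "$env:windir\downloaded program files\bunsetup.cab",
           "$env:TEMP\bundle.exe", "$env:TEMP\bundletracking.asp")
foreach ($p in $paths) { if (Test-Path $p) { $hits += "File system item $p" } }

# Winsock catalog: a redirector installed in the Winsock layer appears as a layered provider
$lsp = netsh winsock show catalog | Select-String -Pattern 'lsp_\.dll|sah'
if ($lsp) { $hits += "Winsock catalog entries: $($lsp.Line -join '; ')" }

if ($hits.Count -eq 0) { 'No ShopAtHome indicators found.' } else { $hits }
```

Any reported hit should be confirmed against the full paths and value data before remediation, since only the names (not `<path>`) are known from this entry.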
ShopAtHome assigns a customer ID, which may be used to monitor your browsing activities. For you to receive a cash back rebate, merchants transmit information about the total cost of your order, as well as the customer ID, to ShopAtHome servers. According to the license agreement (EULA), ShopAtHome monitors browsing activities, redirection to merchant Web sites, keyword searches, and the cookies on your computer; this information is sent back to ShopAtHome and may be shared with Internet behavior monitoring companies. These companies may also monitor the cookies on your computer. ShopAtHome may update itself and may install other programs or files in the background without a user interface.
You can uninstall ShopAtHome using Add and Remove Programs in Control Panel, but your account at the ShopAtHomeSelect Web site will be deactivated. To complete the uninstall of ShopAtHome using this method, you will need to enter a computer-generated word (a CAPTCHA-style pass phrase).
If you use other software to remove ShopAtHome, the license agreement states that ShopAtHome may not uninstall completely. After ShopAtHome is uninstalled, you must restart your computer for the changes to take effect.
Prevention