Adware:Win32/OpenCandy
Encyclopedia entry
Updated: Aug 09, 2012 | Published: Feb 14, 2011
Aliases
Not available
Alert Level
Moderate
Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection last updated: Definition 1.139.1873.0, released Nov 12, 2012
Detection initially created: Definition 1.97.1582.0, released Feb 12, 2011
Summary
Adware:Win32/OpenCandy is an adware program that may be bundled with certain third-party software installation programs. Some versions of this program may send user-specific information, including a unique machine code, operating system information, locale (country), and certain other information to a remote server without obtaining adequate user consent. These versions are detected by Microsoft’s anti-malware products.
Symptoms
System Changes
The following system changes may indicate the presence of OpenCandy:
- While running an installation program utilizing the OpenCandy component, you may receive an offer to install a recommended program. This offer may indicate it is "Powered by OpenCandy".
- Your firewall or other network monitoring program may indicate traffic to various opencandy.com servers.
Technical Information (Analysis)
Installation
When running an installation program utilizing the OpenCandy component, an OpenCandy DLL named "OCSetupHlp.dll" is extracted into the Temporary files folder. The DLL determines which, if any, of the developer's selected offers to display.
For example, if a recommended program is already installed on the system, the OpenCandy component will not recommend it and will make a different recommendation instead, if one is available. Should the OpenCandy component offer a program, the offer may indicate it is "Powered by OpenCandy" and appear as the following example, or similar:
Should the user choose to install a recommended program, a download manager named "LatestDLMgr.exe" executes and facilitates the download and installation of the recommended program. This installation may look similar to the following example:
Files associated with OpenCandy are normally removed once the installation completes; however, they may remain on the system under certain circumstances. OpenCandy may store information in the registry and use it during future installations that utilize the OpenCandy component.
Its location in the registry is dependent on the first program installed utilizing the OpenCandy component in its installer and may be similar to the following:
HKLM\SOFTWARE\ADatumCorporation\OpenCandy
HKLM\SOFTWARE\ADatumCorporation\OpenCandy\Completed
HKLM\SOFTWARE\Wow6432Node\ADatumCorporation\OpenCandy
HKLM\SOFTWARE\Wow6432Node\ADatumCorporation\OpenCandy\Completed
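A read-only check for the leftover files and registry keys described above, as an added example that is not part of the original entry. It assumes the vendor key name varies per installer (so it is wildcarded) and that the current user's %TEMP% is the "Temporary files folder"; the function names are hypothetical.

```powershell
# Added example: read-only triage for OpenCandy residue named in this entry.
# Nothing is deleted or modified; the script only reports what it finds.

function Find-OpenCandyRegistryKeys {
    # The key lives under whichever vendor's installer ran first, so the
    # vendor name is wildcarded. Both the native and 32-bit views are checked.
    $patterns = @(
        'HKLM:\SOFTWARE\*\OpenCandy',
        'HKLM:\SOFTWARE\Wow6432Node\*\OpenCandy'
    )
    foreach ($pattern in $patterns) {
        Get-Item -Path $pattern -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{
                Key          = $_.Name
                HasCompleted = ($_.GetSubKeyNames() -contains 'Completed')
                ValueNames   = ($_.GetValueNames() -join ', ')
            }
        }
    }
}

function Find-OpenCandyFiles {
    param(
        # Assumption: the current user's temp folder. Pass other roots
        # (for example other profiles' temp folders) when run as admin.
        [string[]]$Roots = @($env:TEMP)
    )
    # File names taken from the Installation section of this entry.
    $names = 'OCSetupHlp.dll', 'LatestDLMgr.exe'
    Get-ChildItem -Path $Roots -Include $names -Recurse -File `
                  -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime
}

$report = [pscustomobject]@{
    Computer     = $env:COMPUTERNAME
    RegistryKeys = @(Find-OpenCandyRegistryKeys)
    Files        = @(Find-OpenCandyFiles)
}
$report | ConvertTo-Json -Depth 4
```

Empty `RegistryKeys` and `Files` arrays mean no residue was found in the locations checked; a registry hit without files is expected when an installer cleaned up after itself.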
Adware:Win32/OpenCandy transmits various information to a remote server, including the following:
- a code identifying the downloaded program - this code allows for tracking the specific downloaded program's installation and allows the OpenCandy component to download the list of offers the program's developer chose to recommend
- a unique machine code which may be stored locally on the computer and used by future installers utilizing the OpenCandy component
- operating system version
- the current language the operating system is using
- the language of the installer
- the country location and time zone of the affected computer
- installation status of offered programs
- if a recommendation is made, how long the offer is viewed and if it is accepted
- if a recommendation is accepted, whether the recommended program's installer successfully downloads and launches, and whether it completes successfully, fails or is cancelled
Analysis by Aaron Hulett
Prevention
Recovery
To detect and remove this program and other potentially unwanted software that may be installed on your computer, run a full-system scan with an up-to-date antispyware product such as the following:
Additional removal instructions
This program may be present in your Temporary Internet Files folder. We recommend that you delete your temporary Internet files to prevent the persistent detection of this program from within the Temporary Internet Files folder.
To delete the temporary Internet files from Internet Explorer, refer to KB Article 260897.