Virus

Adware/Gain

Analysis

[Precision Time]
The details for the Precision Time installer are:
Typical Name: PrecisionTimeSetup.exe
File Size: 973,608 bytes
Version: 3.0.3.0
Company Name: GAIN Publishing
Digital Signature: GAIN Publishing

The details for the Precision Time executables are:

Name: PrecisionTime.exe
File Size: 577,615 bytes
Version: 3.0.3.0
Description: Precision Time Application
Company Name: GAIN Publishing

Name: GatorStubSetup.exe
File Size: 249,919 bytes
Version: 7.1.0.6
Description: Gator Client Application
Company Name: GAIN Publishing
Original Filename: Gator.exe

Name: GMT.exe
File Size: 2,183,220 bytes
Version: 7.1.0.6
Description: GAIN Application
Company Name: GAIN Publishing

Name: CMESys.exe
File Size: 90,112 bytes
Version: 7.1.0.6
Description: CME II Client Application
Company Name: GAIN Publishing

Description of Adware:

Precision Time is an application authored by GAIN Publishing, a subsidiary of Claria Corporation. It is billed as a product that automatically synchronizes the time and date of the Windows clock; however, this functionality is available natively within Windows XP. Claria's primary business is advertising and behavioral marketing. Once Precision Time is downloaded and installed, the user's browsing habits are monitored and communicated to the Claria Corporation. The purpose of monitoring the user's online behavior is to display targeted advertising. These ads can take many forms, including, but not limited to, pop-under ads, pop-up ads, sliding ads, and embedded ads.


System Alterations upon installation:
  • During installation the following directories are created:
    [user's local settings directory]\Temp\fsg_tmp
    [all user's start menu program directory]\GAIN Publishing
    [all user's start menu program directory]\PrecisionTime
    [program files directory]\Common Files\CMEII
    [program files directory]\Common Files\GMT
    [program files directory]\PrecisionTime

  • Note: Many files and subdirectories are also installed, including the executables detailed above.
  • The following Windows Start Menu folders are added:
    Programs -> GAIN Publishing
    Programs -> PrecisionTime
    Programs -> Startup -> Gstartup
    Programs -> Startup -> PrecisionTime

  • Many registry keys are created, including the below:
    HKEY_LOCAL_MACHINE\SOFTWARE\Gator.com
    HKEY_LOCAL_MACHINE\SOFTWARE\Gator.com\AppInfo
    HKEY_LOCAL_MACHINE\SOFTWARE\Gator.com\AppInfo\CME
    HKEY_LOCAL_MACHINE\SOFTWARE\Gator.com\AppInfo\GMT
    HKEY_LOCAL_MACHINE\SOFTWARE\Gator.com\AppInfo\PrecisionTime
    HKEY_LOCAL_MACHINE\SOFTWARE\Gator.com\CMEII
    HKEY_LOCAL_MACHINE\SOFTWARE\Gator.com\CMEII\GSNInstalled
    HKEY_LOCAL_MACHINE\SOFTWARE\Gator.com\Gator
    HKEY_LOCAL_MACHINE\SOFTWARE\Gator.com\Gator\dyn
    HKEY_LOCAL_MACHINE\SOFTWARE\Gator.com\Gator\stat
    HKEY_LOCAL_MACHINE\SOFTWARE\Gator.com\Gator\stat\GMT
    HKEY_LOCAL_MACHINE\SOFTWARE\Gator.com\GInternet
    HKEY_LOCAL_MACHINE\SOFTWARE\Gator.com\GInternet\Proxy
    HKEY_LOCAL_MACHINE\SOFTWARE\Gator.com\PrecisionTime
    HKEY_LOCAL_MACHINE\SOFTWARE\Gator.com\Trickler
    HKEY_LOCAL_MACHINE\SOFTWARE\Gator.com\trickles
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PrecisionTime

  • Many registry values are added as well, including:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "CMESys"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Trickler"

  • Note: The above registry values cause Precision Time's GAIN processes to execute automatically upon Windows startup.
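
The indicators in this analysis (the directories, registry keys and Run values listed above, plus the DNS names listed under Adware Behavior) can be matched against artifacts collected from a host. The following is an added example, not part of the original analysis: the function names, the input shape and the sample artifacts are assumptions constructed for illustration.

```python
"""Match host artifacts against the Precision Time / GAIN indicators on this page."""
DNS_NAMES = {
    "www.precision-time.com", "web.balance.gator.com", "www.gainpublishing.com",
    "gi.gator.com", "ts.gator.com", "trickle.gator.com",
}
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
RUN_VALUES = {"cmesys", "trickler"}
REG_ROOT = r"hkey_local_machine\software\gator.com"
DIR_MARKERS = (r"\common files\cmeii", r"\common files\gmt", r"\precisiontime")

def norm_host(name):
    # DNS names are case-insensitive and logs often keep the trailing root dot.
    return name.strip().rstrip(".").lower()

def under(path, marker):
    # Whole-component match: "\precisiontime" must not match "\precisiontimer".
    return (marker + "\\") in (path.lower().rstrip("\\") + "\\")

def triage(dns_queries, reg_entries, paths):
    """Return sorted hits per artifact type; reg_entries are (key, value_name or None)."""
    hits = {"dns": set(), "registry": set(), "path": set()}
    for q in dns_queries:
        if norm_host(q) in DNS_NAMES:
            hits["dns"].add(norm_host(q))
    for key, value in reg_entries:
        k = key.lower().rstrip("\\")
        if k == REG_ROOT or k.startswith(REG_ROOT + "\\"):
            hits["registry"].add(k)
        elif k == RUN_KEY and value and value.lower() in RUN_VALUES:
            hits["registry"].add(f'{k} "{value.lower()}"')
    for p in paths:
        if any(under(p, m) for m in DIR_MARKERS):
            hits["path"].add(p.lower())
    return {kind: sorted(found) for kind, found in hits.items()}

# Constructed sample artifacts (hypothetical host, includes near-miss decoys).
RUN = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_DNS = ["TS.Gator.com.", "www.example.org", "trickle.gator.com", "gator.com.example.net"]
SAMPLE_REG = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Gator.com\Trickler", None),
    (RUN, "CMESys"), (RUN, "ctfmon.exe"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Gator.community", None),
]
SAMPLE_PATHS = [r"C:\Program Files\Common Files\GMT\GMT.exe",
                r"C:\Program Files\PrecisionTimer\app.exe",
                r"C:\Program Files\PrecisionTime"]

if __name__ == "__main__":
    print(triage(SAMPLE_DNS, SAMPLE_REG, SAMPLE_PATHS))
```

The decoy entries (`gator.com.example.net`, `Gator.community`, `PrecisionTimer`) show why the comparison is done on whole host names, key components and path components rather than on substrings.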
Adware Behavior:
  • Upon installation Precision Time performs many DNS lookups, including:
    www.precision-time.com
    web.balance.gator.com
    www.gainpublishing.com
    gi.gator.com
    ts.gator.com
    trickle.gator.com

  • The program then silently accesses several websites within the Gator network. After doing so, it transmits information about the computer on which it has been installed.

  • The program then retrieves several archived installation files from the Gator network. During this process it transmits additional information regarding the local computer.

  • The installation of Precision Time will result in the following applications operating in the background:
    \precis~1\precis~1.exe
    \common files\gmt\gmt.exe
    \common files\cmeii\cmesys.exe

  • Upon synchronizing the user's clock for the first time the following window will be shown:

  • While the user browses the web, browsing behavior is monitored by GAIN applications such as gmt.exe. This information is then regularly transmitted to the Gator network. Advertisements targeting the user are frequently displayed, based on analysis of the user's web browsing behavior. A sample ad is shown below: