Adware:Win32/ClickPotato is a program that displays pop-up and notification-style advertisements based on the user's browsing habits.
ClickPotato offers a free tool that allows users to access and search free streaming videos of popular films and TV shows. The tool is a multi-component adware program designed to monitor a user’s online browsing behavior to deliver targeted advertising. It may also install components related to Win32/Hotbar and Win32/ShopperReport.
Installation
Adware:Win32/ClickPotato makes the following changes to the registry:
Adds subkey: HKLM\SOFTWARE\ClickPotatoLite
Adds subkey: HKLM\SOFTWARE\Classes\MenuButtonIE.ButtonIE
Adds subkey: HKLM\SOFTWARE\Classes\MenuButtonIE.ButtonIE.1
Adds subkey: HKLM\SOFTWARE\Classes\AppID\MenuButtonIE.DLL
Adds subkey: HKLM\SOFTWARE\Classes\CLSID\{7A3D6D17-9DD5-4C60-8076-D1784DABAF8C}
Adds subkey: HKLM\SOFTWARE\Classes\AppID\{11C27351-716B-4052-9361-E3B0A3F8221C}
Adds subkey: HKLM\SOFTWARE\Classes\TypeLib\{814BAA91-DC22-4350-87D6-0C86E93F7F08}
Adds subkey: HKLM\SOFTWARE\Classes\ClickPotatoLiteAX.Info
Adds subkey: HKLM\SOFTWARE\Classes\ClickPotatoLiteAX.Info.1
Adds subkey: HKLM\SOFTWARE\Classes\ClickPotatoLiteAX.UserProfiles
Adds subkey: HKLM\SOFTWARE\Classes\ClickPotatoLiteAX.UserProfiles.1
Adds subkey: HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B58926D6-CFB0-45d2-9C28-4B5A0F0368AE}
Adds value: "ButtonText"
With data: "ClickPotato"
Adds value: "CLSID"
With data: "{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}"
Adds value: "ClsidExtension"
With data: "{7A3D6D17-9DD5-4C60-8076-D1784DABAF8C}"
Adds value: "Default Visible"
With data: "Yes"
Adds value: "HotIcon"
With data: "C:\Program Files\ClickPotatoLite\bin\10.0.511.0\ClickPotatoLiteSABHO.dll,201"
Adds value: "Icon"
With data: "C:\Program Files\ClickPotatoLite\bin\10.0.511.0\ClickPotatoLiteSABHO.dll,201"
To subkey: HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B58926D6-CFB0-45d2-9C28-4B5A0F0368AE}
Adds value: "ClickPotatoLiteSA"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adds value: "ClickPotatoLiteSA"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Adware:Win32/ClickPotato makes the following system changes to the user's computer:
- Creates directory:
%programfiles%\ClickPotatoLite\bin\10.0.%varies%.0\
Where %programfiles% represents the user's program folder and %varies% is a three-digit number indicating the release number.
- Creates the following files in this directory:
ClickPotatoLiteSA.exe
ClickPotatoLiteSAAX.dll
ClickPotatoLiteSABHO.dll
ClickPotatoLiteSAHook.dll
ClickPotatoLiteUninstaller.exe
- Creates directory:
%programfiles%\ClickPotatoLite\bin\10.0.%varies%.0\firefox\extensions\
Where %programfiles% represents the user's program folder and %varies% is a three-digit number indicating the release number.
- Creates the following files in this directory:
chrome.manifest
install.rdf
- Creates directory:
%programfiles%\ClickPotatoLite\bin\10.0.%varies%.0\firefox\extensions\plugins\
Where %programfiles% represents the user's program folder and %varies% is a three-digit number indicating the release number.
- Creates the following file in this directory:
npclntax_ClickPotatoLiteSA.dll
- Creates directory:
<start menu>\ClickPotato\
Note: <start menu> refers to a variable location that is determined by the malware by querying the Operating System. The default location for the 'Start Menu' folder for Windows 9x, Me, NT, 2000, XP and 2003 is '%USERPROFILE%\Start Menu'. For Windows Vista and 7, the default location is '%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu'.
- Creates the following files in this directory:
About Us.lnk
ClickPotato Customer Support.lnk
ClickPotato Uninstall Instructions.lnk
- Creates directory:
%programdata%\ClickPotatoLiteSA\
Where %programdata% represents the user's programdata folder, that is, C:\ProgramData
- Creates the following files in this directory:
ClickPotatoLiteSA.dat
ClickPotatoLiteSAAbout.mht
ClickPotatoLiteSAau.dat
ClickPotatoLiteSAEULA.mht
ClickPotatoLiteSA_hpk.dat
ClickPotatoLiteSA_kyf.dat
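The registry and file-system changes listed above can be checked on a host with a read-only script. The following PowerShell is an added example, not part of the original analysis; the function name and the WOW6432Node and Program Files (x86) lookups are assumptions of this example, and it matches the 10.0.%varies%.0 directory by pattern rather than by the single 10.0.511.0 path seen in the registry data.

```powershell
# Added example (not Microsoft's code): read-only check for the artifacts listed above.
function Find-ClickPotatoArtifact {   # function name chosen for this example
    $hits = @()
    $subkeys = @(
        'ClickPotatoLite'
        'Classes\MenuButtonIE.ButtonIE'
        'Classes\MenuButtonIE.ButtonIE.1'
        'Classes\AppID\MenuButtonIE.DLL'
        'Classes\CLSID\{7A3D6D17-9DD5-4C60-8076-D1784DABAF8C}'
        'Classes\AppID\{11C27351-716B-4052-9361-E3B0A3F8221C}'
        'Classes\TypeLib\{814BAA91-DC22-4350-87D6-0C86E93F7F08}'
        'Classes\ClickPotatoLiteAX.Info'
        'Classes\ClickPotatoLiteAX.Info.1'
        'Classes\ClickPotatoLiteAX.UserProfiles'
        'Classes\ClickPotatoLiteAX.UserProfiles.1'
        'Microsoft\Internet Explorer\Extensions\{B58926D6-CFB0-45d2-9C28-4B5A0F0368AE}'
    )
    # Assumption: on 64-bit Windows a 32-bit installer is redirected to
    # WOW6432Node, so both registry views are checked.
    foreach ($view in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node') {
        foreach ($k in $subkeys) {
            if (Test-Path -LiteralPath "$view\$k") {
                $hits += [pscustomobject]@{ Type = 'RegistryKey'; Item = "$view\$k" }
            }
        }
        # Autostart value "ClickPotatoLiteSA" under the Run key
        $run = "$view\Microsoft\Windows\CurrentVersion\Run"
        $p = Get-ItemProperty -LiteralPath $run -Name 'ClickPotatoLiteSA' -ErrorAction SilentlyContinue
        if ($p) { $hits += [pscustomobject]@{ Type = 'RunValue'; Item = "$run : $($p.ClickPotatoLiteSA)" } }
    }
    # Release directory is 10.0.<three digits>.0; match the pattern, not one version.
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ } | Select-Object -Unique
    foreach ($pf in $roots) {
        $bin = Join-Path $pf 'ClickPotatoLite\bin'
        if (-not (Test-Path -LiteralPath $bin)) { continue }
        $dirs = Get-ChildItem -LiteralPath $bin -Directory | Where-Object { $_.Name -match '^10\.0\.\d{3}\.0$' }
        foreach ($d in $dirs) {
            $hits += [pscustomobject]@{ Type = 'InstallDir'; Item = $d.FullName }
            foreach ($f in (Get-ChildItem -LiteralPath $d.FullName -Recurse -File)) {
                $hits += [pscustomobject]@{ Type = 'File'; Item = $f.FullName }
            }
        }
    }
    # Data directory and current user's Start Menu folder
    $extra = @("$env:ProgramData\ClickPotatoLiteSA", (Join-Path ([Environment]::GetFolderPath('StartMenu')) 'ClickPotato'))
    foreach ($e in $extra) { if (Test-Path -LiteralPath $e) { $hits += [pscustomobject]@{ Type = 'Directory'; Item = $e } } }
    $hits
}
Find-ClickPotatoArtifact | Format-Table -AutoSize
```

An empty result means none of the listed keys, values or directories were found for the current user and machine; run it elevated so the HKLM views are fully readable.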
Program behavior
Creates shortcuts
Once installed, Adware:Win32/ClickPotato can be seen as a shortcut on an Internet Explorer toolbar, as seen in the image below:
The adware's presence can also be seen in the 'Manage Add-ons' window, as seen in the image below:
Adware:Win32/ClickPotato may also display an icon on a user's desktop, as seen in the image below:
Bundles with other programs
Adware:Win32/ClickPotato may be distributed bundled with known free download software such as:
- FLVBlaster
- VLC
- Xvid
- Easy Video
- OpenOffice
- Lime Wire
- eMule
- ARES 2010 Version
- Audacity
- 7zip
The installer may also include other adware programs such as Adware:Win32/HotBar, Adware:Win32/ShopperReport and BrowserModifier:Win32/Zwangi.
Displays in multiple browsers
In the wild, we have observed Win32/ClickPotato running in the following browsers:
- Internet Explorer 6
- Internet Explorer 7
- Internet Explorer 8
- Firefox 3.6
- Firefox 4.0
Analysis by Michael Johnson & Methusela Ferrer