Gizmo's Freeware Reviews

Gizmo's Freeware Forum > Debating Chamber > Security
#1   11. Sep 2010, 01:58 PM
KMPlayer, new version, comes with CoolGram ad-ware

Some readers of the "Best Free Media Player" review page here posted some concern or worry about the new KMPlayer coming with CoolGram, and I found this out a little before reading their posts, which caused me to check this review page here.

Ad-supported:

The new version is new KMPlayer 2.9.4.1437 and I downloaded it from Softpedia using its mirror link, and Softpedia says that the player is "ad-supported". That part now clearly is CoolGram, which Softpedia staff would've certainly verified. But I still wanted to do some additional verification and then post a description of what I found, which is that KMPlayer with the CoolGram application adware seems safe and that if a person wants to get rid of CoolGram while installing and keeping the new KMPlayer, then it looks like this should be a very simple job.

Threatfire (TF):

During the installation, TF launched a red- or burgundy-colored alert, warning that C:\Program Files\OSTEC\CoolgramS.exe was suddenly installed and that it is or contains a trojan that's aka Trojan.Win32.SuspectCRC. (I had never seen an alert of this color from TF before, and have been using it for years, albeit only started using it at security level 4 and 5 this year.)
TF reported that it quarantined this program, but there's nothing listed in TF's quarantine, nothing in any of its reports (Allowed, Denied and Protection Log), and I can still see the file in the OSTEC subfolder. I can't upload the visible coolgrams.exe file to Virustotal (VT), and while the Properties for the file are a little accessible, Properties only provides the General tab. But Avira and MBAM could scan the file.
I ran scans with fully updated Avira Antivir 9 and MBAM on CoolgramS.exe. Avira produced a warning, but nothing specific for names, and there's nothing about this warning in Avira's report or log. MBAM reported a clean file.

System Explorer (SE) and Virustotal.com (VT):

Using the Check MD5 button (for a VT scan) in the SE page, below, VT lists two alerts for CoolgramS.exe version "2, 0, 0, 10", which has the size of 107728. I can't get the version of this file, but the size is the same, 107,728 bytes. The two alerts are from Dr. Web, for Trojan.DownLoad2.15110, and eSafe, for "Virus in password protected archive". All other 38 or so AVs didn't report finding any problems with the file.
I don't know eSafe, but doubt that it's the sole AV or anti-malware that can scan inside of password-protected archives. If any antimalware apps can do that, then eSafe surely isn't the sole one among the 40 or so scanners used by VT.
http://www.systemexplorer.net/filein...grams.exe.html

VT says that the program, so the CoolGram application, is from OSTEC Corporation and copyrighted from 2005.

Threat Expert (TE):

The information from TE seems to indicate that coolgrams.exe is safe or most likely safe. TE reports that Ikarus reported Trojan.Win32.SuspectCRC, but also concludes with the severity level being very low, barely anything at all, for "What's been found", which solely is "Downloads/requests other files from Internet".

http://www.threatexpert.com/report.a...8ad5a107431690

TE lists the four executable files and two shortcuts that are installed, as well as the registry changes for CoolGram, and all of these changes are simple, little, very clean and straightforward; enough that it should be easy, very simple to remove the disk and Windows registry changes for Coolgram.

What Coolgram is:

lockergnome.com (in a download page there) says that OSTEC Corporation is the publisher of "Global Strategic Carrier System Coolgram-CoolWeb", so that tells us what Coolgram is. PC Magazine (see a little further below) also says this.

OSTEC Corp. website:
After considerable searching just to find the website of OSTEC Corp., it turns out that the domain name does not have "ostec" in it, contrary to what I was expecting. Maybe it's to avoid potential confusion with ostec-inc.co.jp, which the results of my search returned a link for.
There's a listing for "Ostec Corp." at southkoreapages.com and that page says that the company's website is coolgram.com and that the CEO is "Andrew Kim. Sun-jae".

PC Mag.:

The page for "Global Strategic Carrier System Coolgram-CoolWeb" at shareware.pcmag.com also says that OSTEC's website is coolgram.com. I'll quote a little from the Quick Facts page for this shareware.

Quote:
Description by publisher

Coolgram?-CoolWeb is Global Contents Carrier System for worldwide visited customers at Homepages.
We service to Trial Drive for clients. More info : ....coolgram.com

PC Pit Stop:

PC Pit Stop has a page for coolgram.exe, one of the four executables installed for the application, and doesn't say anything about AV alerts, or warnings, but gives some runtime information.

http://www.pcpitstop.com/libraries/p...lGram.exe.html

Quote:
coolgram.exe (CoolGram.exe)
Prevalence

Percentage of recently scanned PC's with this process running: 0.00%
Average CPU use for this program: 0%
Average RAM for this program: 3 MB

Actually, maybe a little more of what PC Pit Stop says should be noted.

Quote:
PC Pitstop Analysis

CoolGram.exe -

coolgram.exe is returning insufficient information about this program.
Stealth?

Easy to remove:

It should be easy to remove CoolGram if a person wants to do this.

New version - KMPLayer.com vs Softpedia:

I didn't find a download for the new version in the kmplayer.com home or download page the other day, having checked there before doing the download from Softpedia's mirror for kmplayer in order to check for the release date, as opposed to the upload date at Softpedia (usually not the same). But this also happened with the prior version, for which a link could be found at kmplayer.com, but it was in the forums.

Softpedia doesn't list the new version as either beta or alpha, so it should be stable and downloadable from kmplayer.com; but maybe they're understaffed at KMPlayer and it's easier for them to let people get the downloads for new versions from other websites for a while. Or maybe it's because they don't have sufficient servers. But whatever the reason is, the download at Softpedia is the real KMPlayer (with a little adware included).

Conclusion:

It looks like there's [possibly] nothing to worry about with the new KMPlayer, with the adware that's included; but what PC Pit Stop says about coolgram.exe not returning enough information about itself makes it sound a little too stealthy to me. It's not something I'm really familiar with, but I seem to recall having once read or heard of some softwares running very much in stealth manner and this makes me feel [uncomfortable].

However, I think that there might not be a problem if a person is running a security tool or app. that catches the install of CoolGram like Threatfire does, lets the security app. kill this install, and then removes all traces of CoolGram by using the information for changes as specified at Threat Expert. It would have to be done before running KMPlayer or anything else, other than a file manager and registry editor for removing whatever changes are made for CoolGram.

If it wasn't for the stealthiness, then I might leave CoolGram installed to support the KMPlayer team, but CoolGram's operational secrecy is spooky. The KMPlayer team should find a better, friendlier, and testably safe adware to include, I think.

And I wonder why Softpedia didn't take note of this and mention it in the download page. If nothing wrong or "unhealthy" for users happens during coolgram.exe's execution, then a download site could mention that this was verified and the program was found to do nothing unsafe.
-- mikecorbeil
#2   12. Sep 2010, 01:59 PM
UPDATE: More Coolgram files installed than Threat Expert reports

Under the subheading of "File System Modifications", Threat Expert (TE) reports that four .exe, one .dll, and two .lnk files are installed and created in the Program Files\OSTEC\CoolGram folder.

Two more files:

To make sure I fully got rid of CoolGram, I deleted the above OSTEC folders and then did a file search of the Program Files and Windows folders or directories and two more files with CoolGram in their filenames were found. One is or was, until I searched for it and destroyed it myself, a CoolGram OCX file in the Windows\system32 folder. The other file, of which I don't recall the extension, was in the Windows\Prefetch folder.

Maybe those two files weren't installed with the installation of CoolGram in the KMP download, but if they weren't, then I don't know what installed them or why they're there, and I went ahead and ran a "destroy" on them.
-- mikecorbeil
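The leftover-file search described in the post above, as an added example (not code from the thread and not anything shipped with CoolGram or KMPlayer): it builds a constructed directory tree under a temporary folder standing in for Program Files and the Windows directory, then walks it case-insensitively for any file name containing "coolgram". The Prefetch entry name is an assumption (Windows prefetch files use a .pf extension and the post does not recall the exact name), and the hash-like suffix in it is a placeholder.

```python
"""Locate leftover files by name fragment across several directory roots.

Added example, not from the thread. The directory layout is constructed
inline so the search runs offline; file contents are filler bytes.
"""
import os
import tempfile


def find_residual_files(roots, fragment):
    """Walk each root and return sorted (path, size) pairs for every file
    whose name contains `fragment`, compared case-insensitively.

    Paths are reported relative to the parent of each root, with Windows
    separators, so "Windows\\system32\\CoolGram.ocx" reads like the post.
    Symlinks are not followed, so a planted link cannot redirect the walk.
    """
    needle = fragment.lower()
    hits = []
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
            for name in filenames:
                if needle in name.lower():
                    full = os.path.join(dirpath, name)
                    rel = os.path.relpath(full, os.path.dirname(root))
                    hits.append((rel.replace(os.sep, "\\"), os.path.getsize(full)))
    return sorted(hits)


def build_fixture(base):
    """Constructed layout mirroring the post: the OSTEC\\CoolGram folder
    already emptied, two CoolGram-named stragglers under the Windows tree,
    and unrelated files that must not match."""
    layout = {
        "Program Files/OSTEC/CoolGram": {},  # folder left behind, files gone
        "Program Files/KMPlayer": {"KMPlayer.exe": b"\x00" * 30},
        "Windows/system32": {"CoolGram.ocx": b"\x00" * 40, "kernel32.dll": b"\x00" * 10},
        # assumed name: prefetch files are <EXE>-<hash>.pf; the hash is a placeholder
        "Windows/Prefetch": {"COOLGRAM.EXE-1A2B3C4D.pf": b"\x00" * 20},
    }
    for folder, files in layout.items():
        path = os.path.join(base, *folder.split("/"))
        os.makedirs(path, exist_ok=True)
        for fname, data in files.items():
            with open(os.path.join(path, fname), "wb") as fh:
                fh.write(data)
    return [os.path.join(base, "Program Files"), os.path.join(base, "Windows")]


def demo():
    """Build the fixture in a temp dir and run the search over both roots."""
    with tempfile.TemporaryDirectory() as tmp:
        roots = build_fixture(tmp)
        return find_residual_files(roots, "coolgram")


if __name__ == "__main__":
    for rel, size in demo():
        print(f"{size:>8}  {rel}")
```

On a real machine you would pass the actual `C:\Program Files` and `C:\Windows` paths as `roots`; the walk reads names and sizes only and never opens or runs the files it finds.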
#3   12. Sep 2010, 02:32 PM
A second KMP install for testing, but Threatfire is stubborn, :)

Around two hours ago, I tried to do another install of the new version of KMPlayer, v2.9.4.1437, and (this time) told Threatfire (TF) to let the full CoolGram installation proceed, when it was just starting. TF "obeyed", at first, BUT the process leads to the execution of coolgrams.exe and TF absolutely will not let this continue.

It is the "Known Malware" alert of TF that is produced, as opposed to TF's "Potentially Malicious" alert, which permits users to tell TF to let a process continue.

TF does a forced killing of coolgrams.exe and a forced quarantining, leaving no option for the user to tell TF to let coolgrams.exe run. But TF doesn't only do this. TF deletes all of the CoolGram files, while leaving the Program Files\OSTEC\ folder and subfolders in place (and empty), as well as the two CoolGram-named files I wrote about in my second post, above. [AND] TF also does the same thing with the installation of KMP and deletes the downloaded KMP installer file.

Perhaps running TF at security level 3 for installing KMP along with CoolGram will have a different result, but at level 4, telling TF to let the installation of CoolGram proceed ends with the above results. Instead of setting TF at level 3, a TF user could just leave it at 4 and tell TF to kill the installation of CoolGram when TF gives the initial "Potentially Malicious" alert that is provided at the start of the installation of CoolGram. The latter approach leaves KMP installed, while all CoolGram files in Program Files\OSTEC\CoolGram are deleted or never installed, and two appear to be left in two Windows subfolders, as stated in my second post.

What coolgrams.exe does:

TF reported that coolgrams.exe, when run during the installation of CoolGram anyway, is trying to access the Internet and is manipulating or performing some operations on or with 32 Windows system files or programs.

I'd like to be able to produce the list of Windows system files involved, but am not able to get this list from a TF report, so can't provide the list here.

Threat Expert (TE):

In the TE page for coolgrams.exe linked in my first post, TE lists four files coolgrams.exe retrieves or downloads over the Internet. This list is found under the subheading of "Other Details" at the end of TE's report and the list is the following one.

Quote:
* The data identified by the following URLs was then requested from the remote web server:
o CoolUpdate.ini
o UninstCool.zip
o CoolGram.zip
o CoolGramS.zip

CoolGram can be uninstalled:

TE says that one of the CoolGram files that TE lists as installed is an uninstaller placed in the Windows directory or folder.

That's fine, but TF says that coolgrams.exe is or contains a [known] trojan. If TF only reported a potential malware, then a TF user could lower TF's security level to 3 or lower, or just disable it as a Windows start-up until after KMP and CoolGram are installed.

Questions:

Might TF be mistaken about Coolgram being a [known] trojan?

And if the CoolGram-named files in the Windows\system32 and Windows\Prefetch folders were really placed there with this installation of CoolGram, then why would Threat Expert have missed this?

Last edited by Anupam; 12. Sep 2010 at 03:34 PM. Reason: Edited out links to direct downloads
-- mikecorbeil
#4   12. Sep 2010, 03:35 PM

mike, your post contained links to direct downloads of files. We do not allow that. Please read the forum rules carefully, if you have not read them yet.

Forum Rules

-- Anupam
#5   12. Sep 2010, 04:20 PM
Sorry about the hyperlinked files, Anupam

Quote:
Originally Posted by Anupam View Post
mike, your post contained links to direct downloads of files. We do not allow that. Please read the forum rules carefully, if you have not read them yet.

Forum Rules

You are not speaking of the System Explorer and PC Pit Stop coolgrams.exe.html pages, are you?

I think you're not and that, instead, I must not have noticed that the CoolUpdate.ini and the three CoolGram .ZIP files were linked. When previewing my immediately above post, I happened to notice that the CoolUpdate.ini and other URLs were hyperlinked, so I removed the code that was causing this, as well as the "http://" part. I hadn't noticed this when making the earlier post. Otherwise, I would've definitely made sure that the URLs were not going to be hyperlinked.

Last edited by Anupam; 12. Sep 2010 at 04:29 PM. Reason: Removed link again
-- mikecorbeil
#6   12. Sep 2010, 04:31 PM

Why did you make the duplicate post again? Please do not make duplicate posts. I have removed the duplicate post.

Also, even without the hyperlink, we won't allow links to direct download of files, because they are still links, unless they are obfuscated appropriately. Please stick to the forum rules.
-- Anupam
#7   12. Sep 2010, 07:32 PM
Re. the four CoolGram files Threat Expert says are retrieved from over the Internet

Again, Threat Expert's report says the following.

Quote:
* The data identified by the following URLs was then requested from the remote web server:
o CoolUpdate.ini
o UninstCool.zip
o CoolGram.zip
o CoolGramS.zip

I downloaded each of those files in order to upload each of them to Virustotal and to verify what the files contain.

The .ini file contains the following.

    [VER]
    CoolGram.exe=2.1.0.8
    CoolGramS.exe=2.0.0.10
    UninstCool.exe=2.0.0.10
    CoolGram_kor.dll=2.0.0.11
    CoolGram_jpn.dll=2.0.0.11
    CoolHelp.exe=1.0.0.1
    OnFlashCon.dll=1.0.0.1

The other three files that are retrieved over the Internet for the installation of CoolGram each contain a single file.

CoolGram.zip contains CoolGram.exe.

CoolGramS.zip contains CoolgramS.exe.

UninstCool.zip contains UninstCool.exe.

This strikes me as very strange and suspect, especially for adware, with the user of KMPlayer not being told about what CoolGram does when it's being installed. KMP does not even tell downloaders the name of the adware.

The four files are all very small and the adware could be fully included in the CoolGram installer or install launcher in the KMPlayer download, imo. Doing that would not increase the size of the KMP download by even a quarter of 1MB.

I'm not an expert in this regard, but doing it the way CoolGram does it makes it simple for mal-things to be done without the user knowing it until it's too late, unless the user is running security software that catches what the installation of CoolGram does.

We're told that all other applications should be closed or terminated for the installation of KMP and most other softwares, but I rarely disable Avira Antivir 9's Guard and Threatfire, while usually also leaving WinPatrol in run-mode. But only Threatfire caught this CoolGram activity with coolgrams.exe, with Threatfire running at security level 4. I wonder if level 3 would have also caught this.

Virustotal results for each of the above .zip files:

CoolGram.zip generates one alert and it's from Symantec, which says it identified WS.Reputation.1.
So I checked Threat Expert for coolgram.exe and the report is the same one I already posted about for coolgrams.exe.

CoolGramS.zip generates four alerts.
AVG - SHeur2.AYJT
Ikarus - Trojan.Win32.SuspectCRC
Panda - Suspicious file
Symantec - WS.Reputation.1

UninstCool.zip generates three alerts.
Authentium - W32/SelfStarterInternetTrojan!Maximus
F-Prot - W32/SelfStarterInternetTrojan!Maximus
Symantec - Reser.Reputation.1

Closing:

While Threat Expert of PC Tools says that the severity level is not nil or none, its report says that the level is very low, apparently as low as it can be before becoming nil. But, as stated in one of my earlier posts, I found two coolgram-named files under the Windows system directory, one in the system32 subfolder and the other in the prefetch subfolder, and Threat Expert evidently missed these two files. Threat Expert reports that UninstCool.exe is placed directly in the Windows system folder, but makes no mention of the other two files, which I definitely believe were placed there by CoolGram.

Threat Expert or PC Tools is evidently not as reliable as they could be. I tried to notify them of this at 10:16 this morning, but didn't have a registered account with PC Tools. The online way of contacting them kept failing, because I supposedly didn't write in the "proper format", whatever that's supposed to be. There are no tips provided for what the proper format is. So I used the email link in the contact page to send the notice via e-mail, but this got bounced back because of being an unknown party. I then created a user account, activated it, and then tried sending the e-mail again. It was sent at 10:36 this morning and I haven't gotten a bounce-back rejection yet, so I guess they'll be getting the message.

I'm done with this for now, needing to take a break from this, but will try to notify KMP later on today or this evening, telling them that CoolGram is evidently not a good idea for adware and providing a link to this forum thread so that they can read the findings here, instead of repeating them. I didn't only do this today, for I also spent considerable time reading a forum or thread here about speeding up Firefox start-up and loading of web pages; but it's time to take a break from all of this stuff.

Last edited by Anupam; 12. Sep 2010 at 07:37 PM. Reason: Removed links to direct files... AGAIN!!
-- mikecorbeil
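The post above quotes the CoolUpdate.ini version manifest and then checks by hand what each of the three zip downloads contains. As an added example (not code from the thread, and nothing to do with CoolGram's or OSTEC's own software), here is the same cross-check done offline in Python: parse the manifest, list every archive entry with its size and SHA-256 (the hash is what you would look up at Virustotal instead of uploading the file), and flag what a reviewer cares about: executables actually delivered, entries the manifest never declared, declared components that never arrived, and anything with a PE "MZ" header hiding behind a harmless suffix. The manifest text is the one quoted in the post; the three archives are constructed stand-ins built in memory with placeholder bytes, so nothing is downloaded or run, and the flagging rules are my own.

```python
"""Offline triage of a staged download: version manifest plus zip payloads.

Added example, not from the thread. Archives are constructed in memory with
an 'MZ' header and filler bytes standing in for the real executables.
"""
import configparser
import hashlib
import io
import zipfile

# Manifest exactly as quoted in the post.
MANIFEST_TEXT = """[VER]
CoolGram.exe=2.1.0.8
CoolGramS.exe=2.0.0.10
UninstCool.exe=2.0.0.10
CoolGram_kor.dll=2.0.0.11
CoolGram_jpn.dll=2.0.0.11
CoolHelp.exe=1.0.0.1
OnFlashCon.dll=1.0.0.1
"""

PE_SUFFIXES = (".exe", ".dll", ".ocx", ".scr", ".sys")


def parse_manifest(text):
    """Return {filename: version} from the [VER] section, preserving key case."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep 'CoolGram.exe' rather than 'coolgram.exe'
    parser.read_string(text)
    return dict(parser["VER"])


def build_zip(entries):
    """Constructed archive from {name: bytes}; stands in for a downloaded zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def inspect_payload(zip_bytes):
    """Describe every entry of an archive without writing anything to disk."""
    report = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            report.append({
                "name": info.filename,
                "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),  # hash-only lookup
                "pe_suffix": info.filename.lower().endswith(PE_SUFFIXES),
                "mz_header": data[:2] == b"MZ",  # DOS/PE stub magic
            })
    return report


def triage(manifest_text, payloads):
    """Cross-check delivered archives ({archive: zip bytes}) against the manifest.

    Names are compared case-insensitively because the archive entry is
    'CoolgramS.exe' while the manifest lists 'CoolGramS.exe'.
    """
    declared = parse_manifest(manifest_text)
    delivered = {}
    for archive, blob in payloads.items():
        for entry in inspect_payload(blob):
            delivered[entry["name"]] = dict(entry, archive=archive)
    declared_lc = {n.lower() for n in declared}
    delivered_lc = {n.lower() for n in delivered}
    return {
        "declared": declared,
        "delivered": delivered,
        "executables_delivered": sorted(n for n, e in delivered.items() if e["pe_suffix"]),
        "undeclared_in_manifest": sorted(n for n in delivered if n.lower() not in declared_lc),
        "declared_not_delivered": sorted(n for n in declared if n.lower() not in delivered_lc),
        # an 'MZ' body behind a non-executable suffix deserves a second look
        "disguised_executables": sorted(
            n for n, e in delivered.items() if e["mz_header"] and not e["pe_suffix"]),
    }


# Constructed stand-ins for the three archives named in the post.
FAKE_PE = b"MZ" + b"\x00" * 62
SAMPLE_PAYLOADS = {
    "CoolGram.zip": build_zip({"CoolGram.exe": FAKE_PE}),
    "CoolGramS.zip": build_zip({"CoolgramS.exe": FAKE_PE}),
    "UninstCool.zip": build_zip({"UninstCool.exe": FAKE_PE}),
}

if __name__ == "__main__":
    result = triage(MANIFEST_TEXT, SAMPLE_PAYLOADS)
    for key in ("executables_delivered", "undeclared_in_manifest",
                "declared_not_delivered", "disguised_executables"):
        print(f"{key}: {result[key]}")
```

With real downloads you would read each zip's bytes from disk into `payloads` and keep the entries inside `inspect_payload`, which only reads them into memory; the `declared_not_delivered` list is expected to be non-empty here, since the manifest names seven components while the three archives carry one executable each.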
#8   12. Sep 2010, 08:47 PM

Thanks for taking the time Mike.
-- settingsuns
#9   12. Sep 2010, 09:02 PM
You're welcome

Quote:
Originally Posted by settingsuns View Post
Thanks for taking the time Mike.

It's not my pleasure to do all of this searching, et cetera, but with Threatfire giving me a [known] malware alert and forcibly killing and quarantining CoolGram, as already explained in the first or a subsequent post, I had to invest this time to verify this CoolGram uncoolness. And it's become only more definitively clear to me that relying on only one source is not always going to be reliable, as seen with the various results presented in my posts.

It led me to finding out that while Threat Expert of PC Tools is good, it is not thorough; not in this case anyway.

Hmmm, speaking of that, it just came to mind that I hadn't checked Threat Expert about UninstCool.exe, so I just did and, like for coolgram.exe, we get the same report as for coolgrams.exe; but the malware alerts vary in number for all three of these programs at Virustotal.com, as previously explained, and Threat Expert is short a few alerts.

Threat Expert and, therefore, PC Tools is definitely not thorough, but at least Threatfire from PC Tools served its purpose for coolgrams.exe. If it hadn't been for that, then CoolGram would have been fully installed on my system and then maybe bad things or problems would have happened. With Threatfire's action, CoolGram's lifespan on my system was terminated before this adware could do whatever it does to the system.

Based on what I saw with my searches, a lot of people report problems due to CoolGram.
-- mikecorbeil
#10   12. Sep 2010, 09:07 PM

Quote:
Originally Posted by Anupam View Post
Why did you make the duplicate post again? Please do not make duplicate posts. I have removed the duplicate post.

Also, even without the hyperlink, we won't allow links to direct download of files, because they are still links, unless they are obfuscated appropriately. Please stick to the forum rules.

I will check your forum rules, but figured that as long as the URLs are not hyperlinked, then it should not be a problem. I will learn to [conform] about URLs.

As for a duplicate post, I did not realize that I made one and never intended to do so. So I apologize for this, as well as the URLs.

Actually, I do not see any duplicate post. And I just checked for the forum rules, starting from the home page of the forums, and did not find them. The FAQ seemed to be the place to look, since I saw no links for Forum Rules, but the FAQ does not appear to mention anything of the nature that you are talking about.

Last edited by mikecorbeil; 12. Sep 2010 at 09:13 PM.
-- mikecorbeil