DownloadPlus

· Overview ·
· Origins ·
· Distribution ·
· Operation ·
· Risks ·
· Detection and Removal ·
· Research ·

Overview
Summary:	Adware.DownloadPlus is an adware program that connects to a predetermined site and displays pop-ups advertisements.
Vendor Notes:	DownloadPlus is a process run at Windows startup which opens pop-up adverts (many of them porn-related) and, for some reason, weather reports.
Alias:	Adware.DownloadPlus, TrojanDownloader.Win32.Lalus
Category:	Adware: Software that displays popup/popunder ads when the primary user interface is not visible or which do not appear to be assocaited with the product. Downloader: A program designed to retrieve and install additional files, when run. Most will be configured to retrieve from a designated web or FTP site.
Variants:	DownloadPlus/MCInst
Similar Pests:	Adware · Downloader
Origins
Group:	Porn Kings
By This Group:	DownloadPlus 1.0.6 ·
Date of Origin:	Variants from May, 2003 to May, 2003
Distribution
Distribution:	Installed by ActiveX drive-by download in pop-up ads (via DownloadPlus/MCInst). Also loaded by the ISTbar/AUpdate parasite. In this case there is no ActiveX installer control, and the script at this site will be unable to detect DownloadPlus.
Prevalence:	DownloadPlus: 1.7% More Info
Clot Factor:	DownloadPlus: 1 The "Clot Factor" is a measure of how much a pest "gums up" a machine by adding registry entries, files, and directories. As more objects are placed in a machine, manual removal becomes more difficult and more error-prone.
Growth:	DownloadPlus: Insufficient data to report growth
Operation
Platform:	Windows 2000, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Advertising:	Yes. Downloads an untargeted list of adverts to show from its controlling server tnc4u.com, and opens them periodically as pop-unders.
Storage Required:	DownloadPlus: at least 325 KB
Risks
Security Issues:	Yes. Can silently download and execute arbitrary unsigned code from its controlling server, as a self-updating feature.
Detection and Removal
Automatic Removal:	PestPatrol detects this. PestPatrol removes this.
Manual Removal:	Browse to the startup folder. This is done by clicking Start -> (All) Programs -> Startup. Right-click 'Download Plus' and choose delete. Restart your computer. Start Windows Explorer and delete: %AppData%\DownloadPlus.exe Note: %AppData% is a variable (?). By default, this is 'C:\WINDOWS\Profiles\%UserName%\Application Data\' or 'C:\WINDOWS\Application Data\' (Windows 95/98/Me) or 'C:\Documents and Settings\%UserName%\Application Data\' (Windows NT/2000/XP). Note: %UserName% is a variable (?). This is set to your username.
	Stop Running Processes: Kill these running processes with Task Manager: installer.exe invictus_04262003.exe profilepath+\application data\downloadplus.exe profilepath+\local settings\temp\msgcenter_lminv1.exe profilepath+\local settings\temporary internet files\content.ie5\8blz6av5\msgcenter_lminv1[1].exe systemroot+\msgcenter_lminv1.exe updatemedia.exe
	Unregister DLLs: Unregister these DLLs with Regsvr32, then reboot: medup012.dll medup020.dll
	Clean Registry: Remove these registry items (if present) with RegEdit: HKEY_CURRENT_USER\software\0x7a69
	Remove Files: Remove these files (if present) with Windows Explorer: inctrl.log install.log installer.exe invictus_04262003.exe medup012.dll medup020.dll muconf.xml profilepath+\application data\downloadplus.exe profilepath+\local settings\temp\msgcenter_lminv1.exe profilepath+\local settings\temporary internet files\content.ie5\8blz6av5\msgcenter_lminv1[1].exe startupfolder+\download plus.lnk systemroot+\msgcenter_lminv1.exe updatemedia.exe
Research
File Analyses:	DownloadPlus: inctrl.log · install.log · installer.exe · invictus_04262003.exe · medup012.dll · medup020.dll · muconf.xml · updatemedia.exe
More Info:	AllTheWeb, AltaVista, AOL Search, Ask Jeeves, Google, HotBot, Lycos, LookSmart, MSN, Yahoo!
Research By:	Benjamin Googins PestPatrol's Pest Research Center
Last Revised:	April 02, 2005