Advertising Spyware: CyDoor CD_Load.exe and CD_Clint.dll




CD_Clint.dll: At-A-Glance
(see also: CD_Load.exe)
Nature of application: Adware/Spyware
  • See in-depth notes below
Type of application: DLL
Calls home to:
  • www.rgs1.net (HTTP/80)
  • www.rgs2.net (HTTP/80)
  • www.cms1.net (HTTP/80)
  • www.cms2.net (HTTP/80)
  • www.bns1.net (HTTP/80)
  • www.bns2.net (HTTP/80)
Placed on system by:
  • Free Software (KaZaA, iMesh, etc.)
  • Paid-for Software
Disclosure:
  • Handled by Cydoor installer (latest version)
  • Handled by the host application, leading to a potential finger-pointing loop (previous versions)
Installs to:
  • C:\WINDOWS\SYSTEM\CD_CLINT.DLL
  • C:\WINDOWS\SYSTEM\CD_GIF.DLL
  • C:\WINDOWS\SYSTEM\CD_HTM.DLL
  • C:\WINDOWS\SYSTEM\CD_HTML.DLL
  • C:\WINDOWS\SYSTEM\CD_SWF.DLL
Loads via: Other Program
  • Programs using Cydoor load the DLL at run-time and import functions from it.
Stealth Features:
  • All files (including ad cache) buried in System dir.
Hostile Features: N/A
Insecure Features:
  • Downloads executable code
Privacy:
  • Transmits email address (if supplied) to Cydoor only.
  • Transmits user-supplied demographic information (if supplied) to Cydoor. Shared with others in aggregate.
  • Transmits advertising metrics (ad displays, clicks, etc.)
  • Uses cookies
  • Uses GUID to track users across sessions*
* Depending on version. The current version no longer includes a GUID.

In-Depth Info

Cydoor's CD_CLINT.DLL is a library used by Cydoor-sponsored applications:

In our test installation (version 3.2), Cydoor was clearly disclosed during the installation, before it was actually installed. Upon starting, it connects to rgs1.net [log], presumably to get a list of other ad servers (listed above). The DLL logs into one or more of these servers to exchange data [log]. Ads are then downloaded from these servers and stored in C:\Windows\System\adcache\ for display by the host application(s).

In our test installation, Cydoor's CD_CLINT.DLL downloaded executable code to the test system [log]. While the code (a Visual C++ library, ATL.DLL) was not malicious, the program's ability to silently load executable code presents a potential security vulnerability to the user.
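The call-home and code-download behaviour described above can be spotted in web proxy logs. The following is an added example, not part of the original analysis: it matches requests against the hosts listed in the At-A-Glance section and separates ordinary ad traffic from executable downloads. The log format, URL paths, client addresses and extension list are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Call-home hosts listed in the At-A-Glance section of this page.
CYDOOR_HOSTS = {
    "www.rgs1.net", "www.rgs2.net", "www.cms1.net",
    "www.cms2.net", "www.bns1.net", "www.bns2.net",
}
# Extensions treated as executable content (an assumption for this example).
EXECUTABLE_EXTS = (".dll", ".exe", ".ocx", ".cab")

# Constructed sample lines in the form "<client-ip> <method> <url>".
# Paths are placeholders; this is not captured traffic.
SAMPLE_LOG = """\
10.0.0.5 GET http://www.rgs1.net/placeholder/servers
10.0.0.5 GET http://www.cms1.net/placeholder/banner.gif
10.0.0.5 GET http://WWW.BNS2.NET:80/placeholder/ATL.DLL
10.0.0.7 GET http://example.org/tools/setup.exe
10.0.0.7 malformed-line
"""

def triage(log_text):
    """Return (client, host, path, severity) for each request to a Cydoor host."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip lines that do not fit the assumed format
        client, _method, url = parts
        split = urlsplit(url)
        # .hostname is already lower-cased and has the port stripped.
        host = (split.hostname or "").rstrip(".")
        if host not in CYDOOR_HOSTS:
            continue
        is_exe = split.path.lower().endswith(EXECUTABLE_EXTS)
        severity = "executable-download" if is_exe else "ad-traffic"
        findings.append((client, host, split.path, severity))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding)
```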

The current version appears to respect the user's privacy and informed consent. Therefore, we consider this version most accurately categorized as "Adware". Older versions could more accurately be considered "Spyware".
 

Other Versions
Cydoor has cleaned up its act considerably since previous versions of its software. Previous versions left it up to the host application's vendor to disclose (or not) that Cydoor ad components were being installed, leading to a finger-pointing loop in cases where the software was not disclosed. Additionally, previous versions used a GUID to track individual users across multiple sessions. This has been removed from the current version, as verified by our tests and information on the Cydoor website. Cydoor's components now come with an uninstall feature that was not present in earlier versions.

If you have older Cydoor components installed, we recommend you either remove the software or (if you use software which requires Cydoor) download the Cydoor file update.

Earlier versions of Cydoor CD_LOAD were similar to the TSADBOT ad-trojan. It is a separate, always-loading component that digs itself into your Windows Registry (so as to load always on start-up) and refuses to uninstall. It connects to the Internet and downloads ads, transferring data (including a GUID unique to your computer) whether the associated app is running or not. As with TSADBOT, running the installer immediately infects you with the CyDoor trojan, even if the associated application is never installed (you cancel the installation, don't install the software, and/or reject the license agreement). Privacy Power explains:

"If installation of software embedded with Cydoor is terminated by not agreeing with the EULA, Cydoor software may install itself without the software host. This has been personally noted during a rejected installation of MP3 Tag Studio (version 1.6.1) by Magnus Brading Software. If host software containing Cydoor has been fully installed and then uninstalled, the Cydoor component will not be uninstalled."
Imesh, the popular file-sharing client, installs Cydoor spyware. (Guest)

Technical Info
CD_CLINT.DLL exports five functions:

(Actually, it exports many more, but you're not supposed to know about them.) ServiceShow and ServiceClose return 1 if the operation was successful, and 0 if not. Programs are supposed to refuse operation if the call returns 0.
 

Removal Procedure:
(Also courtesy of Privacy Power)

1. Delete the following files (usually found in C:\WINDOWS\SYSTEM\):

CD_CLINT.DLL
CD_GIF.DLL
CD_HTM.DLL
CD_SWF.DLL
CD_LOAD.EXE


2. Delete the ADCACHE folder and its contents (usually found under C:\WINDOWS\SYSTEM\).

3. Remove Cydoor and Cydoor Services from the Windows Registry. The following Cydoor keys were added in my Windows 98 Registry and are shown for reference only:

HKEY_CURRENT_USER\Software\Cydoor\
HKEY_CURRENT_USER\Software\Cydoor Services\
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ Cydoor=CD_Load.exe
Note: See the Adware Neutering section.
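To confirm the removal steps above actually took effect, the check below looks for leftover files and registry entries. It is an added example, not from this page or from Privacy Power. It assumes the System directory is readable (for instance from a mounted disk image) and that the registry has been exported to REGEDIT4-style text; the sample export is constructed.

```python
import os

# File and folder names from the removal procedure and At-A-Glance section
# (CD_HTML.DLL appears only in the At-A-Glance install list).
CYDOOR_FILES = {"cd_clint.dll", "cd_gif.dll", "cd_htm.dll", "cd_html.dll",
                "cd_swf.dll", "cd_load.exe"}
CYDOOR_DIRS = {"adcache"}
CYDOOR_KEYS = ("hkey_current_user\\software\\cydoor",
               "hkey_current_user\\software\\cydoor services")
RUN_KEY = "hkey_local_machine\\software\\microsoft\\windows\\currentversion\\run"

# Constructed registry export for illustration only.
SAMPLE_REG = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Cydoor]

[HKEY_CURRENT_USER\Software\Cydoor Services]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Cydoor"="CD_Load.exe"
'''

def leftover_files(system_dir):
    """Entries in system_dir matching Cydoor artifacts, compared case-insensitively."""
    found = []
    for entry in sorted(os.listdir(system_dir)):
        full, name = os.path.join(system_dir, entry), entry.lower()
        if (name in CYDOOR_FILES and os.path.isfile(full)) or \
           (name in CYDOOR_DIRS and os.path.isdir(full)):
            found.append(entry)
    return found

def leftover_registry(reg_text):
    """Scan a text registry export for the Cydoor keys and the Run value."""
    found, section = [], ""
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower().rstrip("\\")
            if any(section == k or section.startswith(k + "\\") for k in CYDOOR_KEYS):
                found.append(line[1:-1])
        elif section == RUN_KEY and "=" in line:
            name, _, value = line.partition("=")
            if name.strip('"').lower() == "cydoor" or "cd_load.exe" in value.lower():
                found.append("Run: " + line)
    return found
```

Both functions return an empty list on a clean system, so a non-empty result after removal points at the step that was missed.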
 

Links
Privacy Power! Adware, Badware, Spyware: CyDoor - Especially applicable to the previous Cydoor version.
 
 
Version analysed:  Cydoor CD_CLINT.DLL version 3,2,0,9
Analysis by: Bill Webb, on SPYBOX (Windows 95 OSR2)

 




 

"All trademarks are hereby acknowledged as the property of their respective owners." So don't even THINK about suing me :)