Lamourlady
October 1st, 2002, 05:53 PM
is this not a form of spyware/adware?
application Adware/Spyware
See in-depth notes below
Type of application DLL
Calls home to: www.rgs1.net (HTTP/80)
www.rgs2.net (HTTP/80)
www.cms1.net (HTTP/80)
www.cms2.net (HTTP/80)
www.bns1.net (HTTP/80)
www.bns2.net (HTTP/80)
Placed on system by: Free Software (KaZaA, iMesh, etc.)
Paid-for Software
Disclosure Handled by Cydoor installer (latest version)
Handled by the host application: leading to a potential finger-pointing loop. (previous versions)
Installs to: C:\WINDOWS\SYSTEM\CD_CLINT.DLL
C:\WINDOWS\SYSTEM\CD_GIF.DLL
C:\WINDOWS\SYSTEM\CD_HTM.DLL
C:\WINDOWS\SYSTEM\CD_HTML.DLL
C:\WINDOWS\SYSTEM\CD_SWF.DLL
Loads via: Other Program
Programs using Cydoor load the DLL at run-time and import functions from it.
Stealth Features All files (including ad cache) buried in System dir.
Hostile Features N/A
Insecure Features Downloads executable code
Privacy Transmits email address (if supplied) to Cydoor only.
Transmits user-supplied demographic information (if supplied) to Cydoor. Shared with others in aggregate.
Transmits advertising metrics (ad displays, clicks, etc.)
Uses cookies
Uses GUID to track users across sessions*
* Depending on version. The current version no longer includes a GUID.
In-Depth Info
Cydoor's CD_CLINT.DLL is a libarary used by Cydoor-sponsored applications:
If the application is intended to be used online (e.g. file sharing client, WWW browser), only CD_CLINT is needed/installed.
If the application is for offline use (e.g. mp3 player, graphic editor), CD_LOAD.EXE is run in the background at all times. It downloads ads whenever a connection is available, for offline use.
In our test installation (version 3.2), Cydoor was clearly disclosed during the installation, before it was actually installed. Upon starting, it connects to rgs1.net [log], presumably to get a list of other ad servers (listed above). The DLL logs into one or more of these servers to exchange data [log]. Ads are then downloaded from these servers and stored in C:\Windows\System\adcache\ for display by the host application(s).
In our test installation, Cydoor's CD_CLINT.DLL downloaded executable code to the test system [log]. While the code (a Visual C++ library, ATL.DLL) was not malicious, the program's ability to silently load executable code presents a potential security vulnerability to the user.
The current version appears to respect the user's privacy and informed consent. Therefore, we consider this version most accurately categorized as "Adware". Older versions could more accurately be considered "Spyware".
Other Versions
Cydoor has cleaned up its act considerably since previous versions of its software. Previous versions left it up to the host application's vendor to disclose (or not) that Cydoor ad components were being installed, leading to a finger-pointing loop in cases where the software was not disclosed. Additionally, previous versions used a GUID to track individual users across multiple sessions. This has been removed from the current version, as verified by our tests and information on the Cydoor website. Cydoor's components now come with an uninstall feature that was not present in earlier versions.
If you have older Cydoor components installed, we recommend you either remove the software or (if you use software which requires Cydoor) download the Cydoor file update.
Earlier versions of Cydoor CD_LOAD were similar to the TSADBOT ad-trojan. It is a seperate, always-loading component that digs itself into your Windows Registry (so as to load always on start-up) and refuses to uninstall. It connects to the Internet and downloads ads, transferring data (including a GUID unique to your computer) whether the associated app is running or not. As with TSADBOT, running the installer immediately infects you with the CyDoor trojan, even if the associated application is never installed (you cancel the installation, don't install the software, and/or reject the license agreement). Privacy Power explains:
"If installation of software embedded with Cydoor is terminated by not agreeing with the EULA, Cydoor software may install itself without the software host. This has been personally noted during a rejected installation of MP3 Tag Studio (version 1.6.1) by Magnus Brading Software. If host software containing Cydoor has been fully installed and then uninstalled, the Cydoor component will not be uninstalled."
Imesh, the popular file-sharing client, installs Cydoor spyware. (Guest)
Technical Info
CD_CLINT.DLL exports five functions:
int ServiceShow - places the banner window on the program
int ServiceClose - closes the banner window
void ChannelWrite - used in 2-way communication
void ChannelRead - used in 2-way communication
void DescWrite - sends back information about the user
(Actually, it exports many more, but you're not supposed to know about them.) ServiceShow and ServiceClose return 1 if the operation was successful, and 0 if not. Programs are supposed to refuse operation if the call returns 0.
Removal Procedure:
(Also courtesy of Privacy Power)
1.Delete the following files (usually found in C:\WINDOWS\SYSTEM\):
CD_CLINT.DLL
CD_GIF.DLL
CD_HTM.DLL
CD_SWF.DLL
CD_LOAD.EXE
2.Delete the ADCACHE folder and its contents (usually found under C:\WINDOWS\SYSTEM\).
3.Remove Cydoor and Cydoor Services from the Windows Registry. The following Cydoor keys were added in my Windows 98 Registry and are shown for reference only:
HKEY_CURRENT_USER\Software\Cydoor\
HKEY_CURRENT_USER\Software\Cydoor Services\
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Run\ Cydoor=CD_Load.exe
doesn't sound harmful, but i still don't like unwanted stuff on my computer. and i don't like the idea of not being able to use my fav program, unless i accept the adware/spyware.
that just sucks.
it seems to state that it was fully disclosed before installing.
hmmmmmmm.
but if u uninstall the software it comes on, well that doesn't mean that the cydoor is uninstalled......seems to stay on your computer.
just for kicks..........anyone ever had it disclosed to them?
and do u think it's good business?
application Adware/Spyware
See in-depth notes below
Type of application DLL
Calls home to: www.rgs1.net (HTTP/80)
www.rgs2.net (HTTP/80)
www.cms1.net (HTTP/80)
www.cms2.net (HTTP/80)
www.bns1.net (HTTP/80)
www.bns2.net (HTTP/80)
Placed on system by: Free Software (KaZaA, iMesh, etc.)
Paid-for Software
Disclosure Handled by Cydoor installer (latest version)
Handled by the host application: leading to a potential finger-pointing loop. (previous versions)
Installs to: C:\WINDOWS\SYSTEM\CD_CLINT.DLL
C:\WINDOWS\SYSTEM\CD_GIF.DLL
C:\WINDOWS\SYSTEM\CD_HTM.DLL
C:\WINDOWS\SYSTEM\CD_HTML.DLL
C:\WINDOWS\SYSTEM\CD_SWF.DLL
Loads via: Other Program
Programs using Cydoor load the DLL at run-time and import functions from it.
Stealth Features All files (including ad cache) buried in System dir.
Hostile Features N/A
Insecure Features Downloads executable code
Privacy Transmits email address (if supplied) to Cydoor only.
Transmits user-supplied demographic information (if supplied) to Cydoor. Shared with others in aggregate.
Transmits advertising metrics (ad displays, clicks, etc.)
Uses cookies
Uses GUID to track users across sessions*
* Depending on version. The current version no longer includes a GUID.
In-Depth Info
Cydoor's CD_CLINT.DLL is a libarary used by Cydoor-sponsored applications:
If the application is intended to be used online (e.g. file sharing client, WWW browser), only CD_CLINT is needed/installed.
If the application is for offline use (e.g. mp3 player, graphic editor), CD_LOAD.EXE is run in the background at all times. It downloads ads whenever a connection is available, for offline use.
In our test installation (version 3.2), Cydoor was clearly disclosed during the installation, before it was actually installed. Upon starting, it connects to rgs1.net [log], presumably to get a list of other ad servers (listed above). The DLL logs into one or more of these servers to exchange data [log]. Ads are then downloaded from these servers and stored in C:\Windows\System\adcache\ for display by the host application(s).
In our test installation, Cydoor's CD_CLINT.DLL downloaded executable code to the test system [log]. While the code (a Visual C++ library, ATL.DLL) was not malicious, the program's ability to silently load executable code presents a potential security vulnerability to the user.
The current version appears to respect the user's privacy and informed consent. Therefore, we consider this version most accurately categorized as "Adware". Older versions could more accurately be considered "Spyware".
Other Versions
Cydoor has cleaned up its act considerably since previous versions of its software. Previous versions left it up to the host application's vendor to disclose (or not) that Cydoor ad components were being installed, leading to a finger-pointing loop in cases where the software was not disclosed. Additionally, previous versions used a GUID to track individual users across multiple sessions. This has been removed from the current version, as verified by our tests and information on the Cydoor website. Cydoor's components now come with an uninstall feature that was not present in earlier versions.
If you have older Cydoor components installed, we recommend you either remove the software or (if you use software which requires Cydoor) download the Cydoor file update.
Earlier versions of Cydoor CD_LOAD were similar to the TSADBOT ad-trojan. It is a seperate, always-loading component that digs itself into your Windows Registry (so as to load always on start-up) and refuses to uninstall. It connects to the Internet and downloads ads, transferring data (including a GUID unique to your computer) whether the associated app is running or not. As with TSADBOT, running the installer immediately infects you with the CyDoor trojan, even if the associated application is never installed (you cancel the installation, don't install the software, and/or reject the license agreement). Privacy Power explains:
"If installation of software embedded with Cydoor is terminated by not agreeing with the EULA, Cydoor software may install itself without the software host. This has been personally noted during a rejected installation of MP3 Tag Studio (version 1.6.1) by Magnus Brading Software. If host software containing Cydoor has been fully installed and then uninstalled, the Cydoor component will not be uninstalled."
Imesh, the popular file-sharing client, installs Cydoor spyware. (Guest)
Technical Info
CD_CLINT.DLL exports five functions:
int ServiceShow - places the banner window on the program
int ServiceClose - closes the banner window
void ChannelWrite - used in 2-way communication
void ChannelRead - used in 2-way communication
void DescWrite - sends back information about the user
(Actually, it exports many more, but you're not supposed to know about them.) ServiceShow and ServiceClose return 1 if the operation was successful, and 0 if not. Programs are supposed to refuse operation if the call returns 0.
Removal Procedure:
(Also courtesy of Privacy Power)
1.Delete the following files (usually found in C:\WINDOWS\SYSTEM\):
CD_CLINT.DLL
CD_GIF.DLL
CD_HTM.DLL
CD_SWF.DLL
CD_LOAD.EXE
2.Delete the ADCACHE folder and its contents (usually found under C:\WINDOWS\SYSTEM\).
3.Remove Cydoor and Cydoor Services from the Windows Registry. The following Cydoor keys were added in my Windows 98 Registry and are shown for reference only:
HKEY_CURRENT_USER\Software\Cydoor\
HKEY_CURRENT_USER\Software\Cydoor Services\
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Run\ Cydoor=CD_Load.exe
doesn't sound harmful, but i still don't like unwanted stuff on my computer. and i don't like the idea of not being able to use my fav program, unless i accept the adware/spyware.
that just sucks.
it seems to state that it was fully disclosed before installing.
hmmmmmmm.
but if u uninstall the software it comes on, well that doesn't mean that the cydoor is uninstalled......seems to stay on your computer.
just for kicks..........anyone ever had it disclosed to them?
and do u think it's good business?