MickeyTheMan.com
Mark (Unregistered)
Posted: Feb 10 2004, 10:32 PM
Tonight, I was prompted to update my AOL Instant Messenger. In the process of installing that update, I got a warning from BoClean that it had detected the WildTangent Trojan and offered to shut it down. I said yes and it said it had safely removed it and deleted the registry entries.
THEN... approximately 3 minutes later, I got the following warning from my firewall which appears to show it was trying to "phone home":

wcmdmgr updaterservice.wildtangent.com [64.125.97.63], port http [80] [10/2/2004 19:21:50]
Direction: outgoing
Local Point: 0.0.0.0, port 3771
Adapter: VIA Compatable Fast Ethernet Adapter - Packet Scheduler Miniport
Remote Point: updaterservice.wildtangent.com [64.125.97.63], port http [80]
Protocol: TCP

So my question... did BoClean fail me? Help... what should I do? If it did not fail and has successfully protected me from this Trojan, then WHY did I get that alert from my firewall minutes later? (Of course, I instructed my firewall to block the outgoing communication request.)
Mark (Unregistered)
Posted: Feb 10 2004, 11:24 PM
Just ran SpyBot and it detected 3 different registry entries associated with the WildTangent Trojan - WHY didn't BoClean delete these?
Scanning right now with TDS-3 .. TDS made positive identification of Adware.WildTangent - and the presence of wcmdmgr.exe on my hard drive. Shouldn't BoClean have deleted any of this? BoClean's message indicated my registry had been cleaned of WildTangent and yet it apparently is still there and functional, since WildTangent attempted to send outgoing communication (which I blocked from my firewall) several minutes after BoClean intervened. What happened? It appears BoClean failed to protect? I'm running ver 4.11 and BoClean indicates its last update was today 2/10/04 at 04:09:30.
Mark (Unregistered)
Posted: Feb 10 2004, 11:38 PM
Here's what BoClean's log said:
------------------------------
02/10/2004 19:16:28: Analyzing file C:\WINDOWS\WT\UPDATER\WCMDMGRL.EXE
Trojan horse was found in above file
WILDTANGENT TROJAN STOPPED by BOCLEAN!
Active trojan horse was shut down. System now safe.
Trojan horse was removed, registry cleaned.

That sounded good.. but then note what happened minutes later according to my firewall:

wcmdmgr updaterservice.wildtangent.com [64.125.97.63], port http [80] [10/2/2004 19:21:50]
Direction: outgoing
Local Point: 0.0.0.0, port 3771
Adapter: VIA Compatable Fast Ethernet Adapter - Packet Scheduler Miniport
Remote Point: updaterservice.wildtangent.com [64.125.97.63], port http [80]
Protocol: TCP

I hit "deny" outgoing communication at that point.. had I allowed it, perhaps BOCLEAN would've again kicked in to stop it? I didn't want to risk it to find out, and I thought because of the message above that said my registry had been cleaned (which, from what SpyBot is now reporting to me, doesn't seem to be the case) that there shouldn't have been anything initiating outgoing communication - I'm new to this so perhaps BoClean is working correctly but if so, I need someone to explain this to me.. it doesn't look right.
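The BoClean entry and the firewall alert in the post above are two records of the same five minutes, and the question being asked is whether they contradict each other. The script below is an added example, not code from this thread or from BoClean's vendor: it parses both records in the layout shown, works out how long after the claimed removal the outbound attempt happened, and flags the pair for review when a related process tried to connect out within a chosen window. It assumes BoClean stamps dates as mm/dd/yyyy and the firewall as dd/mm/yyyy (both then read as 10 Feb 2004, the date of the post), and it relates wcmdmgr to WCMDMGRL.EXE with a simple name-prefix heuristic; the flag is a prompt to look closer, not a verdict that the cleaner failed.

```python
import re
from datetime import datetime

# Constructed sample input: the two records quoted in the post, with the line
# breaks the forum software collapsed restored (an assumption about the layout).
BOCLEAN_LOG = """02/10/2004 19:16:28: Analyzing file C:\\WINDOWS\\WT\\UPDATER\\WCMDMGRL.EXE
Trojan horse was found in above file
WILDTANGENT TROJAN STOPPED by BOCLEAN!
Active trojan horse was shut down. System now safe.
Trojan horse was removed, registry cleaned."""

FIREWALL_ALERT = """wcmdmgr updaterservice.wildtangent.com [64.125.97.63], port http [80] [10/2/2004 19:21:50]
Direction: outgoing
Local Point: 0.0.0.0, port 3771
Adapter: VIA Compatable Fast Ethernet Adapter - Packet Scheduler Miniport
Remote Point: updaterservice.wildtangent.com [64.125.97.63], port http [80]
Protocol: TCP"""

# Assumed timestamp conventions: BoClean mm/dd/yyyy, the firewall dd/mm/yyyy.
BOCLEAN_TS = "%m/%d/%Y %H:%M:%S"
FIREWALL_TS = "%d/%m/%Y %H:%M:%S"

BOCLEAN_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}): Analyzing file (?P<path>.+)$"
)
FW_HEAD_RE = re.compile(
    r"^(?P<proc>\S+) (?P<host>\S+) \[(?P<ip>[\d.]+)\], port (?P<svc>\S+) "
    r"\[(?P<port>\d+)\] \[(?P<ts>[^\]]+)\]$"
)


def parse_boclean(log: str) -> dict:
    """Extract when BoClean acted, which file it hit, and whether it claims removal."""
    lines = [ln.strip() for ln in log.splitlines() if ln.strip()]
    m = BOCLEAN_RE.match(lines[0])
    if not m:
        raise ValueError("unrecognised BoClean log header")
    path = m.group("path")
    return {
        "time": datetime.strptime(m.group("ts"), BOCLEAN_TS),
        "path": path,
        "file": path.rsplit("\\", 1)[-1],          # bare file name, e.g. WCMDMGRL.EXE
        "removed": any("removed" in ln.lower() for ln in lines[1:]),
    }


def parse_firewall(alert: str) -> dict:
    """Parse the one-line alert header plus the 'Key: value' lines that follow it."""
    lines = [ln.strip() for ln in alert.splitlines() if ln.strip()]
    m = FW_HEAD_RE.match(lines[0])
    if not m:
        raise ValueError("unrecognised firewall alert header")
    fields = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")     # split on the first colon only
        fields[key.strip().lower()] = value.strip()
    return {
        "process": m.group("proc"),
        "remote_host": m.group("host"),
        "remote_ip": m.group("ip"),
        "remote_port": int(m.group("port")),
        "time": datetime.strptime(m.group("ts"), FIREWALL_TS),
        "direction": fields.get("direction", "").lower(),
        "protocol": fields.get("protocol", "").upper(),
    }


def same_family(boclean_file: str, fw_process: str) -> bool:
    """Heuristic (assumption): two names are related when one stem prefixes the other,
    so WCMDMGRL.EXE and wcmdmgr count as related; AIM.EXE and wcmdmgr do not."""
    a = boclean_file.lower().rsplit(".", 1)[0]
    b = fw_process.lower().rsplit(".", 1)[0]
    return a.startswith(b) or b.startswith(a)


def correlate(boclean: dict, firewall: dict, window_seconds: int = 1800) -> dict:
    """Flag an outbound attempt by a related process soon after a claimed removal."""
    gap = (firewall["time"] - boclean["time"]).total_seconds()
    related = same_family(boclean["file"], firewall["process"])
    flagged = (
        boclean["removed"]
        and related
        and firewall["direction"] == "outgoing"
        and 0 <= gap <= window_seconds
    )
    return {"seconds_after": gap, "related_process": related, "flagged": flagged}


if __name__ == "__main__":
    verdict = correlate(parse_boclean(BOCLEAN_LOG), parse_firewall(FIREWALL_ALERT))
    print(verdict)   # the sample pair is 322 seconds apart and gets flagged for review
```

Run as a script it prints the correlation for the sample pair; in practice the two parsers would be fed from the real log files and `correlate` run over every removal entry against the firewall alerts that follow it. The prefix heuristic is deliberately loose, which is why the output is a review flag rather than a conclusion: a later reply in this thread explains that the two names are in fact separate modules of the same package.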
Nancy McAleavey (Security Goddess Retired; Group: Moderators; Posts: 965; Member No.: 33; Joined: 27-May 03)
Posted: Feb 11 2004, 10:40 AM
Mark,
Have you contacted Kevin about it? He hasn't had much time lately to get to the forums, doing so will likely get you a faster answer, I will tell him to stop by here later as well.....
--------------------
Old old stuff
Yet crashes under Vista
Teh Steve wins!
Mark (Unregistered)
Posted: Feb 12 2004, 11:10 PM
No, how do I reach Kevin?
Kevin McAleavey (Unregistered)
Posted: Feb 13 2004, 08:00 AM
Greetings, and my apologies for both the delay AND the confusion there. Yes indeed, AOL's snappy new "Instant Messenger" does contain WildTangent - their "partnership" in popup advertising is part of their new "buddy games" "feature."
WildTangent is a "borderline" trojan - actually defined as "adware" and where we cut the mustard is a complicated legal thing that Nancy can explain better than I can. But legally, most of the WildTangent stuff is not "officially" a trojan except for the one part that BOClean brought down. On "Unca Kevin's 'scale-o-evil'", WildTangent rates a 2 out of 100 since it's a minor one - just that one module actually. The reasoning is this - WildTangent DOES place a working uninstaller on the control panel. If you go there to the "Add/Remove software" item and remove the "WildTangent" stuff, almost ALL of it does go away. The "WCMDMGRL.EXE" item will remain running and will not come out. This ONE piece is the actual "trojan" ... the other item detected by a few others is the "updater" for it. A fresh new one was made for AOL exclusively so THEY could provide advertising. Also, another factor is that when people go to install anything containing "WildTangent" there ***IS*** a VERY clearly stated warning of what WildTangent is and what it does from a privacy standpoint in the license agreement prior to installation. Folks don't read it though. Just so you know though, we DID update BOClean to get the "updater" as well - you might want to check our site if you haven't updated already. Unlike the "WCMDMGRL.EXE" item though, the "WCMDMGR" portion is controlled directly by AOL-IM itself and that's why BOClean didn't get it at the same time - it wasn't running or TRYING to run until the firewall nabbed it first and locked access in my best estimation of what happened. BOClean DOES detect that one also however had the firewall not hit it first. As to the registry entries, those would belong to the entire SET of WildTangent files and the "game pieces" belonging to it. The registry entry associated with "WCMDMGRL" would have been removed by BOClean but any others unrelated would have remained. 
What you'll want to do (of course, ditch that AIM first) is go to your Program files folder and have a look at all the "WildTangent" subfolder. There'll also be more in the \(windows)\WT folder ... there's a lot of stuff in there. Running the "Add/Remove" from the control panel however for "WildTangent" WILL remove all this - and BECAUSE the uninstall works for everything else, there was no need for BOClean to go after that since it can't run without the piece we "took out." AOL however has decided to make SURE that if you remove it, they can put it back, thus the other bit of the "surprise" ... Once again, apologies for the delay - we're insanely busy on this end since the appearance of "mydoom." The BEST way to get ahold of us quickly is directly to: support(at)nsclean.com First priority - find and kill nasties. Second priority, support email. Third, questions email, Fourth, code for the future. Last priority, "groups" ... sorry about that. Been a long night, I go home.
Mark (Unregistered)
Posted: Feb 15 2004, 11:08 PM
Thank you very much for your thorough response! I'm resting much easier now..
Best Wishes, Mark
Ersatz (Unregistered)
Posted: Feb 25 2006, 03:07 AM
Er.. this posting is dead wrong. The Web Driver is just the game engine that all the AIM games used to play multiplayer. The updater application isn't cleaned because it's part of AIM. It's the background process that downloads and launches a java game automatically if you accept a multiplayer game invitation in AIM. The updater does collect anonymous system config data and call an update server with that data to see if it needs to download patches for machines with that hardware configuration... to play games...
You guys really need to get your facts straight, you're confusing people with misinformation. AOL stopped supporting games in AIM because of people spreading this foolishness around. AOL DID ship weather bug which DID pop up ads, but it had nothing to do with the WildTangent game bits.