Author’s Note: We at Malwarebytes continue to do our part in educating our product users and constant blog readers about day-to-day online threats and how they can avoid falling prey to them. “PUP Friday”, our latest attempt at getting users acquainted with files they may need to watch out for in the Wild Web, offers an in-depth look at some interesting and quite notable potentially unwanted programs (PUPs). Expect to see this type of content pushed out twice a month at the end of a work week.


When I first saw that U.S. reality TV show several years ago about regular people who were hauling cart after cart of bagged items out of a grocery store, all paid for with pieces of paper cut out from dailies and printed stubs, I thought that the world had gone mad.

It appeared to me that retail shops had something to be afraid of before hackers even stepped in to the picture: a buyer wielding a mammoth binder full of coupons.

Regardless of how that show affected viewers, there is no doubt that coupons—or anything that stops consumers from shelling out more yet bringing more to the table—is something great to have for the practical and money-sensible in us. And we’re an ever-growing population.

If you’re actively looking for coupons to print and download online, you may see sites offering cheap deals and software designed to ping you about coupon offers. One such program is located at cheapcouponalert[DOT]com (screenshot of default page below).

_default_click to enlarge

Partial text from the page:

Save Money with Coupon Alert!

$ Get alerted about the latest coupons!
$ Thousands of users have installed Coupon Alert
$ Save money!
$ Takes just seconds to download and install!

PUPs can also make their way into systems without any one knowing as they can be bundled and installed by other unwanted programs, freeware, shareware, or at times, malware. We detect this particular PUP, which may arrive on a system with the vanilla file name, setup.exe, as PUP.Optional.CouponAlert.A.

propertiesNote that earlier versions of the installer which we were able to retrieve from VT, showed complete details of the file in question, including the company that owns the copyright: Rational Thought Solutions.

Once executed, CouponAlert.A normally displays a user interface, such as the one below, which presents the coupon hunter the options to proceed with the installation or abort.

GUI1

The former leads to another GUI, showing a progress bar as it installs.

GUI2

Lastly, it loads a “Success!” page from a newly opened browser:

successclick to enlarge

CouponAlert.A is known to make changes to either the Start page, Home page, or Search engine settings of popular Web browsers. It also installs itself as a service, so it runs whenever Windows is loaded.

Users on systems with CouponAlert.A installed will see a small, green button at the upper-right corner of the page they’re browsing. Based on our tests, this button only shows up when visiting certain online retail shops, such as Amazon, when you thought that it’ll be visible by default.

One can, however, force it to show by pressing specific keys simultaneously. Below are screenshots of sites we’ve visited wherein the button appeared by itself:

This slideshow requires JavaScript.

Clicking the green button opens a mini-feed of news from various sources. According to Bleeping Computer, it show coupons on occasion. During our tests, however, we haven’t encountered any offer of coupons.

We’ve also noted that when we visited legitimate domains that do serve coupons (such as Coupon.com and Coupon.Walmart.com), the extension appears to not work.

Those who have Malwarebytes Anti-Malware (MBAM) installed are protected from PUP.Optional.CouponAlert.A. If you want to know the more technical aspects of this PUP, please refer to this removal instruction page on our forums.

So, to save, or not to save? I think we all know the answer to that. But as we do so, let’s make it a point to also save ourselves time, effort, and clicks – for some people, installing a PUP to assist with coupon collection might be a deal breaker.

Jovi Umawing