Illustration of many multicolored bubbles floating in the air
News

PUP Friday: Bubbling Over

Posted: May 20, 2016 by Jovi Umawing

At Malwarebytes Labs, we’re never short of PUPs to analyse and explore. As per our telemetry to date, SweetIM is one of the top PUPs Malwarebytes Anti-Malware (MBAM) detects and removes from our clients systems. In order to get to know what SweetIM software does on a user’s system, we have selected Bubble Hit by GamePacks (MD5: 0326564318717b9826c4b81eb5d34239).

What is SweetIM?

It is a software product of a company with the same name, SweetIM Technologies LTD, which according to their EULA, is formerly known as the company, Imvent LTD. SweetIM software can be downloaded from its official website, www[DOT]sweetim[DOT]com, but as the brand is associated with third-party affiliates, users can expect to find SweetIM bundled with other free, publicly available software.

SweetIM can be installed on Windows and Mac OS X.

What is Bubble Hit by GamePacks?

Bubble Hit is a bubble shooting game wherein players are asked to clear the colored bubbles from a board by connecting at least three bubbles of the same color. There’s an online version of similar games like this that doesn’t require any installation.

bubble-hit-installer

What happens when you install and execute SweetIM?

Bubble Hit by GamePacks, in particular, installs like any other software. Below is a slideshow of the program’s interface shown in succession after double-clicking the installer file:

The below shortcut file is then created on the user’s Desktop:

icons

Here’s how the game would appear on the user’s desktop once the shortcut is double-clicked:

Pop 'em all

Pop ’em! Pop ’em ALL!

Notable files and/or folders added:

  • C:Program Files (x86)Mozilla Firefoxfirefox.cfg
    • a Firefox configuration file
  • C:WindowsSystem32dmwu.exe
    • detected as Adware.InstallBrain
  • C:WindowsSysWOW64ARFCwrtc.exe
    • detected as PUP.Optional.Perion
  • C:WindowsSysWOW64WNLT
    • detected as PUP.Optional.Perion

Notable entries in the registry that are added:

  • HKLMSYSTEMCURRENTCONTROLSETSERVICESSHAREDACCESSPARAMETERS FIREWALLPOLICYFIREWALLRULES|{C4850434-A1D8-41B2-8280-F7D84D16F659}
  • HKLMSYSTEMCURRENTCONTROLSETSERVICESSHAREDACCESSPARAMETERS FIREWALLPOLICYFIREWALLRULES|{E61685E1-22E1-4F63-9554-5A268CEA6E05}
  • HKLMSYSTEMCURRENTCONTROLSETSERVICESSHAREDACCESSPARAMETERS FIREWALLPOLICYFIREWALLRULES|{FB21A74D-A36D-403A-B957-A4DE53FE3FC9}
  • HKLMSYSTEMCURRENTCONTROLSETSERVICESSHAREDACCESSPARAMETERS FIREWALLPOLICYFIREWALLRULES|{B7E0D1F5-3D00-46F9-B129-B3DC5CEE38E6}

The above keys are “rules” that tells the firewall to allow traffic coming to and from the dropped files, dmwu.exe and wrtc.exe.

Furthermore, based on its registry logs, Bubble Hit by GamePacks’s installer adds emoticons and other elements that “enhances user experience” to the following instant messengers:

Other notable changes:

Users will find that additional changes to their systems will only take place if they allow Bubble Hit to make modifications during its installation phase. Such changes include the search engine being changed to “SweetIM search”, the home page being changed to home[DOT]sweetim[DOT]com, and the browser having an added extension. For example, below is a screenshot of the DealPly add-on prompt for Firefox:

dealply

click to enlarge

Malwarebytes categorizes DealPly as a browser hijacker.

For a complete or detailed list of changes Bubble Hit by GamePacks does to user systems, visit our forum page.

Does Malwarebytes Anti-Malware (MBAM) detect Bubble Hit by GamePacks?

We detect this particular program as PUP.Optional.SweetIM. Check out this Malwarebytes forum post for the complete removal instructions for Bubble Hit by GamePacks.

Conclusion

We’re reminding our readers once again to take extra care when downloading freebies like games and software online. While most PUPs still rely on this kind of lure, others have already begun using fake notifications, such as software updates or ads on Web pages, to get users to click, download, and install them without a second thought. However dodgy and/or malicious files arrive on systems, it is always best to keep your AV software updated and set to real-time blocking. Scanning files to make sure they’re safe to execute can also be a good computing practice if you’re unsure of the legitimacy of their legitimacy.

Stay safe, everyone!

More PUP Friday post(s):

Jovi Umawing

RELATED ARTICLES

Giant Tiger logo
News | Personal

Giant Tiger breach sees 2.8 million records leaked

April 16, 2024 - A threat actor claims to be in possession of 2.8 million records originating from a hack at Canadian retail chain Giant Tiger

CONTINUE READING 0 Comments
week in security
News

A week in security (April 8 – April 14)

April 15, 2024 - A list of topics we covered in the week of April 8 to April 14 of 2024

CONTINUE READING 0 Comments
change social security number
News

How to change your Social Security Number

April 12, 2024 - Wondering whether changing your SSN is an option. Read here what you need to qualify for a new SSN and what you need to get one.

CONTINUE READING 0 Comments
mercenary spyware alert
News | Privacy

Apple warns people of mercenary attacks via threat notification system

April 11, 2024 - Apple has sent alerts to people in 92 nations to say it's detected that they may have been a victim of a mercenary attack.

CONTINUE READING 0 Comments
A 13-year-old girl is using her smartphone in the dark room. The content she is browsing projects in front of her.
Cybercrime | Personal

How to protect yourself from online harassment

April 10, 2024 - Don't wait for an online harassment campaign to unfairly target you or a loved one. Take these proactive steps today to stay safe.

CONTINUE READING 0 Comments

ABOUT THE AUTHOR

Jovi Umawing

Jovi Umawing

Knows a bit about everything and a lot about several somethings. Writes about those somethings, usually in long-form.

Contributors icon

Contributors

Threat Center icon

Threat Center

Podcasts icon

Podcast

Glossary icon

Glossary

Scams icon

Scams