Adware/Gain
Analysis
[Precision Time]
The details for the Precision Time installer are:
Typical Name: PrecisionTimeSetup.exe
File Size: 973,608 bytes
Version: 3.0.3.0
Company Name: GAIN Publishing
Digital Signature: GAIN Publishing
The details for the Precision Time executables are:

Name: PrecisionTime.exe
File Size: 577,615 bytes
Version: 3.0.3.0
Description: Precision Time Application
Company Name: GAIN Publishing

Name: GatorStubSetup.exe
File Size: 249,919 bytes
Version: 7.1.0.6
Description: Gator Client Application
Company Name: GAIN Publishing
Original Filename: Gator.exe

Name: GMT.exe
File Size: 2,183,220 bytes
Version: 7.1.0.6
Description: GAIN Application
Company Name: GAIN Publishing

Name: CMESys.exe
File Size: 90,112 bytes
Version: 7.1.0.6
Description: CME II Client Application
Company Name: GAIN Publishing
Description of Adware:
Precision Time is an application authored by GAIN Publishing, a subsidiary of Claria Corporation. It is billed as a product that automatically synchronizes the time and date of the Windows clock, although this functionality is already available natively within Windows XP. Claria's primary business is advertising and behavioral marketing. Once Precision Time is downloaded and installed, the user's browsing habits are monitored and communicated to the Claria Corporation. The purpose of monitoring the user's online behavior is the display of targeted advertising. These ads can take many forms, including, but not limited to, pop-under ads, pop-up ads, sliding ads, and embedded ads.
System Alterations upon installation:
During installation the following directories are created:
[user's local settings directory]\Temp\fsg_tmp
[all user's start menu program directory]\GAIN Publishing
[all user's start menu program directory]\PrecisionTime
[program files directory]\Common Files\CMEII
[program files directory]\Common Files\GMT
[program files directory]\PrecisionTime
Note: Many files and subdirectories are also installed, including the executables detailed above.
The following Windows Start Menu folders are added:
Programs -> GAIN Publishing
Programs -> PrecisionTime
Programs -> Startup -> Gstartup
Programs -> Startup -> PrecisionTime
Many registry keys are created, including the below:
HKEY_LOCAL_MACHINE\SOFTWARE\Gator.com
HKEY_LOCAL_MACHINE\SOFTWARE\Gator.com\AppInfo
HKEY_LOCAL_MACHINE\SOFTWARE\Gator.com\AppInfo\CME
HKEY_LOCAL_MACHINE\SOFTWARE\Gator.com\AppInfo\GMT
HKEY_LOCAL_MACHINE\SOFTWARE\Gator.com\AppInfo\PrecisionTime
HKEY_LOCAL_MACHINE\SOFTWARE\Gator.com\CMEII
HKEY_LOCAL_MACHINE\SOFTWARE\Gator.com\CMEII\GSNInstalled
HKEY_LOCAL_MACHINE\SOFTWARE\Gator.com\Gator
HKEY_LOCAL_MACHINE\SOFTWARE\Gator.com\Gator\dyn
HKEY_LOCAL_MACHINE\SOFTWARE\Gator.com\Gator\stat
HKEY_LOCAL_MACHINE\SOFTWARE\Gator.com\Gator\stat\GMT
HKEY_LOCAL_MACHINE\SOFTWARE\Gator.com\GInternet
HKEY_LOCAL_MACHINE\SOFTWARE\Gator.com\GInternet\Proxy
HKEY_LOCAL_MACHINE\SOFTWARE\Gator.com\PrecisionTime
HKEY_LOCAL_MACHINE\SOFTWARE\Gator.com\Trickler
HKEY_LOCAL_MACHINE\SOFTWARE\Gator.com\trickles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PrecisionTime
Many registry values are added as well, including:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "CMESys"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Trickler"
Note: The above values cause Precision Time's GAIN processes to execute automatically upon Windows startup.
Upon installation Precision Time performs many DNS lookups, including:
www.precision-time.com
web.balance.gator.com
www.gainpublishing.com
gi.gator.com
ts.gator.com
trickle.gator.com
The program then silently accesses several websites within the Gator network. After doing so, it transmits information about the computer on which it has been installed.
The program then retrieves several archived installation files from the Gator network. During this process it transmits additional information regarding the local computer.
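The DNS lookups listed above can be used for triage of resolver logs. The following is an added example, not part of the original analysis: it flags clients that queried several of the listed names. The log line format, the threshold of two distinct names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Domains the analysis lists as looked up during installation.
INSTALL_DOMAINS = {
    "www.precision-time.com", "web.balance.gator.com", "www.gainpublishing.com",
    "gi.gator.com", "ts.gator.com", "trickle.gator.com",
}

# Constructed log format (an assumption): "<timestamp> client=<ip> query=<name> type=<rr>"
LINE_RE = re.compile(r"^(\S+)\s+client=(\S+)\s+query=(\S+)\s+type=(\S+)$")

def normalize(name):
    """Lower-case and drop the trailing root dot so 'GI.Gator.com.' matches."""
    return name.strip().lower().rstrip(".")

def hosts_with_install_lookups(lines, min_distinct=2):
    """Return {client: sorted matched domains} for clients that queried at
    least min_distinct of the listed names. Matching is on the whole name, so
    'gi.gator.com.example.org' or 'notgi.gator.com' do not count."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed or unrelated lines
        _, client, query, _ = m.groups()
        name = normalize(query)
        if name in INSTALL_DOMAINS:
            seen[client].add(name)
    return {c: sorted(d) for c, d in seen.items() if len(d) >= min_distinct}

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z client=10.0.0.5 query=www.precision-time.com type=A
2024-05-01T10:00:02Z client=10.0.0.5 query=GI.Gator.com. type=A
2024-05-01T10:00:03Z client=10.0.0.5 query=trickle.gator.com type=A
2024-05-01T10:00:04Z client=10.0.0.9 query=gi.gator.com.example.org type=A
2024-05-01T10:00:05Z client=10.0.0.9 query=ts.gator.com type=A
2024-05-01T10:00:06Z client=10.0.0.7 query=www.example.com type=A
garbled line without fields
""".splitlines()

if __name__ == "__main__":
    for client, domains in hosts_with_install_lookups(SAMPLE_LOG).items():
        print(client, "->", ", ".join(domains))
```

A single matching lookup is weak evidence on its own; requiring several distinct names per client reduces noise from one-off visits to a listed site.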
The installation of Precision Time will result in the following applications operating in the background:
\precis~1\precis~1.exe
\common files\gmt\gmt.exe
\common files\xmeii\cmesys.exe
Upon synchronizing the user's clock for the first time, the following window will be shown:
While the user browses the web, their browsing behavior is monitored by GAIN applications such as gmt.exe. This information is then regularly transmitted to the Gator network. Advertisements targeting the user, based on analysis of the user's web browsing behavior, will be produced frequently. A sample ad is shown below: