

Updates




Possible new spyware discovered!

There is a company named Aadcom that is apparently using some pretty sleazy advertising techniques. Their web site is a little vague on this, but it seems they use what can only be a BHO, a Browser Helper Object, to log the keystrokes of the user when the user is at a web site filling out forms (how is that not illegal?). Whether this BHO sends data back to the company is unclear at present, though I think it is likely.

Afterward, this BHO produces a popunder ad while you are browsing. It is similar to Top Text and Ezula in that the web site connected to in the popunder just might be a competitor of the site you were viewing when the popunder was created.

At this time, there is not enough information about this to give a specific warning. From the description on Aadcom's web site (see below), it would almost have to be that they are using a BHO as part of their strategy. Presently I have no information about how this BHO would be installed. Almost certainly it will follow the pattern of other spyware applications by being bundled along with a host application.

It's possible that whichever BHO it utilizes is one that is already known, in which case it is likely already a target of AdAware. In case it is not yet something that is targeted by AdAware, I recommend checking your system with BHO Demon for unauthorized BHOs. Even without this potential new threat, I'd recommend having this product installed, as it is a very useful tool.

The company has on their web site a fairly detailed description of how they operate. There is an ActiveX control on each and every page, so I'll spare you that danger by quoting it below. The entire description can be found here.




AADCOM is now introducing a new technology that allows advertisers to send real-time targeted messages reaching consumers while they are surfing the web.

This advanced software application sits on the user's browser and is able to "read" every keyword the user types, every web site they visit, which allows our advertisers to send special offers to our users while they are online.

This allows our advertisers to target messages based on popular keywords. In addition, we can also provide keyword searches from every search engine worldwide, including Yahoo, Excite, HotBot, Google, and more. As of October 23rd 2001 Aadcom's user base was approximately 3 million and growing at a rate of close to 50,000 per day.

Live Campaign Snap Shot

When users browse the web, AADCOM will identify those viewers interested in your company and provide an instant targeted offer.

As an example, when a user visits Etrade.com online, we can deliver an "Instant Message" from Datek.com. This type of Real-time targeting delivers CTR percentages of up to 14%, almost 30 times that of a standard banner advertisement.

Deliver your targeted message anywhere on the web.


Whatever your customers are doing on the web - and wherever they are doing it - AADCOM can deliver your targeted message to create a campaign to heighten awareness, boost click-through rates or drive sales.

As an example, when a user visits Autobytel.com, we provide an "Instant Message" for the advertiser.





Update!
10/29/2001
http://www.internettechcorp.com/itc/ Check out the links on the bottom. I've been told in a thread at the Voice of the Public message board forums that Mindseti is a company that was heavily involved with Blackstone. Anyone have any information?






Update!
11/02/2001
Turns out the BHO that this company uses is none other than our old friend the Transponder. The Browser Helper Object that it installs has the exact same registry value as the Blackstone Transponder and the VX2/Respondmiter BHO: CLSID: {00000000-5eb9-11d5-9d45-009027c14662}. It also uses the same filename "IEHELPER.DLL".

Here are the complete details of the registry changes made by this spyware application on install (with a tip of the hat to Sam Shinke for digging this out):

The following registry entries are created:


HKCR\Transponder.Transponder.1
HKCR\Transponder.Transponder.1\CLSID = s '{00000000-5eb9-11d5-9d45-009027c14662}'
HKCR\IEHlprObj.IEHlprObj = s 'Transponder Class'
HKCR\IEHlprObj.IEHlprObj\CurVer = s 'IEHlprObj.IEHlprObj.1'
HKCR\CLSID\{00000000-5eb9-11d5-9d45-009027c14662} = s 'Transponder Class'
HKCR\CLSID\{00000000-5eb9-11d5-9d45-009027c14662}\ProgID = s 'Transponder.Transponder.1'
HKCR\CLSID\{00000000-5eb9-11d5-9d45-009027c14662}\VersionIndependentProgID = s 'Transponder.Transponder'
HKCR\CLSID\{00000000-5eb9-11d5-9d45-009027c14662}\ForceRemove 'Programmable'
HKCR\CLSID\{00000000-5eb9-11d5-9d45-009027c14662}\InprocServer32 = s '%MODULE%'
HKCR\CLSID\{00000000-5eb9-11d5-9d45-009027c14662}\InprocServer32\val ThreadingModel = s 'Apartment'
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer 'Browser Helper Objects' {00000000-5eb9-11d5-9d45-009027c14662}

This is an easily killed piece of scumware. AdAware was updated to handle the Transponder's mutation to VX2. It should have no problem eliminating this pest as well. There is a more complete description of Transponder and all of its mutations at cexx.org.
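The registry entries listed above can be checked for in an exported copy of the registry. The Python below is an added example, not part of the original write-up or of any tool it names: it lists every registered BHO in a regedit-style text export, resolves each to its class name and DLL, and flags the Transponder CLSID or the IEHELPER.DLL filename. The sample export, its directory paths and the second CLSID are constructed for illustration.

```python
# Indicators from the page: the shared Transponder/VX2 CLSID and DLL file name.
KNOWN_BAD_CLSID = "{00000000-5eb9-11d5-9d45-009027c14662}"
KNOWN_BAD_DLL = "iehelper.dll"
BHO_KEY = r"\software\microsoft\windows\currentversion\explorer\browser helper objects" + "\\"

# Constructed regedit text export; directories and the second CLSID are placeholders.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-5eb9-11d5-9d45-009027c14662}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]
[HKEY_CLASSES_ROOT\CLSID\{00000000-5eb9-11d5-9d45-009027c14662}]
@="Transponder Class"
[HKEY_CLASSES_ROOT\CLSID\{00000000-5eb9-11d5-9d45-009027c14662}\InprocServer32]
@="C:\\EXAMPLE\\IEHELPER.DLL"
"ThreadingModel"="Apartment"
[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}]
@="Constructed Toolbar Helper"
[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\EXAMPLE\\toolbar.dll"
'''

def parse_reg(text):
    """Map each lower-cased key path to its default (@) value, or "" if it has none."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, "")
        elif current and line.startswith('@="') and line.endswith('"'):
            keys[current] = line[3:-1].replace("\\\\", "\\")  # undo .reg escaping
    return keys

def audit_bhos(text):
    """Return one record per registered BHO, flagged if it matches the page's indicators."""
    keys = parse_reg(text)
    report = []
    for path in keys:
        if BHO_KEY not in path:
            continue
        clsid = path.rsplit("\\", 1)[1]
        base = "hkey_classes_root\\clsid\\" + clsid
        dll = keys.get(base + "\\inprocserver32", "")
        flagged = clsid == KNOWN_BAD_CLSID or dll.lower().endswith("\\" + KNOWN_BAD_DLL)
        report.append({"clsid": clsid, "name": keys.get(base, ""), "dll": dll, "flagged": flagged})
    return report
```

For a real export, read the file with the right encoding first ("Windows Registry Editor Version 5.00" files are UTF-16) and pass the text to `audit_bhos`. Any unflagged entry whose name or DLL you do not recognise still deserves a look.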

There was a loose confederation of pro-privacy activists that dug all this information out. Thanks to Bill Webb of cexx.org, Robert of dualsmp (who snookered the Aadcom people into sending him uninstallation instructions, which is how this mystery was solved), Tyrune for digging around in Aadcom's HTML coding and Sam Shinke for providing the list of registry changes made during install. If you're not already a member of the community, you should join the grc.com newsgroups where all of these things are discussed on a daily basis.

One final note. This application is affiliated with the site http://netpalnow.com. It's been reported that a certain page on that site tries to install this spyware application via an ActiveX control. SpywareInfo recommends having ActiveX set to prompt in all but your trusted zones, but especially in the internet zone (for Internet Explorer). We also strongly recommend adding this web site to your hosts file.




Related:
Counterexploitation-Transponder
Dualsmp-Transponder




