Backdoor Santa Spyware: AdTools/Codehammer Message Mates (tm)

Message Mates (and similar products, Screen Mates & ScreenMovies) are a series of software programs produced by AdTools, Inc., "The World Leader in Internet Desktop Marketing Tools" (blech), and distributed by Message Mates .com. Historically, these programs, notorious for being passed around as .EXE email attachments (didn't people learn from Melissa?), display a humorous presentation followed by one or more ad-banners. These banners would be statically embedded into the Message Mate application and take the viewer to a predefined Web page if clicked.

New versions of Message Mates, however, have taken on the characteristics of Spyware modules, silently connecting to the Internet when run and exchanging information with a remote server. This is done without informing the user, and the information exchanged may contain a GUID to aid in tracking individual users*.

The Message Mate software tested displayed an animated presentation, followed by a screen of advertisements. Upon closing, the program attempted to initiate an Internet connection to an external server. It also tried to "phone home" when the button that displays AdTools' Privacy Policy was clicked. (Ed. note: This strikes me as a very poorly thought-out decision on the part of the creators; a person interested in privacy issues is the last person you want to violate the privacy of!) When I get my packet sniffer reinstalled, I'll be further investigating the interaction of the Message Mate software with the remote server(s).

Thanks Edward for the heads-up re Message Mates' new capabilities.

Update 3/23/01
It would appear there IS indeed a GUID--or at the very least, some or all Message Mates will add keys to your Registry when run. Ed shares the following AdTools, Inc. keys found in his system Registry after viewing Message Mates on the system. The entry marked in red appears to be a tracking GUID, and the rest are double-word (numeric) values containing program preferences and history.

One of the Registry keys contains a reference to ice9, an "interactive multimedia desktop microsite" (minibrowser) that comes along with some AdTools presentations. Its spooky purpose, including references to "Complex tracking" and "data collections forms", is described here. The name ice9 itself is stolen from a Kurt Vonnegut novel, and coincidentally(?), is also the name of a rather nasty computer virus.

[HKEY_CURRENT_USER\Software\AdTools, Inc.]

[HKEY_CURRENT_USER\Software\AdTools, Inc.\Connection]

[HKEY_CURRENT_USER\Software\AdTools, Inc.\Temp]

[HKEY_CURRENT_USER\Software\AdTools, Inc.\UserInfo]

[HKEY_CURRENT_USER\Software\AdTools, Inc.\Ice9]

[HKEY_CURRENT_USER\Software\AdTools, Inc.\Lotta]

[HKEY_CURRENT_USER\Software\AdTools, Inc.\DMM]
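
An added example (not part of the original article, and not AdTools code): a Python check that scans a regedit text export for the AdTools keys listed above and separates double-word values from string values shaped like a GUID. The value names and data in the sample export are constructed, since the article lists only the key names.

```python
import re

# Root key named in the article; everything beneath it is AdTools data.
ADTOOLS_ROOT = r"HKEY_CURRENT_USER\Software\AdTools, Inc."
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
GUID_RE = re.compile(r"\{?[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}?")

# Constructed sample export: value names and data are invented for the demo.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\AdTools, Inc.]

[HKEY_CURRENT_USER\Software\AdTools, Inc.\UserInfo]
"ExampleTrackingId"="{00000000-1111-2222-3333-444444444444}"
"ExampleRunCount"=dword:00000003

[HKEY_CURRENT_USER\Software\Unrelated Vendor]
"Id"="{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}"
"""

def audit_reg_export(text):
    """Return (key, value_name, kind) tuples for everything under ADTOOLS_ROOT."""
    root = ADTOOLS_ROOT.lower()  # registry key names are case-insensitive
    findings, current = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        key = KEY_RE.match(line)
        if key:
            name = key.group(1)
            inside = name.lower() == root or name.lower().startswith(root + "\\")
            current = name if inside else None
            if inside:
                findings.append((name, None, "key"))
            continue
        value = VALUE_RE.match(line) if current else None
        if not value:
            continue
        data = value.group(2)
        if data.startswith("dword:"):
            kind = "dword"          # numeric preference/history style value
        elif GUID_RE.fullmatch(data.strip('"')):
            kind = "guid-like"      # candidate per-user tracking identifier
        else:
            kind = "other"
        findings.append((current, value.group(1).strip('"'), kind))
    return findings

if __name__ == "__main__":
    for key, name, kind in audit_reg_export(SAMPLE_EXPORT):
        print(f"{kind:10} {key} {name or ''}")
```

To run it on a real system, pass in the text of a regedit export of HKEY_CURRENT_USER\Software; exports in the "Windows Registry Editor Version 5.00" format are UTF-16 and need decoding first.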

