CommonName
- By W3 Privacy
- Published 05/8/2007
- Parasites
Description
CommonName is marketed as a 'keywords' service, allowing one to enter simple names instead of URLs.
After its original release, the software has become a complicated (and sometimes buggy) search-hijacker and adware, aggressively bundled with many third-party apps.
Variants
CommonName/Toolbar: installs an IE toolbar with a keyword lookup box.
CommonName/Agent: takes over searches entered into the standard IE address bar (by means of an IE Browser Helper Object), and pops up ads occasionally.
CommonName/Mib: version 3.6.0.0 onwards also includes a WinSock2 Layered Service Provider, CNMib.dll.
CommonName/Zenet: version 3.6.2.0 onwards also has its BHO re-register itself periodically, to make it hard to remove manually.
CommonName/Winnet: version 4.0.0.0 onwards also has a separate updating process, which re-registers itself constantly, to make it even harder to remove manually.
CommonName/Comwiz: later 4.x versions use two restarting processes instead of one. In a trick learned from virus authors, if one process is killed the other one starts it back up again. However the LSP seems no longer to be in use.
Also known as
CNBabeIE after the file name used. CommonName/Toolbar is known internally as BabeIE, CommonName/Agent and Mib as BabeIE2.
Distribution
Included in many file-sharing programs, such as Grokster, iMesh, FreeWire, MThree MP3 tools and older versions of KaZaA.
What it does
Advertising
Yes. All variants except Toolbar connect to their controlling servers once a day, which may ask them to open pop-under advertising. They also change search settings to point to commonname.com.
Privacy violation
Cookies are used to identify you when requests are made to CommonName. This may occur when the advertising is opened or a keyword is entered into the address bar.
When you visit a URL whose top-level-domain the CommonName/Agent or Mib software does not know about (eg. alternative TLDs or intranet hostnames; CommonName/Agent also does not know about .edu, .mil, .int, .su and .gb), a request is also made. This could allow users to be tracked across web site visits.
Security issues
Yes (Winnet, Comwiz variants): Can download and execute arbitrary code from its controlling server, as an update feature.
No (other variants).
Stability problems
Can cause Explorer to crash occasionally with a 'runtime error' in CNBabe, or an 'illegal operation' in CNMib.
CommonName/Agent also had a bug in its unknown-top-level-domain code which meant that any URL longer than 72 characters became corrupted.
The Agent and Mib variants can cause 404 pages not to be shown.
The Winnet variant can bombard you with autodial requests if you are not connected to the internet when it wants to check for updates.
Removal
For Agent, Toolbar and Mib variants, the CommonName entry in the Control Panel's Add/Remove Programs option should work fine.
With the later variants (Zenet onwards), unfortunately, this just sends you to a page on CommonName's web site with a form that, once submitted, leads to an uninstaller download. This requires a working Internet Explorer with ActiveX downloads enabled to function.
Spybot S&D update 2002-09-08 and later, and Ad-Aware can remove the Toolbar and Agent variants; Spybot update 2002-11-30 and HijackThis 1.8 can remove the Mib variant.
Manual removal
Each successive variant of CommonName gets harder to remove by hand. Variants with an LSP (Mib, Zenet, Winnet) are particularly tricky: do not try to delete them by just deleting the files. If you manage to delete the LSP you will lose network connectivity.
CommonName/Comwiz
This variant cannot be manually uninstalled from the normal desktop. You have to boot Windows without letting the two self-restoring processes start up.
On Windows NT/2000/XP/2003, you can do this by pressing F8 just before Windows XP starts loading and choosing "Safe Mode". Open the 'Program Files' folder and delete the 'CommonName' folder inside it.
On Windows 95/98/Me, you will have to boot to DOS to do it, and enter the commands:
cd "\Program Files"
deltree /Y CommonName
This is a 'dirty' way of uninstalling the software, leaving behind a bit of a mess. If you like you can clear up by deleting the registry keys mentioned in the instructions for CommonName/Agent.
CommonName/Winnet
You must first kill the 'winnet.exe' process (otherwise, it will keep setting itself up to run automatically). Press Ctrl-Alt-Delete and open the Task Manager. If you are using Windows NT/2000/XP, choose the 'Processes' tab to list all programs. Choose 'winnet.exe' and end the process.
Continue with the instructions for Zenet.
CommonName/Zenet
Open the registry (Start->Run->regedit). Open the key 'HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000000}', right click the 'InProcServer32' subkey and choose 'Delete'. (This neuters the CommonName BHO but doesn't completely remove it, so it won't notice the change and re-register itself.)
Now go to the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. There will be a value here titled 'Zenet' (or 'Winnet', for that variant). Delete it and reboot the machine immediately.
Continue with the instructions for Mib.
CommonName/Mib
The CNMib.dll module must now be removed from the Winsock2 LSP chain. CounterExploitation's tool LSPFix can do this for you. Download it, run it and tell it to 'Remove' CNMib.dll, and 'Keep' everything else.
You can also do it by hand if you are brave. Open the registry (Start->Run->regedit) and open the key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries. There will be a list of numeric subkeys; open each one and double-click its 'PackedCatalogItem' value. You should be able to see a filename at the top of the right-hand column in the 'Edit Binary Value' window. If it is 'C:\Program Files\CommonName\Toolbar\cnmib.dll' or similar, delete the entire '00000somenumber' key. The path must point exactly at the cnmib.dll file! Do not delete the key just because you see a cnmib hanging on the end - for example '%SystemRoot%\system32\mswsock.dll.r\cnmib.dll' actually points to mswsock, not cnmib.
Then rename the numeric subkeys so that they count up each number from 000000000001, filling in any gaps you left by deleting old ones. Finally, go back up to 'Protocol_Catalog9' and change the 'Num_Catalog_Entries' value to reflect the new number of subkeys you have. Set the base to decimal in the 'Edit DWORD value' window and enter the highest number subkey that is left after renaming.
If your manual removal went wrong in any way you will have lost your networking ability. Sorry! LSPFix may still be able to rescue you in this situation, but otherwise you are looking at a reinstall of Windows or at least its networking components.
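The by-hand check and renumbering above, worked through on constructed data. This is an added example, not code from the original page or from LSPFix. It only plans the change and never touches the registry. It assumes the path in 'PackedCatalogItem' is a NUL-terminated ANSI string in a 260-byte buffer at the start of the value; all function names are hypothetical.

```python
import ntpath

PATH_FIELD = 260  # assumption: MAX_PATH-sized ANSI path buffer at the start of the value

def packed_item(path, stale=b""):
    """Build a constructed PackedCatalogItem: path buffer plus dummy trailing bytes."""
    buf = bytearray(PATH_FIELD)
    buf[:len(stale)] = stale                 # leftovers from an earlier, longer path
    raw = path.encode("ascii") + b"\x00"
    buf[:len(raw)] = raw                     # new path and its terminator overwrite the start
    return bytes(buf) + b"\xAA" * 16         # stand-in for the protocol data that follows

def ascii_column(blob):
    """What regedit's right-hand column shows: non-printable bytes appear as '.'."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in blob[:PATH_FIELD])

def provider_path(blob):
    """The real DLL path: everything up to the first NUL, nothing after it."""
    return blob[:PATH_FIELD].split(b"\x00", 1)[0].decode("ascii", "replace")

def is_cnmib(blob):
    """True only when the terminated path's file name is exactly cnmib.dll."""
    return ntpath.basename(provider_path(blob)).lower() == "cnmib.dll"

def removal_plan(entries):
    """entries: {subkey name: value bytes}. Returns (delete, renames, new entry count)."""
    delete = [k for k in sorted(entries) if is_cnmib(entries[k])]
    keep = [k for k in sorted(entries) if k not in delete]
    renames = {}
    for n, old in enumerate(keep, start=1):  # close the gaps, counting up from 1
        new = f"{n:012d}"
        if new != old:
            renames[old] = new
    return delete, renames, len(keep)        # len(keep) is the new Num_Catalog_Entries

# Constructed sample catalog; entry 1 carries stale cnmib bytes after its terminator.
CNMIB = r"C:\Program Files\CommonName\Toolbar\cnmib.dll"
MSWSOCK = r"%SystemRoot%\system32\mswsock.dll"
CATALOG = {
    "000000000001": packed_item(MSWSOCK, stale=CNMIB.encode("ascii")),
    "000000000002": packed_item(CNMIB),
    "000000000003": packed_item(MSWSOCK),
    "000000000004": packed_item(CNMIB),
    "000000000005": packed_item(MSWSOCK),
}

if __name__ == "__main__":
    print(ascii_column(CATALOG["000000000001"])[:45])
    print(removal_plan(CATALOG))
```

Entry 000000000001 displays as the misleading 'mswsock.dll.r\cnmib.dll' string quoted above but is kept, because only the bytes before the first NUL are the path.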
Once the LSP is gone, continue with the instructions for Agent.
CommonName/Agent
Open the registry (Start->Run->regedit) and delete the following keys and values:
HKEY_LOCAL_MACHINE\Software\CommonName
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Add A Page Note
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Bookmark This Page
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Email This Link
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Search using CommonName
HKEY_CLASSES_ROOT\BabeIE.AgentIE
HKEY_CLASSES_ROOT\BabeIE.AgentIE.1
HKEY_CLASSES_ROOT\BabeIE.Handler
HKEY_CLASSES_ROOT\BabeIE.Handler.1
HKEY_CLASSES_ROOT\BabeIE.Helper
HKEY_CLASSES_ROOT\BabeIE.Helper.1
HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000000}
HKEY_CLASSES_ROOT\CLSID\{6656b666-992f-4d74-8588-8ca69e97d90c}
HKEY_CLASSES_ROOT\CLSID\{9346A6BB-1ED0-4174-AFB4-13CD4EC0AA40}
HKEY_CLASSES_ROOT\TypeLib\{D879D743-E2CC-4161-8034-2234203681C9}
HKEY_CLASSES_ROOT\TypeLib\{DD0032DF-CEEF-4E0A-8B75-E4D8861E11E5}
HKEY_CLASSES_ROOT\Protocols\Handler\cn
Reboot and you should be able to delete the entire CommonName folder in Program Files. Finally, you can use Internet Options->Programs->Reset Web Settings to restore the normal search options.
Phew! You can stop now.
CommonName/Toolbar
First, deregister CNBabe. To do this, open a DOS command prompt window (from Start->Programs->Accessories) and enter the following commands:
cd "%WinDir%\System"
regsvr32 /u "C:\Program Files\CommonName\Toolbar\CNBabe.dll"
(Change the filename above if your Program Files folder is somewhere other than 'C:\Program Files' - for example if you are using a different drive, or a non-English version of Windows.)
Reboot and you should be able to delete the CommonName folder in Program Files.

