Thread: Zango information.
#1
Hey guys.
I have a few questions regarding Zango and all of the famous 180solutions crap.
1. Is there any technical information on Zango functionality anywhere? Apart from the fact that it is memory-resident software that pulls out popups based on the user's search queries.
2. Does it communicate with the 180solutions servers?
2a. If it does, did anyone analyze the packets sent?
3. Does it form unique identifiers?
3a. If so, where are they stored? (I don't think they are simply tracking click-throughs by originating IP.)
#3
Thanks, I'll take that as a compliment.
Regarding my questions, I have read Edelman's research but it's incomplete for my purposes. Rather, it lacks the client-side functionality description. Thanks in advance.
P.S. I don't have any of my test machines available yet for voluntary infection, so if anyone could provide an assembly listing from the decompiled executable I would appreciate it greatly. Anything will do: the usual disassembly dump, or SoftIce, windasm or IDA listings. All this doesn't apply of course if Zango/n_case is packed with something nasty.
#5
Not sure why you want to know all of this but:
1. Not sure if anything is available, depends on what technical information you are wanting.
2. Yes.
2a. Yes.
3. It assigns a unique identifier to each install, if that's what you mean.
3a. Not sure what you mean by stored? There are no click-throughs at all with their software. That's one of the points.
I do not decompile executables and question that such should be asked for here.
#6
What I mean by stored:
During/after install, once the UID was generated (based on login, computer name, domain or whatever they use to generate the UID) it has to be stored somewhere, either in the Windows registry or in some sort of configuration file. I was simply wondering where such a UID can be located, providing anyone dug in that deep.
As for disassembling: ZANGO/nCase are typical lawless parasites and there are ways to aggressively fight such infections. I don't see any harm in that, especially since the best form of defense is attack.
P.S. From first look Zango is nothing more than a user-agree interface to install good old n-Case. Upon installing Zango, it attempts to download a zangoinstaller.cab which contains 3 files: ZangoLib.dll, ZangoInstaller.dll and Zango.inf. Upon checking out Zango.dll, guess what: it redirects of course to download something from http://bis.180solutions.com/VersionConfig.aspx?did=zango.exe
Guess what it is?
/new_ver=5.11 /new_ver_url=http://bis.180solutions.com/downloads/5.11/msbb.exe /new_ver_sz=278528 /new_ver_sig={...}
Yes, good old nCase. Version 5.11 of msbb.exe, which does the usual tricks probably. I am going to work more on msbb.exe to see if it has any new "features". So far it looks the same though.
#7
As to question 3a: As I recall, 180's unique UID is stored in the registry.