PacerD's ActiveX popups ask users to accept "browser enhancements" that actually consist of more than a dozen different advertising programs -- bogging down users' computers without offering any substantial benefits.
Users surfing the web (using anything less than the very latest web browsers) often receive popups like that shown at right. Some of these popups are legitimate requests to install software actually required to view the web pages users request -- for example, the newest version of Macromedia Flash, a popular video and animation player. But other popups are mere trickery, seeking to convert users' computers into advertisement display channels for software distributors' own benefit. A single click on "Yes" in one such box can bring a user's computer to a virtual standstill due to the large number of programs added.
This article examines one misleading popup, its methods, its (purported) license agreement, and its effects. Notable characteristics:
Update (October 2005): Along with the ActiveX popups described in this article, PacerD also attempts to install via security exploits. Video, details, and analysis.
The Installation Prompt
While browsing www.iowrestling.com, an online wrestling site, I received the popup shown in the first image at right. The popup's text reads:
"Do you want to install and run PLEASE CLICK YES to install our free browser enhancements. This file has been signed ... Publisher authenticity verified by Comodo Code Signing CA ..."
With healthy skepticism and appropriate analysis, users may be able to see risks in this request. Who are PacerD and Comodo Code Signing? What is the nature of the "enhancement" they offer?
But a user who sees this official-looking dialog box -- perhaps recognizing it from similar legitimate boxes seen in the past -- may press Yes without realizing the resulting effects. After pressing the Yes button, the user has no further opportunity to cancel or stop the installation, even if the user immediately realizes her mistake.
At least as notable as what the installation prompt says is what it doesn't say. The prompt says nothing about any advertising resulting from pressing Yes, and it also fails to mention any effects on privacy, computer reliability, or computer speed. The prompt even fails to mention that a user wanting more information about the installation can click the blue text to learn more. Some users may recognize the blue formatting as a hyperlink, but the prompt does nothing to alert or remind users of this feature.
The (Purported) License Agreement
If a user sees and clicks on the installation prompt's blue underlining, the user receives a document entitled "sample" (in its HTML TITLE tag) that, according to its first line of text, "contains the license agreement for Pacisoft distributed by PacerD." This heading is importantly deficient. For one, the "sample" title makes it unclear whether the document is in fact claimed to be official and binding. Furthermore, even careful users cannot know the meaning of the reference to "Pacisoft"; the prior popup mentioned a company called PacerD but did not mention "Pacisoft" or any other specific product name.
A user who nonetheless chooses to examine the "license agreement" finds a 1,951-word document, shown in eight on-screen pages.
At page four, the document mentions installation of third-party software, including "desktoptraffic, websearch, peopleonpage, adpowerzone, direct revenue, exact, surfsidekick, [and] 180," and gives hyperlinks to each of the corresponding license agreements (save for Direct Revenue, which lacks a link).
At page eight, the document claims that disputes must be submitted to arbitration, and that such arbitration must be conducted in the Seychelles (an island in Eastern Africa, northeast of Madagascar).
Other provisions purport to disclaim all warranties, to limit PacerD's liability, and to grant PacerD the right to install other "independent" software at any time.
Effects of Installation
If a user presses Yes once in the popup shown in the first image above, PacerD begins to install numerous advertising programs. Beyond the eight programs disclosed in PacerD's license, in my testing PacerD also installed AdDestroyer, Apropos Media, Elitebar, Shop At Home, TopConverting, and Virtual Bouncer. In addition, while the PacerD license discloses installation of "exact," I actually observed three different eXact Advertising programs installed -- BullsEye, CashBack, and NaviSearch.
All told, in my testing the single press of the "Yes" button caused the creation of 1,274 registry keys, 2,175 registry entries, 56 folders, and 711 files. PacerD also added two new web browser toolbars, and six advertisement icons on my Windows desktop.
After installation of PacerD, browsing the web became effectively impossible due to the large number of add-ons and their numerous popup ads, delays, crashes, and other interruptions.
Although installation required only a single click of a single "Yes" button, removing the many resulting programs is far harder. Some of the programs have uninstallers in Control Panel -- each of which must be separately activated and completed. Others can only be removed manually or with third-party removal tools. In my testing, even the removal tools that get the best reviews couldn't immediately clear the entire infection.
See also Webhelper4u's analysis of a similar infection from PacerD.
Users unhappy with PacerD may wonder who to blame. Some possibilities:
Last Updated: April 25, 2005