MoneyTree is an ActiveX control used to download premium-rate diallers, generally for porn sites.
MoneyTree/NSUpdate: installs nsupdate.dll and NSupd9x.inf in the Downloaded Program Files folder.
MoneyTree/NSLite: installs nslite.dll and nslite.inf in the Downloaded Program Files folder.
MoneyTree/UniDist: installs UniDist.ocx and UniDist.inf in the Downloaded Program Files folder.
MoneyTree/MultiDist: installs MulDist.ocx and MulDist.inf in the Downloaded Program Files folder.
MoneyTree/DyFuCA: installs dyfuca.ocx and dyfuca.inf in the Downloaded Program Files folder. This variant typically installs the InternetOptimizerparasite.
Also known as
MoneyTree/NSUpdate is known as All-In-One Telcom by Spybot Search and Destroy; the NSLite variant by Ad-Aware 6 as Proclaim Telcom. Both names come from the company names given in the file’s digital signature.
Loaded by ActiveX drive-by-download in pages operated by mtree (domains such as mtreexxx.nl), which are often redirected to by pop-up adverts, 404 pages at porn hosts and misspelled domains.
mtree also often use direct EXE file downloads to distribute the same diallers; this does not leave an ActiveX control loaded as is not detected by the script at this site.
What it does
Yes. With the control installed, any web page may download and execute arbitrary unsigned code from one of mtree’s servers.
Open the ‘Downloaded Program Files’ folder (which can be found in the Windows folder), and delete the entry for ‘NSUpdateLiteCtrl Class’ (NSUpdate variant), ‘NSLiteUpdateCtrl Class’ (NSLitevariant), ‘MoneyTree Dialer’ (UniDist variant), ‘MultiDist’ (MultiDist variant), or ‘Software Update Manager’ (DyFuCA variant).