msbb.exe ?

nara

Spyware Doctor tells me I have a malignant process running
[msbb.exe (nCase)] which it seems unable to stop, but msbb.exe is a protected file in the Windoze folder and can't be removed. Any ideas??????????

:confused: :confused: :confused:
 
Description
nCase (also spelled nCASE or n-CASE, randomly) is adware from 180Solutions. It consists of a process, msbb.exe, that runs constantly with Windows and shows advertising.

nCase is aware of the FlashTrack parasite and will disable it if it is running, to stop it showing competing adverts. Some versions also seem to connect to the Gator web servers occasionally, for unknown reasons.

Variants
nCase/msbb is the core executable.

nCase/Inst is an ActiveX drive-by installer control that loads nCase/msbb. This has been seen since around March 2003.

nCase/Alert is a randomly-named executable run at start up that checks for nCase being removed. It then offers to reinstall the main program, or remove itself (this option does work, rather better than the 'official' uninstall in fact).

Distribution
Bundled with a large range of applications, particularly file-sharing programs. nCase are known to send e-mail to software authors asking them to include the nCase bundle.

Also installed by ActiveX drive-by downloads in adverts inserted on some free web hosting services, and bundled with programs installed by ActiveX drive-by download in adverts (e.g. an 'Error Patch' application that does nothing other than load n-Case).

Also installed by the FavoriteMan and BookedSpace parasites.

What it does
Advertising
Yes. Looks for known URLs and keywords in URLs, and opens pop-up advertisements targeted at such sites. Also opens non-targeted pop-up adverts at arbitrary times during IE usage. Can add shortcut icons to the Start menu and Desktop if directed to by its controlling servers.

Privacy violation
Yes. The URL or keyword is passed with a unique identifier to nCase's controlling server bis.180solutions.com when a targeted advert is shown, allowing web usage to be tracked across sites.

Newer versions of the software also seem to try to read an e-mail address, real name and ZIP code to associate with the unique identifier, from applications' data in the registry:

Outlook Express mail accounts
Outlook user info
AOL Instant Messenger accounts
Windows location
RealPlayer location
Windows Fax headers
eFax.com headers
Acrobat user info
Netscape user info
MS Comic Chat registration
GameSpy registration
NetFerret registration

Security issues
Yes. nCase can download and execute arbitrary unsigned code from its controlling servers, as an update feature.

Stability problems
May cause an error message such as "msbb.exe file is linked to the missing export wininet.dll" on older systems without a WinInet library. Can also cause IE to be a bit slow to start up, and some versions are reported to generate page fault errors.

Removal
There is an uninstall feature for nCase, but it is a bit of a bad joke. You have to go to Add/Remove Programs in the Control Panel, choose 'Insterstitial ad delivery by n-Case', click 'Remove', confirm you are connected to the internet and download the uninstaller EXE. (This only works if Active Scripting in Internet Explorer is set to 'Enable', not 'Disable' or 'Prompt'.)

Run the uninstaller (which will again ask for internet access) and then do the whole lot over again for the entry 'PAD lookups by n-Case'. And it still sometimes doesn't work, for unknown reasons.

To add injury to insult, this method does not remove the installer control, so if you had the nCase/Inst variant, any web page will be able to re-install nCase without any prompting.

You may find it easier to remove by hand.

Manual removal
Open the registry (click 'Start', choose 'Run' and enter 'regedit'), find the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, right-click the entry 'msbb' inside it, and click 'Delete'.

To delete nCase/Alert, also check for a randomly-named entry three or more letters long, pointing to a .EXE of the same name in the Windows folder. Delete this entry and the file it points to. Alternatively, wait for the next restart and it should prompt you to reinstall or remove itself.

Restart the computer and you should be able to delete the 'nCase' folder inside Program Files. In older versions without an 'nCase' folder, look in the System folder (inside the Windows folder; called 'System32' under Windows NT, 2000 and XP, or just 'System' on Windows 95, 98 and Me), and delete msbb.exe.

To clean up, you can also delete the registry keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\nCASE, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\msbb and HKEY_CURRENT_USER\Software\180solutions.

To delete nCase/Inst, if you have the nCase/Inst variant, open the Downloaded Program Files folder inside the Windows folder, right-click the 'nCaseInstaller Class' entry and choose 'Remove'.
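
The manual checks in the post above, collected into a read-only PowerShell audit; this is an added example, not part of the original post, and it assumes a Windows host with PowerShell available. The nCase/Alert match is a heuristic built from the post's description, so a hit needs review, and the 'nCaseInstaller Class' control is not checked because the post gives only its display name.

```powershell
# Added example: read-only check for the nCase artifacts listed in the post above.
# It deletes nothing; removal stays a manual step as the post describes.
$winDir   = $env:windir.TrimEnd('\')
$findings = New-Object System.Collections.Generic.List[string]

# Registry keys named in the clean-up step.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\nCASE',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\msbb',
    'HKCU:\Software\180solutions'
)
foreach ($k in $keys) {
    if (Test-Path -LiteralPath $k) { $findings.Add("Registry key present: $k") }
}

# Run entries: the 'msbb' value, and the nCase/Alert pattern (a name of three or
# more letters whose command is an .EXE of the same name in the Windows folder).
$runPath = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-Item -LiteralPath $runPath -ErrorAction SilentlyContinue
if ($run) {
    foreach ($name in $run.GetValueNames()) {
        $cmd = [string]$run.GetValue($name)
        if ($name -ieq 'msbb') { $findings.Add("Run entry 'msbb' -> $cmd"); continue }
        if ($name -notmatch '^[a-z]{3,}$') { continue }
        if ($cmd -notmatch '^\s*"?([^"]+?\.exe)') { continue }
        $exe = $Matches[1]
        $sameName = [IO.Path]::GetFileNameWithoutExtension($exe) -ieq $name
        $inWinDir = [IO.Path]::GetDirectoryName($exe) -ieq $winDir
        if ($sameName -and $inWinDir) {
            $findings.Add("Possible nCase/Alert Run entry '$name' -> $cmd (review before deleting)")
        }
    }
}

# Files and folders named in the post.
$paths = @(
    (Join-Path $env:ProgramFiles 'nCase'),
    (Join-Path $winDir 'System32\msbb.exe'),
    (Join-Path $winDir 'System\msbb.exe')
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings.Add("File or folder present: $p") }
}

if ($findings.Count -eq 0) { 'No nCase artifacts from the list were found.' }
else { $findings }
```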
 
Process File: msbb or msbb.exe
Process Name: MSBB Web3000 Spyware Application
Description: MSBB Web3000 spyware application that is included with some adware products and is started from the registry when Windows is loaded.
Company: 180Solutions.com
System Process: No


AdAware does the job removing it
Security Risk ( Virus/Trojan/Worm/Adware/Spyware ): Yes
Common Errors: N/A
 