PUA.Win32.ErrorFix.AA
PUA:Win32/Dllkitster(Microsoft); Artemis!AFA2A289EDF9(McAfee)
Windows
Threat Type: Potentially Unwanted Application
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This Potentially Unwanted Application arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It may be manually installed by a user.
TECHNICAL DETAILS
1,136,576 bytes
No
04 Nov 2018
Arrival Details
This Potentially Unwanted Application arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It may be manually installed by a user.
Installation
This Potentially Unwanted Application drops the following files:
- %Program Files%\ErrorFix KIT\ErrorFixKIT.exe
- %Program Files%\ErrorFix KIT\ErrorFixKIT.exe
- %Program Files%\ErrorFix KIT\zh-CN\RC.resources.dll
- %Program Files%\ErrorFix KIT\zh-CN\RC.resources.dll
- %Program Files%\ErrorFix KIT\de\RC.resources.dll
- %Program Files%\ErrorFix KIT\de\RC.resources.dll
- %Program Files%\ErrorFix KIT\id\RC.resources.dll
- %Program Files%\ErrorFix KIT\id\RC.resources.dll
- %Program Files%\ErrorFix KIT\da\RC.resources.dll
- %Program Files%\ErrorFix KIT\da\RC.resources.dll
- %Program Files%\ErrorFix KIT\no\RC.resources.dll
- %Program Files%\ErrorFix KIT\no\RC.resources.dll
- %Program Files%\ErrorFix KIT\ru\RC.resources.dll
- %Program Files%\ErrorFix KIT\ru\RC.resources.dll
- %Program Files%\ErrorFix KIT\cs\RC.resources.dll
- %Program Files%\ErrorFix KIT\cs\RC.resources.dll
- %Program Files%\ErrorFix KIT\ar\RC.resources.dll
- %Program Files%\ErrorFix KIT\ar\RC.resources.dll
- %Program Files%\ErrorFix KIT\pl\RC.resources.dll
- %Program Files%\ErrorFix KIT\pl\RC.resources.dll
- %Program Files%\ErrorFix KIT\ja\RC.resources.dll
- %Program Files%\ErrorFix KIT\ja\RC.resources.dll
- %Program Files%\ErrorFix KIT\fr\RC.resources.dll
- %Program Files%\ErrorFix KIT\fr\RC.resources.dll
- %Program Files%\ErrorFix KIT\uk\RC.resources.dll
- %Program Files%\ErrorFix KIT\uk\RC.resources.dll
- %Program Files%\ErrorFix KIT\sv-SE\RC.resources.dll
- %Program Files%\ErrorFix KIT\sv-SE\RC.resources.dll
- %Program Files%\ErrorFix KIT\ko\RC.resources.dll
- %Program Files%\ErrorFix KIT\ko\RC.resources.dll
- %Program Files%\ErrorFix KIT\tr\RC.resources.dll
- %Program Files%\ErrorFix KIT\tr\RC.resources.dll
- %Program Files%\ErrorFix KIT\pt-BR\RC.resources.dll
- %Program Files%\ErrorFix KIT\pt-BR\RC.resources.dll
- %Program Files%\ErrorFix KIT\es-ES\RC.resources.dll
- %Program Files%\ErrorFix KIT\es-ES\RC.resources.dll
- %Program Files%\ErrorFix KIT\vi\RC.resources.dll
- %Program Files%\ErrorFix KIT\vi\RC.resources.dll
- %Program Files%\ErrorFix KIT\ms\RC.resources.dll
- %Program Files%\ErrorFix KIT\ms\RC.resources.dll
- %Program Files%\ErrorFix KIT\fi\RC.resources.dll
- %Program Files%\ErrorFix KIT\fi\RC.resources.dll
- %Program Files%\ErrorFix KIT\th\RC.resources.dll
- %Program Files%\ErrorFix KIT\th\RC.resources.dll
- %Program Files%\ErrorFix KIT\nl\RC.resources.dll
- %Program Files%\ErrorFix KIT\nl\RC.resources.dll
- %Program Files%\ErrorFix KIT\it\RC.resources.dll
- %Program Files%\ErrorFix KIT\it\RC.resources.dll
- %Program Files%\ErrorFix KIT\ro\RC.resources.dll
- %Program Files%\ErrorFix KIT\ro\RC.resources.dll
- %Program Files%\ErrorFix KIT\Newtonsoft.Json.dll
- %Program Files%\ErrorFix KIT\Newtonsoft.Json.dll
- %Program Files%\ErrorFix KIT\sciter32.dll
- %Program Files%\ErrorFix KIT\sciter32.dll
- %Common Programs%\ErrorFix KIT\ErrorFix KIT.lnk
- %Desktop%\ErrorFix KIT.lnk
(Note: %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, and XP (32-bit), Vista (32-bit), 7 (32-bit), and 8 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), 7 (64-bit), and 8 (64-bit).. %Common Programs% is the folder that contains common program groups for all users, which is usually C:\Documents and Settings\All Users\Start Menu\Programs on Windows 2000, XP, and Server 2003, or C:\ProgramData\Microsoft\Windows\Start Menu\Programs on Windows Vista, 7, and 8.. %Desktop% is the current user's desktop, which is usually C:\Documents and Settings\{User Name}\Desktop on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\Desktop on Windows Vista, 7, and 8.)
Other Details
This Potentially Unwanted Application adds the following lines or registry entries as part of its routine:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
%Program Files%\ErrorFix KIT\zh-CN\= "" - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
%Program Files%\ErrorFix KIT\de\= "" - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
%Program Files%\ErrorFix KIT\id\= "" - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
%Program Files%\ErrorFix KIT\da\= "" - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
%Program Files%\ErrorFix KIT\no\= "" - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
%Program Files%\ErrorFix KIT\ru\= "" - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
%Program Files%\ErrorFix KIT\cs\= "" - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
%Program Files%\ErrorFix KIT\ar\= "" - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
%Program Files%\ErrorFix KIT\pl\= "" - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
%Program Files%\ErrorFix KIT\ja\= "" - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
%Program Files%\ErrorFix KIT\fr\= "" - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
%Program Files%\ErrorFix KIT\uk\= "" - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
%Program Files%\ErrorFix KIT\sv-SE\= "" - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
%Program Files%\ErrorFix KIT\ko\= "" - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
%Program Files%\ErrorFix KIT\tr\= "" - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
%Program Files%\ErrorFix KIT\pt-BR\= "" - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
%Program Files%\ErrorFix KIT\es-ES\= "" - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
%Program Files%\ErrorFix KIT\vi\= "" - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
%Program Files%\ErrorFix KIT\ms\= "" - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
%Program Files%\ErrorFix KIT\fi\= "" - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
%Program Files%\ErrorFix KIT\th\= "" - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
%Program Files%\ErrorFix KIT\nl\= "" - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
%Program Files%\ErrorFix KIT\it\= "" - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
%Program Files%\ErrorFix KIT\ro\= "" - HKEY_CURRENT_USER\Software\ErrorFix KIT
installed= "1"
(Note: %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, and XP (32-bit), Vista (32-bit), 7 (32-bit), and 8 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), 7 (64-bit), and 8 (64-bit).)
It connects to the following possibly malicious URL:
- https://www.er{BLOCKED}?action=start&os=Windows%207%20Professio{BLOCKED}20NT%206.1.7601%20Service%20Pack%201)®ion_os=Japan&mac=000C29935DCF&datetime=19-04-2019%2003%3A59%3A13&installer=cleDF85.tmp
- https://events.err{BLOCKED}i/settings
- https://www.err{BLOCKED}tings/update.json
- https://update.error{BLOCKED}te?version=1.0.2.8&wl=errorkit