Analyzed by: Nikko Tamana

 Platform:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)


  • Grayware type:
    Adware

  • Destructive:
    No

  • Encrypted:
     

  • In the Wild:
    Yes

  Overview


  Technical Details

File size: 1,126,400 bytes
File type: EXE
Initial samples received on: 03 September 2012

Installation

Drops the following files/components:

  • %System%\acwfs4t2.exe
  • %System%\f50i.tcp
  • %System%\wdc1n.dll

(Note: %System% is the Windows system folder. It is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP and Server 2003.)

Autostart Technique

Adds the following registry key to install itself as a Browser Helper Object (BHO):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Browser Helper Objects\{0DEADE31-9A37-48B2-921A-7825EA93D32A}

Other System Modifications

Adds the following registry keys:

HKEY_CLASSES_ROOT\Fseytdc.Ariaqudok

HKEY_CLASSES_ROOT\Fseytdc.Ariaqudok\CLSID

HKEY_CLASSES_ROOT\Fseytdc.Ariaqudok.1

HKEY_CLASSES_ROOT\Fseytdc.Ariaqudok.1\CLSID

HKEY_CLASSES_ROOT\Fseytdc.Yvakt

HKEY_CLASSES_ROOT\Fseytdc.Yvakt\CLSID

HKEY_CLASSES_ROOT\Fseytdc.Yvakt.1

HKEY_CLASSES_ROOT\Fseytdc.Yvakt.1\CLSID

HKEY_CLASSES_ROOT\CLSID\{0DEADE31-9A37-48B2-921A-7825EA93D32A}

HKEY_CLASSES_ROOT\CLSID\{0DEADE31-9A37-48B2-921A-7825EA93D32A}\
InprocServer32

HKEY_CLASSES_ROOT\CLSID\{0DEADE31-9A37-48B2-921A-7825EA93D32A}\
ProgID

HKEY_CLASSES_ROOT\CLSID\{0DEADE31-9A37-48B2-921A-7825EA93D32A}\
VersionIndependentProgID

HKEY_CLASSES_ROOT\CLSID\{BA576CDE-9949-4473-A8F7-6C17C2A7E600}

HKEY_CLASSES_ROOT\CLSID\{BA576CDE-9949-4473-A8F7-6C17C2A7E600}\
InprocServer32

HKEY_CLASSES_ROOT\CLSID\{BA576CDE-9949-4473-A8F7-6C17C2A7E600}\
ProgID

HKEY_CLASSES_ROOT\CLSID\{BA576CDE-9949-4473-A8F7-6C17C2A7E600}\
VersionIndependentProgID

HKEY_CLASSES_ROOT\Interface\{924350BE-EC92-4ACE-97D7-006721346D23}

HKEY_CLASSES_ROOT\Interface\{924350BE-EC92-4ACE-97D7-006721346D23}\
ProxyStubClsid

HKEY_CLASSES_ROOT\Interface\{924350BE-EC92-4ACE-97D7-006721346D23}\
ProxyStubClsid32

HKEY_CLASSES_ROOT\Interface\{924350BE-EC92-4ACE-97D7-006721346D23}\
TypeLib

HKEY_CLASSES_ROOT\PROTOCOLS\Filter\
text/html

HKEY_CLASSES_ROOT\TypeLib\{2383594E-4C4B-46A0-BA6A-817A8CAD2393}

HKEY_CLASSES_ROOT\TypeLib\{2383594E-4C4B-46A0-BA6A-817A8CAD2393}\
1.0

HKEY_CLASSES_ROOT\TypeLib\{2383594E-4C4B-46A0-BA6A-817A8CAD2393}\
1.0\0

HKEY_CLASSES_ROOT\TypeLib\{2383594E-4C4B-46A0-BA6A-817A8CAD2393}\
1.0\0\win32

HKEY_CLASSES_ROOT\TypeLib\{2383594E-4C4B-46A0-BA6A-817A8CAD2393}\
1.0\FLAGS

HKEY_CLASSES_ROOT\TypeLib\{2383594E-4C4B-46A0-BA6A-817A8CAD2393}\
1.0\HELPDIR

HKEY_LOCAL_MACHINE\SOFTWARE\qI9nJ

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Fseytdc.Ariaqudok

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Fseytdc.Ariaqudok\CLSID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Fseytdc.Yvakt

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Fseytdc.Yvakt\CLSID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Fseytdc.Yvakt.1

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Fseytdc.Yvakt.1\CLSID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{0DEADE31-9A37-48B2-921A-7825EA93D32A}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{0DEADE31-9A37-48B2-921A-7825EA93D32A}\InprocServer32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{0DEADE31-9A37-48B2-921A-7825EA93D32A}\ProgID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{0DEADE31-9A37-48B2-921A-7825EA93D32A}\VersionIndependentProgID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{BA576CDE-9949-4473-A8F7-6C17C2A7E600}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{BA576CDE-9949-4473-A8F7-6C17C2A7E600}\InprocServer32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{BA576CDE-9949-4473-A8F7-6C17C2A7E600}\ProgID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{BA576CDE-9949-4473-A8F7-6C17C2A7E600}\VersionIndependentProgID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{924350BE-EC92-4ACE-97D7-006721346D23}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{924350BE-EC92-4ACE-97D7-006721346D23}\ProxyStubClsid

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{924350BE-EC92-4ACE-97D7-006721346D23}\ProxyStubClsid32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{924350BE-EC92-4ACE-97D7-006721346D23}\TypeLib

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
PROTOCOLS\Filter\text/html

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
FFjTq

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
NJv7jy = ""%System%\dgfgql.exe""

Adds the following registry entries as part of its installation routine:

HKEY_CLASSES_ROOT\Fseytdc.Ariaqudok
{Default} = "Ariaqudok Class"

HKEY_CLASSES_ROOT\Fseytdc.Ariaqudok\CLSID
{Default} = "{BA576CDE-9949-4473-A8F7-6C17C2A7E600}"

HKEY_CLASSES_ROOT\Fseytdc.Ariaqudok.1
{Default} = "Ariaqudok Class"

HKEY_CLASSES_ROOT\Fseytdc.Ariaqudok.1\CLSID
{Default} = "{BA576CDE-9949-4473-A8F7-6C17C2A7E600}"

HKEY_CLASSES_ROOT\Fseytdc.Yvakt
{Default} = "Yvakt Class"

HKEY_CLASSES_ROOT\Fseytdc.Yvakt\CLSID
{Default} = "{0DEADE31-9A37-48B2-921A-7825EA93D32A}"

HKEY_CLASSES_ROOT\Fseytdc.Yvakt.1
{Default} = "Yvakt Class"

HKEY_CLASSES_ROOT\Fseytdc.Yvakt.1\CLSID
{Default} = "{0DEADE31-9A37-48B2-921A-7825EA93D32A}"

HKEY_CLASSES_ROOT\CLSID\{0DEADE31-9A37-48B2-921A-7825EA93D32A}
{Default} = "Yvakt Class"

HKEY_CLASSES_ROOT\CLSID\{0DEADE31-9A37-48B2-921A-7825EA93D32A}\
InprocServer32
{Default} = "%System%\wdc1n.dll"

HKEY_CLASSES_ROOT\CLSID\{0DEADE31-9A37-48B2-921A-7825EA93D32A}\
InprocServer32
ThreadingModel = "Apartment"

HKEY_CLASSES_ROOT\CLSID\{0DEADE31-9A37-48B2-921A-7825EA93D32A}\
ProgID
{Default} = "Fseytdc.Yvakt.1"

HKEY_CLASSES_ROOT\CLSID\{0DEADE31-9A37-48B2-921A-7825EA93D32A}\
VersionIndependentProgID
{Default} = "Fseytdc.Yvakt"

HKEY_CLASSES_ROOT\CLSID\{BA576CDE-9949-4473-A8F7-6C17C2A7E600}
{Default} = "Ariaqudok Class"

HKEY_CLASSES_ROOT\CLSID\{BA576CDE-9949-4473-A8F7-6C17C2A7E600}\
InprocServer32
{Default} = "%System%\wdc1n.dll"

HKEY_CLASSES_ROOT\CLSID\{BA576CDE-9949-4473-A8F7-6C17C2A7E600}\
InprocServer32
ThreadingModel = "both"

HKEY_CLASSES_ROOT\CLSID\{BA576CDE-9949-4473-A8F7-6C17C2A7E600}\
ProgID
{Default} = "Fseytdc.Ariaqudok.1"

HKEY_CLASSES_ROOT\CLSID\{BA576CDE-9949-4473-A8F7-6C17C2A7E600}\
VersionIndependentProgID
{Default} = "Fseytdc.Ariaqudok"

HKEY_CLASSES_ROOT\Interface\{924350BE-EC92-4ACE-97D7-006721346D23}
{Default} = "IYvakt"

HKEY_CLASSES_ROOT\Interface\{924350BE-EC92-4ACE-97D7-006721346D23}\
ProxyStubClsid
{Default} = "{00020424-0000-0000-C000-000000000046}"

HKEY_CLASSES_ROOT\Interface\{924350BE-EC92-4ACE-97D7-006721346D23}\
ProxyStubClsid32
{Default} = "{00020424-0000-0000-C000-000000000046}"

HKEY_CLASSES_ROOT\Interface\{924350BE-EC92-4ACE-97D7-006721346D23}\
TypeLib
{Default} = "{2383594E-4C4B-46A0-BA6A-817A8CAD2393}"

HKEY_CLASSES_ROOT\Interface\{924350BE-EC92-4ACE-97D7-006721346D23}\
TypeLib
Version = "1.0"

HKEY_CLASSES_ROOT\PROTOCOLS\Filter\
text/html
{Default} = ""

HKEY_CLASSES_ROOT\PROTOCOLS\Filter\
text/html
CLSID = "{BA576CDE-9949-4473-A8F7-6C17C2A7E600}"

HKEY_CLASSES_ROOT\TypeLib\{2383594E-4C4B-46A0-BA6A-817A8CAD2393}\
1.0
{Default} = "Fseytdc 1.0 Type Library"

HKEY_CLASSES_ROOT\TypeLib\{2383594E-4C4B-46A0-BA6A-817A8CAD2393}\
1.0\0\win32
{Default} = "%System%\wdc1n.dll"

HKEY_CLASSES_ROOT\TypeLib\{2383594E-4C4B-46A0-BA6A-817A8CAD2393}\
1.0\FLAGS
{Default} = "0"

HKEY_CLASSES_ROOT\TypeLib\{2383594E-4C4B-46A0-BA6A-817A8CAD2393}\
1.0\HELPDIR
{Default} = "%System%\"

HKEY_LOCAL_MACHINE\SOFTWARE\qI9nJ
BN3FLm1rP = "20051"

HKEY_LOCAL_MACHINE\SOFTWARE\qI9nJ
Vsevu3l = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Fseytdc.Ariaqudok
{Default} = "Ariaqudok Class"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Fseytdc.Ariaqudok\CLSID
{Default} = "{BA576CDE-9949-4473-A8F7-6C17C2A7E600}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Fseytdc.Ariaqudok.1
{Default} = "Ariaqudok Class"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Fseytdc.Ariaqudok.1\CLSID
{Default} = "{BA576CDE-9949-4473-A8F7-6C17C2A7E600}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Fseytdc.Yvakt
{Default} = "Yvakt Class"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Fseytdc.Yvakt\CLSID
{Default} = "{0DEADE31-9A37-48B2-921A-7825EA93D32A}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Fseytdc.Yvakt.1
{Default} = "Yvakt Class"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Fseytdc.Yvakt.1\CLSID
{Default} = "{0DEADE31-9A37-48B2-921A-7825EA93D32A}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{0DEADE31-9A37-48B2-921A-7825EA93D32A}
{Default} = "Yvakt Class"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{0DEADE31-9A37-48B2-921A-7825EA93D32A}\InprocServer32
{Default} = "%System%\wdc1n.dll"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{0DEADE31-9A37-48B2-921A-7825EA93D32A}\InprocServer32
ThreadingModel = "Apartment"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{0DEADE31-9A37-48B2-921A-7825EA93D32A}\ProgID
{Default} = "Fseytdc.Yvakt.1"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{0DEADE31-9A37-48B2-921A-7825EA93D32A}\VersionIndependentProgID
{Default} = "Fseytdc.Yvakt"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{BA576CDE-9949-4473-A8F7-6C17C2A7E600}
{Default} = "Ariaqudok Class"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{BA576CDE-9949-4473-A8F7-6C17C2A7E600}\InprocServer32
{Default} = "%System%\wdc1n.dll"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{BA576CDE-9949-4473-A8F7-6C17C2A7E600}\InprocServer32
ThreadingModel = "both"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{BA576CDE-9949-4473-A8F7-6C17C2A7E600}\ProgID
{Default} = "Fseytdc.Ariaqudok.1"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{BA576CDE-9949-4473-A8F7-6C17C2A7E600}\VersionIndependentProgID
{Default} = "Fseytdc.Ariaqudok"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{924350BE-EC92-4ACE-97D7-006721346D23}
{Default} = "IYvakt"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{924350BE-EC92-4ACE-97D7-006721346D23}\ProxyStubClsid
{Default} = "{00020424-0000-0000-C000-000000000046}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{924350BE-EC92-4ACE-97D7-006721346D23}\ProxyStubClsid32
{Default} = "{00020424-0000-0000-C000-000000000046}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{924350BE-EC92-4ACE-97D7-006721346D23}\TypeLib
{Default} = "{2383594E-4C4B-46A0-BA6A-817A8CAD2393}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{924350BE-EC92-4ACE-97D7-006721346D23}\TypeLib
Version = "1.0"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
PROTOCOLS\Filter\text/html
{Default} = ""

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
PROTOCOLS\Filter\text/html
CLSID = "{BA576CDE-9949-4473-A8F7-6C17C2A7E600}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
FFjTq
DisplayName = "Quicklinks"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
FFjTq
UninstallString = ""%System%\acwfs4t2.exe" -G8Fq"