PUA.Win32.CPInstall.A

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Diese Malware hat keine Verbreitungsroutine.

Diese Malware hat keine Backdoor-Routine.

Übertragungsdetails

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

Fügt die folgenden Ordner hinzu:

• %Common Programs%\Media Player - Codec Pack
• %System%\Codecs
• %User Temp%\MPCP_FS_files
• %User Temp%\ns{Random Characters}.tmp

(Hinweis: %System% ist der Windows Systemordner. Er lautet in der Regel C:\Windows\System unter Windows 98 und ME, C:\WINNT\System32 unter Windows NT und 2000 sowie C:\Windows\System32 unter Windows 2000(32-bit), XP, Server 2003(32-bit), Vista, 7, 8, 8.1, 2008(64-bit), 2012(64bit) and 10(64-bit).. %User Temp% ist der Ordner 'Temp' des aktuellen Benutzers, normalerweise C:\Dokumente und Einstellungen\{Benutzername}\Lokale Einstellungen\Temp unter Windows 2000(32-bit), XP und Server 2003(32-bit) und C:\Users\{Benutzername}\AppData\Local\Temp unter Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) und 10(64-bit).)

Schleust folgende Komponentendateien ein:

• %Common Programs%\Media Player - Codec Pack\Codec Settings (Run as administrator).lnk
• %Common Programs%\Media Player - Codec Pack\Codec Settings.lnk
• %Common Programs%\Media Player - Codec Pack\Media Player Classic.lnk
• %Common Programs%\Media Player - Codec Pack\Package Homepage.url
• %Common Programs%\Media Player - Codec Pack\Uninstall.lnk
• %Common Startup%\CodecPackTrayMenu.lnk
• %System%\Codecs\AC3Lib.dll.new → renamed to AC3Lib.dll
• %System%\Codecs\AppDialog.exe.new → renamed to AppDialog.exe
• %System%\Codecs\AudioProfiler.exe.new → renamed to AudioProfiler.exe
• %System%\Codecs\CleanUp.exe.new → renamed to CleanUp.exe
• %System%\Codecs\CleanUp_x64.exe.new → renamed to CleanUp_x64.exe
• %System%\Codecs\CodecSettings.exe.new → renamed to CodecSettings.exe
• %System%\Codecs\CodecSettingsADMIN.exe.new → renamed to CodecSettingsADMIN.exe
• %System%\Codecs\CodecUACManager.exe.new → renamed to CodecUACManager.exe
• %System%\Codecs\Compressor.dll.new → renamed to Compressor.dll
• %System%\Codecs\Config.exe.new → renamed to Config.exe
• %System%\Codecs\D3DCompiler_47.dll
• %System%\Codecs\D3DX9_43.dll
• %System%\Codecs\DisableUpdateChecker.exe.new → renamed to DisableUpdateChecker.exe
• %System%\Codecs\LAVFilters\IntelQuickSyncDecoder.dll.new → renamed to IntelQuickSyncDecoder.dll
• %System%\Codecs\LAVFilters\LAVAudio.ax.new → renamed to LAVAudio.ax
• %System%\Codecs\LAVFilters\LAVFilters.Dependencies.manifest.new → renamed to LAVFilters.Dependencies.manifest
• %System%\Codecs\LAVFilters\LAVSplitter.ax.new → renamed to LAVSplitter.ax
• %System%\Codecs\LAVFilters\LAVVideo.ax.new → renamed to LAVVideo.ax
• %System%\Codecs\LAVFilters\avcodec-lav-58.dll.new → renamed to avcodec-lav-58.dll
• %System%\Codecs\LAVFilters\avfilter-lav-7.dll.new → renamed to avfilter-lav-7.dll
• %System%\Codecs\LAVFilters\avformat-lav-58.dll.new → renamed to avformat-lav-58.dll
• %System%\Codecs\LAVFilters\avresample-lav-4.dll.new → renamed to avresample-lav-4.dll
• %System%\Codecs\LAVFilters\avutil-lav-56.dll.new → renamed to avutil-lav-56.dll
• %System%\Codecs\LAVFilters\libbluray.dll.new → renamed to libbluray.dll
• %System%\Codecs\LAVFilters\swscale-lav-5.dll.new → renamed to swscale-lav-5.dll
• %System%\Codecs\Lang\mpcresources.ar.dll
• %System%\Codecs\Lang\mpcresources.be.dll
• %System%\Codecs\Lang\mpcresources.bn.dll
• %System%\Codecs\Lang\mpcresources.bs_BA.dll
• %System%\Codecs\Lang\mpcresources.ca.dll
• %System%\Codecs\Lang\mpcresources.cs.dll
• %System%\Codecs\Lang\mpcresources.da.dll
• %System%\Codecs\Lang\mpcresources.de.dll
• %System%\Codecs\Lang\mpcresources.el.dll
• %System%\Codecs\Lang\mpcresources.en_GB.dll
• %System%\Codecs\Lang\mpcresources.es.dll
• %System%\Codecs\Lang\mpcresources.eu.dll
• %System%\Codecs\Lang\mpcresources.fi.dll
• %System%\Codecs\Lang\mpcresources.fr.dll
• %System%\Codecs\Lang\mpcresources.gl.dll
• %System%\Codecs\Lang\mpcresources.he.dll
• %System%\Codecs\Lang\mpcresources.hr.dll
• %System%\Codecs\Lang\mpcresources.hu.dll
• %System%\Codecs\Lang\mpcresources.hy.dll
• %System%\Codecs\Lang\mpcresources.id.dll
• %System%\Codecs\Lang\mpcresources.it.dll
• %System%\Codecs\Lang\mpcresources.ja.dll
• %System%\Codecs\Lang\mpcresources.ko.dll
• %System%\Codecs\Lang\mpcresources.lt.dll
• %System%\Codecs\Lang\mpcresources.ms_MY.dll
• %System%\Codecs\Lang\mpcresources.nl.dll
• %System%\Codecs\Lang\mpcresources.pa.dll
• %System%\Codecs\Lang\mpcresources.pl.dll
• %System%\Codecs\Lang\mpcresources.pt_BR.dll
• %System%\Codecs\Lang\mpcresources.pt_PT.dll
• %System%\Codecs\Lang\mpcresources.ro.dll
• %System%\Codecs\Lang\mpcresources.ru.dll
• %System%\Codecs\Lang\mpcresources.sk.dll
• %System%\Codecs\Lang\mpcresources.sl.dll
• %System%\Codecs\Lang\mpcresources.sr.dll
• %System%\Codecs\Lang\mpcresources.sv.dll
• %System%\Codecs\Lang\mpcresources.th_TH.dll
• %System%\Codecs\Lang\mpcresources.tr.dll
• %System%\Codecs\Lang\mpcresources.tt.dll
• %System%\Codecs\Lang\mpcresources.uk.dll
• %System%\Codecs\Lang\mpcresources.vi.dll
• %System%\Codecs\Lang\mpcresources.zh_CN.dll
• %System%\Codecs\Lang\mpcresources.zh_TW.dll
• %System%\Codecs\MPCP.ico
• %System%\Codecs\NotifyDisplayChange.exe.new → renamed to NotifyDisplayChange.exe
• %System%\Codecs\ReClock.dll.new → renamed to ReClock.dll
• %System%\Codecs\ReClockDS.dll.new → renamed to ReClockDS.dll
• %System%\Codecs\ReClockHelper.dll.new → renamed to ReClockHelper.dll
• %System%\Codecs\Resampler.dll.new → renamed to Resampler.dll
• %System%\Codecs\RunEvent.SetDisplayFrequency.sample.vbs.new → renamed to RunEvent.SetDisplayFrequency.sample.vbs
• %System%\Codecs\RunEvent.sample.vbs.new → renamed to RunEvent.sample.vbs
• %System%\Codecs\SetACL.exe
• %System%\Codecs\Shaders\"0-255 to 16-235.hlsl"
• %System%\Codecs\Shaders\"16-235 to 0-255 [SD].hlsl"
• %System%\Codecs\Shaders\"16-235 to 0-255.hlsl"
• %System%\Codecs\Shaders\"Adaptive sharpen.hlsl"
• %System%\Codecs\Shaders\"BT.601 to BT.709 [HD].hlsl"
• %System%\Codecs\Shaders\"Deinterlace (blend).hlsl"
• %System%\Codecs\Shaders\"Edge sharpen.hlsl"
• %System%\Codecs\Shaders\"LCD angle correction.hlsl"
• %System%\Codecs\Shaders\"Sharpen complex 2.hlsl"
• %System%\Codecs\Shaders\"Sharpen complex.hlsl"
• %System%\Codecs\Shaders\"YV12 chroma upsampling.hlsl"
• %System%\Codecs\Shaders\Denoise.hlsl
• %System%\Codecs\Shaders\Grayscale.hlsl
• %System%\Codecs\Shaders\Invert.hlsl
• %System%\Codecs\Shaders\Letterbox.hlsl
• %System%\Codecs\Shaders\LumaSharpen.hlsl
• %System%\Codecs\Shaders\Nightvision.hlsl
• %System%\Codecs\Shaders\Procamp.hlsl
• %System%\Codecs\Shaders\Sepia.hlsl
• %System%\Codecs\Shaders\Sharpen.hlsl
• %System%\Codecs\Shaders\Threshold.hlsl
• %System%\Codecs\Timestretch.dll.new → renamed to Timestretch.dll
• %System%\Codecs\TrayMenu.exe.new → renamed to TrayMenu.exe
• %System%\Codecs\Uninst.exe
• %System%\Codecs\Uninst.exe.new → renamed to Uninst.exe
• %System%\Codecs\UpdateChecker.exe.new → renamed to UpdateChecker.exe
• %System%\Codecs\mpc-hc.exe
• %System%\Codecs\mpciconlib.dll
• %System%\DCBassSourceMod.ax.new → renamed to DCBassSourceMod.ax
• %System%\DSDOUT_VIDEO.bmp.new → renamed to DSDOUT_VIDEO.bmp
• %System%\DSDProcessUnit.dll.new → renamed to DSDProcessUnit.dll
• %System%\DSDSourceFilter.ax.new → renamed to DSDSourceFilter.ax
• %System%\DSDToPCMFilter.ax.new → renamed to DSDToPCMFilter.ax
• %System%\DSDVideoOutFilter.ax.new → renamed to DSDVideoOutFilter.ax
• %System%\DiscHandler.exe.new → renamed to DiscHandler.exe
• %System%\DivXa32.acm.new → renamed to DivXa32.acm
• %System%\FLWindowsVistaAPI.dll.new → renamed to FLWindowsVistaAPI.dll
• %System%\Formats.ini.new → renamed to Formats.ini
• %System%\IcarosCache.dll
• %System%\IcarosCache.dll.new → renamed to IcarosCache.dll
• %System%\IcarosConfig.exe.new → renamed to IcarosConfig.exe
• %System%\IcarosPropertyHandler.dll
• %System%\IcarosPropertyHandler.dll.new → renamed to IcarosPropertyHandler.dll
• %System%\IcarosThumbnailProvider.dll
• %System%\IcarosThumbnailProvider.dll.new → renamed to IcarosThumbnailProvider.dll
• %System%\IcarosUICore.dll.new → renamed to IcarosUICore.dll
• %System%\IntelQuickSyncDecoder.dll.new → renamed to IntelQuickSyncDecoder.dll
• %System%\LAVAudio.ax.new → renamed to LAVAudio.ax
• %System%\LAVFilters.Dependencies.manifest.new → renamed to LAVFilters.Dependencies.manifest.dll
• %System%\LAVSplitter.ax.new → renamed to LAVSplitter.ax
• %System%\LAVVideo.ax.new → renamed to LAVVideo.ax
• %System%\Lagarith.dll.new → renamed to Lagarith.dll
• %System%\OptimFROG.dll.new → renamed to OptimFROG.dll
• %System%\PCMOUT_VIDEO_1644.bmp.new → renamed to PCMOUT_VIDEO_1644.bmp
• %System%\PCMOUT_VIDEO_2496.bmp.new → renamed to PCMOUT_VIDEO_2496.bmp
• %System%\TomsMoComp_ff.dll.new → renamed to TomsMoComp_ff.dll
• %System%\VSFilter.dll.new → renamed to VSFilter.dll
• %System%\VzCs.dll.new → renamed to VzCs.dll
• %System%\VzCsDsAudioDevice.vzcs.classinfo.new → VzCsDsAudioDevice.vzcs.classinfo
• %System%\VzCsDsAudioDevice.vzcs.new → renamed to VzCsDsAudioDevice.vzcs
• %System%\avcodec-ics-58.dll
• %System%\avcodec-ics-58.dll.new → renamed to avcodec-ics-58.dll
• %System%\avcodec-lav-58.dll.new → renamed to avcodec-lav-58.dll
• %System%\avfilter-lav-7.dll.new → renamed to avfilter-lav-7.dll
• %System%\avformat-ics-58.dll
• %System%\avformat-ics-58.dll.new → renamed to avformat-ics-58.dll
• %System%\avformat-lav-58.dll.new → renamed to avformat-lav-58.dll
• %System%\avi.dll.new → renamed to avi.dll
• %System%\avi.x64.dll.new → renamed to avi.x64.dll
• %System%\avresample-lav-4.dll.new → renamed to avresample-lav-4.dll
• %System%\avs.dll.new → renamed to avs.dll
• %System%\avss.dll.new → renamed to avss.dll
• %System%\avutil-ics-56.dll
• %System%\avutil-ics-56.dll.new → renamed to avutil-ics-56.dll
• %System%\avutil-lav-56.dll.new → renamed to avutil-lav-56.dll
• %System%\bass.dll.new → renamed to bass.dll
• %System%\bass_aac.dll.new → renamed to bass_aac.dll
• %System%\bass_alac.dll.new → renamed to bass_alac.dll
• %System%\bass_ape.dll.new → renamed to bass_ape.dll
• %System%\bass_mpc.dll.new → renamed to bass_mpc.dll
• %System%\bass_ofr.dll.new → renamed to bass_ofr.dll
• %System%\bass_tak.dll.new → renamed to bass_tak.dll
• %System%\bass_tta.dll.new → renamed to bass_tta.dll
• %System%\basscd.dll.new → renamed to basscd.dll
• %System%\bassflac.dll.new → renamed to bassflac.dll
• %System%\bassopus.dll.new → renamed to bassopus.dll
• %System%\basswv.dll.new → renamed to basswv.dll
• %System%\cdxareader.ax.new → renamed to cdxareader.ax
• %System%\cue2xml.js.new → renamed to cue2xml.js
• %System%\dsmux.exe.new → renamed to dsmux.exe
• %System%\dsmux.x64.exe.new → renamed to dsmux.x64.exe
• %System%\dxr.dll.new → renamed to dxr.dll
• %System%\dxr.x64.dll.new → renamed to dxr.x64.dll
• %System%\ff_kernelDeint.dll.new → renamed to ff_kernelDeint.dll
• %System%\ff_liba52.dll.new → renamed to ff_liba52.dll
• %System%\ff_libdts.dll.new → renamed to ff_libdts.dll
• %System%\ff_libfaad2.dll.new → renamed to ff_libfaad2.dll
• %System%\ff_libmad.dll.new → renamed to ff_libmad.dll
• %System%\ff_samplerate.dll.new → renamed to ff_samplerate.dll
• %System%\ff_unrar.dll.new → renamed to ff_unrar.dll
• %System%\ff_wmv9.dll.new → renamed to ff_wmv9.dll
• %System%\ffdshow.ax.new → renamed to ffdshow.ax
• %System%\ffmpeg.dll.new → renamed to ffmpeg.dll
• %System%\gdsmux.exe.new → renamed to gdsmux.exe
• %System%\gdsmux.x64.exe.new → renamed to gdsmux.x64.exe
• %System%\libFLAC.dll.new → renamed to libFLAC.dll
• %System%\libbluray.dll.new → renamed to libbluray.dll
• %System%\libmmd.dll.new → renamed to libmmd.dll
• %System%\libmpeg2_ff.dll.new → renamed to libmpeg2_ff.dll
• %System%\madFlac.ax.new → renamed to madFlac.ax
• %System%\mkunicode.dll.new → renamed to mkunicode.dll
• %System%\mkunicode.x64.dll.new → renamed to mkunicode.x64.dll
• %System%\mkv2vfr.exe.new → renamed to mkv2vfr.exe
• %System%\mkv2vfr.x64.exe.new → renamed to mkv2vfr.x64.exe
• %System%\mkx.dll.new → renamed to mkx.dll
• %System%\mkx.x64.dll.new → renamed to mkx.x64.dll
• %System%\mkzlib.dll.new → renamed to mkzlib.dll
• %System%\mkzlib.x64.dll.new → renamed to mkzlib.x64.dll
• %System%\mp4.dll.new → renamed to mp4.dll
• %System%\mp4.x64.dll.new → renamed to mp4.x64.dll
• %System%\msvcp71.dll
• %System%\msvcp80.dll
• %System%\msvcr71.dll
• %System%\msvcr80.dll
• %System%\ogm.dll.new → renamed to ogm.dll
• %System%\ogm.x64.dll.new → renamed to ogm.x64.dll
• %System%\splitter.ax.new → renamed to splitter.ax
• %System%\splitter.x64.ax.new → renamed to splitter.x64.ax
• %System%\swscale-ics-5.dll
• %System%\swscale-ics-5.dll.new → renamed to swscale-ics-5.dll
• %System%\swscale-lav-5.dll.new → renamed to swscale-lav-5.dll
• %System%\tak_deco_lib.dll.new → renamed to tak_deco_lib.dll
• %System%\ts.dll.new → renamed to ts.dll
• %System%\ts.x64.dll.new → renamed to ts.x64.dll
• %System%\x264vfw.dll.new → renamed to x264vfw.dll
• %System%\xvidcore.dll.new → renamed to xvidcore.dll
• %System%\xvidvfw.dll.new → renamed to xvidvfw.dll
• %User Temp%\ns{random}.tmp
• %User Temp%\ns{random}.tmp\UserInfo.dll
• %User Temp%\ns{random}.tmp\System.dll
• %User Temp%\ns{random}.tmp\easy.ini
• %User Temp%\ns{random}.tmp\video.ini
• %User Temp%\ns{random}.tmp\video_hardware.ini
• %User Temp%\ns{random}.tmp\audio.ini
• %User Temp%\ns{random}.tmp\InstallOptions.dll
• %System Root%\unstart.ini → added after uninstallation process

(Hinweis: %Common Startup% ist der gemeinsame Autostart-Ordner des Systems, normalerweise C:\Windows\Startmenü\Programme\Autostart unter Windows 98 und ME, C:\WINNT\Profile\All Users\Programme\Autostart unter Windows NT und C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart unter Windows 2000, XP und Server 2003.. %System% ist der Windows Systemordner. Er lautet in der Regel C:\Windows\System unter Windows 98 und ME, C:\WINNT\System32 unter Windows NT und 2000 sowie C:\Windows\System32 unter Windows 2000(32-bit), XP, Server 2003(32-bit), Vista, 7, 8, 8.1, 2008(64-bit), 2012(64bit) and 10(64-bit).. %User Temp% ist der Ordner 'Temp' des aktuellen Benutzers, normalerweise C:\Dokumente und Einstellungen\{Benutzername}\Lokale Einstellungen\Temp unter Windows 2000(32-bit), XP und Server 2003(32-bit) und C:\Users\{Benutzername}\AppData\Local\Temp unter Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) und 10(64-bit).. %System Root% ist der Stammordner, normalerweise C:\. Dort befindet sich auch das Betriebssystem.)

Fügt die folgenden Prozesse hinzu:

• %System%\Codecs\TrayMenu.exe

(Hinweis: %System% ist der Windows Systemordner. Er lautet in der Regel C:\Windows\System unter Windows 98 und ME, C:\WINNT\System32 unter Windows NT und 2000 sowie C:\Windows\System32 unter Windows 2000(32-bit), XP, Server 2003(32-bit), Vista, 7, 8, 8.1, 2008(64-bit), 2012(64bit) and 10(64-bit).)

Autostart-Technik

Erstellt folgende Registrierungseinträge, um die eingeschleuste Komponente bei jedem Systemstart automatisch auszuführen:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Codec Pack Update Checker = %System%\Codecs\UpdateChecker.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
Codec Settings UAC Manager = %System%\Codecs\CodecUACManager.exe

Andere Systemänderungen

Fügt die folgenden Registrierungseinträge hinzu:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows Media Foundation\ByteStreamHandlers\.m4a
{271C3902-6095-4c45-A22F-20091816EE9E}_disabled = MPEG4 Byte Stream Handler

{HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER}\Software\Microsoft\
DirectShow\Preferred
{31435641-0000-0010-8000-00AA00389B71} = {SID}

{HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER}\Software\Microsoft\
DirectShow\Preferred
{31435657-0000-0010-8000-00AA00389B71} = {SID}

{HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER}\Software\Microsoft\
DirectShow\Preferred
{31637661-0000-0010-8000-00AA00389B71} = {SID}

{HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER}\Software\Microsoft\
DirectShow\Preferred
{34363248-0000-0010-8000-00AA00389B71} = {SID}

{HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER}\Software\Microsoft\
DirectShow\Preferred
{34363268-0000-0010-8000-00AA00389B71} = {SID}

{HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER}\Software\Microsoft\
DirectShow\Preferred
{44495658-0000-0010-8000-00AA00389B71} = {SID}

{HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER}\Software\Microsoft\
DirectShow\Preferred
{5634504D-0000-0010-8000-00AA00389B71} = {SID}

{HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER}\Software\Microsoft\
DirectShow\Preferred
{58564944-0000-0010-8000-00AA00389B71} = {SID}

{HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER}\Software\Microsoft\
DirectShow\Preferred
{64697678-0000-0010-8000-00AA00389B71} = {SID}

{HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER}\Software\Microsoft\
DirectShow\Preferred
{7634706D-0000-0010-8000-00AA00389B71} = {SID}

{HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER}\Software\Microsoft\
DirectShow\Preferred
{78766964-0000-0010-8000-00AA00389B71} = {SID}

HKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Control\
MediaResources\acm\msacm.divxa32
Description = "DivX Audio Codec"

HKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Control\
MediaResources\acm\msacm.divxa32
Driver = DivXa32.acm

HKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Control\
MediaResources\acm\msacm.divxa32
FriendlyName = "DivX Audio Codec"

HKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Control\
MediaResources\icm\vidc.lags
Description = "Lagarith lossless codec [LAGS]"

HKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Control\
MediaResources\icm\vidc.lags
Driver = lagarith.dll

HKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Control\
MediaResources\icm\vidc.lags
FriendlyName = "Lagarith lossless codec [LAGS]"

HKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Control\
MediaResources\icm\vidc.x264
Description = "x264 Video Codec"

HKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Control\
MediaResources\icm\vidc.x264
Driver = x264vfw.dll

HKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Control\
MediaResources\icm\vidc.x264
FriendlyName = "x264 Video Codec"

HKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Control\
MediaResources\icm\vidc.xvid
Description = "XviD 1.3.7 Video Codec"

HKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Control\
MediaResources\icm\vidc.xvid
Driver = xvidvfw.dll

HKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Control\
MediaResources\icm\vidc.xvid
FriendlyName = "XviD 1.3.7 Video Codec"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
ogmfile\shellex\PropertySheetHandlers\
HaaliMediaSplitter

Verbreitung

Diese Malware hat keine Verbreitungsroutine.

Backdoor-Routine

Diese Malware hat keine Backdoor-Routine.

Andere Details

Fügt die folgenden Registrierungseinträge hinzu, um der Systemsteuerung eine Deinstallationsoption hinzuzufügen:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
Media Player - Codec Pack
DisplayIcon = %System%\Codecs\.\MPCP.ico,0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
Media Player - Codec Pack
DisplayName = Media Player Codec Pack 4.5.7

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
Media Player - Codec Pack
DisplayVersion = 4.5.7

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
Media Player - Codec Pack
UninstallString = %System%\Codecs\Uninst.exe

Fügt die folgenden Registrierungsschlüssel hinzu:

{HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER}\Software\Gabest (Contains configuration for Gabest VSFilter used for processing subtitles)

{HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER}\Software\GNU\
{ffdshow and ffdshow64} (Contains configuration for ffdshow used for encoding and decoding different video formats)

{HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER}\Software\GNU\
{ffdshow_audio and ffdshow64_audio} (Contains configuration for ffdshow used for encoding and decoding audio formats)

{HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER}\Software\GNU\
{ffdshow_dxva and ffdshow64_dxva} (Contains configuration for ffdshow_dxva used for encoding and decoding DXVA video formats)

{HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER}\Software\LAV (Contains configuration for LAV used for encoding and decoding different media formats)

{HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER}\Software\Microsoft\
MediaPlayer (Contains configuration for Windows Media Player)

{HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER}\Software\Microsoft\
Multimedia\WMPlayer (Contains configuration for Windows Media Player)

{HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER}\Software\3dtv.at\
Stereoscopic Player (Contains configuration for Stereoscopic Player)

{HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER}\Software\NVIDIA Corporation\
NVIDIA 3D Vision Video Player (Contains configuration for NVIDIA 3D Vision Video Player)

{HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER}\Software\MPC-HC\
MPC-HC (Contains configuration for MPC-HC Player)

{HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER}\Software\Sony Corporation\
DSD Playback DirectShow Filters (Contains configuration for DSD Playback DirectShow Filters)

{HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER}\Software\Sony Corporation\
DSD to PCM Playback DirectShow Filters (Contains configuration for DSD to PCM Playback DirectShow Filters)

{HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER}\Software\Icaros (Contains configuration for Icaros video thumbnail software)

{HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER}\Software\Microsoft\
Windows\CurrentVersion\Uninstall\
Media Player - Codec Pack (Contains uninstall information for the installed application)

{HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER}\Software\Media Player - Codec Pack (Contains information for the installed application)

HKEY_LOCAL_MACHINE\SOFTWARE\Software\
CLASSES\MatroskaVideo (Contains configuration for Matroska video formats)

HKEY_LOCAL_MACHINE\SOFTWARE\{Haali and HaaliMkx} (Contains configuration for Haali and HaaliMkx Media Splitter)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
{Windows or Windows NT}\CurrentVersion\{drivers.desc and drivers32} (Contains configuration for Windows multimedia drivers)

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Media Type\{e436eb83-524f-11ce-9f53-0020af0ba770}\{49952F4C-3EDC-4A9B-8906-1DE02A3D4BC2} (Contains additional configuration for Haali Media splitter)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
AutoplayHandlers\Handlers\MSPlayBluRayOnArrival (Contains configuration for autoplay handlers)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
AutoplayHandlers\Handlers\MSPlayDVDMovieOnArrival (Contains configuration for autoplay handlers)

HKEY_CURRENT_USER\Software\ReClock (Contains configuration for the Reclock component of the installed application)

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
ogmfile\shellex\PropertySheetHandlers\
HaaliMediaSplitter (for Haali Media Splitter Usage)

{HKEY_LOCAL_MACHINE\SOFTWARE\Classes or HKEY_CLASSES_ROOT}\
{.mka, .mkv and ogmfile} (for MatroskaVideo Usage)

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\
{B98D13E7-55DB-4385-A33D-09FD1BA26338} (for LAV Splitter Source Usage)

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{B98D13E7-55DB-4385-A33D-09FD1BA26338} (for LAV Splitter Source Usage)

HKEY_CLASSES_ROOT\CLSID\{B98D13E7-55DB-4385-A33D-09FD1BA26338} (for LAV Splitter Source Usage)

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
HKEY_CURRENT_USER (added if Uninstallation option is used)

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
HKEY_CURRENT_USER\SOFTWARE (added if Uninstallation option is used)

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
HKEY_CURRENT_USER\SOFTWARE\DSP-worx (added if Uninstallation option is used)

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
HKEY_CURRENT_USER\SOFTWARE\DSP-worx\
DC-Bass Source Mod (added if Uninstallation option is used)

Es macht Folgendes:

• It may opt to shutdown the system after installation.
• It connects to the following URL to send information and receive ad configuration:
  • https://d2cp8mgeqj97lj.{BLOCKED}ront.net/sec
  • https://d2cp8mgeqj97lj.{BLOCKED}ront.net/assets/schema/1.0/schema.xsd
• It connects to the following URL to download and load resources in memory
  • https://d3j6hg32mwjrha.{BLOCKED}ront.net/ver/il/v9.24.527.231.6
• It connects to the following URL to send installation analytics:
  • https://d2cp8mgeqj97lj.{BLOCKED}ront.net/report
• It may display different ads depending on the received configuration from its list of connected URLs.
• It sends the following information to its list of connected URLs:
  • Install status
  • Operating system version
  • Locale
  • Memory size
  • Flag if executed on x64 architecture
  • Execution mode
  • Generated ID and session ID
• It contains pre-checked checkboxes that toggle which components to install.