ADW_ARTUA

Publish Date: 07 septembre 2013

Analysé par: Nikko Tamana

W32/InstalleRex.J (Fortinet)

Plate-forme:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

Overall Risk:

reportedInfection:

System Impact Rating: :

Information Exposure Rating::

Faible

Medium

Élevé

Critique

Type de grayware:
Adware
Destructif:
Non
Chiffrement:
In the wild::
Oui

Overview

Détails techniques

File size: 291,616 bytes

File type: EXE

Date de réception des premiers échantillons: 14 mai 2013

Installation

Schleust folgende Dateien/Komponenten ein:

%All Users Profile%\Application Data\BetterSoft\OptimizerPro\1173230912.ini
%All Users Profile%\Application Data\BetterSoft\OptimizerPro\OptimizerPro.exe
%All Users Profile%\Application Data\coontinueetosavee\519b2fac988c8.dll
%All Users Profile%\Application Data\coontinueetosavee\519b2fac988c8.tlb
%All Users Profile%\Application Data\coontinueetosavee\data\coontinueetosavee.dat
%All Users Profile%\Application Data\coontinueetosavee\settings.ini
%All Users Profile%\Application Data\coontinueetosavee\uninstall.exe
%All Users Profile%\Application Data\InstallMate\OptimizerPro\Custom.dll
%All Users Profile%\Application Data\InstallMate\OptimizerPro\Readme.txt
%All Users Profile%\Application Data\InstallMate\OptimizerPro\Setup.dat
%All Users Profile%\Application Data\InstallMate\OptimizerPro\Setup.exe
%All Users Profile%\Application Data\InstallMate\OptimizerPro\Setup.ico
%All Users Profile%\Application Data\InstallMate\OptimizerPro\TsuDll.dll
%All Users Profile%\Application Data\InstallMate\OptimizerPro\_Setup.dll
%All Users Profile%\Application Data\InstallMate\{GUID}\{Month and Day}25153853.log
%All Users Profile%\Application Data\InstallMate\{GUID}\Custom.dll
%All Users Profile%\Application Data\InstallMate\{GUID}\Readme.txt
%All Users Profile%\Application Data\InstallMate\{GUID}\Setup.dat
%All Users Profile%\Application Data\InstallMate\{GUID}\Setup.exe
%All Users Profile%\Application Data\InstallMate\{GUID}\Setup.ico
%All Users Profile%\Application Data\InstallMate\{GUID}\TsuDll.dll
%All Users Profile%\Application Data\InstallMate\{GUID}\_Setup.dll
%All Users Profile%\Application Data\SearchNewTab\519b2ffd207a4.dll
%All Users Profile%\Application Data\SearchNewTab\519b2ffd207a4.tlb
%All Users Profile%\Application Data\SearchNewTab\data\SearchNewTab.dat
%All Users Profile%\Application Data\SearchNewTab\settings.ini
%All Users Profile%\Application Data\SearchNewTab\uninstall.exe
%All Users Profile%\Desktop\NCdownloader.lnk
%All Users Profile%\Start Menu\Programs\coontinueetosavee\coontinueetosavee.lnk
%All Users Profile%\Start Menu\Programs\coontinueetosavee\Uninstall.lnk
%All Users Profile%\Start Menu\Programs\Optimizer Pro\Help.lnk
%All Users Profile%\Start Menu\Programs\Optimizer Pro\Optimizer Pro on the Web.lnk
%All Users Profile%\Start Menu\Programs\Optimizer Pro\Optimizer Pro.lnk
%All Users Profile%\Start Menu\Programs\Optimizer Pro\Uninstall Optimizer Pro.lnk
%All Users Profile%\Start Menu\Programs\SearchNewTab\SearchNewTab.lnk
%All Users Profile%\Start Menu\Programs\SearchNewTab\Uninstall.lnk
%All Users Profile%\Start Menu\Programs\Solibo Ltd\NCdownloader\NCdownloader.lnk
%All Users Profile%\Start Menu\Programs\Startup\NCdownloader.lnk
%Application Data%\Mozilla\Firefox\Profiles\4wwmjcqo.default\searchplugins\WebSearch.xml
%Application Data%\Mozilla\Firefox\Profiles\4wwmjcqo.default\extensions\ec6w3hphv@dnyljrtjcp-.org\bootstrap.js
%Application Data%\Mozilla\Firefox\Profiles\4wwmjcqo.default\extensions\ec6w3hphv@dnyljrtjcp-.org\chrome.manifest
%Application Data%\Mozilla\Firefox\Profiles\4wwmjcqo.default\extensions\ec6w3hphv@dnyljrtjcp-.org\content\bg.js
%Application Data%\Mozilla\Firefox\Profiles\4wwmjcqo.default\extensions\ec6w3hphv@dnyljrtjcp-.org\install.rdf
%Application Data%\Mozilla\Firefox\Profiles\4wwmjcqo.default\extensions\u0rvu-k@srg-wwcxb.edu\bootstrap.js
%Application Data%\Mozilla\Firefox\Profiles\4wwmjcqo.default\extensions\u0rvu-k@srg-wwcxb.edu\chrome.manifest
%Application Data%\Mozilla\Firefox\Profiles\4wwmjcqo.default\extensions\u0rvu-k@srg-wwcxb.edu\content\bg.js
%Application Data%\Mozilla\Firefox\Profiles\4wwmjcqo.default\extensions\u0rvu-k@srg-wwcxb.edu\install.rdf
%Cookies%\{User name}@mediatoolbox-online[1].txt
%Desktop%\Optimizer Pro.lnk
%Application Data%\Google\Chrome\User Data\Default\Extensions\djkiheoffgjccjmbjcflfdnlfglgclpn\1\519b2ffd205576.64236490.js
%Application Data%\Google\Chrome\User Data\Default\Extensions\djkiheoffgjccjmbjcflfdnlfglgclpn\1\background.html
%Application Data%\Google\Chrome\User Data\Default\Extensions\djkiheoffgjccjmbjcflfdnlfglgclpn\1\content.js
%Application Data%\Google\Chrome\User Data\Default\Extensions\djkiheoffgjccjmbjcflfdnlfglgclpn\1\lsdb.js
%Application Data%\Google\Chrome\User Data\Default\Extensions\djkiheoffgjccjmbjcflfdnlfglgclpn\1\manifest.json
%Application Data%\Google\Chrome\User Data\Default\Extensions\djkiheoffgjccjmbjcflfdnlfglgclpn\1\newtab.html
%Application Data%\Google\Chrome\User Data\Default\Extensions\djkiheoffgjccjmbjcflfdnlfglgclpn\1\sqlite.js
%Application Data%\Google\Chrome\User Data\Default\Extensions\fjnoiefabobcgejciadkjikpkboifmli\1\519b2fac986861.33064148.js
%Application Data%\Google\Chrome\User Data\Default\Extensions\fjnoiefabobcgejciadkjikpkboifmli\1\background.html
%Application Data%\Google\Chrome\User Data\Default\Extensions\fjnoiefabobcgejciadkjikpkboifmli\1\content.js
%Application Data%\Google\Chrome\User Data\Default\Extensions\fjnoiefabobcgejciadkjikpkboifmli\1\lsdb.js
%Application Data%\Google\Chrome\User Data\Default\Extensions\fjnoiefabobcgejciadkjikpkboifmli\1\manifest.json
%Application Data%\Google\Chrome\User Data\Default\Extensions\fjnoiefabobcgejciadkjikpkboifmli\1\sqlite.js
%Program Files%\ContinueToSave\sprotector.dll
%Program Files%\ContinueToSave\uninstall.exe
%Program Files%\Optimizer Pro\English.ini
%Program Files%\Optimizer Pro\file_id.diz
%Program Files%\Optimizer Pro\HomePage.url
%Program Files%\Optimizer Pro\OptimizerPro.chm
%Program Files%\Optimizer Pro\OptimizerPro.exe
%Program Files%\Optimizer Pro\OptProGuard.exe
%Program Files%\Optimizer Pro\OptProLauncher.exe
%Program Files%\Optimizer Pro\OptProReminder.exe
%Program Files%\Optimizer Pro\OptProSchedule.exe
%Program Files%\Optimizer Pro\OptProSmartScan.exe
%Program Files%\Optimizer Pro\OptProStart.exe
%Program Files%\Optimizer Pro\OptProUninstaller.exe
%Program Files%\Optimizer Pro\scan.gif
%Program Files%\Optimizer Pro\sqlite3.dll
%Program Files%\Optimizer Pro\unins000.dat
%Program Files%\Optimizer Pro\unins000.exe
%Program Files%\Solibo Ltd\NCdownloader\ICSharpCode.SharpZipLib.dll
%Program Files%\Solibo Ltd\NCdownloader\Interop.SHDocVw.dll
%Program Files%\Solibo Ltd\NCdownloader\NCdownloader.Core.dll
%Program Files%\Solibo Ltd\NCdownloader\NCdownloader.exe
%Program Files%\Solibo Ltd\NCdownloader\NCdownloader.exe.config
%Program Files%\Solibo Ltd\NCdownloader\NCdownloader.Extension.dll
%Program Files%\Solibo Ltd\NCdownloader\NCdownloader.Spider.dll
%Program Files%\Solibo Ltd\NCdownloader\TabStrip.dll
%Program Files%\Solibo Ltd\NCdownloader\unins000.dat
%Program Files%\Solibo Ltd\NCdownloader\unins000.exe
%Program Files%\WebSearch\sprotector.dll
%Program Files%\WebSearch\uninstall.exe
%Windows%\Tasks\schedule!1173230912.job

(Hinweis: %Application Data% ist der Ordner 'Anwendungsdaten' für den aktuellen Benutzer, normalerweise C:\Windows\Profile\{Benutzername}\Anwendungsdaten unter Windows 98 und ME, C:\WINNT\Profile\{Benutzername}\Anwendungsdaten unter Windows NT und C:\Dokumente und Einstellungen\{Benutzername}\Lokale Einstellungen\Anwendungsdaten unter Windows 2000, XP und Server 2003.. %Desktop% ist der Ordner 'Desktop' für den aktuellen Benutzer, normalerweise C:\Windows\Profile\{Benutzername}\Desktop unter Windows 98 und ME, C:\WINNT\Profile\{Benutzername}\Desktop unter Windows NT und C:\Dokumente und Einstellungen\{Benutzername}\Desktop unter Windows 2000, XP und Server 2003.. %Program Files%ist der Standardordner 'Programme', normalerweise C:\Programme.. %Windows% ist der Windows Ordner, normalerweise C:\Windows oder C:\WINNT.)

Erstellt die folgenden Ordner:

%All Users Profile%\Application Data\BetterSoft
%All Users Profile%\Application Data\BetterSoft\OptimizerPro
%All Users Profile%\Application Data\coontinueetosavee
%All Users Profile%\Application Data\coontinueetosavee\data
%All Users Profile%\Application Data\InstallMate
%All Users Profile%\Application Data\InstallMate\OptimizerPro
%All Users Profile%\Application Data\InstallMate\{GUID}
%All Users Profile%\Application Data\SearchNewTab
%All Users Profile%\Application Data\SearchNewTab\data
%All Users Profile%\Application Data\StarApp
%All Users Profile%\Application Data\StarApp\Setup
%All Users Profile%\Start Menu\Programs\coontinueetosavee
%All Users Profile%\Start Menu\Programs\Optimizer Pro
%All Users Profile%\Start Menu\Programs\SearchNewTab
%All Users Profile%\Start Menu\Programs\Solibo Ltd
%All Users Profile%\Start Menu\Programs\Solibo Ltd\NCdownloader
%Application Data%\Microsoft\Protect\S-1-5-21-1614895754-436374069-682003330-1003\8f6b14e9-b9fd-48d1-8ac6-e5f2baa2b2c4
%Application Data%\Mozilla\Firefox\Profiles\4wwmjcqo.default\searchplugins
%Application Data%\Mozilla\Firefox\Profiles\4wwmjcqo.default\extensions\ec6w3hphv@dnyljrtjcp-.org
%Application Data%\Mozilla\Firefox\Profiles\4wwmjcqo.default\extensions\ec6w3hphv@dnyljrtjcp-.org\content
%Application Data%\Mozilla\Firefox\Profiles\4wwmjcqo.default\extensions\u0rvu-k@srg-wwcxb.edu
%Application Data%\Mozilla\Firefox\Profiles\4wwmjcqo.default\extensions\u0rvu-k@srg-wwcxb.edu\content
%Application Data%\Google\Chrome\User Data\Default\Extensions
%Application Data%\Google\Chrome\User Data\Default\Extensions\djkiheoffgjccjmbjcflfdnlfglgclpn
%Application Data%\Google\Chrome\User Data\Default\Extensions\djkiheoffgjccjmbjcflfdnlfglgclpn\1
%Application Data%\Google\Chrome\User Data\Default\Extensions\fjnoiefabobcgejciadkjikpkboifmli
%Application Data%\Google\Chrome\User Data\Default\Extensions\fjnoiefabobcgejciadkjikpkboifmli\1
%Program Files%\Optimizer Pro
%Program Files%\ContinueToSave
%Program Files%\Solibo Ltd
%Program Files%\Solibo Ltd\NCdownloader
%Program Files%\WebSearch
%System%\AMD64
%System%\X86

(Hinweis: %Application Data% ist der Ordner 'Anwendungsdaten' für den aktuellen Benutzer, normalerweise C:\Windows\Profile\{Benutzername}\Anwendungsdaten unter Windows 98 und ME, C:\WINNT\Profile\{Benutzername}\Anwendungsdaten unter Windows NT und C:\Dokumente und Einstellungen\{Benutzername}\Lokale Einstellungen\Anwendungsdaten unter Windows 2000, XP und Server 2003.. %Program Files%ist der Standardordner 'Programme', normalerweise C:\Programme.. %System% ist der Windows Systemordner. Er lautet in der Regel C:\Windows\System unter Windows 98 und ME, C:\WINNT\System32 unter Windows NT und 2000 sowie C:\Windows\System32 unter Windows XP und Server 2003.)

Autostart-Technik

Fügt die folgenden Registrierungsschlüssel hinzu, um sich als Browser Helper Object (BHO) zu installieren:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Browser Helper Objects\{77B68582-C8C2-F64C-D59B-8CF2DCDD4225}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Browser Helper Objects\{D16B5728-B637-572D-CA27-7FC345629091}

Andere Systemänderungen

Fügt die folgenden Registrierungsschlüssel hinzu:

HKEY_CURRENT_USER\Software\Optimizer Pro

HKEY_CURRENT_USER\Software\Optimizer Pro\
wpdata

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\SearchScopes

HKEY_LOCAL_MACHINE\SOFTWARE\SP Global

HKEY_LOCAL_MACHINE\SOFTWARE\SProtector

HKEY_LOCAL_MACHINE\SOFTWARE\SProtector\
info

HKEY_LOCAL_MACHINE\SOFTWARE\SProtector\
_09b71135

HKEY_LOCAL_MACHINE\SOFTWARE\SProtector\
_b0285714

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Internet Explorer\SearchScopes

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Internet Explorer\SearchScopes\{GUID}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
Optimizer Pro_is1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
OptimizerPro

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
OptimizerPro\States

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
SP_09b71135

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
SP_b0285714

Fügt die folgenden Registrierungseinträge als Teil der Installationsroutine hinzu:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Browser Helper Objects\{77B68582-C8C2-F64C-D59B-8CF2DCDD4225}
{Default} = "SearchNewTab"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Browser Helper Objects\{77B68582-C8C2-F64C-D59B-8CF2DCDD4225}
NoExplorer = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Browser Helper Objects\{D16B5728-B637-572D-CA27-7FC345629091}
{Default} = "coontinueetosavee"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Browser Helper Objects\{D16B5728-B637-572D-CA27-7FC345629091}
NoExplorer = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Windows
LoadAppInit_DLLs = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\
Firefox\Extensions
ec6w3hphv{Default}dnyljrtjcp-.org = "%Application Data%\Mozilla\Firefox\Profiles\4wwmjcqo.default\extensions\ec6w3hphv{Default}dnyljrtjcp-.org"

HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\
Firefox\Extensions
u0rvu-k{Default}srg-wwcxb.edu = "%Application Data%\Mozilla\Firefox\Profiles\4wwmjcqo.default\extensions\u0rvu-k{Default}srg-wwcxb.edu"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\Session Manager
PendingFileRenameOperations = "\??\%User Temp%\Tsu6AAC7CF3.dll"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Optimizer Pro = "%Program Files%\Optimizer Pro\OptProLauncher.exe"

ADW_ARTUA

Overview

Détails techniques

Ressources

Support

À propos de Trend

Siège social national

ADW_ARTUA

Overview

Détails techniques

Ressources

Support

À propos de Trend

Siège social national

Amérique

Moyen-Orient et Afrique

Europe

Asie-Pacifique