ADW_MULTIPLUG.GA

Publish Date: 15 novembre 2014

Analysé par: Jaime Benigno Reyes

AdWare.Win32.MultiPlug.nbjr (Kaspersky)

Plate-forme:

Windows

Overall Risk:

Dommages potentiels: :

Distribution potentielle: :

reportedInfection:

Information Exposure Rating::

Faible

Medium

Élevé

Critique

Type de grayware:
Adware
Destructif:
Non
Chiffrement:
In the wild::
Oui

Overview

Wird möglicherweise manuell von einem Benutzer installiert.

Détails techniques

File size: 866,672 bytes

File type: EXE

Memory resident: Non

Date de réception des premiers échantillons: 15 novembre 2014

Übertragungsdetails

Wird möglicherweise manuell von einem Benutzer installiert.

Installation

Fügt die folgenden Ordner hinzu:

%All Users Profile%\Application Data\Trusted Publisher (Versions lower than Windows Vista)
%All Users Profile%\Application Data\Trusted Publisher\SW-Booster (Versions lower than Windows Vista)
%All Users Profile%\Microsoft\Windows\Start Menu\Programs\EZDownloader (Windows Vista and higher versions)
%All Users Profile%\Microsoft\Windows\Start Menu\Programs\LiveSupport (Windows Vista and higher versions)
%All Users Profile%\Microsoft\Windows\Start Menu\Programs\Optimizer Pro v3.2 (Windows Vista and higher versions)
%All Users Profile%\Microsoft\Windows\Start Menu\Programs\SkypEmoticons (Windows Vista and higher versions)
%All Users Profile%\Start Menu\Programs\EZDownloader (Versions lower than Windows Vista)
%All Users Profile%\Start Menu\Programs\Optimizer Pro v3.2 (Versions lower than Windows Vista)
%All Users Profile%\Start Menu\Programs\LiveSupport (Versions lower than Windows Vista)
%All Users Profile%\Start Menu\Programs\SkypEmoticons (Versions lower than Windows Vista)
%All Users Profile%\Trusted Publisher (Windows Vista and higher versions)
%All Users Profile%\Trusted Publisher\SW-Booster (Windows Vista and higher versions)
%Application Data%\Mozilla\Firefox\Profiles\random alphanumeric characters.default\searchplugins
%Application Data%\SkypEmoticons
%Application Data%\SkypEmoticons\Temp
%Program Files%\EZDownloader
%Program Files%\LiveSupport
%Program Files%\Optimizer Pro
%System%\AMD64
%System%\X86
%User Temp%\7E82590C-48C6-48BD-9DBB-BDCC68C3CBB8[i]
%User Temp%\{random alphanumeric characters}
%User Temp%\{random alphanumeric characters}\images
%User Temp%\{random alphanumeric characters}\steps
%User Temp%\{random alphanumeric characters}\temp

Schleust die folgenden Dateien ein:

%All Users Profile%\Application Data\Trusted Publisher\SW-Booster\SW-Booster.exe (Versions lower than Windows Vista)
%All Users Profile%\Application Data\Trusted Publisher\SW-Booster\{random number} (Versions lower than Windows Vista)
%All Users Profile%\Application Data\Trusted Publisher\SW-Booster\{random number}.ini (Versions lower than Windows Vista)
%All Users Profile%\Desktop\EZDownloader.lnk (Versions lower than Windows Vista)
%All Users Profile%\Microsoft\Windows\Start Menu\Programs\EZDownloader\EZDownloader.lnk (Windows Vista and higher versions)
%All Users Profile%\Microsoft\Windows\Start Menu\Programs\LiveSupport\LiveSupport.lnk (Windows Vista and higher versions)
%All Users Profile%\Microsoft\Windows\Start Menu\Programs\LiveSupport\Uninstall LiveSupport.lnk (Windows Vista and higher versions)
%All Users Profile%\Microsoft\Windows\Start Menu\Programs\Optimizer Pro v3.2\Check updates.lnk (Windows Vista and higher versions)
%All Users Profile%\Microsoft\Windows\Start Menu\Programs\Optimizer Pro v3.2\Help.lnk (Windows Vista and higher versions)
%All Users Profile%\Microsoft\Windows\Start Menu\Programs\Optimizer Pro v3.2\Optimizer Pro on the Web.lnk (Windows Vista and higher versions)
%All Users Profile%\Microsoft\Windows\Start Menu\Programs\Optimizer Pro v3.2\Optimizer Pro.lnk (Windows Vista and higher versions)
%All Users Profile%\Microsoft\Windows\Start Menu\Programs\Optimizer Pro v3.2\Uninstall Optimizer Pro.lnk (Windows Vista and higher versions)
%All Users Profile%\Microsoft\Windows\Start Menu\Programs\SkypEmoticons\SkypEmoticons.lnk (Windows Vista and higher versions)
%All Users Profile%\Start Menu\Programs\EZDownloader\EZDownloader.lnk (Versions lower than Windows Vista)
%All Users Profile%\Start Menu\Programs\LiveSupport\LiveSupport.lnk (Versions lower than Windows Vista)
%All Users Profile%\Start Menu\Programs\LiveSupport\Uninstall LiveSupport.lnk (Versions lower than Windows Vista)
%All Users Profile%\Start Menu\Programs\Optimizer Pro v3.2\Check updates.lnk (Versions lower than Windows Vista)
%All Users Profile%\Start Menu\Programs\Optimizer Pro v3.2\Help.lnk (Versions lower than Windows Vista)
%All Users Profile%\Start Menu\Programs\Optimizer Pro v3.2\Optimizer Pro on the Web.lnk (Versions lower than Windows Vista)
%All Users Profile%\Start Menu\Programs\Optimizer Pro v3.2\Optimizer Pro.lnk (Versions lower than Windows Vista)
%All Users Profile%\Start Menu\Programs\Optimizer Pro v3.2\Uninstall Optimizer Pro.lnk (Versions lower than Windows Vista)
%All Users Profile%\Start Menu\Programs\SkypEmoticons\SkypEmoticons.lnk (Versions lower than Windows Vista)
%All Users Profile%\Trusted Publisher\SW-Booster\SW-Booster.exe (Windows Vista and higher versions)
%All Users Profile%\Trusted Publisher\SW-Booster\{random number} (Windows Vista and higher versions)
%All Users Profile%\Trusted Publisher\SW-Booster\{random number}.ini (Windows Vista and higher versions)
%Application Data%\LiveSupport.exe_log.txt
%Application Data%\Mozilla\Firefox\Profiles\random alphanumeric characters.default\searchplugins\WebSearch.xml
%Application Data%\SkypEmoticons\Lng.s
%Application Data%\SkypEmoticons\Res.dll
%Application Data%\SkypEmoticons\SE.exe
%Application Data%\SkypEmoticons\SEDownloader.exe
%Application Data%\SkypEmoticons\Settings.se
%Application Data%\SkypEmoticons\Temp\SE.exe
%Application Data%\SkypEmoticons\unins000.dat
%Application Data%\SkypEmoticons\unins000.exe
%Application Data%\regsvr32.exe_log.txt
%Desktop%\LiveSupport.lnk
%Desktop%\Optimizer Pro.lnk
%Program Files%\EZDownloader\EZDownloader.Core.dll
%Program Files%\EZDownloader\EZDownloader.Extension.dll
%Program Files%\EZDownloader\EZDownloader.Spider.dll
%Program Files%\EZDownloader\EZDownloader.exe
%Program Files%\EZDownloader\EZDownloader.exe.config
%Program Files%\EZDownloader\ICSharpCode.SharpZipLib.dll
%Program Files%\EZDownloader\Interop.SHDocVw.dll
%Program Files%\EZDownloader\TabStrip.dll
%Program Files%\EZDownloader\unins000.dat
%Program Files%\EZDownloader\unins000.exe
%Program Files%\LiveSupport\LiveSupport.exe
%Program Files%\LiveSupport\LiveSupport_deskband_x32.dll
%Program Files%\LiveSupport\LiveSupport_deskband_x64.dll
%Program Files%\LiveSupport\unins000.dat
%Program Files%\LiveSupport\unins000.exe
%Program Files%\LiveSupport\unins000.msg
%Program Files%\Optimizer Pro\CookiesException.txt
%Program Files%\Optimizer Pro\English.ini
%Program Files%\Optimizer Pro\English.iniAM
%Program Files%\Optimizer Pro\HomePage.url
%Program Files%\Optimizer Pro\OptProGuard.exe
%Program Files%\Optimizer Pro\OptProHelper.dll
%Program Files%\Optimizer Pro\OptProLauncher.exe
%Program Files%\Optimizer Pro\OptProReminder.exe
%Program Files%\Optimizer Pro\OptProSchedule.exe
%Program Files%\Optimizer Pro\OptProSmartScan.exe
%Program Files%\Optimizer Pro\OptProStart.exe
%Program Files%\Optimizer Pro\OptProUninstaller.exe
%Program Files%\Optimizer Pro\OptimizerPro.chm
%Program Files%\Optimizer Pro\OptimizerPro.exe
%Program Files%\Optimizer Pro\StartupList.txt
%Program Files%\Optimizer Pro\bg_new3.bmp
%Program Files%\Optimizer Pro\cancel.bmp
%Program Files%\Optimizer Pro\file_id.diz
%Program Files%\Optimizer Pro\itdownload.dll
%Program Files%\Optimizer Pro\scan.gif
%Program Files%\Optimizer Pro\sqlite3.dll
%Program Files%\Optimizer Pro\unins000.dat
%Program Files%\Optimizer Pro\unins000.exe
%Program Files%\Optimizer Pro\unins000.msg
%System Root%\Users\Public\Desktop\EZDownloader.lnk (Windows Vista and higher versions)
%System%\Tasks\SW-Booster-S-{random number}
%User Temp%\7E82590C-48C6-48BD-9DBB-BDCC68C3CBB8[i]\tmp
%User Temp%\LiveSupport_setup.exe
%User Temp%\optprosetup.exe
%User Temp%\sSetup-se.exe
%User Temp%\{random alphanumeric characters}\images\loader.gif
%User Temp%\{random alphanumeric characters}\images\progressbar.gif
%User Temp%\{random alphanumeric characters}\steps\1.ini
%User Temp%\{random alphanumeric characters}\steps\10.ini
%User Temp%\{random alphanumeric characters}\steps\11.ini
%User Temp%\{random alphanumeric characters}\steps\2.ini
%User Temp%\{random alphanumeric characters}\steps\4.ini
%User Temp%\{random alphanumeric characters}\steps\4_1.ini
%User Temp%\{random alphanumeric characters}\steps\4_2.ini
%User Temp%\{random alphanumeric characters}\steps\4_2_1.ini
%User Temp%\{random alphanumeric characters}\steps\5.ini
%User Temp%\{random alphanumeric characters}\steps\6.ini
%User Temp%\{random alphanumeric characters}\steps\6_1.ini
%User Temp%\{random alphanumeric characters}\steps\6_1_2.ini
%User Temp%\{random alphanumeric characters}\steps\6_1_2_1.ini
%User Temp%\{random alphanumeric characters}\steps\6_1_3.ini
%User Temp%\{random alphanumeric characters}\steps\6_1_4.ini
%User Temp%\{random alphanumeric characters}\steps\6_1_5.ini
%User Temp%\{random alphanumeric characters}\steps\6_1_6.ini
%User Temp%\{random alphanumeric characters}\steps\6_2.ini
%User Temp%\{random alphanumeric characters}\steps\6_2_1.ini
%User Temp%\{random alphanumeric characters}\steps\6_3.ini
%User Temp%\{random alphanumeric characters}\steps\7.ini
%User Temp%\{random alphanumeric characters}\steps\7_1.ini
%User Temp%\{random alphanumeric characters}\steps\7_2.ini
%User Temp%\{random alphanumeric characters}\steps\8.ini
%User Temp%\{random alphanumeric characters}\steps\8_1.ini
%User Temp%\{random alphanumeric characters}\steps\8_2.ini
%User Temp%\{random alphanumeric characters}\steps\8_2_1.ini
%User Temp%\{random alphanumeric characters}\steps\8_2_1.ini.txt
%User Temp%\{random alphanumeric characters}\steps\9.ini
%User Temp%\{random alphanumeric characters}\steps\9.ini.txt
%User Temp%\{random alphanumeric characters}\temp\EzDownloader_setup.exe
%User Temp%\{random alphanumeric characters}\temp\OpProSetup.exe
%User Temp%\{random alphanumeric characters}\temp\fs_sdhp.exe
%User Temp%\{random alphanumeric characters}\temp\putfu.exe
%User Temp%\{random alphanumeric characters}\temp\usetup.exe
%User Temp%\{random alphanumeric characters}\temp\wpc_mystartsearch.exe
%Windows%\Tasks\SW-Booster-S-{random number}.job

(Hinweis: %Application Data% ist der Ordner 'Anwendungsdaten' für den aktuellen Benutzer, normalerweise C:\Windows\Profile\{Benutzername}\Anwendungsdaten unter Windows 98 und ME, C:\WINNT\Profile\{Benutzername}\Anwendungsdaten unter Windows NT und C:\Dokumente und Einstellungen\{Benutzername}\Lokale Einstellungen\Anwendungsdaten unter Windows 2000, XP und Server 2003.. %Desktop% ist der Ordner 'Desktop' für den aktuellen Benutzer, normalerweise C:\Windows\Profile\{Benutzername}\Desktop unter Windows 98 und ME, C:\WINNT\Profile\{Benutzername}\Desktop unter Windows NT und C:\Dokumente und Einstellungen\{Benutzername}\Desktop unter Windows 2000, XP und Server 2003.. %Program Files%ist der Standardordner 'Programme', normalerweise C:\Programme.. %System Root% ist der Stammordner, normalerweise C:\. Dort befindet sich auch das Betriebssystem.. %System% ist der Windows Systemordner. Er lautet in der Regel C:\Windows\System unter Windows 98 und ME, C:\WINNT\System32 unter Windows NT und 2000 sowie C:\Windows\System32 unter Windows XP und Server 2003.. %User Temp% ist der Ordner 'Temp' des aktuellen Benutzers, normalerweise C:\Dokumente und Einstellungen\{Benutzername}\Lokale Einstellungen\Temp unter Windows 2000, XP und Server 2003.. %Windows% ist der Windows Ordner, normalerweise C:\Windows oder C:\WINNT.)

Autostart-Technik

Erstellt folgende Registrierungseinträge, um die eingeschleuste Komponente bei jedem Systemstart automatisch auszuführen:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
LiveSupport = ""%Program Files%\LiveSupport\LiveSupport.exe" /noshow /log"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Optimizer Pro = "%Program Files%\Optimizer Pro\OptProLauncher.exe"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
se = ""%Application Data%\SkypEmoticons\SE.exe" /minimized "

Andere Systemänderungen

Fügt die folgenden Registrierungsschlüssel hinzu:

HKEY_CLASSES_ROOT\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}

HKEY_CLASSES_ROOT\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}

HKEY_CURRENT_USER\Software\Classes\
CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}

HKEY_CURRENT_USER\Software\LiveSupport

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}

HKEY_CURRENT_USER\Software\Optimizer Pro

HKEY_CURRENT_USER\Software\WebApp

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Internet Explorer\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
LiveSupport_is1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
Optimizer Pro_is1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
S-{random number}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
SkypEmoticons_is1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
{0F44DC3A-6E62-4961-A14B-95323C512F9B}_is1

HKEY_LOCAL_MACHINE\SOFTWARE\SW-Booster

Ändert die folgenden Registrierungseinträge:

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main
Start Page = "http://websearch.searchfix.info/?unqvl={number}&idate={installation date}"

(Note: The default value data of the said registry entry is "{user's start page}".)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Internet Explorer\Main
Start Page = "http://websearch.searchfix.info/?unqvl={number}&idate={installation date}"

(Note: The default value data of the said registry entry is "{user's start page}".)

ADW_MULTIPLUG.GA

Overview

Détails techniques

Ressources

Support

À propos de Trend

Siège social national

ADW_MULTIPLUG.GA

Overview

Détails techniques

Ressources

Support

À propos de Trend

Siège social national

Amérique

Moyen-Orient et Afrique

Europe

Asie-Pacifique