PUA.Win32.Vittalia.AN

This Potentially Unwanted Application arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It does not have any propagation routine.

It does not have any backdoor routine.

It connects to certain websites to send and receive information. However, as of this writing, the said sites are inaccessible.

Arrival Details

This Potentially Unwanted Application arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Potentially Unwanted Application adds the following folders:

• %User Temp%\ns{Random Characters}.tmp

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It drops the following files:

• %User Temp%\1.txt
• %User Temp%\8157Installer.exe
• %User Temp%\8157Installer.INI
• %User Temp%\8157fondo.bmp.zip
• %Malware Path%\fondo.bmp
• %User Temp%\8157header.bmp.zip
• %Malware Path%\header.bmp
• %User Temp%\license.rtf
• %User Temp%\ajax_loader.gif
• %User Temp%\instloffer.exe
• %User Temp%\vittalia.jpg
• %User Temp%\square_babylonv3.bmp
• %User Temp%\toolbar_bbv3.bmp
• %User Temp%\square_babylonv2.bmp
• %User Temp%\toolbar_bbv2.bmp
• %User Temp%\square_babylon.bmp
• %User Temp%\toolbar_bb.bmp
• %User Temp%\square_coupish.bmp
• %User Temp%\coupish_largo.gif
• %User Temp%\square_dealply.bmp
• %User Temp%\dealply_largo.gif
• %User Temp%\moreinfo_coupondropdown.bmp
• %User Temp%\square_coupondropdown.bmp
• %User Temp%\square_speedupmypc.bmp
• %User Temp%\moreinfo_speedupmypc.bmp
• %User Temp%\square_driverscanner.bmp
• %User Temp%\moreinfo_driverscanner.bmp
• %User Temp%\yontoo.bmp
• %User Temp%\freetwittube_logo.bmp
• %User Temp%\freetwittube_image1.bmp
• %User Temp%\square_freetwittube.bmp
• %User Temp%\qtrax_image1.bmp
• %User Temp%\square_qtrax.bmp
• %User Temp%\freetwittube_text.rtf
• %User Temp%\ns{Random Characters}.tmp\modern-header.bmp
• %User Temp%\ns{Random Characters}.tmp\modern-wizard.bmp
• %User Temp%\ns{Random Characters}.tmp\System.dll
• %User Temp%\ns{Random Characters}.tmp\inetc.dll
• %User Temp%\0001geo.tmp
• %User Temp%\0001api.tmp
• %User Temp%\0001api.tmp
• %User Temp%\ns{Random Characters}.tmp\nsArray.dll
• %User Temp%\0001inst.tmp
• %User Temp%\0001api.tmp
• %User Temp%\0001api.tmp
• %User Temp%\ns{Random Characters}.tmp\nsDialogs.dll
• %User Temp%\0001inst.tmp
• %User Temp%\ns{Random Characters}.tmp\ButtonEvent.dll
• %User Temp%\0001inst.tmp
• %User Temp%\ns{Random Characters}.tmp\BgWorker.dll
• %User Temp%\ns{Random Characters}.tmp\execDos.dll
• %User Temp%\0001inst.tmp
• %User Temp%\ns{Random Characters}.tmp\inetc.dll
• %User Temp%\ns{Random Characters}.tmp\ThreadTimer.dll
• %User Temp%\tbbabylonv3.exe
• %User Temp%\ns{Random Characters}.tmp\Anuncios.dll
• %User Temp%\ns{Random Characters}.tmp\sarainetc2.dll
• %User Temp%\ns{Random Characters}.tmp\nsExec.dll
• %User Temp%\ns{Random Characters}.tmp\ns9E92.tmp
• %User Temp%\ns{Random Characters}.tmp\System.dll
• %User Temp%\0001inst.tmp
• %User Temp%\ns{Random Characters}.tmp\animgif.dll

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following processes:

• "%User Temp%\8157Installer.exe" /KEYWORD=8157 "/PATHFILES=%User Temp%\"
• %User Temp%\instloffer.exe "/SENDREPORTS=1" "/REPORTURL=http://xmlinstcp.{BLOCKED}t.eu/cmd/report.php" "/PARTNERID=TRAILSJA" "/OFFERID={ID}" "/PROGRAMURLENCODED=7-Zip%20File%20Manager%209%20" "/ORIGEN=" "/OFFERKEYWORD=BABYLONV3" "/OFFERURL=http://media.{BLOCKED}vita.com.es/xmlstatic/installers/software/babylon/babylonv3.exe" "/OFFERPARAMS=/babTrack=#affID={ID}# /S /aflt=babsst /instlref=sst /srcExt=ss /mnt /mhp /mds " "/OFFERPARAMSURLENCODED=%2FbabTrack%3D%23affID%3D{ID}%23%20%2FS%20%2Faflt%3Dbabsst%20%2Finstlref%3Dsst%20%2FsrcExt%3Dss%20%2Fmnt%20%2Fmhp%20%2Fmds%20" "/CHANNEL={ID}" "/CONVERSIONURL=" "/INSTTYPE=ax"
• "%User Temp%\nsk8DBF.tmp\ns9E92.tmp" "%User Temp%\tbbabylonv3.exe" /babTrack="affID={ID}" /S /aflt=babsst /instlref=sst /srcExt=ss /mnt /mhp /mds
• "%Program Files%\Google\Chrome\Application\chrome.exe" --single-argument http://japanese.{BLOCKED}framework.org/lv/afterdownload/view.htm?product=CloneCD%205.3.1.4%20

Propagation

This Potentially Unwanted Application does not have any propagation routine.

Backdoor Routine

This Potentially Unwanted Application does not have any backdoor routine.

Rootkit Capabilities

This Potentially Unwanted Application does not have rootkit capabilities.

Download Routine

This Potentially Unwanted Application connects to the following URL(s) to download its component file(s):

• http://media.{BLOCKED}ita.com.es/xmlstatic/ads/afterdownload_trailsframework.html
• http://media.{BLOCKED}ita.com.es/xmlstatic/installers/software/babylon/babylonv3.exe
• http://pf.{BLOCKED}t.com/s/2/8/28544-661074-7-zip-file-manager.exe

It saves the files it downloads using the following names:

• %User Temp%\afterdownload_trailsframework.html
• %User Temp%\babylonv3.exe
• %User Temp%\28544-661074-7-zip-file-manager.exe

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

Other Details

This Potentially Unwanted Application adds the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Vittalia

It connects to the following website to send and receive information:

• http://xmlinstcp.{BLOCKED}t.eu/cmd/geo.php
• http://xmlinstcp.{BLOCKED}t.eu/cmd/api.php?action=newenduser
• http://xmlinstcp.{BLOCKED}t.eu/cmd/api.php?action=enduser&enduser_id=
• http://xmlinstcp.{BLOCKED}t.eu/cmd/report.php?PartnerId=TRAILSJA&OfferId{ID}&action=startedInstall&program=7-Zip%20File%20Manager%209%20¶meter=&origen=&of{ID}&ofSel{ID}&ofNos_mi=/noempty&ofNos_ot=/noempty&ofDis_mi=/noempty&ofDis_ot=/noempty
• http://xmlinstcp.{BLOCKED}t.eu/cmd/report.php?PartnerId=TRAILSJA&OfferId{ID}&action=OfferShown&program=7-Zip%20File%20Manager%209%20&origen=
• http://xmlinstcp.{BLOCKED}t.eu/cmd/report.php?PartnerId=TRAILSJA&OfferId{ID}&action=OfferAccepted¶meter=%2FbabTrack%3D%23affID%3D115285%23%20%2FS%20%2Faflt%3Dbabsst%20%2Finstlref%3Dsst%20%2FsrcExt%3Dss%20%2Fmnt%20%2Fmhp%20%2Fmds%20&program=7-Zip%20File%20Manager%209%20&origen=&toolbar=1&homepage=1&feed=1
• http://xmlinstcp.{BLOCKED}t.eu/cmd/report.php?PartnerId=TRAILSJA&OfferId{ID}&action=StartDownload&program=7-Zip%20File%20Manager%209%20&origen=&of{ID}
• http://xmlinstcp.{BLOCKED}t.eu/cmd/report.php?PartnerId=TRAILSJA&OfferId{ID}&action=OfferInstallCompleted¶meter=error¶meter2=%2FbabTrack%3D%23affID%3D115285%23%20%2FS%20%2Faflt%3Dbabsst%20%2Finstlref%3Dsst%20%2FsrcExt%3Dss%20%2Fmnt%20%2Fmhp%20%2Fmds%20&program=7-Zip%20File%20Manager%209%20&origen=&prod=BT&ch=115285&babylonv3_mntrid=
• http://xmlinstcp.{BLOCKED}t.eu/cmd/report.php?PartnerId=TRAILSJA&OfferId{ID}&action=EndInstall&program=7-Zip%20File%20Manager%209%20&origen=&of{ID}

It does the following:

• It opens the following website through browser:
• http://japanese.{BLOCKED}framework.org/lv/afterdownload/view.htm?product=CloneCD%205.3.1.4%20
• It displays the following during installation:
  
  
  

However, as of this writing, the said sites are inaccessible.

It does not exploit any vulnerability.