ADW_SOCIALCOLOR

August 02, 2013
 Analysis by: Anthony Joe Melgarejo
 PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Adware

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This adware may be manually installed by a user.

It creates folders where it drops its files.

  TECHNICAL DETAILS

File Size:

570,025 bytes

File Type:

EXE

Memory Resident:

No

Initial Samples Received Date:

01 Aug 2013

Arrival Details

This adware may be manually installed by a user.

It creates the following folders:

  • %AppDataLocal%\Google\Chrome\User Data\Default\Extensions\fjehjjchfbllbcmipahcpahdongpiego
  • %Program Files%\JCOM
  • %Program Files%\JCOM\FF

(Note: %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local on Windows Vista and 7.. %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, and XP (32-bit), Vista (32-bit), and 7 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), and 7 (64-bit).)

Other System Modifications

This adware adds the following registry entries:

HKEY_CURRENT_USER\Software\Mozilla\
Firefox\Extensions
fbtune@fbtune.com = "%Program Files%\JCOM\FF"

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\
Google\Chrome\Extensions\
fjehjjchfbllbcmipahcpahdongpiego
path = "%Program Files%\JCOM\extension.crx"

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\
Google\Chrome\Extensions\
fjehjjchfbllbcmipahcpahdongpiego
version = "1.0"

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\
Mozilla\Firefox\Extensions
"%Program Files%\JCOM\FF" = "%Program Files%\JCOM\FF"

HKEY_LOCAL_MACHINE\SOFTWARE\Google\
Chrome\Extensions\fjehjjchfbllbcmipahcpahdongpiego
path = "%Program Files%\JCOM\extension.crx"

HKEY_LOCAL_MACHINE\SOFTWARE\Google\
Chrome\Extensions\fjehjjchfbllbcmipahcpahdongpiego
version = "1.0"

It modifies the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main
Start Page = "http://search.pagead.in/"

(Note: The default value data of the said registry entry is "{Default/User-defined Start Page}".)

NOTES:

It drops the Chrome and Firefox extension files in the created folders.

It installs FB Tune as an extension/add-on in Chrome and Firefox.

It changes the start page of Internet Explorer to http://{BLOCKED}h.{BLOCKED}d.in/ .