APROPOS
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: Adware
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
Downloaded from the Internet
APROPOS is a family of adware and Trojans whose purpose is to download additional malware, most often rootkits, onto systems that are already infected. An APROPOS infection is therefore usually the first stage of a larger compromise rather than the whole of it.
TECHNICAL DETAILS
Yes
Downloads files
Installation
This adware drops the following files:
- %Program Files%\CxtPls\ace.dll
- %User Temp%\~compoundinst0\auto_update_loader.exe
- %Program Files%\CxtPls\AI_12-02-2013.log
- %Program Files%\CxtPls\atl.dll
- %Program Files%\CxtPls\CxtPls.dll
- %Program Files%\CxtPls\CxtPls.exe
- %Program Files%\CxtPls\data.bin
- %Program Files%\CxtPls\libexpat.dll
- %Program Files%\CxtPls\ProxyStub.dll
- %Program Files%\CxtPls\uninstaller.exe
- %Program Files%\CxtPls\WinGenerics.dll
- %System%\ippdec.exe
- %System%\ipcir.exe
(Note: %Program Files% is the Program Files folder, where it usually is C:\Program Files on all Windows operating system versions; C:\Program Files (x86) for 32-bit applications running on Windows 64-bit operating systems. %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012. %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)
It creates the following folders:
- %User Temp%\~compoundinst0
- %Program Files%\CxtPls
(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012. %Program Files% is the Program Files folder, where it usually is C:\Program Files on all Windows operating system versions; C:\Program Files (x86) for 32-bit applications running on Windows 64-bit operating systems.)
Autostart Technique
This adware adds the following registry entries to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
AutoLoaderAproposClient = "{malware path}\{malware name}"
Other System Modifications
This adware adds the following registry entries as part of its installation routine:
HKEY_LOCAL_MACHINE\SOFTWARE\AutoLoader\AproposClient
LoadUrl = "http://download.{BLOCKED}tplus.net/apropos/client/WB.POP/<
TempFile = "%User Temp%\auf0.exe"
Parameters =
Attempts = "{number}"
Trust = "{number}"
Total = "{number}"
Downloaded = "{number}"
It adds the following registry keys as part of its installation routine:
HKEY_LOCAL_MACHINE\SOFTWARE\Apropos
HKEY_LOCAL_MACHINE\SOFTWARE\Apropos\Client
HKEY_LOCAL_MACHINE\SOFTWARE\AutoLoader
HKEY_LOCAL_MACHINE\SOFTWARE\AutoLoader\AproposClient
HKEY_LOCAL_MACHINE\SOFTWARE\AutoLoader\EnvoloAutoUpdater
HKEY_LOCAL_MACHINE\SOFTWARE\Envolo
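The file, folder and registry artifacts listed in the Installation, Autostart Technique and Other System Modifications sections above can be swept for in one pass. The script below is an added example, not part of this entry or of any vendor tool. It assumes that the adware may have been installed by a user other than the one running the script (so it walks every profile's temp folder under C:\Users) and that a 32-bit installer on 64-bit Windows is redirected to the WOW6432Node registry view; both are assumptions to adjust for your environment. Because the log name under CxtPls carries a date (AI_12-02-2013.log above), the script lists and hashes whatever is in that folder instead of matching fixed names.

```powershell
# Added hunt script for the APROPOS artifacts documented in this entry.
# Not the vendor's code. Assumptions: other users' temp folders live under
# C:\Users\<name>\AppData\Local\Temp, and a 32-bit installer on 64-bit Windows
# writes under HKLM:\SOFTWARE\WOW6432Node.
#Requires -RunAsAdministrator

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Kind, [string]$Location, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Location = $Location; Detail = $Detail })
}

# --- Files and folders ---------------------------------------------------------
# Check both Program Files roots; ${env:ProgramFiles(x86)} is empty on 32-bit Windows.
$programDirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
foreach ($dir in $programDirs) {
    $cxt = Join-Path $dir 'CxtPls'
    if (Test-Path $cxt) {
        Add-Finding 'Folder' $cxt 'APROPOS install directory present'
        Get-ChildItem -Path $cxt -Force -File -ErrorAction SilentlyContinue | ForEach-Object {
            $hash = (Get-FileHash -Algorithm SHA256 -Path $_.FullName -ErrorAction SilentlyContinue).Hash
            Add-Finding 'File' $_.FullName "SHA256=$hash"
        }
    }
}

foreach ($name in 'ipcir.exe', 'ippdec.exe') {
    $p = Join-Path $env:SystemRoot "System32\$name"
    if (Test-Path $p) { Add-Finding 'File' $p 'dropped into %System%' }
}

# Per-user temp artifacts (every profile, not just the current user: assumption).
$tempDirs = Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'AppData\Local\Temp' }
foreach ($tmp in $tempDirs) {
    foreach ($rel in '~compoundinst0', '~compoundinst0\auto_update_loader.exe', 'auf0.exe') {
        $p = Join-Path $tmp $rel
        if (Test-Path $p) { Add-Finding 'TempArtifact' $p 'downloader staging file or folder' }
    }
}

# --- Registry ------------------------------------------------------------------
$views = @('HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node')
foreach ($view in $views) {
    # Autostart value from the Run key.
    $run = Join-Path $view 'Microsoft\Windows\CurrentVersion\Run'
    $v = Get-ItemProperty -Path $run -Name 'AutoLoaderAproposClient' -ErrorAction SilentlyContinue
    if ($v) { Add-Finding 'Autostart' "$run\AutoLoaderAproposClient" $v.AutoLoaderAproposClient }

    # Installation keys.
    foreach ($key in 'Apropos', 'Apropos\Client', 'AutoLoader', 'AutoLoader\EnvoloAutoUpdater', 'Envolo') {
        $k = Join-Path $view $key
        if (Test-Path $k) { Add-Finding 'RegKey' $k 'installation key present' }
    }

    # Downloader state: LoadUrl and TempFile tell you what it fetched and where it staged it.
    $client = Join-Path $view 'AutoLoader\AproposClient'
    if (Test-Path $client) {
        $props = Get-ItemProperty -Path $client -ErrorAction SilentlyContinue
        foreach ($n in 'LoadUrl', 'TempFile', 'Parameters', 'Attempts', 'Trust', 'Total', 'Downloaded') {
            if ($null -ne $props.$n) { Add-Finding 'RegValue' "$client\$n" ([string]$props.$n) }
        }
    }
}

if ($findings.Count -eq 0) { 'No APROPOS artifacts found.' } else { $findings | Format-Table -AutoSize }
```

Run it elevated; HKLM and other users' profiles are not readable otherwise. A hit on the Run value or the AutoLoader\AproposClient key matters more than a stray CxtPls folder, because those are what keep the downloader running across reboots, and the Downloaded and Attempts counters are the quickest way to tell whether the second-stage fetch ever succeeded.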
Download Routine
This adware saves the files it downloads using the following names:
- %User Temp%\auf0.exe
(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)
Other Details
This adware connects to the following possibly malicious URLs:
- http://download.{BLOCKED}tplus.net/apropos/client/WB.POP/1/AproposClientInstaller.exe
- http://download.{BLOCKED}tplus.net/apropos/client/WB.POP/<>/AproposClientInstaller.exe
- http://download.{BLOCKED}tplus.net/shared/AutoUpdaterInstaller.exe
- http://download.{BLOCKED}tplus.net/shared/Msvcp60Installer.exe
- http://{BLOCKED}2.ocslab.com/shared/AutoUpdaterInstaller.exe
- http://{BLOCKED}2.ocslab.com/shared/Msvcp60Installer.exe
- http://{BLOCKED}2.ocslab.com/test/shared/AutoUpdaterInstaller.exe
- http://{BLOCKED}2.ocslab.com/test/shared/Msvcp60Installer.exe
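The download URLs above are the network side of this entry. The script below is an added example, not part of the entry, that matches them against web-proxy log lines. The hostnames on this page are partly masked, so the host check uses only the visible suffixes (tplus.net, ocslab.com) and the path patterns, which the entry gives in full, carry the weight; a path hit on an unknown host is reported rather than dropped. The log layout and the sample lines are constructed for the example and are not a real proxy format.

```powershell
# Added example: flag proxy log lines whose URL matches the APROPOS download
# locations. Not vendor code. The log format and sample lines are constructed.

# Path patterns taken from the URL list in this entry. The last segment before
# AproposClientInstaller.exe varies (1, or the masked value), so it is a wildcard.
# The /test/shared/ variants are covered because the patterns are not anchored at the start.
$urlPatterns = @(
    '/apropos/client/WB\.POP/[^/]+/AproposClientInstaller\.exe$'
    '/shared/AutoUpdaterInstaller\.exe$'
    '/shared/Msvcp60Installer\.exe$'
)
# Only the unmasked parts of the hostnames are usable.
$hostSuffixes = @('tplus.net', 'ocslab.com')

function Test-AproposDownload {
    param([Parameter(Mandatory)][string]$Url)
    $u = $null
    if (-not [uri]::TryCreate($Url, [System.UriKind]::Absolute, [ref]$u)) { return $null }
    $pathHit = $urlPatterns | Where-Object { $u.AbsolutePath -match $_ } | Select-Object -First 1
    if (-not $pathHit) { return $null }
    $hostHit = $hostSuffixes | Where-Object { $u.Host.EndsWith($_, [System.StringComparison]::OrdinalIgnoreCase) }
    [pscustomobject]@{
        Host      = $u.Host
        Path      = $u.AbsolutePath
        Pattern   = $pathHit
        KnownHost = [bool]$hostHit   # path matched but host unknown: still worth a look
    }
}

# Constructed sample log: "<timestamp> <client> <method> <url> <status>".
# The hostnames here are placeholders, not the masked values from this entry.
$sampleLog = @'
2013-02-12T10:01:03Z 10.0.0.15 GET http://download.placeholder-tplus.net/apropos/client/WB.POP/1/AproposClientInstaller.exe 200
2013-02-12T10:01:09Z 10.0.0.15 GET http://placeholder2.ocslab.com/shared/Msvcp60Installer.exe 200
2013-02-12T10:02:41Z 10.0.0.22 GET http://www.example.com/index.html 200
2013-02-12T10:03:17Z 10.0.0.15 GET http://placeholder2.ocslab.com/test/shared/AutoUpdaterInstaller.exe 404
2013-02-12T10:04:02Z 10.0.0.31 GET http://cdn.example.org/shared/AutoUpdaterInstaller.exe 200
'@

$hits = foreach ($line in $sampleLog -split "`n") {
    $f = $line.Trim() -split '\s+'
    if ($f.Count -lt 5) { continue }
    $r = Test-AproposDownload -Url $f[3]
    if ($r) {
        $r | Add-Member -NotePropertyName Client -NotePropertyValue $f[1] -PassThru |
             Add-Member -NotePropertyName Status -NotePropertyValue $f[4] -PassThru
    }
}
$hits | Format-Table Client, Status, Host, Path, KnownHost -AutoSize
```

Keep the 404 line in the results: a failed fetch of AutoUpdaterInstaller.exe still means a host ran the downloader and tried to reach its update location, which is what the Attempts counter in HKEY_LOCAL_MACHINE\SOFTWARE\AutoLoader\AproposClient records on the endpoint. The last sample line shows why KnownHost is reported separately: the path alone also matches an unrelated server, so treat such rows as leads to confirm rather than as detections.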