PUA.Win32.UniBlue.AE

This Potentially Unwanted Application arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

However, as of this writing, the said sites are inaccessible.

Arrival Details

This Potentially Unwanted Application arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Potentially Unwanted Application adds the following folders:

• %User Temp%\mia1
• %Program Files%\Uniblue\RegistryBooster
• %Application Data%\Uniblue
• %User Temp%\mia{random characters}.tmp

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000(32-bit), Server 2003(32-bit), XP, Vista(64-bit), 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit) , or C:\Program Files (x86) in Windows XP(64-bit), Vista(64-bit), 7(64-bit), 8(64-bit), 8.1(64-bit), 2008(64-bit), 2012(64-bit) and 10(64-bit).. %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It drops the following files:

• %User Temp%\lang.loc
• %User Temp%\mia.tmp
• %Common Programs%\Uniblue\RegistryBooster\Uninstall RegistryBooster.lnk
• %Common Programs%\Uniblue\RegistryBooster\RegistryBooster.lnk
• %Application Data%\Microsoft\Internet Explorer\Quick Launch\Uniblue RegistryBooster.lnk
• %Desktop%\Uniblue RegistryBooster.lnk
• %W‌indows%\Tasks\RegistryBooster.job

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %Common Programs% is the folder that contains common program groups for all users, which is usually C:\Documents and Settings\All Users\Start Menu\Programs on Windows 2000, XP, and Server 2003, or C:\ProgramData\Microsoft\Windows\Start Menu\Programs on Windows Vista, 7, and 8.. %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %Desktop% is the current user's desktop, which is usually C:\Documents and Settings\{User Name}\Desktop on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\Desktop on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following processes:

• .\bm_installer.exe /m="{Malware Path}\{Malware Filename}.EXE" /k=""
• %System%\taskkill.exe /F /IM RegistryBooster.exe
• %System%\taskkill.exe /F /IM registrybooster.exe
• %System%\taskkill.exe /F /IM rbmonitor.exe
• %System%\taskkill.exe /F /IM rbnotifier.exe
• %System%\taskkill.exe /F /IM move_serial.exe
• %System%\taskkill.exe /F /IM rb_move_serial.exe
• %System%\taskkill.exe /F /IM rb_track_install.exe
• %Program Files%\Uniblue\RegistryBooster\rb_move_serial.exe
• %Program Files%\Uniblue\RegistryBooster\rb_ubm.exe -i
• %Program Files%\Uniblue\RegistryBooster\rbmonitor.exe -i
• %Program Files%\Uniblue\RegistryBooster\Launcher.exe
• %Program Files%\Uniblue\RegistryBooster\registrybooster.exe

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.. %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000(32-bit), Server 2003(32-bit), XP, Vista(64-bit), 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit) , or C:\Program Files (x86) in Windows XP(64-bit), Vista(64-bit), 7(64-bit), 8(64-bit), 8.1(64-bit), 2008(64-bit), 2012(64-bit) and 10(64-bit).)

Other System Modifications

This Potentially Unwanted Application adds the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
RegistryBooster = %Program Files%\uniblue\registrybooster\launcher.exe

Other Details

This Potentially Unwanted Application adds the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Uniblue

HKEY_LOCAL_MACHINE\SOFTWARE\MimarSinan

It connects to the following possibly malicious URL:

• http://rb.{BLOCKED}e.com.s3.amazonaws.com/latest_updates/application.txt

However, as of this writing, the said sites are inaccessible.

It adds the following scheduled tasks:

• Task Name: RegistryBooster
• Task to be run: %Program Files%\uniblue\registrybooster\rbmonitor.exe

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000(32-bit), Server 2003(32-bit), XP, Vista(64-bit), 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit) , or C:\Program Files (x86) in Windows XP(64-bit), Vista(64-bit), 7(64-bit), 8(64-bit), 8.1(64-bit), 2008(64-bit), 2012(64-bit) and 10(64-bit).)