Analysis by: Jimelle Monteser
ALIASES:

AdWare.Win32.OutBrowse.g (Kaspersky)

 PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Adware

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

Infection Channel: Downloaded from the Internet

This adware may be downloaded by other malware/grayware/spyware from remote sites. It may be manually installed by a user.

It does not have any propagation routine.

It does not have any backdoor routine.

  TECHNICAL DETAILS

File Size: Varies
File Type: EXE
Memory Resident: No
Initial Samples Received Date: 19 Jun 2014
Payload: Downloads files

Arrival Details

This adware may be downloaded by other malware/grayware/spyware from remote sites.

It may be manually installed by a user.

Installation

This adware drops the following component file(s):

  • %User Temp%\f.exe - also detected as ADW_DOWNWARE.GA

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)

It drops the following non-malicious files:

  • %User Temp%\instructionsBv3.dat - deleted afterwards
  • %User Temp%\{random}.tmp\Convert.dll - deleted afterwards
  • %User Temp%\obhhelper.txt - deleted afterwards
  • %User Temp%\{random}.tmp - deleted afterwards

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)

Other System Modifications

This adware adds the following registry entries as part of its installation routine:

HKEY_CLASSES_ROOT\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}
(Default) = "CBrowserExternal Class"

HKEY_CLASSES_ROOT\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\
LocalServer32
(Default) = "%User Temp%\f.exe"

HKEY_CLASSES_ROOT\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\
LocalServer32
ServerExecutable = "%User Temp%\f.exe"

HKEY_CLASSES_ROOT\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\
TypeLib
(Default) = "{03771AEF-400D-4A13-B712-25878EC4A3F5}"

HKEY_CLASSES_ROOT\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\
Version
(Default) = "1.0"

It adds the following registry keys as part of its installation routine:

HKEY_CLASSES_ROOT\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}

HKEY_CLASSES_ROOT\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\
LocalServer32

HKEY_CLASSES_ROOT\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\
Programmable

HKEY_CLASSES_ROOT\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\
TypeLib

HKEY_CLASSES_ROOT\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\
Version

Propagation

This adware does not have any propagation routine.

Backdoor Routine

This adware does not have any backdoor routine.

NOTES:

It executes the dropped file %User Temp%\f.exe (also detected as ADW_DOWNWARE.GA) using the following commands and parameters:

  • %User Temp%\f.exe /PID={value} /SUBPID={value} /DISTID={value} /NETWORKID={value} /CID={value} /PRODUCT_ID={value} /SERVER_URL=http://installer.apps-track.com /CLICKID={value} /D1={value} /D2={value} /D3={value}/D4={value} /D5={value} /PRODUCT_NAME={value} /PRODUCT_EULA={value} /PRODUCT_PRIVACY={value} /EXE_URL={value} /EXE_CMDLINE={value} /HOST_BROWSER={value} /IS_RUNTIME={value} /THANKYOU_URL={value} /RETURNING_USER_DAYS={value} /VM={value}

It gathers the following information that will be used for survey and advertising purposes:

  • Operating system
  • Internet Explorer version
  • Google Chrome version
  • MAC address
  • CPU bit count
  • Computer's GUID
  • Bios serial number
  • Bios version

It connects to the following URL to send and receive information:

  • http://{BLOCKED}ller.{BLOCKED}-track.com/Installer/Flow?pubid={value}&distid={value}&productid={value}&subpubid={value}&campaignid={value}&networkid={value}&dfb={value}&os={value}&iev={value}&ffv={value}&chromev={value}&macaddress={value}&netv={value}&d1={value}&d2={value}&d3={value}&d4={value}&d5={value}&ds1={value}&hb={value}&systembit={value}&vm={value}&machineguid={value}&diskserial={value}&version={value}

The information it receives are the following:

  • Source URL where to download the contents of the installer interface
  • Source URL of main and optional software installers
  • Data that will be used for advertising routine

Here is a sample of URL where it will download the main software installer:

    http://{BLOCKED}n.{BLOCKED}ad2desktop.com/ApprovedApps/vlc.exe

Here are samples of URLs where it will download the optional software installers:

  • http://{BLOCKED}n.{BLOCKED}ad4desktop.com/Installer/Focusbase/focusbaseSetup.exe
  • http://{BLOCKED}l.{BLOCKED}demoserv.com/ob23/all/hds/row/setup.exe
  • http://{BLOCKED}l.{BLOCKED}emoserv.com/outil/fuully/styi2/savepass.exe

It saves the software installers using the following names:

  • %User Temp%\{number}_Offer_{number}.exe

It executes the downloaded files and installs them silently in the background.

It displays the following samples of installation interface or windows:

After installation, it opens a "Thank you" web page that contains advertisements:

  • http://{BLOCKED}r.{BLOCKED}-track.com/installer/thankyou?productid={value}&pubid={value}&distid={value}&countryid={value}&reqid={value}&sysbit={value}&d1={value}&dfb={value}&hb={value}

It does not have rootkit capabilities.

It does not exploit any vulnerability.

  SOLUTION

Minimum Scan Engine: 9.700

Step 1

Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.

Step 2

Delete this registry key

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry. Before you could do this, you must restart in Safe Mode. For instructions on how to do this, you may refer to this page If the preceding step requires you to restart in safe mode, you may proceed to edit the system registry.

 
  • In HKEY_CLASSES_ROOT\CLSID
    • {6D4506CE-F855-4657-AA38-DB6B1F733982}

Step 3

Search and delete these files

[ Learn More ]
There may be some files that are hidden. Please make sure you check the Search Hidden Files and Folders checkbox in the "More advanced options" option to include all hidden files and folders in the search result.  
  • %User Temp%\{number}_Offer_{number}.exe

Step 4

Scan your computer with your Trend Micro product to delete files detected as ADW_DOWNWARE.GA. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

NOTES:

Remove the main and/or optional software using its own Uninstall option by following these steps:

  1. Click Start > Control Panel.
  2. Double-click on Programs and Features (Windows Vista and higher versions) or Add/Remove Programs (Versions lower than Windows Vista).
  3. In the displayed list, choose the software you installed.
  4. Click on Change/Remove.
  5. Follow the instructions on the dialog box that appears.
  6. Repeat step 3 for the remaining software you installed.
  7. Close the Programs and Features or Add/Remove Programs window, and the Control Panel window.


Did this description help? Tell us how we did.