Modified by: Jennifer Gumban

 PLATFORM:

Windows 2000, XP, Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Adware

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This adware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

  TECHNICAL DETAILS

File Size: Varies
File Type: EXE
Memory Resident: No
Initial Samples Received Date: 07 Sep 2013

Arrival Details

This adware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This adware drops the following non-malicious files:

  • %User Profile%\Application Data\{name}\msvcr100.dll
  • %User Profile%\Application Data\{name}\System.dll
  • %Program Files%\{name}\{config name}.ini

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.. %Program Files% is the Program Files folder, where it usually is C:\Program Files on all Windows operating system versions; C:\Program Files (x86) for 32-bit applications running on Windows 64-bit operating systems.)

It drops the following copies of itself into the affected system:

  • %User Profile%\Application Data\{name}\{file name}.exe
  • %Program Files%\{name}\{file name}.exe

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.. %Program Files% is the Program Files folder, where it usually is C:\Program Files on all Windows operating system versions; C:\Program Files (x86) for 32-bit applications running on Windows 64-bit operating systems.)

It creates the following folders:

  • %User Profile%\Application Data\{name}
  • %User Profile%\{name}
  • %User Temp%\{random values}.tmp
  • %Program Files%\{name}

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.. %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %Program Files% is the Program Files folder, where it usually is C:\Program Files on all Windows operating system versions; C:\Program Files (x86) for 32-bit applications running on Windows 64-bit operating systems.)

Autostart Technique

This adware adds and runs the following services:

  • Service Name: {name}
  • Display Name: {name}
  • Start Type: SERVICE_AUTO_START
  • Binary Pathname: "%User Profile%\Application Data\{name}\{file name}.exe" or "%Program Files%\{name}\{file name}.exe"

(Note: %Program Files% is the Program Files folder, where it usually is C:\Program Files on all Windows operating system versions; C:\Program Files (x86) for 32-bit applications running on Windows 64-bit operating systems.)

Other Details

This adware connects to the following possibly malicious URL:

  • http://www.{BLOCKED}ch123.com/logic/z.php
  • http://{BLOCKED}.{BLOCKED}oud.com/v4/sof-everything/{url path}
  • http://www.{BLOCKED}3.com/inf/eve/SSFK?ver={version}
  • http://{BLOCKED}.{BLOCKED}5.com/everything/up?{url path}
  • http://www.{BLOCKED}lage.com/searchprotect/up?{url path}