Analysis by: Rhena Inocencio
 PLATFORM:

Windows

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Adware

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This adware may be manually installed by a user.

  TECHNICAL DETAILS

File Size: 8,244,624 bytes
File Type: EXE
Memory Resident: Yes
Initial Samples Received Date: 12 Jun 2014

Arrival Details

This adware may be manually installed by a user.

Installation

This adware drops the following component file(s):

  • %Program Files%\Linkey\Helper.dll
  • %Program Files%\Linkey\IEExtension
  • %Program Files%\Linkey\IEExtension\iedll.dll
  • %Program Files%\Linkey\IEExtension\iedll64.dll
  • %Program Files%\Linkey\log.log
  • %Program Files%\Linkey\module.dll
  • %Program Files%\Linkey\module64.dll
  • %Program Files%\Linkey\Uninstall.exe
  • %Program Files%\LinkeyDeals\insthlp.dll
  • %Program Files%\LinkeyDeals\LinkeyDealsUninst.exe
  • %Program Files%\LinkeyDeals\msilnk.dll
  • %Program Files%\LinkeyDeals\msilnk.exe
  • %Program Files%\Settings Manager\systemk\favicon.ico
  • %Program Files%\Settings Manager\systemk\Helper.dll
  • %Program Files%\Settings Manager\systemk\Internet Explorer Settings.exe
  • %Program Files%\Settings Manager\systemk\sysapcrt.dll
  • %Program Files%\Settings Manager\systemk\syskldr.dll
  • %Program Files%\Settings Manager\systemk\syskldr_u.dll
  • %Program Files%\Settings Manager\systemk\systemk.dll
  • %Program Files%\Settings Manager\systemk\systemkbho.dll
  • %Program Files%\Settings Manager\systemk\systemkChrome.dll
  • %Program Files%\Settings Manager\systemk\systemkmgrc1.cfg
  • %Program Files%\Settings Manager\systemk\SystemkService.exe
  • %Program Files%\Settings Manager\systemk\systemku.exe
  • %Program Files%\Settings Manager\systemk\tbicon.exe
  • %Program Files%\Settings Manager\systemk\Uninstall.exe
  • {All Users Profile}\Application Data\systemk\coordinator.cfg
  • {All Users Profile}\Application Data\systemk\general.cfg
  • {All Users Profile}\Application Data\systemk\S-1-5-32.cfg
  • %Application Data%\Mozilla\Firefox\Profiles\4wwmjcqo.default\extensions\{EB25CAE0-E5F3-E993-3950-E055FE755242}\content\DnsBHO.js
  • %Application Data%\Mozilla\Firefox\Profiles\4wwmjcqo.default\extensions\{EB25CAE0-E5F3-E993-3950-E055FE755242}\content\Error404BHO.js
  • %Application Data%\Mozilla\Firefox\Profiles\4wwmjcqo.default\extensions\{EB25CAE0-E5F3-E993-3950-E055FE755242}\content\MainBHO.js
  • %Application Data%\Mozilla\Firefox\Profiles\4wwmjcqo.default\extensions\{EB25CAE0-E5F3-E993-3950-E055FE755242}\content\NativeHelper.js
  • %Application Data%\Mozilla\Firefox\Profiles\4wwmjcqo.default\extensions\{EB25CAE0-E5F3-E993-3950-E055FE755242}\content\NewTabBHO.js
  • %Application Data%\Mozilla\Firefox\Profiles\4wwmjcqo.default\extensions\{EB25CAE0-E5F3-E993-3950-E055FE755242}\content\overlay.js
  • %Application Data%\Mozilla\Firefox\Profiles\4wwmjcqo.default\extensions\{EB25CAE0-E5F3-E993-3950-E055FE755242}\content\overlay.xul
  • %Application Data%\Mozilla\Firefox\Profiles\4wwmjcqo.default\extensions\{EB25CAE0-E5F3-E993-3950-E055FE755242}\content\RelatedSearch.js
  • %Application Data%\Mozilla\Firefox\Profiles\4wwmjcqo.default\extensions\{EB25CAE0-E5F3-E993-3950-E055FE755242}\content\RequestPreserver.js
  • %Application Data%\Mozilla\Firefox\Profiles\4wwmjcqo.default\extensions\{EB25CAE0-E5F3-E993-3950-E055FE755242}\content\SearchBHO.js
  • %Application Data%\Mozilla\Firefox\Profiles\4wwmjcqo.default\extensions\{EB25CAE0-E5F3-E993-3950-E055FE755242}\content\SettingManager.js
  • %Application Data%\Mozilla\Firefox\Profiles\4wwmjcqo.default\extensions\{EB25CAE0-E5F3-E993-3950-E055FE755242}\components\SystemKHlpFF.xpt
  • %Application Data%\Mozilla\Firefox\Profiles\4wwmjcqo.default\extensions\{EB25CAE0-E5F3-E993-3950-E055FE755242}\components\SystemKHlpFF{number}.dll

(Note: %Program Files% is the Program Files folder, where it usually is C:\Program Files on all Windows operating system versions; C:\Program Files (x86) for 32-bit applications running on Windows 64-bit operating systems.. %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It creates the following folders:

  • %Program Files%\Linkey
  • %Program Files%\LinkeyDeals
  • %Program Files%\Settings Manager
  • %Program Files%\Settings Manager\systemk
  • {All Users Profile}\Application Data\systemk

(Note: %Program Files% is the Program Files folder, where it usually is C:\Program Files on all Windows operating system versions; C:\Program Files (x86) for 32-bit applications running on Windows 64-bit operating systems.)

Autostart Technique

This adware adds the following registry entries to install itself as a Browser Helper Object (BHO):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Browser Helper Objects\{4D9101D6-5BA0-4048-BDDE-7E2DF54C8C47}
(Default) = "Linkey"

Other System Modifications

This adware adds the following registry keys:

HKEY_CURRENT_USER\"Software\Linkey"

HKEY_CURRENT_USER\Software\SystemK

HKEY_LOCAL_MACHINE\SOFTWARE\Linkey

HKEY_LOCAL_MACHINE\SOFTWARE\LinkeyDeals

HKEY_LOCAL_MACHINE\SOFTWARE\SystemK

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Linkey.Linkey

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
SettingsManagerIEHelper.DNSGuard

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SystemkService

It adds the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
bitguard.exe
debugger = "tasklist.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
bprotect.exe
debugger = "tasklist.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
bpsvc.exe
debugger = "tasklist.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
browserdefender.exe
debugger = "tasklist.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
browserprotect.exe
debugger = "tasklist.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
browsersafeguard.exe
debugger = "tasklist.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
dprotectsvc.exe
debugger = "tasklist.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
jumpflip
debugger = "tasklist.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
protectedsearch.exe
debugger = "tasklist.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
searchinstaller.exe
debugger = "tasklist.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
searchprotection.exe
debugger = "tasklist.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
searchprotector.exe
debugger = "tasklist.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
searchsettings.exe
debugger = "tasklist.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
searchsettings64.exe
debugger = "tasklist.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
snapdo.exe
debugger = "tasklist.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
stinst32.exe
debugger = "tasklist.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
stinst64.exe
debugger = "tasklist.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
umbrella.exe
debugger = "tasklist.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
utiljumpflip.exe
debugger = "tasklist.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
volaro
debugger = "tasklist.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
vonteera
debugger = "tasklist.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
websteroids.exe
debugger = "tasklist.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
websteroidsservice.exe
debugger = "tasklist.exe"

Other Details

This adware connects to the following possibly malicious URL:

  • {BLOCKED}vice.{BLOCKED}yproject.com