ADW_TSUPLOADER

This adware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It modifies the Internet Explorer Zone Settings.

Arrival Details

This adware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This adware adds the following mutexes to ensure that only one of its copies runs at any one time:

• {random guid}

Other System Modifications

This adware deletes the following files:

• %User Temp%\down.{Random Numbers}.{Random Values}.{Random File Extension}.part

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)

Web Browser Home Page and Search Page Modification

This adware modifies the Internet Explorer Zone Settings.

Dropping Routine

This adware drops the following files:

• %TEMP%\Tsu{random value}.dll
• %TEMP%\{Random GUID}\Custom.dll
• %TEMP%\{Random GUID}\Readme.txt
• %TEMP%\{Random GUID}\Setup.exe
• %TEMP%\{Random GUID}\Setup.ico
• %TEMP%\{Random GUID}\_Setup.dll
• %All Users Profile%\Application Data\InstallMate\{random values}\cfg\{random name}.ini
• %User Temp%\{Random GUID}\general_logo.bmp
• %User Temp%\{Random GUID}\v_grey.jpg
• %TEMP%\TSULoader.log
• %TEMP%\~{random values}.tmp

(Note: %All Users Profile% is the All Users or Common profile folder, which is C:\Documents and Settings\All Users in Windows 2000, XP, and Server 2003, and C:\ProgramData in Windows Vista and 7.. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)

Download Routine

This adware downloads the file from the following URL and renames the file when stored in the affected system:

• http://{BLOCKED}nnermyall.ru/* - downloads ext_setup.exe, extIE_setup.exe, ytab_setup.exe, ytbmk_setup.exe, browsecoupon_setup.exe
• http://{BLOCKED}downloads.info/* - saves as newtab_setup.exe
• http://i1.{BLOCKED}un.info/images/general_logo.bmp - saves as general_logo.bmp
• http://i1.{BLOCKED}un.info/addons/agent2.exe - saves as helper_setup.exe
• http://i1.{BLOCKED}\un.info/addons/ezdownloader.exe - saves as EzDownloader_setup.exe
• http://i1.{BLOCKED}un.info/addons/search_installer.exe - saves as search_intaller.exe
• http://i1.{BLOCKED}un.info/addons/dfndr/180/sprotector_x86_x64.exe - saves as assistant_v3.exe

Other Details

This adware performs DNS requests to the following sites:

• http://r1.{BLOCKED}licationmy.info/?report_version=5&
• http://c1.{BLOCKED}licationmy.info/*
• http://{BLOCKED}wnloadscan.info/get/* - requested by assistant_v3.exe
• http://{BLOCKED}tectionsoft.info/get/* - requested by assistant_v3.exe

NOTES:

This adware pretends to be a Quickset Installer but is actually a serial key generator for J. River Media Center version 19.0.66.

The files are temporarily named as %TEMP%\down.{random numbers}.{random name}.{random extension}.part and are renamed and saved in %User Temp%\Addons\{given name}.

The downloaded files are detected by Trend Micro as ADW_MULTIPLUG.

It executes the downloaded files. After installation, it deletes all dropped components and downloaded files.