PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)


  • Threat Type: Adware

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Infection Channel: Downloaded from the Internet

APROPOS is a family of adware and Trojans that downloads other malware, mostly rootkits, onto systems it has already infected, so an APROPOS infection usually leads to further malware infections.

  TECHNICAL DETAILS

Memory Resident: Yes
Payload: Downloads files

Installation

This adware drops the following files:

  • %Program Files%\CxtPls\ace.dll
  • %User Temp%\~compoundinst0\auto_update_loader.exe
  • %Program Files%\CxtPls\AI_12-02-2013.log
  • %Program Files%\CxtPls\atl.dll
  • %Program Files%\CxtPls\CxtPls.dll
  • %Program Files%\CxtPls\CxtPls.exe
  • %Program Files%\CxtPls\data.bin
  • %Program Files%\CxtPls\libexpat.dll
  • %Program Files%\CxtPls\ProxyStub.dll
  • %Program Files%\CxtPls\uninstaller.exe
  • %Program Files%\CxtPls\WinGenerics.dll
  • %System%\ippdec.exe
  • %System%\ipcir.exe

(Note: %Program Files% is the Program Files folder, where it usually is C:\Program Files on all Windows operating system versions; C:\Program Files (x86) for 32-bit applications running on Windows 64-bit operating systems. %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012. %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

It creates the following folders:

  • %User Temp%\~compoundinst0
  • %Program Files%\CxtPls

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012. %Program Files% is the Program Files folder, where it usually is C:\Program Files on all Windows operating system versions; C:\Program Files (x86) for 32-bit applications running on Windows 64-bit operating systems.)

Autostart Technique

This adware adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
AutoLoaderAproposClient = "{malware path}\{malware name}"

Other System Modifications

This adware adds the following registry entries as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\AutoLoader\
AproposClient
LoadUrl = "http://download.{BLOCKED}tplus.net/apropos/client/WB.POP/<>/AproposClientInstaller.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\AutoLoader\
AproposClient
TempFile = "%User Temp%\auf0.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\AutoLoader\
AproposClient
Parameters =

HKEY_LOCAL_MACHINE\SOFTWARE\AutoLoader\
AproposClient
Attempts = "{number}"

HKEY_LOCAL_MACHINE\SOFTWARE\AutoLoader\
AproposClient
Trust = "{number}"

HKEY_LOCAL_MACHINE\SOFTWARE\AutoLoader\
AproposClient
Total = "{number}"

HKEY_LOCAL_MACHINE\SOFTWARE\AutoLoader\
AproposClient
Downloaded = "{number}"

It adds the following registry keys as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\Apropos

HKEY_LOCAL_MACHINE\SOFTWARE\Apropos\
Client

HKEY_LOCAL_MACHINE\SOFTWARE\AutoLoader

HKEY_LOCAL_MACHINE\SOFTWARE\AutoLoader\
AproposClient

HKEY_LOCAL_MACHINE\SOFTWARE\AutoLoader\
EnvoloAutoUpdater

HKEY_LOCAL_MACHINE\SOFTWARE\Envolo

Download Routine

This adware saves the files it downloads using the following names:

  • %User Temp%\auf0.exe

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

Other Details

This adware connects to the following possibly malicious URLs:

  • http://download.{BLOCKED}tplus.net/apropos/client/WB.POP/1/AproposClientInstaller.exe
  • http://download.{BLOCKED}tplus.net/apropos/client/WB.POP/<>/AproposClientInstaller.exe
  • http://download.{BLOCKED}tplus.net/shared/AutoUpdaterInstaller.exe
  • http://download.{BLOCKED}tplus.net/shared/Msvcp60Installer.exe
  • http://{BLOCKED}2.ocslab.com/shared/AutoUpdaterInstaller.exe
  • http://{BLOCKED}2.ocslab.com/shared/Msvcp60Installer.exe
  • http://{BLOCKED}2.ocslab.com/test/shared/AutoUpdaterInstaller.exe
  • http://{BLOCKED}2.ocslab.com/test/shared/Msvcp60Installer.exe
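The following host-triage script is an added example written for this entry; it is not part of the entry and is not code from the malware. It checks a Windows host for the files, folders, registry keys and values listed under Installation, Autostart Technique, Other System Modifications and Download Routine, and then tests the AproposClient LoadUrl value against the URLs listed above. Assumptions: the sample is a 32-bit program, so on 64-bit Windows both the native HKLM\SOFTWARE view and the WOW6432Node view are checked; the current user's %TEMP% is the one the adware wrote to; and, because the hostnames in this entry are redacted, the URL patterns match on the visible domain suffixes and paths rather than on full hostnames.

```powershell
# Added triage script for the APROPOS artefacts listed in this entry (my own
# example, not from the entry or the malware). File paths, registry locations
# and URL fragments come from the text above; the WOW6432Node check, the
# %TEMP% assumption and the output format are my own choices.
$ErrorActionPreference = 'SilentlyContinue'
$hits = New-Object System.Collections.Generic.List[string]

# --- Dropped files and folders (Installation / Download Routine) ---
$programFilesDirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
foreach ($pf in $programFilesDirs) {
    $dir = Join-Path $pf 'CxtPls'
    if (Test-Path -LiteralPath $dir) {
        $hits.Add("folder: $dir")
        Get-ChildItem -LiteralPath $dir -File | ForEach-Object { $hits.Add("file: $($_.FullName)") }
    }
}
$systemDir = Join-Path $env:SystemRoot 'System32'
foreach ($path in @(
        (Join-Path $systemDir 'ipcir.exe'),
        (Join-Path $systemDir 'ippdec.exe'),
        (Join-Path $env:TEMP 'auf0.exe'),
        (Join-Path $env:TEMP '~compoundinst0\auto_update_loader.exe'))) {
    if (Test-Path -LiteralPath $path) { $hits.Add("file: $path") }
}

# --- Download URLs (Other Details) ---
# Hostnames are redacted in the entry, so match on the visible suffixes and paths.
$urlPatterns = @(
    'tplus\.net/apropos/client/WB\.POP/[^/]+/AproposClientInstaller\.exe',
    'tplus\.net/shared/(AutoUpdaterInstaller|Msvcp60Installer)\.exe',
    'ocslab\.com/(test/)?shared/(AutoUpdaterInstaller|Msvcp60Installer)\.exe'
)

# --- Autostart value, installation keys and AutoLoader download state ---
# Assumption: the sample is 32-bit, so on 64-bit Windows its HKLM\SOFTWARE writes
# (including the Run value) are redirected to WOW6432Node; both views are checked.
$installKeys = @('Apropos', 'Apropos\Client', 'AutoLoader',
                 'AutoLoader\AproposClient', 'AutoLoader\EnvoloAutoUpdater', 'Envolo')
$clientValues = @('LoadUrl', 'TempFile', 'Parameters', 'Attempts', 'Trust', 'Total', 'Downloaded')
foreach ($root in @('HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node')) {
    $runKey = "$root\Microsoft\Windows\CurrentVersion\Run"
    $run = Get-ItemProperty -LiteralPath $runKey
    if ($run -and $run.PSObject.Properties['AutoLoaderAproposClient']) {
        $hits.Add("autostart: $runKey\AutoLoaderAproposClient = $($run.AutoLoaderAproposClient)")
    }
    foreach ($sub in $installKeys) {
        $key = "$root\$sub"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $hits.Add("key: $key")
        if ($sub -ne 'AutoLoader\AproposClient') { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($name in $clientValues) {
            $p = $props.PSObject.Properties[$name]
            if (-not $p) { continue }
            $hits.Add("value: $key\$name = $($p.Value)")
            if ($name -eq 'LoadUrl') {
                foreach ($pat in $urlPatterns) {
                    if ("$($p.Value)" -imatch $pat) {
                        $hits.Add("LoadUrl matches an APROPOS download URL: $($p.Value)")
                        break
                    }
                }
            }
        }
    }
}

if ($hits.Count -eq 0) { Write-Output 'No APROPOS artefacts found.' }
else { $hits | ForEach-Object { Write-Output $_ } }
```

Run it from an elevated PowerShell prompt; it only reads the file system and registry and removes nothing. A non-zero Attempts or Downloaded counter under AutoLoader\AproposClient, together with a LoadUrl hit, indicates the downloader stage has already run, so the dropped %User Temp%\auf0.exe and anything it fetched should be collected before cleanup.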