Adware.Win32.Downware_405c6bb921

by malwarelabrobot on June 26th, 2017 in Malware Descriptions.

not-a-virus:HEUR:AdWare.NSIS.TornTV.gen (Kaspersky), Iminent (fs) (VIPRE), Adware.Downware.861 (DrWeb), Application.AdLoad (A) (Emsisoft), Adware-SweetIM (McAfee), SecurityRisk.gen1 (Symantec), NSIS:Oneclick-Z [PUP] (AVG), NSIS:Oneclick-Z [PUP] (Avast), TROJ_GEN.R08NC0PFF17 (TrendMicro), Adware.Win32.Downware.FD, Trojan.NSIS.StartPage.FD, AdwareDownware.YR (Lavasoft MAS)
Behaviour: Trojan, PUP, Adware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: 405c6bb9214786328fb1ae19ad61072a
SHA1: 501b684d382365f2e7d546bb05167df2f020e570
SHA256: f8379ba0f2f16d43ba1c9fc461274fa3898786310fdfd45b98fd137e9aaeea0a
SSDeep: 6144:Isi1 EBoh/5bygR1seT3RX4PjpuL/jZ/3wRj:S1HoDyh9e/jdwF
Size: 263408 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:50:46
Analyzed on: Windows7 SP1 32-bit


Summary:

Adware. Delivers advertising content in a manner or context that may be unexpected and unwanted by users. Many adware applications also perform tracking functions. Users may want to remove adware if they object to such tracking, do not wish to see the advertising caused by the program or are frustrated by its effects on system performance.

Payload

No specific payload has been found.

Process activity

The Adware creates the following process(es):
No processes have been created.
The Adware injects its code into the following process(es):

%original file name%.exe:3676

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:3676 makes changes in the file system.
The Adware creates and/or writes to the following file(s):

%Program Files%\1ClickDownload\ocmainpack.exe (544 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsdF0A7.tmp\skip.bmp (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsdF0A7.tmp\nsDialogs.dll (21 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsdF0A7.tmp\save.bmp (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsnF096.tmp (14124 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsdF0A7.tmp\decline.bmp (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsdF0A7.tmp\accept1.bmp (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\MainPackFA2703[1].htm (544 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsdF0A7.tmp\accept2.bmp (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsdF0A7.tmp\inetc3.dll (812 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsdF0A7.tmp\anon.bmp (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsdF0A7.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsdF0A7.tmp\1clogo.bmp (4992 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsdF0A7.tmp\accept3.bmp (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsdF0A7.tmp\accept.bmp (784 bytes)

The Adware deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsnF095.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsdF0A7.tmp\gC0 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsdF0A7.tmp (0 bytes)

Registry activity

The process %original file name%.exe:3676 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\405c6bb9214786328fb1ae19ad61072a_RASMANCS]
"ConsoleTracingMask" = "4294901760"
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3E 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\405c6bb9214786328fb1ae19ad61072a_RASAPI32]
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\405c6bb9214786328fb1ae19ad61072a_RASMANCS]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\405c6bb9214786328fb1ae19ad61072a_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\1ClickDownload]
"UID" = "284555269"

[HKLM\SOFTWARE\Microsoft\Tracing\405c6bb9214786328fb1ae19ad61072a_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\405c6bb9214786328fb1ae19ad61072a_RASMANCS]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\405c6bb9214786328fb1ae19ad61072a_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\1ClickDownload]
"LastInstall0" = "30600655"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Adware deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

Dropped PE files

MD5 File path
c17103ae9072a06da581dec998343fc1 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsdF0A7.tmp\System.dll
9d8ce05f532dc7b5742831ec8a63c2d8 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsdF0A7.tmp\inetc3.dll
c10e04dd4ad4277d5adc951bb331c777 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsdF0A7.tmp\nsDialogs.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 23130 23552 4.44841 0bc2ffd32265a08d72b795b18265828d
.rdata 28672 4496 4608 3.59163 f179218a059068529bdb4637ef5fa28e
.data 36864 110488 1024 3.26405 975304d6dd6c4a4f076b15511e2bbbc0
.ndata 147456 372736 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 520192 16592 16896 4.13874 8091b1378d82973015f802c93eb88bab

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 280
69a0a458647b3436892cf9f2f126c252
6ec0e16ca501058760d560098cf5df00
dd93a1049b283e92bfdb5cb3111ad347
001db8cbf96225d919a485a19885a33a
0767ecf112448e3b22d8325486aa6cf6
2329d73d00220236952edad75666c739
bb35932afa8a4b4164d4537558306c04
1f4e2530a975661a020f12651151bb34
d8267d8ec19754fba636e7cc7cbcf5e8
434e4c67fba11c690e4deb2da7c6c779
be63a2ef33ae34e528e73e1a619f7003
f04de17e7401624a76378e9621e156d9
8a49b9a76bc29e04ad3434800b79f447
454e32f0492cfe345e27609419172b9a
c4666deee393783ffb4c606f1c6bbaaf
455ce4514cabc1886ccf44c60d262c23
79e91cc7bfc9d2978eb2c65c7482c98d
220d75bd346807f5e75be057e4bd00d8
41493bd334b04b124933a0395a535273
0592058d62e56072d9a3730ee9c845e6
1314df74c1152fa83b44e72e2e7f6345
0083b9cd57714f369f80bd3303d4fb07
549392eeb6b090fbdaa65501e8d7fac5
458b5456f8a3522a96514d0ad771be45
261c57be98cd4f2f8fd38bbd767820e3

URLs

URL IP
hxxp://files.download1click.ws/MainPackFA2703.exe 64.70.19.203
data.downloadstarter.net 146.148.42.217


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers

Traffic

GET /MainPackFA2703.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: files.download1click.ws
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200
Server: nginx/1.6.3
Date: Sun, 25 Jun 2017 16:21:14 GMT
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 544
Connection: keep-alive
<html>.<head>..<title>WEBSITE.WS - Your Internet Add
ress For Life™</title>.</head>.<frameset rows="10
0%,*" border="0" frameborder="0">..<frame src="hXXps://VVV.world
site.ws/idn-orderflow/index.dhtml?view=advanced&sponsor=idntraffic" sc
rolling="auto">..<noframes>...<p> Your browser does not
 support frames. Continue to <a href="hXXps://VVV.worldsite.ws/idn-
orderflow/index.dhtml?view=advanced&sponsor=idntraffic">hXXps://www
.worldsite.ws/idn-orderflow/index.dhtml?view=advanced&sponsor=idntraff
ic</a>.</p>..</noframes>.</frameset>.</html
>HTTP/1.1 200..Server: nginx/1.6.3..Date: Sun, 25 Jun 2017 16:21:14
 GMT..Content-Type: text/html; charset=ISO-8859-1..Content-Length: 544
..Connection: keep-alive..<html>.<head>..<title>WEBS
ITE.WS - Your Internet Address For Life™</title>.</head
>.<frameset rows="100%,*" border="0" frameborder="0">..<fr
ame src="hXXps://VVV.wo..

The Adware connects to the servers at the folowing location(s):

%original file name%.exe_3676:

.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
unpacking data: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
ers\"%CurrentUserName%"\AppData\Local\Temp\nsdF0A7.tmp\nsDialogs.dll
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsdF0A7.tmp\nsDialogs.dll
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsdF0A7.tmp
`%XFa'
e:\0%Ref
Qkt%U8
j).Ak
q/.wi`L
Windows
7.tmp\skip.bmp", i 0, i 0, i 0, i 0x2000|0x0010) i.s
1049112
iles\1ClickDownload\1ClickDownloader.exe
p.exe,au
et Explorer\iexplore.exe
284555269
33168444
214786328fb1ae19ad61072a.exe
2845552
59532869
-117111677
ownload.sweetpacks.com/simsdm/bundle/
ram Files\Internet Explorer\iexplore.exe
nt specified.torrent
c:\%original file name%.exe
C:\Users\"%CurrentUserName%"\Desktop
%Program Files%\1ClickDownload
nsdF0A7.tmp
%original file name%.exe
ers\"%CurrentUserName%"\AppData\Local\Temp\nsnF095.tmp
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\
hXXp://files.download1click.ws/MainPackFA2703.exe
hXXp://files.download1click.ws/gzip2.exe
hXXp://data.downloadstarter.net/
hXXp://files.download1click.ws/ARURUSetup.exe
hXXp://files.download1click.ws/ARUARSetup.exe
hXXp://files.download1click.ws/BTB0612.exe
hXXp://cdn.download.sweetpacks.com/simsdm/bundle/BundleSweetIMSetup.exe
hXXp://files.download1click.ws/FmoodsV21.exe
hXXp://files.download1click.ws/IminentSetup5.exe
hXXp://files.download1click.ws/.exe
hXXp://files.download1click.ws/weatherbugsetup.msi
hXXp://files.download1click.ws/IWantThisSetupRS.exe
hXXp://files.download1click.ws/ciuvoSetup.exe
hXXp://files.download1click.ws/incredibar_install3.exe
hXXp://download.sterkly.com/yontoo-c4.exe
hXXp://download.sterkly.com/yontoo-c2.exe
hXXp://download.sterkly.com/yontoo-b2.exe
hXXp://download.sterkly.com/yontoo-c3.exe
hXXp://download.sterkly.com/yontoo-c5.exe
hXXp://files.download1click.ws/GophotoExtSetup.exe
hXXp://files.download1click.ws/OneClickExt1_filter03.exe
hXXp://files.download1click.ws/OneClickExt1_filter13.exe
ocmainpack.exe
Inetc3 (Mozilla; FW 4; WinNT 6.1; msi 5.0.7601.17514; dbw ie; yo ;)
Software\Microsoft\Windows\CurrentVersion\Uninstall\1ClickDownload
2030701158
1442386
1049060
1049192
3090537
,,DownloadSetup.exe,au
No torrent specified.torrent
hXXp://o/No torrent specified.torrent
1258620082
1157957093
436536515
-1190853860
2884250
1311316
1049178
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
621413898
638190101
772408855
889849287
-1375075520
2030699210
1426720638
571083323
604636669
-989197828
822741385
DownloadSetup.exe
30600655
VVV.oneclickdownloader.com
sbiectrl.exe
vmtoolsd.exe
prl_cc.exe
coherence.exe
VirtualBox.exe
VBoxSVC.exe
DrWeb
%Program Files%\1ClickDownload\DownloadSetup.magnet
)-.Yln
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>

%original file name%.exe_3676_rwx_10004000_00001000:

callback%d


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
  2. Delete the original Adware file.
  3. Delete or disinfect the following files created/modified by the Adware:

    %Program Files%\1ClickDownload\ocmainpack.exe (544 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsdF0A7.tmp\skip.bmp (784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsdF0A7.tmp\nsDialogs.dll (21 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsdF0A7.tmp\save.bmp (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsnF096.tmp (14124 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsdF0A7.tmp\decline.bmp (784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsdF0A7.tmp\accept1.bmp (784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\MainPackFA2703[1].htm (544 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsdF0A7.tmp\accept2.bmp (784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsdF0A7.tmp\inetc3.dll (812 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsdF0A7.tmp\anon.bmp (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsdF0A7.tmp\System.dll (23 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsdF0A7.tmp\1clogo.bmp (4992 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsdF0A7.tmp\accept3.bmp (784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsdF0A7.tmp\accept.bmp (784 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2025 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now