Adware.Win32.Downware_dd93a1049b
not-a-virus:AdWare.Win32.TenClicksDownloader.a (Kaspersky), Iminent (fs) (VIPRE), Adware.Downware.861 (DrWeb), Application.AdLoad (A) (Emsisoft), Artemis!DD93A1049B28 (McAfee), SecurityRisk.gen1 (Symantec), Generic.9C6 (AVG), NSIS:Oneclick-Z [PUP] (Avast), Adware.Win32.Downware.FD, Trojan.NSIS.StartPage.FD, AdwareDownware.YR (Lavasoft MAS)
Behaviour: Trojan, PUP, Adware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
| Requires JavaScript enabled! |
|---|
MD5: dd93a1049b283e92bfdb5cb3111ad347
SHA1: 363f763c8ab434f50d6514f95f09a430772ce211
SHA256: 914e3c7e82084be6b3ca1ee37261fe93502c792e4326933b135dd3e09219fa5a
SSDeep: 6144:bsi1VeHdaUhBlUz8Xjld1itjiL5LupiFpOswc1Yl2HrL:r1dUhBlC8TldEtiLpi42l2HrL
Size: 263200 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:50:46
Analyzed on: Windows7 SP1 32-bit
Summary:
Adware. Delivers advertising content in a manner or context that may be unexpected and unwanted by users. Many adware applications also perform tracking functions. Users may want to remove adware if they object to such tracking, do not wish to see the advertising caused by the program or are frustrated by its effects on system performance.
Payload
No specific payload has been found.
Process activity
The Adware creates the following process(es):
No processes have been created.
The Adware injects its code into the following process(es):
%original file name%.exe:2060
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:2060 makes changes in the file system.
The Adware creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh7C13.tmp\accept.bmp (784 bytes)
%Program Files%\1ClickDownload\ocmainpack.exe (544 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh7C13.tmp\accept3.bmp (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh7C13.tmp\save.bmp (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh7C13.tmp\1clogo.bmp (4992 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh7C13.tmp\accept2.bmp (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss7C03.tmp (13338 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh7C13.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh7C13.tmp\decline.bmp (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh7C13.tmp\anon.bmp (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh7C13.tmp\nsDialogs.dll (21 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh7C13.tmp\inetc3.dll (812 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh7C13.tmp\skip.bmp (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh7C13.tmp\accept1.bmp (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\MainPackFA2703[1].htm (544 bytes)
The Adware deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh7C13.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss7C02.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh7C13.tmp\gC0 (0 bytes)
Registry activity
The process %original file name%.exe:2060 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\dd93a1049b283e92bfdb5cb3111ad347_RASMANCS]
"ConsoleTracingMask" = "4294901760"
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\dd93a1049b283e92bfdb5cb3111ad347_RASAPI32]
"EnableConsoleTracing" = "0"
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"
[HKCU\Software\1ClickDownload]
"UID" = "284555269"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\dd93a1049b283e92bfdb5cb3111ad347_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"MaxFileSize" = "1048576"
"FileTracingMask" = "4294901760"
[HKCU\Software\1ClickDownload]
"LastInstall0" = "30596927"
[HKLM\SOFTWARE\Microsoft\Tracing\dd93a1049b283e92bfdb5cb3111ad347_RASAPI32]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\dd93a1049b283e92bfdb5cb3111ad347_RASMANCS]
"EnableFileTracing" = "0"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Adware deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"
Dropped PE files
| MD5 | File path |
|---|---|
| c17103ae9072a06da581dec998343fc1 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh7C13.tmp\System.dll |
| 9d8ce05f532dc7b5742831ec8a63c2d8 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh7C13.tmp\inetc3.dll |
| c10e04dd4ad4277d5adc951bb331c777 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh7C13.tmp\nsDialogs.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 23130 | 23552 | 4.44841 | 0bc2ffd32265a08d72b795b18265828d |
| .rdata | 28672 | 4496 | 4608 | 3.59163 | f179218a059068529bdb4637ef5fa28e |
| .data | 36864 | 110488 | 1024 | 3.26405 | 975304d6dd6c4a4f076b15511e2bbbc0 |
| .ndata | 147456 | 372736 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .rsrc | 520192 | 16592 | 16896 | 4.13874 | 8091b1378d82973015f802c93eb88bab |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 278
69a0a458647b3436892cf9f2f126c252
001db8cbf96225d919a485a19885a33a
0767ecf112448e3b22d8325486aa6cf6
2329d73d00220236952edad75666c739
bb35932afa8a4b4164d4537558306c04
1f4e2530a975661a020f12651151bb34
d8267d8ec19754fba636e7cc7cbcf5e8
434e4c67fba11c690e4deb2da7c6c779
be63a2ef33ae34e528e73e1a619f7003
f04de17e7401624a76378e9621e156d9
8a49b9a76bc29e04ad3434800b79f447
454e32f0492cfe345e27609419172b9a
c4666deee393783ffb4c606f1c6bbaaf
455ce4514cabc1886ccf44c60d262c23
79e91cc7bfc9d2978eb2c65c7482c98d
220d75bd346807f5e75be057e4bd00d8
41493bd334b04b124933a0395a535273
0592058d62e56072d9a3730ee9c845e6
1314df74c1152fa83b44e72e2e7f6345
0083b9cd57714f369f80bd3303d4fb07
549392eeb6b090fbdaa65501e8d7fac5
458b5456f8a3522a96514d0ad771be45
261c57be98cd4f2f8fd38bbd767820e3
5c7d2cefcf953e92831c3ee7e999262d
381bc1250be83e3e1262a589f03eef01
URLs
| URL | IP |
|---|---|
| hxxp://files.download1click.ws/MainPackFA2703.exe |  64.70.19.203 |
| data.downloadstarter.net | 146.148.42.217 |
| dns.msftncsi.com | 131.107.255.255 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers
Traffic
The Adware connects to the servers at the folowing location(s):
.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
unpacking data: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
ers\"%CurrentUserName%"\AppData\Local\Temp\nsh7C13.tmp\nsDialogs.dll
ove_Me_HQ_480p_.magnet
ectly,Victoria_Justice_feat_Leon_Tell_Me_That_You_Love_Me_HQ_480p_.exe,us
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh7C13.tmp\nsDialogs.dll
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh7C13.tmp
":.ft/
D/-6}
$ 19P.aRO0
Windows
3.tmp\skip.bmp", i 0, i 0, i 0, i 0x2000|0x0010) i.s
ctoria_Justice_feat_Leon_Tell_Me_That_You_Love_Me_HQ_480p_.exe,us
1114438
iles\1ClickDownload\1ClickDownloader.exe
te=1clickdownloader_is_NOT_downloading_any_file_directly,Victoria_Justice_feat_Leon_Tell_Me_That_You_Love_Me_HQ_480p_.exe,us
284555269
06993752
9b283e92bfdb5cb3111ad347.exe
2845552
59532869
855967560
ownload.sweetpacks.com/simsdm/bundle/
ram Files\Internet Explorer\iexplore.exe
Justice_feat_Leon_Tell_Me_That_You_Love_Me_HQ_480p_.exe
601.17514
c:\%original file name%.exe
C:\Users\"%CurrentUserName%"\Desktop
%Program Files%\1ClickDownload
nsh7C13.tmp
%original file name%.exe
ers\"%CurrentUserName%"\AppData\Local\Temp\nss7C02.tmp
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\
hXXp://files.download1click.ws/MainPackFA2703.exe
hXXp://files.download1click.ws/gzip2.exe
hXXp://data.downloadstarter.net/
hXXp://files.download1click.ws/ARURUSetup.exe
hXXp://files.download1click.ws/ARUARSetup.exe
hXXp://files.download1click.ws/BTB0612.exe
hXXp://cdn.download.sweetpacks.com/simsdm/bundle/BundleSweetIMSetup.exe
hXXp://files.download1click.ws/FmoodsV21.exe
hXXp://files.download1click.ws/IminentSetup5.exe
hXXp://files.download1click.ws/.exe
hXXp://files.download1click.ws/weatherbugsetup.msi
hXXp://files.download1click.ws/IWantThisSetupRS.exe
hXXp://files.download1click.ws/ciuvoSetup.exe
hXXp://files.download1click.ws/incredibar_install3.exe
hXXp://download.sterkly.com/yontoo-c4.exe
hXXp://download.sterkly.com/yontoo-c2.exe
hXXp://download.sterkly.com/yontoo-b2.exe
hXXp://download.sterkly.com/yontoo-c3.exe
hXXp://download.sterkly.com/yontoo-c5.exe
hXXp://files.download1click.ws/GophotoExtSetup.exe
hXXp://files.download1click.ws/OneClickExt1_filter03.exe
hXXp://files.download1click.ws/OneClickExt1_filter13.exe
Inetc3 (Mozilla; FW 4; WinNT 6.1; msi 5.0.7601.17514; dbw ie; yo ;)
Software\Microsoft\Windows\CurrentVersion\Uninstall\1ClickDownload
638190174
1180002
3090537
trze7,magnet:?xt=urn:btih:WTXBBMUT5ZKBE4WSCY2M3RIV3AP37JUZ¬e=1clickdownloader_is_NOT_downloading_any_file_directly,Victoria_Justice_feat_Leon_Tell_Me_That_You_Love_Me_HQ_480p_.exe,us
1114430
1114602
ocmainpack.exe
520422586
923075433
1225065986
1048912
1577387084
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
554304976
-989199434
-1039531461
571082233
604636659
889849330
1074398336
-284556196
-2079717888
-636878051
2047477191
Victoria_Justice_feat_Leon_Tell_Me_That_You_Love_Me_HQ_480p_.exe
30596927
VVV.oneclickdownloader.com
sbiectrl.exe
vmtoolsd.exe
prl_cc.exe
coherence.exe
VirtualBox.exe
VBoxSVC.exe
DrWeb
%Program Files%\1ClickDownload\Victoria_Justice_feat_Leon_Tell_Me_That_You_Love_Me_HQ_480p_.magnet
)-.Yln
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
%original file name%.exe_2060_rwx_10004000_00001000:
callback%d
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
- Delete the original Adware file.
- Delete or disinfect the following files created/modified by the Adware:
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh7C13.tmp\accept.bmp (784 bytes)
%Program Files%\1ClickDownload\ocmainpack.exe (544 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh7C13.tmp\accept3.bmp (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh7C13.tmp\save.bmp (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh7C13.tmp\1clogo.bmp (4992 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh7C13.tmp\accept2.bmp (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss7C03.tmp (13338 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh7C13.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh7C13.tmp\decline.bmp (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh7C13.tmp\anon.bmp (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh7C13.tmp\nsDialogs.dll (21 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh7C13.tmp\inetc3.dll (812 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh7C13.tmp\skip.bmp (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh7C13.tmp\accept1.bmp (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\MainPackFA2703[1].htm (544 bytes) - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
