Gen.Variant.Adware.Zugo.4_39d3ea9125
not-a-virus:HEUR:AdWare.Win32.Generic (Kaspersky), Gen:Variant.Adware.Zugo.4 (B) (Emsisoft), Gen:Variant.Adware.Zugo.4 (AdAware), mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Adware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 39d3ea9125c2af65c9638dd40b6656fd
SHA1: dcc0095b96be6abd79aa4fc71af1112703b7a932
SHA256: 1b617ca993da0702b80fc0750c9250b666cf7c53763968e819681cfe1eb70b4d
SSDeep: 6144:1tiy9Dq0nLwhOZcpgGHmOQzrS CXoQnHRtGA oS:1NFLwwZnGNQzrS CdRaoS
Size: 216576 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PackerUPXCompresorGratuitowwwupxsourceforgenet, UPolyXv05_v6
Company:
Created at: 2011-06-28 16:15:29
Analyzed on: Windows7 SP1 32-bit
Summary:
Adware. Delivers advertising content in a manner or context that may be unexpected and unwanted by users. Many adware applications also perform tracking functions. Users may want to remove adware if they object to such tracking, do not wish to see the advertising caused by the program or are frustrated by its effects on system performance.
Payload
No specific payload has been found.
Process activity
The PUP creates the following process(es):
2748:3036
%original file name%.exe:2748
CheckLockedWSFiles.exe:2356
The PUP injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process 2748:3036 makes changes in the file system.
The PUP creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\WhiteSmoke\CheckLockedWsFiles.exe (3406 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsxB5C9.tmp\CustomLicense.dll (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsxB5C9.tmp\ioSpecial.ini (907 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\WhiteSmoke\msvcp80.dll (19096 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\WhiteSmoke\msvcr80.dll (21216 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nscA969.tmp (563482 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsxB5C9.tmp\Whitesmoke_EULA.txt (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsxB5C9.tmp\modern-wizard.bmp (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\WhiteSmoke\Microsoft.VC80.CRT.manifest (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsxB5C9.tmp\nsDialogs.dll (21 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsxB5C9.tmp\System.dll (23 bytes)
The PUP deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsmA958.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsxB5C9.tmp (0 bytes)
The process %original file name%.exe:2748 makes changes in the file system.
The PUP creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\2748 (1779376 bytes)
The process CheckLockedWSFiles.exe:2356 makes changes in the file system.
The PUP creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\WhiteSmoke\msvcp80.dll (557 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\WhiteSmoke\msvcr80.dll (634 bytes)
Registry activity
The process 2748:3036 makes changes in the system registry.
The PUP deletes the following value(s) in system registry:
The PUP disables automatic startup of the application by deleting the following autorun value:
[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"WhiteSmoke"
"WhiteSmoke Installer"
Dropped PE files
| MD5 | File path |
|---|---|
| ab390ac492056f5d672d578045e6930d | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\2748 |
| aded98da2bdabb157965ecf70ed8b056 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\WhiteSmoke\CheckLockedWsFiles.exe |
| 0b3595a4ff0b36d68e5fc67fd7d70fdc | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\WhiteSmoke\msvcp80.dll |
| c9564cf4976e7e96b4052737aa2492b4 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\WhiteSmoke\msvcr80.dll |
| ae97fd89eec5000b400e6bc7e8db0e56 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsxB5C9.tmp\CustomLicense.dll |
| a78507ea1078cadaa8b2ec1a2e1d874f | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsxB5C9.tmp\System.dll |
| e301e0184786c5c75b4b34e4d04608eb | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsxB5C9.tmp\nsDialogs.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| UPX0 | 4096 | 458752 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| UPX1 | 462848 | 217088 | 214016 | 5.54348 | a0a9954c531466b27eb053d1b81fdf5e |
| .rsrc | 679936 | 4096 | 1536 | 2.67913 | 41b8ee76a633442ed55c30ba0afd6de1 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://track.zugo.com/getCountry/?pid=3637&channel=5225&bdate=20110421T152810&bversion=1.6 | |
| hxxp://web1.whitesmoke.com/dl/tools/sono_shoptowin.exe | |
| hxxp://web1.whitesmoke.com/index.html | |
| hxxp://web1.whitesmoke.com/WhiteSmokeWriterTrial.exe | |
| hxxp://get.whitesmoke.com/index.html | |
| hxxp://get.whitesmoke.com/dl/tools/sono_shoptowin.exe | |
| hxxp://get.whitesmoke.com/WhiteSmokeWriterTrial.exe | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY PE EXE or DLL Windows file download HTTP
Traffic
GET /dl/tools/sono_shoptowin.exe HTTP/1.1
Connection: Keep-Alive
Host: get.whitesmoke.com
HTTP/1.1 302 Found
Content-Type: text/html; charset=iso-8859-1
Date: Thu, 31 Aug 2017 17:23:23 GMT
Location: hXXp://get.whitesmoke.com/index.html
Server: Apache
Content-Length: 220
Connection: keep-alive
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="hXXp://get.whitesmoke.com/index.html">here</a>.</p>
</body></html>
GET /index.html HTTP/1.1
Connection: Keep-Alive
Host: get.whitesmoke.com
HTTP/1.1 302 Found
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Thu, 31 Aug 2017 17:23:23 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Location: hXXp://get.whitesmoke.com/WhiteSmokeWriterTrial.exe
Pragma: no-cache
Server: Apache
Set-Cookie: PHPSESSID=jc2dgrc6uf2qthflecr0ba7q17; path=/
Set-Cookie: freeUserID=4466882215; expires=Tue, 30-Aug-2022 17:23:23 GMT; path=/; domain=.whitesmoke.com
Set-Cookie: freeUserIDExpires=1661880203; expires=Tue, 30-Aug-2022 17:23:23 GMT; path=/; domain=.whitesmoke.com
Set-Cookie: freeUserIDSetTime=1504200203; expires=Tue, 30-Aug-2022 17:23:23 GMT; path=/; domain=.whitesmoke.com
X-Powered-By: PHP/5.1.6
Content-Length: 0
Connection: keep-alive
GET /WhiteSmokeWriterTrial.exe HTTP/1.1
Connection: Keep-Alive
Host: get.whitesmoke.com
Cookie: freeUserIDSetTime=1504200203; freeUserIDExpires=1661880203; freeUserID=4466882215; PHPSESSID=jc2dgrc6uf2qthflecr0ba7q17
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Thu, 31 Aug 2017 17:23:24 GMT
Last-Modified: Mon, 31 Mar 2014 04:32:44 GMT
Server: Apache
Content-Length: 7538072
Connection: keep-alive
GET /getCountry/?pid=3637&channel=5225&bdate=20110421T152810&bversion=1.6 HTTP/1.0
User-Agent: NSISDL/1.2 (Mozilla)
Host: track.zugo.com
Accept: */*
HTTP/1.1 200 OK
Date: Thu, 31 Aug 2017 17:19:18 GMT
Server: Apache/2.2.22 (Unix)
X-Powered-By: PHP/5.2.17
Content-Length: 2
Vary: User-Agent
Connection: close
Content-Type: text/plain; charset=UTF-8
UA
The PUP connects to the servers at the following location(s):
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
2748:3036
%original file name%.exe:2748
CheckLockedWSFiles.exe:2356
- Delete the original PUP file.
- Delete or disinfect the following files created/modified by the PUP:
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\WhiteSmoke\CheckLockedWsFiles.exe (3406 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsxB5C9.tmp\CustomLicense.dll (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsxB5C9.tmp\ioSpecial.ini (907 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\WhiteSmoke\msvcp80.dll (19096 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\WhiteSmoke\msvcr80.dll (21216 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nscA969.tmp (563482 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsxB5C9.tmp\Whitesmoke_EULA.txt (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsxB5C9.tmp\modern-wizard.bmp (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\WhiteSmoke\Microsoft.VC80.CRT.manifest (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsxB5C9.tmp\nsDialogs.dll (21 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsxB5C9.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\2748 (1779376 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.