SearchProtectToolbar_pcap_736b69a5bb

by malwarelabrobot on June 24th, 2017 in Malware Descriptions.

not-a-virus:Downloader.Win32.DownloAdmin.gen (Kaspersky), WebInstall (fs) (VIPRE), Trojan.Vittalia.81 (DrWeb), Application.AdLoad (A) (Emsisoft), Trojan.Gen.2 (Symantec), Win32:DownloadAdmin-Q [PUP] (AVG), Win32:DownloadAdmin-Q [PUP] (Avast), Trojan.NSIS.StartPage.FD, SearchProtectToolbar_pcap.YR (Lavasoft MAS)
Behaviour: Trojan, PUP


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 736b69a5bb6ab3526e53091a06654b32
SHA1: 69a80dedc4c2769d8dcf8963c2cc2580f4b00eae
SHA256: 4a3d5c8e0d6aa2e6f4197197c17deca57f883c8d3028b170497e2543334928c2
SSDeep: 12288:LnIMo/tqzXtBPqaXAFaQEFDPbxiD8mPLnIgq9cThn1nDe:LIMotSLPqaXqE9Pbxi3sitnle
Size: 637080 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2012-06-22 21:07:51
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

un.package.exe:3784

The Trojan injects its code into the following process(es):

%original file name%.exe:3644

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:3644 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\download.com\cancel.gif (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\download.com\nextStepGrey.gif (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\UACInfo.dll (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\UiState.lua (310 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\definitions.lua (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\LuaBridge.dll (1588 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\download.com\headicon.png (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\DownloadThread.lua (581 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\luacom.dll (10136 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\NotifyIcon.lua (302 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\GuiInit.lua (3616 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\BrowserControl.lua (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\utils.lua (1552 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\CustomBrandingURL.dll (13 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\download.com\later.gif (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\Scheduler.lua (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\LuaXml.lua (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\LuaSocket\lua\socket\url.lua (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\customNsWeb.dll (812 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\LuaSocket\lua\mime.lua (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\BundleInstall.lua (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\download.com\decline.gif (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\nsisunz.dll (1552 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\LuaSocket\lua\socket\smtp.lua (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\res\common.js (1856 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\lua51.dll (6527 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\res\common.css (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\download.com\bg.gif (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\Env.lua (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\download.com\close.gif (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\LuaSocket\socket\core.dll (2473 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\ProcessFreeFile.lua (11 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\FloatingProgress.dll (812 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\download.com\accept.gif (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\__localxml.xml (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\download.com\step1of4.png (616 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\json.lua (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\res\jquery.js (6360 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\LuaSocket\mime\core.dll (1909 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\CallbackProxy.lua (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\download.com\progress.gif (769 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\LuaSocket\lua\socket\ftp.lua (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\download.com\iconCheck.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\LuaSocket\lua\socket.lua (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\System.dll (22 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\download.com\progressPlay.gif (511 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\download.com\finish.gif (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\download.com\progressPause.gif (517 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\download.com\nextStep.gif (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017062320170624\index.dat (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\Events.lua (912 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\IntegratedOffer.lua (1552 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\EagerInstall.lua (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\SkinDownloadDotCom.html.pack (1856 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\download.com\installNow.gif (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\DownloadList.lua (11 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\res\knockout.js (6360 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\extension.tlb (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\AdvancedTests.lua (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\LuaSocket\lua\socket\http.lua (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\download.com\loading.gif (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\un.package.exe (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\Sandbox.lua (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\LuaSocket\lua\ltn12.lua (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\version.dll (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\nsis7z.dll (6360 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\download.com\anchoreFreeToolbar.gif (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsz2694.tmp (40696 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\ButtonEvent.dll (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\LuaXml_lib.dll (11 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\Downloads.lua (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\download.com\installOpen.gif (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\__web.xml (3848 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\LuaSocket\lua\socket\tp.lua (3 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012016101320161014\index.dat (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012016101320161014 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsj2683.tmp (0 bytes)

The process un.package.exe:3784 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\SkinDownloadDotCom.html (4152 bytes)

Registry activity

The process %original file name%.exe:3644 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\736b69a5bb6ab3526e53091a06654b32_RASMANCS]
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\736b69a5bb6ab3526e53091a06654b32_RASAPI32]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1340388471"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017062320170624]
"CachePrefix" = ":2017062320170624:"

[HKLM\SOFTWARE\Microsoft\Tracing\736b69a5bb6ab3526e53091a06654b32_RASAPI32]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "%original file name%.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017062320170624]
"CachePath" = "%USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017062320170624"

[HKLM\SOFTWARE\Microsoft\Tracing\736b69a5bb6ab3526e53091a06654b32_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 38 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\736b69a5bb6ab3526e53091a06654b32_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017062320170624]
"CacheRepair" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\736b69a5bb6ab3526e53091a06654b32_RASAPI32]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\736b69a5bb6ab3526e53091a06654b32_RASMANCS]
"MaxFileSize" = "1048576"
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\736b69a5bb6ab3526e53091a06654b32_RASAPI32]
"FileDirectory" = "%windir%\tracing"
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017062320170624]
"CacheOptions" = "11"
"CacheLimit" = "8192"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016101320161014]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

Dropped PE files

MD5 File path
fad9d09fc0267e8513b8628e767b2604 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\ButtonEvent.dll
e4c1b74859c17671ffe1c0602fd56b44 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\CustomBrandingURL.dll
1dcfa038b79b3df456a3c584d96b639c c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\FloatingProgress.dll
1dc95602a95e97f45a2bed37c5ac2c41 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\LuaBridge.dll
4a4845ba1666907f708c9c10a31ec227 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\LuaSocket\mime\core.dll
4bf7db111acfa7c28ad36606107b3322 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\LuaSocket\socket\core.dll
7292b642bd958aeb7fd7cfd19e45b068 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\LuaXml_lib.dll
7e3c808299aa2c405dffa864471ddb7f c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\System.dll
d02a497be5f89c44827f142c4662f591 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\UACInfo.dll
f5df7ac1a25795cbaca7244729763a0e c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\customNsWeb.dll
13c3a33c1f6e43f38de533fd0b766c98 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\lua51.dll
ed7f7857933b38e5d10daf828e79af19 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\luacom.dll
692479f7c07a64a6a632148e382f0e22 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\nsis7z.dll
5f13dbc378792f23e598079fc1e4422b c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\nsisunz.dll
5694e7daf20c47c8d5e73d4a838c2ee6 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\un.package.exe
ebc5bb904cdac1c67ada3fa733229966 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\version.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description:
Comments:
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 23294 23552 4.47651 ad2ebf079e89cd95e3fda4bd0b869620
.rdata 28672 5272 5632 3.56156 45097a769b809e006a7e5c1f08e7cba2
.data 36864 109756 512 0.972488 4b5dfd97899e385b2193064eb045da6b
.ndata 147456 167936 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 315392 37704 37888 4.2409 5ad4f6244598c1dd974258f23a21e438
.reloc 356352 2680 3072 3.86498 bd33af9438036e756fe3734a5dc7bcc6

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 27

URLs

URL IP
hxxp://download.webinstall.com/install?s=fivemill&c=SEM&brand=Download.com&pid=dlcom_sem&aid=download_pdf_printere&bc=67110&country=US 50.97.63.220
hxxp://service.downloadadmin.com/env?productKey=&s=fivemill&c=SEM&variation=&brand=Download.com&pid=dlcom_sem&aid=download_pdf_printere&bc=67110&country=UA 50.22.63.140
hxxp://a1742.c.akamai.net/s/software/10/82/14/07/PDF_Print_Pro_Setup.exe?token=1430428824_f4601ab40d74a65e09943c74b8889d73
hxxp://software-files-a.cnet.com/s/software/10/82/14/07/PDF_Print_Pro_Setup.exe?token=1430428824_f4601ab40d74a65e09943c74b8889d73 87.245.196.105


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

HEAD /s/software/10/82/14/07/PDF_Print_Pro_Setup.exe?token=1430428824_f4601ab40d74a65e09943c74b8889d73 HTTP/1.1
host: software-files-a.cnet.com
te: trailers
connection: close, TE
user-agent: Tightrope Bundle Manager(ref=[9a820e905496a02b1edc5595cd40f32fef4524fe refs/heads/master];windows=6.1;uac=false;elevated=true;dotnet=4)


HTTP/1.1 403 Forbidden
Server: AkamaiGHost
Mime-Version: 1.0
Content-Type: text/html
Content-Length: 175
Expires: Fri, 23 Jun 2017 10:53:05 GMT
Date: Fri, 23 Jun 2017 10:53:05 GMT
Connection: close


GET /env?productKey=&s=fivemill&c=SEM&variation=&brand=Download.com&pid=dlcom_sem&aid=download_pdf_printere&bc=67110&country=UA HTTP/1.1
connection: close, TE
x-exename: %original file name%.exe
x-webinstallurl: hXXp://download.webinstall.com/install?s=fivemill&c=SEM&brand=Download.com&pid=dlcom_sem&aid=download_pdf_printere&bc=67110&country=US
user-agent: Tightrope Bundle Manager(ref=[9a820e905496a02b1edc5595cd40f32fef4524fe refs/heads/master];windows=6.1;uac=false;elevated=true;dotnet=4)
x-webinstallcode: complete url:hXXp://download.webinstall.com/install?s=fivemill&c=SEM&brand=Download.com&pid=dlcom_sem&aid=download_pdf_printere&bc=67110&country=US
te: trailers
host: service.downloadadmin.com


HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Expires: 0
Content-Type: text/xml;charset=UTF-8
Transfer-Encoding: chunked
Date: Fri, 23 Jun 2017 10:53:00 GMT
Age: 0
Connection: close
X-Cache: MISS
007d4
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Installer><Environment>
<Entry name="over-threshold:SearchProtect (US) (Direct)">true</Entry>
<Entry name="over-threshold:The Answer Finder (US)">true</Entry>
<Entry name="over-threshold:QuickRef (US)">true</Entry>
<Entry name="over-threshold:Security Alert (US)">true</Entry>
<Entry name="over-threshold:Useful Program (US)">true</Entry>
<Entry name="over-threshold:Shopperz (US)">true</Entry>
<Entry name="over-threshold:Shopperz (US) (2)">true</Entry>
<Entry name="over-threshold:MyPcBackup (US) (EULA)">true</Entry>
<Entry name="over-threshold:KNCTR">true</Entry>
<Entry name="over-threshold:SearchProtect (US) (Direct)">true</Entry>
<Entry name="over-threshold:The Answer Finder (US)">true</Entry>
<Entry name="over-threshold:QuickRef (US)">true</Entry>
<Entry name="over-threshold:Security Alert (US)">true</Entry>
<Entry name="over-threshold:Useful Program (US)">true</Entry>
<Entry name="over-threshold:Shopperz (US)">true</Entry>
<Entry name="over-threshold:Shopperz (US) (2)">true</Entry>
<Entry name="over-threshold:MyPcBackup (US) (EULA)">true</Entry>
<Entry name="over-threshold:KNCTR">true</Entry>
<Entry name="over-threshold:Useful Program (Tier 2)">true</Entry>
<Entry name="over-threshold:Useful Program (Tier 2b)">true</

<<< skipped >>>

GET /install?s=fivemill&c=SEM&brand=Download.com&pid=dlcom_sem&aid=download_pdf_printere&bc=67110&country=US HTTP/1.1
connection: close, TE
x-exename: %original file name%.exe
x-webinstallurl: hXXp://download.webinstall.com/install?s=fivemill&c=SEM&brand=Download.com&pid=dlcom_sem&aid=download_pdf_printere&bc=67110&country=US
user-agent: Tightrope Bundle Manager(ref=[9a820e905496a02b1edc5595cd40f32fef4524fe refs/heads/master];windows=6.1;uac=false;elevated=true;dotnet=4)
x-webinstallcode: complete url:hXXp://download.webinstall.com/install?s=fivemill&c=SEM&brand=Download.com&pid=dlcom_sem&aid=download_pdf_printere&bc=67110&country=US
te: trailers
host: download.webinstall.com


HTTP/1.1 200 OK
Content-Type: text/xml;charset=UTF-8
Transfer-Encoding: chunked
Date: Fri, 23 Jun 2017 10:52:58 GMT
Age: 0
Connection: close
X-Cache: MISS
008000
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Installer>
  <Bundle>
    <CustomParameter Name="ProductSetId">10821406</CustomParameter>
    <CustomParameter Name="ProductId">10821407</CustomParameter>
    <CustomParameter Name="ProductName">PDF Printer - 1</CustomParameter>
    <CustomParameter Name="FileName">PDF_Print_Pro_Setup.exe</CustomParameter>
    <CustomParameter Name="Name">PDF Printer - 1</CustomParameter>
    <CustomParameter Name="Category">Downloads^Business Software^Business Applications</CustomParameter>
    <CustomParameter Name="CategoryId">2064</CustomParameter>
    <CustomParameter Name="PublishDate">2008-04-03</CustomParameter>
    <CustomParameter Name="FileSize">10598647</CustomParameter>
    <CustomParameter Name="DownloadLink">hXXp://software-files-a.cnet.com/s/software/10/82/14/07/PDF_Print_Pro_Setup.exe?token=1430428824_f4601ab40d74a65e09943c74b8889d73</CustomParameter>
    <CustomParameter Name="License">Free</CustomParameter>
    <CustomParameter Name="ProductVersion">1</CustomParameter>
    <LinkBelowEula>false</LinkBelowEula>
    <OptInDefault>false</OptInDefault>
    <ProductBinary embed="false" msioptions="" options="">hXXp://software-files-a.cnet.com/s/software/10/82/14/07/PDF_Print_Pro_Setup.exe?token=1430428

<<< skipped >>>

The Trojan connects to the servers at the following location(s):

%original file name%.exe_3644:

.text
`.rdata
@.data
.ndata
.rsrc
@.reloc
verifying installer: %d%%
unpacking data: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
%u.%u%s%s
.DEFAULT\Control Panel\International
RegDeleteKeyExA
Software\Microsoft\Windows\CurrentVersion
*?|<>/":
%s=%s
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegDeleteKeyA
RegCloseKey
RegEnumKeyA
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
ers\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\LuaBridge.dll
Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\SkinDownloadDotCom.html.pack" "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\SkinDownloadDotCom.html" "B"
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\LuaBridge.dll
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp
s\UrlAssociations\http\UserChoice
ml.pack
nload.com
All Files|*.*
GetProcessHeap
COMDLG32.dll
nsDialogs.dll
shell32.dll
CNET Download.com
nse2750.tmp
-exec
/BM/2.5/_WEBINSTALL/BINARIES/downloadcom/production/setup.exe.nsi:Line 1509.2
NARIES/downloadcom/production/setup.exe.nsi:Line 1507.2
on/setup.exe.nsi:Line 1105.2
tall":true,"unfinished_shortcut":true,"allow_ie6":true,"allow_install_pause":true,"is_downloaddotcom":true}]] -- C:/BM/2.5/_WEBINSTALL/BINARIES/downloadcom/production/setup.exe.nsi:Line 953.2
rope Bundle Manager(ref=[9a820e905496a02b1edc5595cd40f32fef4524fe refs/heads/master];windows=6.1;uac=false;elevated=true;dotnet=4)
2109832
42536152
Download.com
c:\%original file name%.exe
download.com
%original file name%.exe
ers\"%CurrentUserName%"\AppData\Local\Temp\nsj2683.tmp
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\download.com
IE.HTTP
1517577
1525876
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System vtightrope</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
com.build.date
12/12/2012
com.build.dir
C:\BM\2.5\WebTemplates
com.build.id
com.build.machine
com.build.time
com.build.user
$%USER%

%original file name%.exe_3644_rwx_10004000_00001000:

callback%d


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    un.package.exe:3784

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\download.com\cancel.gif (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\download.com\nextStepGrey.gif (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\UACInfo.dll (12 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\UiState.lua (310 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\definitions.lua (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\LuaBridge.dll (1588 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\download.com\headicon.png (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\DownloadThread.lua (581 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\luacom.dll (10136 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\NotifyIcon.lua (302 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\GuiInit.lua (3616 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\BrowserControl.lua (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\utils.lua (1552 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\CustomBrandingURL.dll (13 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\download.com\later.gif (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\Scheduler.lua (7 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\LuaXml.lua (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\LuaSocket\lua\socket\url.lua (10 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\customNsWeb.dll (812 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\LuaSocket\lua\mime.lua (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\BundleInstall.lua (10 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\download.com\decline.gif (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\nsisunz.dll (1552 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\LuaSocket\lua\socket\smtp.lua (8 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\res\common.js (1856 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\lua51.dll (6527 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\res\common.css (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\download.com\bg.gif (784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\Env.lua (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\download.com\close.gif (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\LuaSocket\socket\core.dll (2473 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\ProcessFreeFile.lua (11 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\FloatingProgress.dll (812 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\download.com\accept.gif (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\__localxml.xml (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\download.com\step1of4.png (616 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\json.lua (784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\res\jquery.js (6360 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\LuaSocket\mime\core.dll (1909 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\CallbackProxy.lua (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\download.com\progress.gif (769 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\LuaSocket\lua\socket\ftp.lua (9 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\download.com\iconCheck.png (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\LuaSocket\lua\socket.lua (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\System.dll (22 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\download.com\progressPlay.gif (511 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\download.com\finish.gif (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\download.com\progressPause.gif (517 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\download.com\nextStep.gif (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017062320170624\index.dat (16 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\Events.lua (912 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\IntegratedOffer.lua (1552 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\EagerInstall.lua (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\SkinDownloadDotCom.html.pack (1856 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\download.com\installNow.gif (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\DownloadList.lua (11 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\res\knockout.js (6360 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\extension.tlb (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\AdvancedTests.lua (6 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\LuaSocket\lua\socket\http.lua (12 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\download.com\loading.gif (6 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\un.package.exe (8 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\Sandbox.lua (7 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\LuaSocket\lua\ltn12.lua (8 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\version.dll (14 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\nsis7z.dll (6360 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\download.com\anchoreFreeToolbar.gif (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsz2694.tmp (40696 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\ButtonEvent.dll (8 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\LuaXml_lib.dll (11 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\Downloads.lua (8 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\download.com\installOpen.gif (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\__web.xml (3848 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse2750.tmp\LuaSocket\lua\socket\tp.lua (3 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
