Gen.Application.Parj.1_b9f47b2839
not-a-virus:AdWare.Win32.CrossRider.aaev (Kaspersky), Gen:Application.Parj.1 (AdAware), Trojan.NSIS.StartPage.FD, SearchProtectToolbar.YR (Lavasoft MAS)
Behaviour: Trojan, Adware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: b9f47b283948665602f800dd2b310ff5
SHA1: e4afe9bf79873999d44fd7778da8221eca35086b
SHA256: 9f61db8d2a9710c3254c9dfdbcd7d53d8942b5d47b4420a668d29a696568ab8a
SSDeep: 49152:T6Gs9QZ4o0/mJyOGqbOsxg5JAI9PRPA6Hf/wLlKFrOYJ/: LO4o mEmtxM9hR74MT
Size: 2060267 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2012-12-04 15:55:02
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:1192
Au_.exe:1376
The Trojan injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:1192 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\~nsu.tmp\Au_.exe (15019 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg2.tmp (13742 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsm1.tmp (0 bytes)
The process Au_.exe:1376 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsd4.tmp (13742 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nso3.tmp (0 bytes)
Registry activity
The process %original file name%.exe:1192 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "36 A5 08 E9 17 64 43 06 B3 AB 2A 2E 04 4D 2F 24"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\~nsu.tmp\Au_.exe,"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process Au_.exe:1376 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CD 29 77 8B BC F5 63 1F 1B B1 15 A9 62 A9 35 FD"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: Cinema PlusV24.06
Product Name: CinemaPlus-3.2cV24.06
Product Version:
Legal Copyright: Copyright Cinema PlusV24.06
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.36.01.22
File Description: CinemaPlus-3.2cV24.06 Installer
Comments:
Language: English
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 34880 | 35328 | 4.13209 | c061a4f004f4d6347691f4655fa02103 |
| .data | 40960 | 140 | 512 | 0.818128 | a5a710a52d844b19513b2cab5693dbc3 |
| .rdata | 45056 | 9108 | 9216 | 4.0908 | 004265d16597098398ce8e06897dcd29 |
| .bss | 57344 | 252880 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .idata | 311296 | 4868 | 5120 | 3.64756 | 20f692042b54593897a705a64d67ce50 |
| .ndata | 319488 | 22355968 | 8192 | 0 | 0829f71740aab1ab98b33eae21dee122 |
| .rsrc | 22675456 | 28704 | 29184 | 3.77872 | 16a7ca548bcd8b5d5116716c2b3ee33d |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 6
f0ec6966e49ccdf5675d0460cd9daf89
6b6e4aee8f4dc2540a48501791bcf85e
f847ac3d25ce36c67be65688f44fd60f
e366c83224101f5a91ab049edda84f9d
45e85d507a4f8005ec613bd165794ec9
4bd186bb0da0a901378eccc39cad0edf
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Trojan connects to the servers at the following location(s):
.text
0`.data
.rdata
[email protected]
.idata
.ndata
.rsrc
unpacking data: %d%%
verifying installer: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
%u.%u%s%s
.DEFAULT\Control Panel\International
*?|<>/":
%s=%s
RegDeleteKeyExA
Software\Microsoft\Windows\CurrentVersion
<%U#U'1
msg>I
.rSO1
SOFTWARE\Classes\AVG SafeGuard toolbar.BrowserWndAPI
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AVG SafeGuard toolbar
\Yontoo Layers\*.*
\Yontoo\*.*
\qualitink\*.*
\SecretSauce\*.*
\GrabRez\*.*
\PCTechHotline\*.*
\System Optimizer Pro\*.*
\PCFixSpeed\*.*
\InstallConverter\*.*
\Optimizer Pro\*.*
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GrabRez
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PacFunction
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\InstallConverter
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\System Optimizer Pro
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A0B0DA25-DD15-4739-92A3-62D3424F043A}_is1
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F7B34B38-02A6-44D5-B8CC-06EB3B8ACFC9}_is1
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IECT2700842
\Mozilla\Firefox\Profiles
{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom\*.*
\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb\*.*
\Google\Chrome\User Data\Default\Extensions\ocifcklkibdehekfnmflempfgjhbedch\*.*
\Google\Chrome\User Data\Profile
\Extensions\gighmmpiobklfepjocnamgkkbiglidom\*.*
\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb\*.*
\Extensions\ocifcklkibdehekfnmflempfgjhbedch\*.*
\Google\Chrome\User Data\Default\Extensions\bmagokdooijbeehmkpknfglimnifench\*.*
\Extensions\bmagokdooijbeehmkpknfglimnifench\*.*
Software\Microsoft\Windows\CurrentVersion\Uninstall\Coupon Companion
Software\Microsoft\Windows\CurrentVersion\Uninstall\Coupon Slider
Software\Microsoft\Windows\CurrentVersion\Uninstall\CouponDropDown
Software\Microsoft\Windows\CurrentVersion\Uninstall\Deal Boat
Software\Microsoft\Windows\CurrentVersion\Uninstall\Deal Slider
Software\Microsoft\Windows\CurrentVersion\Uninstall\DealCola
Software\Microsoft\Windows\CurrentVersion\Uninstall\DealDropDown
Software\Microsoft\Windows\CurrentVersion\Uninstall\Deals Plugin
Software\Microsoft\Windows\CurrentVersion\Uninstall\DropinSavings
Software\Microsoft\Windows\CurrentVersion\Uninstall\Giant Savings
Software\Microsoft\Windows\CurrentVersion\Uninstall\I Want This
Software\Microsoft\Windows\CurrentVersion\Uninstall\I Want This 2
Software\Microsoft\Windows\CurrentVersion\Uninstall\I Want This 3
Software\Microsoft\Windows\CurrentVersion\Uninstall\I Want This 4
Software\Microsoft\Windows\CurrentVersion\Uninstall\I Want This 5
Software\Microsoft\Windows\CurrentVersion\Uninstall\I Want This 6
Software\Microsoft\Windows\CurrentVersion\Uninstall\I Want This Premium
Software\Microsoft\Windows\CurrentVersion\Uninstall\I Want This Suite
Software\Microsoft\Windows\CurrentVersion\Uninstall\Instant Savings App
Software\Microsoft\Windows\CurrentVersion\Uninstall\Just In Time Savings
Software\Microsoft\Windows\CurrentVersion\Uninstall\Monster Savings
Software\Microsoft\Windows\CurrentVersion\Uninstall\RewardsArcade
Software\Microsoft\Windows\CurrentVersion\Uninstall\RewardsArcadeSuite
Software\Microsoft\Windows\CurrentVersion\Uninstall\Savings App
Software\Microsoft\Windows\CurrentVersion\Uninstall\Savings App Pro
Software\Microsoft\Windows\CurrentVersion\Uninstall\Savings Plugin
Software\Microsoft\Windows\CurrentVersion\Uninstall\Savings Sidekick
Software\Microsoft\Windows\CurrentVersion\Uninstall\Savings Slider
Software\Microsoft\Windows\CurrentVersion\Uninstall\Savings Wave
Software\Microsoft\Windows\CurrentVersion\Uninstall\SavingsApp
Software\Microsoft\Windows\CurrentVersion\Uninstall\Shopping Sidekick
Software\Microsoft\Windows\CurrentVersion\Uninstall\Surf and Save
Software\Microsoft\Windows\CurrentVersion\Uninstall\TextEnhance
Software\Microsoft\Windows\CurrentVersion\Uninstall\Vid-Saver
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Bee Coupons
Software\AdvertisingSupport
87dfd1ac-4f39-4588-8688-6e7c058a3699
87dfd1ac-4f39-4588-8688-6e7c058a3699.exe
8661392d-d3a6-445b-a06f-c9aed5175b12
8661392d-d3a6-445b-a06f-c9aed5175b12.exe
\Mozilla Firefox\wsock32.dll
\Mozilla Firefox\params.txt
err_extrating_firefox_agent
err_unmixing_firefox_agent_
\FirefoxUninstaller72893.exe
err_copying_firefox_agent&lsterr=
/installerversion=1_36_01_22 /installerfullversion=1.36.01.22 /installationtime=
/statsdomain=hXXp://stats.buffernavpose.com /errorsdomain=hXXp://errors.buffernavpose.com /waitforbrowser=300 /[email protected] /extensionversion=0.95 /prefsbranch=ad4db60df25f14dae9dd18185c395f9e794c9ab86be3ebcom72893 /defbro=
518a705e-34db-4d1f-9c71-f84a88d4b653-4
518a705e-34db-4d1f-9c71-f84a88d4b653-4.exe
\FirefoxUninstaller72893.exe /rawdata=
\kkfqyk.dll
518a705e-34db-4d1f-9c71-f84a88d4b653-3
518a705e-34db-4d1f-9c71-f84a88d4b653-3.exe
518a705e-34db-4d1f-9c71-f84a88d4b653-11
518a705e-34db-4d1f-9c71-f84a88d4b653-11.exe
err_extrating_chrome_agent
err_unmixing_chrome_agent_
\58285bb5-9bb8-4041-8d6e-41527e964588-uninstaller.exe
err_copying_chrome_agent&lsterr=
/statsdomain=hXXp://stats.buffernavpose.com /errorsdomain=hXXp://errors.buffernavpose.com /waitforbrowser=300 /defbro=
/extensionid=papbadoldddalgcjcicnikcfenodpghp /extensionversion=1.26.85 /sid=
/maxextid={16b4fc89-d196-4cc8-951c-cf86fc769fa4}/maxextfilename='1293297481.mxaddon'
\58285bb5-9bb8-4041-8d6e-41527e964588-uninstaller.exe /rawdata=
518a705e-34db-4d1f-9c71-f84a88d4b653-6
518a705e-34db-4d1f-9c71-f84a88d4b653-6.exe
518a705e-34db-4d1f-9c71-f84a88d4b653-64.exe
\0218c2d2-03f2-4c34-a965-57e2b2b5ea5a\22a27727-cda4-455f-8669-d775e3b56da6.dll
\0218c2d2-03f2-4c34-a965-57e2b2b5ea5a\e8f41166-57f3-4dbf-879c-b912e33c7fc4.dll
\0218c2d2-03f2-4c34-a965-57e2b2b5ea5a\
518a705e-34db-4d1f-9c71-f84a88d4b653-7
518a705e-34db-4d1f-9c71-f84a88d4b653-7.exe
hXXp://stats.buffernavpose.com/apps.gif?action=uninstall&browser=chrome&browserver=
518a705e-34db-4d1f-9c71-f84a88d4b653-1-6
518a705e-34db-4d1f-9c71-f84a88d4b653-1-6.exe
518a705e-34db-4d1f-9c71-f84a88d4b653-1-7
518a705e-34db-4d1f-9c71-f84a88d4b653-1-7.exe
hXXp://stats.buffernavpose.com/apps.gif?action=uninstall&browser=ie&browserver=
518a705e-34db-4d1f-9c71-f84a88d4b653-10_user
518a705e-34db-4d1f-9c71-f84a88d4b653-10.exe
518a705e-34db-4d1f-9c71-f84a88d4b653-5
518a705e-34db-4d1f-9c71-f84a88d4b653-5_user
518a705e-34db-4d1f-9c71-f84a88d4b653-5.exe
Software\globalUpdate\Update\Clients\{7f442311-045e-4d30-b7dd-62681bc52771}
{430FD4D0-B729-4F61-AA34-91526481799D}
nomsgboxinsilentuninstall
\jaxsmyhxc.dll
\fkpur.dll
Software\CinemaPlus-3.2cV24.06\Chrome
\Software\CinemaPlus-3.2cV24.06\Chrome
Software\CinemaPlus-3.2cV24.06\Firefox
\CinemaPlus-3.2cV24.06\Firefox
BundledFirefox
1.26.85
BundledChromePolicy
Software\Microsoft\Windows\CurrentVersion\Uninstall\CinemaPlus-3.2cV24.06
\Software\Microsoft\Windows\CurrentVersion\Uninstall\CinemaPlus-3.2cV24.06
\CinemaPlus-3.2cV24.06.lnk
Software\518a705e-34db-4d1f-9c71-f84a88d4b653
Software\58285bb5-9bb8-4041-8d6e-41527e964588
Software\1bc902e9-874c-43a3-940f-bf05e3bbf344
Software\ee15e17c-33f9-48e9-aeb8-78f4590f401b
Software\22a27727-cda4-455f-8669-d775e3b56da6
Software\e8f41166-57f3-4dbf-879c-b912e33c7fc4
Software\6e4256e2-c981-4516-be02-3a897c1a61c5
Software\0218c2d2-03f2-4c34-a965-57e2b2b5ea5a
\Software\518a705e-34db-4d1f-9c71-f84a88d4b653
\Software\58285bb5-9bb8-4041-8d6e-41527e964588
\Software\1bc902e9-874c-43a3-940f-bf05e3bbf344
\Software\ee15e17c-33f9-48e9-aeb8-78f4590f401b
\Software\22a27727-cda4-455f-8669-d775e3b56da6
\Software\e8f41166-57f3-4dbf-879c-b912e33c7fc4
\Software\6e4256e2-c981-4516-be02-3a897c1a61c5
\Software\0218c2d2-03f2-4c34-a965-57e2b2b5ea5a
hXXp://logs.buffernavpose.com/monetization.gif?event=5&ibic=
Software\Microsoft\Windows\CurrentVersion\Uninstall\Information
\Software\Microsoft\Windows\CurrentVersion\Uninstall\Information
u_.exe
u_.exe"
$$\wininit.ini
`.rdata
@.data
.reloc
r.exe
aol.exe
BaiduBrowser.exe
\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice
\Software\Classes\http\shell\open\command\
http\shell\open\command
268435456
67108864
33554432
134217728
536870912
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
1048576
16777216
360Chrome
1073741824
2147483648
Google Chrome
Google Chrome SxS
SeaMonkey
2097152
Firefox Developer Edition
Web Bar
8388608
Dr.Web Anti-virus for Windows
4194304
lbar for Chrome
\Microsoft Visual Studio 9.0\*.*
\Microsoft Visual Studio 10.0\*.*
\Microsoft Visual Studio 11.0\*.*
\Microsoft Visual Studio 12.0\*.*
\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
\Ebon\ebon.exe
"\Ebon\ebon.exe
\UnicoBrowser\Application\unicobrowser.exe
\WebBar\*.*
"\WebBar\*.*
Software\WebBar
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wireshark
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fiddler2
{95B7759C-8C7F-4BF1-B163-7
RegCloseKey
RegCreateKeyExA
RegDeleteKeyA
RegEnumKeyA
RegOpenKeyExA
GetWindowsDirectoryA
SHFileOperationA
ShellExecuteA
ExitWindowsEx
ADVAPI32.dll
COMCTL32.DLL
GDI32.dll
KERNEL32.dll
ole32.dll
SHELL32.DLL
USER32.dll
VERSION.dll
"C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\~nsu.tmp\Au_.exe"
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\~nsu.tmp
Au_.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nso3.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\~nsu.tmp\Au_.exe
((((1112666:777?;;;@555=7776111,&&&"
9&&&<(((=""";
JJJ%XXX
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Gather yourselves together, and</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
04090000
1.36.01.22
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1192
Au_.exe:1376
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\~nsu.tmp\Au_.exe (15019 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg2.tmp (13742 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd4.tmp (13742 bytes)
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.