Gen.Variant.Adware.Symmi.41092_bd17d95d0e
Gen:Variant.Adware.Symmi.41092 (BitDefender), Adware:Win32/BetterSurf (Microsoft), not-a-virus:AdWare.Win32.BetterSurf.b (Kaspersky), Adware.Bettersurf (fs) (VIPRE), Gen:Variant.Adware.Symmi.41092 (B) (Emsisoft), Artemis!BD17D95D0E5E (McAfee), Adware.BL (Symantec), Gen:Variant.Adware.Symmi.41092 (FSecure), Skodna.Generic_r.HW (AVG), NSIS:Amonetize-G [PUP] (Avast), TROJ_SPNR.0BCP14 (TrendMicro), Gen:Variant.Adware.Symmi.41092 (AdAware), Trojan-Downloader.Win32.Moure.FD (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan, PUP, Adware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: bd17d95d0e5eb936e99f74151ea3681e
SHA1: d64e8e42637f94ea030190c6de6515d5e7ca1a6d
SHA256: 5e2ebb3bf7f4bf4a63ee7c45d13653d99868245289010eed77c0ee4950db87bf
SSDeep: 12288:D7QkCG4GjeZHkwuPikQ7lKH5p5H9x1meZHkwuLiDQTlKJ5p xWlfM:DOG4GjeZEXi37l6Br1meZEjiMTlmWslU
Size: 649721 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:50:52
Analyzed on: WindowsXPESX SP3 32-bit
Summary:
Trojan-Downloader: a Trojan program that downloads files from the Internet without the user's knowledge and executes them.
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
regsvr32.exe:1096
gpupdate.exe:764
%original file name%.exe:1384
The Trojan injects its code into the following process(es):
No code injection has been detected.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:1384 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\MediaWatchV1\MediaWatchV1home8316\ff\chrome.manifest (149 bytes)
%Program Files%\MediaWatchV1\MediaWatchV1home8316\ff\chrome\content\ffMediaWatchV1home8316.js (747 bytes)
%System%\GroupPolicy\Machine\Registry.pol (408 bytes)
%Program Files%\MediaWatchV1\MediaWatchV1home8316\ff\chrome\content\overlay.xul (344 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences (224 bytes)
%Program Files%\MediaWatchV1\MediaWatchV1home8316\ff\install.rdf (788 bytes)
%Program Files%\MediaWatchV1\MediaWatchV1home8316\ff\chrome\content\icons\default\MediaWatchV1home8316_32.png (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB3.tmp\aminsis.dll (18748 bytes)
%Program Files%\MediaWatchV1\MediaWatchV1home8316\ie\MediaWatchV1home8316.dll (1467 bytes)
%Program Files%\MediaWatchV1\MediaWatchV1home8316\uninstall.exe (11397 bytes)
C:\extensions.ini (83 bytes)
%Program Files%\MediaWatchV1\MediaWatchV1home8316\ch\MediaWatchV1home8316.crx (1568 bytes)
%Program Files%\MediaWatchV1\MediaWatchV1home8316\ff\chrome\content\icons\Thumbs.db (564 bytes)
%System%\GroupPolicy\gpt.ini (315 bytes)
%Program Files%\MediaWatchV1\MediaWatchV1home8316\ff\chrome\content\ffMediaWatchV1home8316ffaction.js (678 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB3.tmp\aminsis.dll (0 bytes)
Registry activity
The process regsvr32.exe:1096 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DC 89 FD 7B 94 B1 7F B3 33 2F EF DF C1 A6 6B 6F"
[HKCR\CLSID\{8afda607-2367-462f-b161-becee009ecde}\InprocServer32]
"(Default)" = "%Program Files%\MediaWatchV1\MediaWatchV1home8316\ie\MediaWatchV1home8316.dll"
[HKCR\Interface\{36A74137-E66D-402D-9E75-C7A1D0320CA6}]
"(Default)" = "IMediaWatchV1home8316BHO"
[HKCR\CLSID\{8afda607-2367-462f-b161-becee009ecde}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\Interface\{36A74137-E66D-402D-9E75-C7A1D0320CA6}\TypeLib]
"Version" = "1.1"
[HKCR\Interface\{36A74137-E66D-402D-9E75-C7A1D0320CA6}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{8afda607-2367-462f-b161-becee009ecde}]
"(Default)" = "MediaWatchV1home8316"
[HKCR\Interface\{36A74137-E66D-402D-9E75-C7A1D0320CA6}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\TypeLib\{FE98987B-878C-48A6-B681-1239F5D03F63}\1.1]
"(Default)" = "MediaWatchV1home8316Lib"
[HKCR\CLSID\{8afda607-2367-462f-b161-becee009ecde}\Version]
"(Default)" = "1.1"
[HKCR\TypeLib\{FE98987B-878C-48A6-B681-1239F5D03F63}\1.1\HELPDIR]
"(Default)" = "%Program Files%\MediaWatchV1\MediaWatchV1home8316\ie"
[HKCR\Interface\{36A74137-E66D-402D-9E75-C7A1D0320CA6}\TypeLib]
"(Default)" = "{FE98987B-878C-48A6-B681-1239F5D03F63}"
[HKCR\TypeLib\{FE98987B-878C-48A6-B681-1239F5D03F63}\1.1\0\win32]
"(Default)" = "%Program Files%\MediaWatchV1\MediaWatchV1home8316\ie\MediaWatchV1home8316.dll"
[HKCR\CLSID\{8afda607-2367-462f-b161-becee009ecde}\TypeLib]
"(Default)" = "{fe98987b-878c-48a6-b681-1239f5d03f63}"
[HKCR\TypeLib\{FE98987B-878C-48A6-B681-1239F5D03F63}\1.1\FLAGS]
"(Default)" = "0"
It registers itself as a Browser Helper Object (BHO) so that Internet Explorer loads the DLL every time it starts (the "NoExplorer" value below stops Windows Explorer from loading it as well). It does this by creating the following registry key(s)/entry(ies):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8afda607-2367-462f-b161-becee009ecde}]
"(Default)" = "MediaWatchV1home8316"
"NoExplorer" = "1"
The process gpupdate.exe:764 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7B 98 11 E7 FD 96 A3 15 95 65 7D 0D E1 D9 C4 74"
The process %original file name%.exe:1384 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MediaWatchV1home8316]
"NoModify" = "1"
[HKLM\SOFTWARE\Google\Chrome\Extensions\ppmchhbfeheohajbnoogelfhonjabong]
"Version" = "1.1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MediaWatchV1home8316]
"DisplayIcon" = "%Program Files%\MediaWatchV1\MediaWatchV1home8316\uninstall.exe"
"DisplayName" = "Media Watch"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{274D8D2F-EAC4-420F-B5FA-2028E87CB89E}Machine\Software\Policies\Google\Chrome\ExtensionInstallWhitelist]
"1" = "ppmchhbfeheohajbnoogelfhonjabong"
[HKLM\SOFTWARE\MediaWatchV1home8316\Components]
"CH" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MediaWatchV1home8316]
"UninstallString" = "%Program Files%\MediaWatchV1\MediaWatchV1home8316\uninstall.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MediaWatchV1home8316]
"Publisher" = "Media Watch"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Mozilla\Firefox\extensions]
"[email protected]" = "%Program Files%\MediaWatchV1\MediaWatchV1home8316\ff"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MediaWatchV1home8316]
"NoRepair" = "1"
"DisplayVersion" = "1.1"
[HKLM\SOFTWARE\MediaWatchV1home8316\Components]
"ie" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5c14c4f6-74da-11e2-81b0-000c29ec7fc5}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"gpupdate.exe" = "Microsoft® Group Policy Refresh Utility"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsvB3.tmp\aminsis.dll,"
[HKLM\SOFTWARE\MediaWatchV1home8316]
"Path" = "%Program Files%\MediaWatchV1\MediaWatchV1home8316"
[HKLM\SOFTWARE\MediaWatchV1\Media Watch]
"Installed" = "1"
[HKCU\Software\Microsoft\Internet Explorer\Approved Extensions]
"{8afda607-2367-462f-b161-becee009ecde}" = "51 66 7A 6C 4C 1D 3B 1B 17 B9 E7 97 54 72 43 0C"
[HKLM\SOFTWARE\MediaWatchV1home8316\Components]
"ff" = "1"
[HKLM\SOFTWARE\Google\Chrome\Extensions\ppmchhbfeheohajbnoogelfhonjabong]
"Path" = "%Program Files%\MediaWatchV1\MediaWatchV1home8316\ch\MediaWatchV1home8316.crx"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B6 E3 22 C5 C9 CB DC 82 12 66 5B 6E C3 90 48 2E"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MediaWatchV1home8316]
"URLInfoAbout" = ""
[HKCR\CLSID\{8afda607-2367-462f-b161-becee009ecde}]
"(Default)" = "Media Watch"
The Trojan modifies the IE security-zone settings so that all network paths (UNCs) are mapped to the Local Intranet zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
It also maps all sites that bypass the proxy server to the Local Intranet zone:
"ProxyBypass" = "1"
and all local (intranet) sites not listed in other zones to the Local Intranet zone:
"IntranetName" = "1"
These three values correspond to the three Local intranet check boxes in Internet Options (checked by default in IE6), so on their own they are a weak indicator of compromise.
The Trojan deletes the following registry key(s):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{274D8D2F-EAC4-420F-B5FA-2028E87CB89E}Machine\Software\Policies\Google\Chrome\ExtensionInstallWhitelist]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{274D8D2F-EAC4-420F-B5FA-2028E87CB89E}Machine\Software\Policies\Google]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{274D8D2F-EAC4-420F-B5FA-2028E87CB89E}Machine\Software]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{274D8D2F-EAC4-420F-B5FA-2028E87CB89E}Machine\Software\Policies]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{274D8D2F-EAC4-420F-B5FA-2028E87CB89E}Machine]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{274D8D2F-EAC4-420F-B5FA-2028E87CB89E}Machine\Software\Policies\Google\Chrome]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{274D8D2F-EAC4-420F-B5FA-2028E87CB89E}User]
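The registry artifacts above (the BHO CLSID under Browser Helper Objects, which only becomes meaningful once it is resolved to the DLL under HKCR\CLSID\{clsid}\InprocServer32; the Chrome extension registered with a local .crx Path; the Firefox extension entry; and the relaxed Local Intranet zone mapping) can be hunted for in a `reg export` of a suspect host. The Python script below is an added example, not part of this report or of Lavasoft's tooling: it parses a small .reg-format snapshot constructed from the values in this report and applies those four checks. `parse_reg` and `triage` are the example's own names, the paths assume %Program Files% expands to C:\Program Files, and the Firefox extension ID is a placeholder because the report does not preserve it.

```python
"""Hunt for the persistence artifacts in this report in a .reg-format registry export.
Added example: the sample export below is constructed from the report's values (paths
expanded under the default Program Files directory, an assumption), and the Firefox
extension ID is a placeholder because the report does not preserve the real one."""
import re

BHO_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
CLSID_ROOT = r"HKEY_CLASSES_ROOT\CLSID"
CHROME_EXT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions"
FIREFOX_EXT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions"
ZONEMAP = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"
ZONE_FLAGS = ("UNCAsIntranet", "ProxyBypass", "IntranetName")

# Constructed sample: what 'reg export' would produce for the keys this report lists.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{8afda607-2367-462f-b161-becee009ecde}\InprocServer32]
@="C:\\Program Files\\MediaWatchV1\\MediaWatchV1home8316\\ie\\MediaWatchV1home8316.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8afda607-2367-462f-b161-becee009ecde}]
@="MediaWatchV1home8316"
"NoExplorer"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\ppmchhbfeheohajbnoogelfhonjabong]
"Version"="1.1"
"Path"="C:\\Program Files\\MediaWatchV1\\MediaWatchV1home8316\\ch\\MediaWatchV1home8316.crx"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"placeholder-id@example.invalid"="C:\\Program Files\\MediaWatchV1\\MediaWatchV1home8316\\ff"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet"=dword:00000001
"ProxyBypass"=dword:00000001
"IntranetName"=dword:00000001
"""

_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def parse_reg(text):
    """Minimal .reg parser: {key: {value_name: value}}; '@' is the (Default) value.
    Quoted strings are unescaped, dword values become int, other types stay raw text."""
    keys, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1]
            keys.setdefault(cur, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or cur is None:
            continue  # file header, blank line, comment or hex continuation line
        name = "@" if m.group(1) == "@" else m.group(2)
        val = m.group(3)
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        elif val.lower().startswith("dword:"):
            val = int(val[6:], 16)
        keys[cur][name] = val
    return keys


def triage(keys):
    """Apply the report's indicators; returns a list of (kind, identifier, detail)."""
    norm = {k.lower(): (k, v) for k, v in keys.items()}  # registry keys are case-insensitive
    findings = []
    for lk, (key, vals) in norm.items():
        if lk.startswith(BHO_ROOT.lower() + "\\"):
            clsid = key[len(BHO_ROOT) + 1:]
            # The BHO entry is only a CLSID; the DLL IE will load is the InprocServer32 default value.
            server = norm.get(f"{CLSID_ROOT}\\{clsid}\\InprocServer32".lower(), (None, {}))[1]
            findings.append(("bho", clsid, server.get("@", "<InprocServer32 missing>")))
        elif lk.startswith(CHROME_EXT.lower() + "\\"):
            # External extension registration: a local .crx via Path, or a remote one via update_url.
            ext_id = key.rsplit("\\", 1)[1]
            findings.append(("chrome_ext", ext_id, vals.get("Path") or vals.get("update_url", "<no source>")))
        elif lk == FIREFOX_EXT.lower():
            findings.extend(("firefox_ext", ext_id, path) for ext_id, path in vals.items())
        elif lk == ZONEMAP.lower():
            findings.extend(("intranet_zone_relaxed", flag, vals[flag]) for flag in ZONE_FLAGS if vals.get(flag) == 1)
    return findings


if __name__ == "__main__":
    for kind, ident, detail in triage(parse_reg(SAMPLE_REG)):
        print(f"{kind:24} {ident:45} {detail}")
```

On a live host, `reg export HKLM hklm.reg` (and the same for HKCU and HKCR) writes UTF-16 files, so decode them with `utf-16` before passing the text in. What to escalate is a BHO whose resolved DLL sits outside a known vendor directory, or a Chrome extension registered through Path rather than update_url; the three ZoneMap flags are the default Local intranet settings and only corroborate the other findings.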
Dropped PE files
| MD5 | File path |
|---|---|
| 51ba1095f0ae45a2d444bea506cb9ad4 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsvB3.tmp\aminsis.dll |
| a0c88a2e2b84896a3bef110746662bed | c:\Program Files\MediaWatchV1\MediaWatchV1home8316\ie\MediaWatchV1home8316.dll |
| f986ae5d5a445b51d7c680e5516f85b8 | c:\Program Files\MediaWatchV1\MediaWatchV1home8316\uninstall.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: Media Watch
Product Name: Media Watch home 8316
Product Version: 1.1
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.1
File Description:
Comments:
Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 23628 | 24064 | 4.46394 | 856b32eb77dfd6fb67f21d6543272da5 |
| .rdata | 28672 | 4764 | 5120 | 3.4982 | dc77f8a1e6985a4361c55642680ddb4f |
| .data | 36864 | 154712 | 1024 | 3.3278 | 7922d4ce117d7d5b3ac2cffe4b0b5e4f |
| .ndata | 192512 | 45056 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .rsrc | 237568 | 3120 | 3584 | 2.92164 | 813e5a36ad046c0e3f27fadc0a3fbee1 |
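Two things in the section table above are worth reading rather than skimming: `.ndata` has a virtual size of 45056 bytes but a raw size of 0 (its section MD5 is the MD5 of empty input), and `.data` asks the loader for 154712 bytes while only 1024 are on disk. Both are typical of an NSIS installer, and the sections' raw sizes add up to about 34 KB of a 649721-byte file, which means almost everything, including the compressed payload, sits in the overlay after the last section. The Python below is an added example, not part of this report: it computes the per-byte Shannon entropy the Entropy column reports, applies the two size heuristics to the table values copied from above, and estimates the overlay size. The 1024-byte header size and the byte buffers are assumptions/constructed input.

```python
"""Section-table triage for the PE above. Added example, not part of the report:
shannon_entropy() computes the per-byte entropy the Entropy column reports,
flag_sections() applies two size heuristics plus an entropy threshold, and
overlay_lower_bound() estimates how much of the file lives outside any section.
Section numbers are copied from the report; byte buffers and the 1024-byte header
size are constructed/assumed."""
import math
from collections import Counter


def shannon_entropy(data):
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


# (name, virtual_address, virtual_size, raw_size, entropy) as listed in the PE Sections table
SECTIONS = [
    (".text", 4096, 23628, 24064, 4.46394),
    (".rdata", 28672, 4764, 5120, 3.4982),
    (".data", 36864, 154712, 1024, 3.3278),
    (".ndata", 192512, 45056, 0, 0.0),
    (".rsrc", 237568, 3120, 3584, 2.92164),
]
FILE_SIZE = 649721  # "Size" field of the report


def flag_sections(sections, ratio_threshold=4.0, high_entropy=7.0):
    """Return {name: [reasons]} for sections worth a closer look."""
    flagged = {}
    for name, _va, vsize, rsize, entropy in sections:
        reasons = []
        if rsize == 0 and vsize > 0:
            # Allocated at load time but absent from disk: NSIS keeps its runtime state in .ndata this way.
            reasons.append("no raw data on disk")
        elif rsize and vsize / rsize >= ratio_threshold:
            # The loader zero-fills far more than is on disk; the code fills it later (decompression buffers etc.).
            reasons.append(f"virtual/raw ratio {vsize / rsize:.0f}x")
        if entropy >= high_entropy:
            reasons.append(f"high entropy {entropy:.2f}")
        if reasons:
            flagged[name] = reasons
    return flagged


def overlay_lower_bound(file_size, sections, header_size=1024):
    """Bytes not covered by the headers or any section's raw data. A lower bound,
    because raw offsets are not in the table; header_size=1024 is assumed from the
    512-byte file alignment the raw sizes imply. For an NSIS installer this is the
    compressed archive appended after the last section, which is what the packed
    verdict reflects even though every section has low entropy."""
    return file_size - header_size - sum(rsize for _n, _va, _vs, rsize, _e in sections)


if __name__ == "__main__":
    print(flag_sections(SECTIONS))
    print(f"overlay >= {overlay_lower_bound(FILE_SIZE, SECTIONS)} bytes of {FILE_SIZE}")
    print(shannon_entropy(bytes(range(256))), shannon_entropy(b"\x00" * 64))
```

Run against a real file, the section tuples would come from a PE parser and `shannon_entropy` from the section bytes; the heuristics are the same. The overlay estimate is the number to act on here: carve the bytes after the last section and hand them to an NSIS extractor rather than expecting the section contents to explain the dropped files.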
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 921
66840532e694f3313495d419a8de01d3
843604fa73df1c46cdf81c87cbb180ea
e36fb129673e7b52096f40f3b850c687
dc87bbc730b0c5838a1cde61ed835d51
158f2ccb716304c727b06d988ceaac0b
eb28c2a06fcfc69d405b7d7b19d76a69
3f1782d3393e6953f7bbbb02e6a55048
fb23bc26230b6c36024878c018e8601a
4d5f46b65f2f609a682d5524ca6dc60c
002f72c934bc04a02244435a7293a831
bbf3653c95900c95ad3bc40769234903
4feb3e46c0e80a2c926babd6b764b09a
650fba80462cb8553381a92989eba87d
8d8fe08878652bee0f2794cc8f021f82
0229becf239707ea1ca8d86215dc33ab
322e0c3eed8db63cbb179026c951c04b
40b65d02f87e33a20e633877c31f8a97
898d5ed5eff308af6b381627e574e27a
03e29863f924d46b672c192188fef174
df5fc4dea8a2266bff8314b0693ac540
76affeb516b57062b88d6874474017fa
2756ee04e3082ac2813b83f7c136f45b
3cdc4ddb5f6ba60d1ab75685e4bcbb0e
e986f15ea9d4355f7577d511187e7d7f
f1bb36543560036033170282a6196536
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Trojan connects to the servers at the following location(s):
(none listed)
Strings
The strings below reference wuauclt.exe (the Windows Update client, build 7.6.7600.256) and a section list (.text, .data, .rsrc, .reloc) that does not match the PE Sections table above, so they appear to come from a process other than the sample itself; treat them as context, not as indicators for this file.
.text
`.data
.rsrc
@.reloc
wuauclt.pdb
GetProcessHeap
KERNEL32.dll
_wcmdln
_amsg_exit
msvcrt.dll
ntdll.dll
ole32.dll
RegCloseKey
RegOpenKeyExW
RegCreateKeyExW
ADVAPI32.dll
USER32.dll
OLEAUT32.dll
SHLWAPI.dll
version="6.0.0.0"
name="Microsoft.Windows.windowsupdate.wuauclt"
<windowsSettings>
<dpiAware xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware>
</windowsSettings>
name="Microsoft.Windows.Common-Controls"
publicKeyToken="6595b64144ccf1df"
<requestedExecutionLevel
wuaueng.dll
Error: 0xx. wuauclt handler: failed to spawn COM server
Error: 0xx. wuauclt handler: failed to load wuaueng
/ReportNow
/ShowWindowsUpdate
/CloseWindowsUpdate
wuauclt.exe failed to get proc address for UI export object with error %#lx
Failed to load %s with error %X
wucltui.dll
wucltux.dll
call RunAUClientUI on wucltui.dll/wucltux.dll
Ntdll.dll
WuSqm %ls session datapoint (id:%d) is incremented with dword %d.
wuauclt.exe is exiting with code 0xX
wuauclt.exe launched with command line %s
kernel32.dll
WUWeb
Report
7.6.7600.256
Global\WindowsUpdateTracingMutex
WindowsUpdate.log
SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace
Windows
shell32.dll
%s: %s [
%s: %s
%s\%s
= Module: %s
= Module: <failed with %d>
= Process: %s
= Process: <failed with %d>
=========== Logging initialized (build: %s, tz: %s) ===========
wups2.dll
wups.dll
Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Setup\ServiceStartup\
%hs %ls page "%ls", hr=%X
Microsoft.WindowsUpdate
wupdmgr.exe
Failed to cocreate IShellWindows, error = 0xlX
Failed to obtain window doc for window %d, error = 0xlX
Failed to obtain folder view for window %d, error = 0xlX
Failed to obtain folder IPersist for window %d, error = 0xlX
Window %d is NOT a WU window
Done enumerating windows
Quit for window %d failed: 0xlX
Window %d is a WU window. Attempting to close
Failed to obtain class ID for window %d, error = 0xlX
Got NULL disp interface for window %d
Got %d instead of VT_DISPATCH for window %d
Failed to obtain IWebBrowserApp for window %d, error = 0xlX
Failed to enumerate window %d, error = 0xlX
Found %d explorer windows
Closing WU explorer windows
Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\VolatileData
WUAppNotificationWindows
SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired
SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired\Mandatory
SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\PostRebootReporting
SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Services\Pending\
%chdhd
hd-hd-hd%chd:hd:hd:hd
%WinDir%
Windows Update
7.6.7600.256 (winmain_wtr_wsus3sp2(oobla).120602-1459)
wuauclt.exe
Windows
Operating System
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
regsvr32.exe:1096
gpupdate.exe:764
%original file name%.exe:1384
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Program Files%\MediaWatchV1\MediaWatchV1home8316\ff\chrome.manifest (149 bytes)
%Program Files%\MediaWatchV1\MediaWatchV1home8316\ff\chrome\content\ffMediaWatchV1home8316.js (747 bytes)
%System%\GroupPolicy\Machine\Registry.pol (408 bytes)
%Program Files%\MediaWatchV1\MediaWatchV1home8316\ff\chrome\content\overlay.xul (344 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences (224 bytes)
%Program Files%\MediaWatchV1\MediaWatchV1home8316\ff\install.rdf (788 bytes)
%Program Files%\MediaWatchV1\MediaWatchV1home8316\ff\chrome\content\icons\default\MediaWatchV1home8316_32.png (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB3.tmp\aminsis.dll (18748 bytes)
%Program Files%\MediaWatchV1\MediaWatchV1home8316\ie\MediaWatchV1home8316.dll (1467 bytes)
%Program Files%\MediaWatchV1\MediaWatchV1home8316\uninstall.exe (11397 bytes)
C:\extensions.ini (83 bytes)
%Program Files%\MediaWatchV1\MediaWatchV1home8316\ch\MediaWatchV1home8316.crx (1568 bytes)
%Program Files%\MediaWatchV1\MediaWatchV1home8316\ff\chrome\content\icons\Thumbs.db (564 bytes)
%System%\GroupPolicy\gpt.ini (315 bytes)
%Program Files%\MediaWatchV1\MediaWatchV1home8316\ff\chrome\content\ffMediaWatchV1home8316ffaction.js (678 bytes)
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.