Gen.Variant.Application.InstallCore.1_5906f31932

by malwarelabrobot on March 5th, 2014 in Malware Descriptions.

not-a-virus:HEUR:Tool.Win32.InstallCore.12563492.gen (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Gen:Variant.Application.InstallCore.1 (AdAware), Trojan.Win32.Sasfis.FD, WebToolbar.Win32.InstallCore.FD, WebToolbarInstallCore.YR (Lavasoft MAS)
Behaviour: Trojan, WebToolbar


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 5906f3193220c5ad5d618e8f4c5cc407
SHA1: cf0bebeb5519f3c8963fdd2d80447e5f5147de83
SHA256: dabfce951d800c646f0b42aad76e02a405e7f39da8e1e287825a8c9a1699cfee
SSDeep: 12288:zGVEPcPZgv3saFLoSQLAd08auf71uwGxI2M35VnOECtXMMzD:zGVy6Zy3say7ALau2xIV35VnOEqMMzD
Size: 570376 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PackerUPXCompresorGratuitowwwupxsourceforgenet, UPXv0896v102v105v122Delphistub, UPolyXv05_v6
Company: no certificate found
Created at: 1992-06-20 01:22:17
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:1992

File activity

The process %original file name%.exe:1992 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\images\skip-button.png (1342 bytes)
%Program Files%\is922703.log (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\images\back-button.png (1322 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\defaultOffer\offer_html.dat (3072 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\images\finish_button.jpg (1145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is1438683437\4380116.cfg (218 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\defaultOffer\US\offer_html.dat (9361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\blank.gif (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\images\next-button-over.png (1767 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\css\sdk-ui\images\progress-bg.png (2845 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\images\Software.png (30599 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\license.txt (18520 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\css\sdk-ui\checkbox.css (190 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\sdk\exceptlist.txt (34 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\defaultOffer\US\offer_code.dat (7706 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is1438683437\673479180.cfg (218 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\css\sdk-ui\progress-bar.css (501 bytes)
%Documents and Settings%\%current user%\Рабочий стол\Continue FoxTab PDF Creator Installation.lnk (904 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\defaultOffer\offer_code.dat (1958 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\images\loader.gif (22379 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\images\Bg.jpg (14232 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\css\sdk-ui\browse.css (318 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\css\sdk-ui\images\button-bg.png (131 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\images\close_button.png (1170 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000E0395.log (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000E16CF.log (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ICReinstall_%original file name%.exe (832520 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\css\sdk-ui\button.css (417 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\images\icon.png (6707 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\css\ie6_main.css (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\images\next-button.png (1768 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\images\progress-bg.png (2845 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\images\finish-button.png (1812 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\css\buttons.css (1151 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\css\main.css (3797 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\bootstrap_24744.html (156 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000E14DB.log (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\locale\EN.locale (1948 bytes)

The Trojan deletes the following file(s):

%Program Files%\is922703.log (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000E16CF.log (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish918437\bootstrap_24744.html (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000E14DB.log (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000E0395.log (0 bytes)

Registry activity

The process %original file name%.exe:1992 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65324"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 0C 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Главное меню"

"Common Documents" = "%Documents and Settings%\All Users\Документы"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\Мои документы"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Диагностика проблем подключения..."

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d45-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
"CommonMusic" = "%Documents and Settings%\All Users\Документы\Моя музыка"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d42-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Рабочий стол"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "%original file name%.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Рабочий стол"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\Мои документы\Мои рисунки"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65324"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Главное меню"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65324"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "708992537"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Документы\Мои видеозаписи"
"CommonPictures" = "%Documents and Settings%\All Users\Документы\Мои рисунки"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "56 1C 4D 4B E9 29 E2 5F 8D 83 40 BA B6 10 4B 62"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65324"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d8c0d8da-77bd-11e0-bb02-000c293bc0fd}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ebcf8d94-66db-11de-b228-806d6172696f}]
"BaseClass" = "Drive"

The Trojan modifies the IE security-zone settings so that all local web nodes without dots that are not assigned to any zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies the IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies the IE security-zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) from the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Network activity (URLs)

URL IP
hxxp://os.solvefile.com/fx/v1.0.1/?v=2.0&c=868612504 207.189.109.121
hxxp://os.solvefile.com/Prod/PDFCreator-v2.cis
cdneu.solvefile.com 207.189.109.121
cdnus.solvefile.com 207.189.109.121


HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
UPX0 4096 610304 0 0 d41d8cd98f00b204e9800998ecf8427e
UPX1 614400 540672 538112 5.50065 2ea4f0df94f187b7abf167ba5a28d7ed
.rsrc 1155072 32768 29184 3.86347 bb746afeda6394a6af9782c16f99aef9

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 37

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    (the same files listed under "File activity" above)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
