SearchProtectToolbar_pcap_f3e090350f

by malwarelabrobot on April 18th, 2016 in Malware Descriptions.

Trojan.NSIS.StartPage.FD, SearchProtectToolbar_pcap.YR (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: f3e090350f6550bb8fd7061f7e68b2fe
SHA1: 9dfcbef3def83de7b9fb48b98396e988291129ff
SHA256: 78ad8f8548b605646a0a5f9df63ec4218f7253c4c1bf93cad2d0a183cb49650c
SSDeep: 12288:nxpJ8w51xLA7jyEnDFQQJGFX2DWhK8fhbmPYLrB5VkRwXM:xpiwBc9nkFXiWhKKF3lPXM
Size: 757472 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2012-06-22 21:07:51
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:1380

Mutexes

The following mutexes were created/opened:

ShimCacheMutex

File activity

The process %original file name%.exe:1380 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\LuaSocket\lua\socket\http.lua (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\__web.xml (10968 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\LuaXml_lib.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\LuaSocket\lua\mime.lua (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\res\common.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\bullet\decline.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\bullet\back.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\LuaSocket\socket\core.dll (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\bullet\accept.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\bullet\cancel.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\res\jquery.js (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\LuaSocket\lua\socket\ftp.lua (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\LuaBridge.dll (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\LuaSocket\lua\socket\url.lua (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\bullet\close.png (366 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\version.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\NotifyIcon.lua (302 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\lua51.dll (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\FloatingProgress.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\UACInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\bullet\progressPause.gif (517 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\Env.lua (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\BundleInstall.lua (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\definitions.lua (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\extension.tlb (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\res\common.js (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\luacom.dll (10136 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\utils.lua (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\un.package.exe (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\UiState.lua (310 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\LuaSocket\lua\socket\smtp.lua (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\Events.lua (912 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\ProcessFreeFile.lua (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\BrowserControl.lua (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\Sandbox.lua (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\DownloadThread.lua (581 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\LuaSocket\mime\core.dll (1856 bytes)
%Documents and Settings%\%current user%\My Documents\My Videos\Desktop.ini (312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\res\knockout.js (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\System.dll (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\GuiInit.lua (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\__localxml.xml (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\Downloads.lua (9 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Administrative Tools\desktop.ini (62 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\json.lua (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\LuaXml.lua (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\DownloadList.lua (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\LuaSocket\lua\socket\tp.lua (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\IntegratedOffer.lua (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\bullet\progress.gif (769 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\bullet\skin.jpg (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\LuaSocket\lua\ltn12.lua (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\LuaSocket\lua\socket.lua (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\CallbackProxy.lua (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\AdvancedTests.lua (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw2.tmp (33139 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\bullet\next.png (3 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsr1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp (0 bytes)

Registry activity

The process %original file name%.exe:1380 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Video" = ""
"NetHood" = "%Documents and Settings%\%current user%\NetHood"
"Fonts" = "%WinDir%\Fonts"
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"PrintHood" = "%Documents and Settings%\%current user%\PrintHood"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Templates" = "%Documents and Settings%\%current user%\Templates"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Administrative Tools" = ""
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
"SendTo" = "%Documents and Settings%\%current user%\SendTo"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
"My Music" = "%Documents and Settings%\%current user%\My Documents\My Music"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2B 00 95 BC 69 73 CA 3F 6B F3 F9 6A AA A7 7E 90"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CD Burning" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\CD Burning"
"Recent" = "%Documents and Settings%\%current user%\Recent"
"Favorites" = "%Documents and Settings%\%current user%\Favorites"
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

Dropped PE files

MD5 File path
1dcfa038b79b3df456a3c584d96b639c c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsg3.tmp\FloatingProgress.dll
1351244af9ca179c9081eda09662e904 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsg3.tmp\LuaBridge.dll
4a4845ba1666907f708c9c10a31ec227 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsg3.tmp\LuaSocket\mime\core.dll
4bf7db111acfa7c28ad36606107b3322 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsg3.tmp\LuaSocket\socket\core.dll
7292b642bd958aeb7fd7cfd19e45b068 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsg3.tmp\LuaXml_lib.dll
7e3c808299aa2c405dffa864471ddb7f c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsg3.tmp\System.dll
d02a497be5f89c44827f142c4662f591 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsg3.tmp\UACInfo.dll
13c3a33c1f6e43f38de533fd0b766c98 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsg3.tmp\lua51.dll
ed7f7857933b38e5d10daf828e79af19 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsg3.tmp\luacom.dll
5694e7daf20c47c8d5e73d4a838c2ee6 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsg3.tmp\un.package.exe
ebc5bb904cdac1c67ada3fa733229966 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsg3.tmp\version.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description:
Comments:
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 23294 23552 4.47651 ad2ebf079e89cd95e3fda4bd0b869620
.rdata 28672 5272 5632 3.56156 45097a769b809e006a7e5c1f08e7cba2
.data 36864 109756 512 0.972488 4b5dfd97899e385b2193064eb045da6b
.ndata 147456 176128 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 323584 191848 192000 2.99234 24de0349c4b4c3db8bc05d6181371a77
.reloc 516096 2680 3072 0 d2a70550489de356a2cd6bfc40711204

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 3149
6d3bbc565043d7929cd81a783602d884
121e3443904b8abf088d2f37dc2f3719
e992badadde4d9816291c17c0d4e0beb
b5553982c3390ce955f09aaed6ba0c38
0d123bc72d4fdeeb0e14376b09cdf0ba
df6146735ef60cea1609ea2e78cc94ad
0a3ae0930c9ecdc8efb97bd7a900aab2
ca6786fc57b18a37275494d9629110d2
9cf3fd03c0fdc2717972896115d2353d
eda01d6a05020287c5ab4ad05b2f2312
08270b2b8b911464ab3d1b6e3640532b
a83e2273a653eacf57054512f14b969d
40d294a8b6da1d805926476117558df6
bc406a3c6a79646978d95faf0d93336e
85ea2261afe931cfea2b0077d186204b
1c20b4b8882ad6a3fb5c5ab78b9825cc
2adb87a3c426d354719c9ed68a4d9077
a014cb7435bb24b95b4d5f048414cadf
9165faefd44a675f5c1849066d09331f
d6dbaef55a6a622e3bcdbb4b760df683
5e9f09920d70e7071ab951addc5940ba
90f04d8a51a0a3cdaff2a1f01d170cea
f30fc68ea9b4207c57c40d1965c5d702
2b93d36a95572e6965417e69e2464aa2
4187459c7ebd96538cb8b3138de6f16e

URLs

URL IP
hxxp://service.downloadadmin.com/install?s=arkglu0g15gbtpbpjdve9avqb6&c=ch&brand=mytopfreegames.com&pid=Kitara&aid=2685&bc=616473&country=US 50.22.63.140
hxxp://service.downloadadmin.com/env?productKey=&s=arkglu0g15gbtpbpjdve9avqb6&c=ch&brand=mytopfreegames.com&pid=Kitara&aid=2685&bc=616473&country=UA 50.22.63.140


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /env?productKey=&s=arkglu0g15gbtpbpjdve9avqb6&c=ch&brand=mytopfreegames.com&pid=Kitara&aid=2685&bc=616473&country=UA HTTP/1.1
connection: close, TE
x-exename: %original file name%.exe
x-webinstallurl: hXXp://service.downloadadmin.com/install?s=arkglu0g15gbtpbpjdve9avqb6&c=ch&brand=mytopfreegames.com&pid=Kitara&aid=2685&bc=616473&country=US
user-agent: Tightrope Bundle Manager(ref=[96c8658e7f7668f62e0bd317273129bbf93be52b];windows=5.1;uac=false;elevated=true;dotnet=4;startTime=1188421)
x-webinstallcode: complete url:hXXp://service.downloadadmin.com/install?s=arkglu0g15gbtpbpjdve9avqb6&c=ch&brand=mytopfreegames.com&pid=Kitara&aid=2685&bc=616473&country=US
te: trailers
host: service.downloadadmin.com


HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Expires: 0
Content-Type: text/xml;charset=UTF-8
Transfer-Encoding: chunked
Date: Sun, 17 Apr 2016 10:35:19 GMT
Age: 0
Connection: close
X-Cache: MISS
001820..<?xml version="1.0" encoding="UTF-8" standalone="yes"?>&
lt;Installer><Environment><Entry name="over-threshold:Tapl
ika (GB)">true</Entry><Entry name="over-threshold:Yahoo Sm
artbar (UK)">true</Entry><Entry name="over-threshold:Searc
hProtect (GB) (Conduit Direct)">true</Entry><Entry name="o
ver-threshold:SearchProtect (CA) (Conduit Direct)">true</Entry&g
t;<Entry name="over-threshold:Snapdo (CA)">true</Entry><
;Entry name="over-threshold:Taplika (FR)">true</Entry><Ent
ry name="over-threshold:Yahoo Smartbar (FR)">true</Entry><
Entry name="over-threshold:CrimeWatch (GB)">true</Entry><E
ntry name="over-threshold:BubbleDock (GB)">true</Entry><En
try name="over-threshold:VuuPC (ClickMeIn) (GB)">true</Entry>
<Entry name="over-threshold:Wordproser (GB)">true</Entry>&
lt;Entry name="over-threshold:PicRec UK">true</Entry><Entr
y name="over-threshold:DesktopDock (GB) (Verti)">true</Entry>
<Entry name="over-threshold:Optimizer Pro (UK)">true</Entry&g
t;<Entry name="over-threshold:SystemOptimizerPro (GB)">true</
Entry><Entry name="over-threshold:Fixila (GB)">true</Entry
><Entry name="over-threshold:Registry Helper (SafeApp Software)
(INTL)">true</Entry><Entry name="over-threshold:PCFixSpeed
(GB)">true</Entry><Entry name="over-threshold:PremierOpin
ion (UK)">true</Entry><Entry name="over-threshold:Desk

<<< skipped >>>

GET /install?s=arkglu0g15gbtpbpjdve9avqb6&c=ch&brand=mytopfreegames.com&pid=Kitara&aid=2685&bc=616473&country=US HTTP/1.1
connection: close, TE
x-exename: %original file name%.exe
x-webinstallurl: hXXp://service.downloadadmin.com/install?s=arkglu0g15gbtpbpjdve9avqb6&c=ch&brand=mytopfreegames.com&pid=Kitara&aid=2685&bc=616473&country=US
user-agent: Tightrope Bundle Manager(ref=[96c8658e7f7668f62e0bd317273129bbf93be52b];windows=5.1;uac=false;elevated=true;dotnet=4;startTime=1188421)
x-webinstallcode: complete url:hXXp://service.downloadadmin.com/install?s=arkglu0g15gbtpbpjdve9avqb6&c=ch&brand=mytopfreegames.com&pid=Kitara&aid=2685&bc=616473&country=US
te: trailers
host: service.downloadadmin.com


HTTP/1.1 200 OK
Content-Type: text/xml;charset=UTF-8
Transfer-Encoding: chunked
Date: Sun, 17 Apr 2016 10:35:13 GMT
Age: 0
Connection: close
X-TVAR: 
X-Cache: MISS
008000..<?xml version="1.0" encoding="UTF-8" standalone="yes"?>.
<Installer>. <Bundle>. <LinkBelowEula>fals
e</LinkBelowEula>. <OptInDefault>false</OptInDef
ault>. <ProductBinary embed="false" msioptions="" options
="/S">hXXp://download.mytopfreegames.net/da/latest</ProductBinar
y>. <ProductEula comboPrimary="false" embed="false">ht
tp://mirror.downloadnet1210.com/products/BM2/628/kitara/mtfg/mtfg_628.
mht</ProductEula>. <Primary>true</Primary>.
<ProductId>463831</ProductId>. <ProductNam
e>MyTopFreeGames</ProductName>. <Scramble>false&
lt;/Scramble>. </Bundle>. <Bundle>. <Ca
tegory>search, home</Category>. <CustomParameter Na
me="advertisername">SearchProtect</CustomParameter>. &
lt;If>. <Or>. <Env property="cus
tom.region" op="=" value="US"/>. <Env property="c
ustom.region" op="=" value="us"/>. </Or>. &
lt;/If>. <Feature InitialState="checked" Name="TreasureAd
s" Options="-carrier_type=ctid -carrier_id=CT3328455 -platform=all -st
artpage=true -defaultsearch=true -locale=en-us -detection">.
<If>. <Env property="custom.partner" op="
=" value="treasureads"/>. </If>. </Featu
re>. <Feature InitialState="checked" Name="Not Treasu

<<< skipped >>>

The Trojan connects to the servers at the following location(s):

%original file name%.exe_1380:

.text
`.rdata
@.data
.ndata
.rsrc
@.reloc
uDSSh
verifying installer: %d%%
unpacking data: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
%u.%u%s%s
.DEFAULT\Control Panel\International
RegDeleteKeyExA
Software\Microsoft\Windows\CurrentVersion
*?|<>/":
%s=%s
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegDeleteKeyA
RegCloseKey
RegEnumKeyA
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsg3.tmp\LuaBridge.dll
ss.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsg3.tmp\LuaBridge.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsg3.tmp
ns\UrlAssociations\http\UserChoice
:hHÌ
].uA;
..jjK
b0.zE
`'\%D,3
WININET.dll
GetProcessHeap
EnumChildWindows
OLEAUT32.dll
customnsWeb.dll
C:\Programming\GitHome\bm-core.git\25\Custom\Nsweb\Release\nsWeb.pdb
CustomNsWebForwarder
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
1 1$1(1,10141
All Files|*.*
COMDLG32.dll
nsDialogs.dll
.reloc
ButtonEvent.dll
C:\Nsis\Browser-%s
nswebForwarder
CustomNsWebContainer
Z:\Programming\GitHome\master\Employers\Franco\TightRope-BundleManager\Custom\Scramble\Release\Scramble.pdb
#-,.mT:
!$"'(!((!$&
##-,#1.#0- !%
!  .76:76:*),
#" *#1.#1.!#&
nsg3.tmp
-exec
Games]],0x00040000) -- C:/BM/2.5/BINARIES/Bullet/Icy-AD/production/setup.exe.nsi:Line 1083.2
ction/setup.exe.nsi:Line 974.2
ction/setup.exe.nsi:Line 915.2
Tightrope Bundle Manager(ref=[96c8658e7f7668f62e0bd317273129bbf93be52b];windows=5.1;uac=false;elevated=true;dotnet=4;startTime=1188421)
1179892
1769724
c:\%original file name%.exe
%original file name%.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsr1.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsg3.tmp\bullet
1187593
5334543
8664755
8760876
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System vtightrope</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
com.build.date
2/28/2013
com.build.dir
C:\BM\2.5-Static\WebTemplates
com.build.id
com.build.machine
com.build.time
com.build.user
$%USER%

%original file name%.exe_1380_rwx_10004000_00001000:

callback%d


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\LuaSocket\lua\socket\http.lua (12 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\__web.xml (10968 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\LuaXml_lib.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\LuaSocket\lua\mime.lua (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\res\common.css (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\bullet\decline.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\bullet\back.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\LuaSocket\socket\core.dll (2392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\bullet\accept.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\bullet\cancel.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\res\jquery.js (6360 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\LuaSocket\lua\socket\ftp.lua (9 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\LuaBridge.dll (1552 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\LuaSocket\lua\socket\url.lua (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\bullet\close.png (366 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\version.dll (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\NotifyIcon.lua (302 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\lua51.dll (6360 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\FloatingProgress.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\UACInfo.dll (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\bullet\progressPause.gif (517 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\Env.lua (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\BundleInstall.lua (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\definitions.lua (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\extension.tlb (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\res\common.js (1856 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\luacom.dll (10136 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\utils.lua (1552 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\un.package.exe (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\UiState.lua (310 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\LuaSocket\lua\socket\smtp.lua (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\Events.lua (912 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\ProcessFreeFile.lua (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\BrowserControl.lua (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\Sandbox.lua (7 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\DownloadThread.lua (581 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\LuaSocket\mime\core.dll (1856 bytes)
    %Documents and Settings%\%current user%\My Documents\My Videos\Desktop.ini (312 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\res\knockout.js (6360 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\System.dll (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\GuiInit.lua (4992 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\__localxml.xml (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\Downloads.lua (9 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Administrative Tools\desktop.ini (62 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\json.lua (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\LuaXml.lua (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\DownloadList.lua (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\LuaSocket\lua\socket\tp.lua (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\IntegratedOffer.lua (1552 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\bullet\progress.gif (769 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\bullet\skin.jpg (7 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\LuaSocket\lua\ltn12.lua (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\LuaSocket\lua\socket.lua (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\CallbackProxy.lua (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\AdvancedTests.lua (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsw2.tmp (33139 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\bullet\next.png (3 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
