Adware.Win32.Cydoor.AD

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Diese Malware hat keine Verbreitungsroutine.

Diese Malware hat keine Backdoor-Routine.

Verbindet sich mit einer bestimmten Website, um Daten zu versenden und zu empfangen.

Übertragungsdetails

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

Fügt die folgenden Ordner hinzu:

• %Program Files%\Babylon
• %Program Files%\Babylon\Gloss
• %Program Files%\Babylon\Help
• %Program Files%\Babylon\Updates
• %Program Files%\Babylon\Utils
• %Program Files%\Babylon\Data
• %Program Files%\Babylon\Data\BGLs
• %User Temp%\{Random Characters}
• %User Temp%\{Random Characters}\adverck
• %User Temp%\{Random Characters}.tmp
• %System%\AdCache

(Hinweis: %Program Files%ist der Standardordner 'Programme', normalerweise C:\Programme.. %User Temp% ist der Ordner 'Temp' des aktuellen Benutzers, normalerweise C:\Dokumente und Einstellungen\{Benutzername}\Lokale Einstellungen\Temp unter Windows 2000(32-bit), XP und Server 2003(32-bit) und C:\Users\{Benutzername}\AppData\Local\Temp unter Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) und 10(64-bit).. %System% ist der Windows Systemordner. Er lautet in der Regel C:\Windows\System unter Windows 98 und ME, C:\WINNT\System32 unter Windows NT und 2000 sowie C:\Windows\System32 unter Windows 2000(32-bit), XP, Server 2003(32-bit), Vista, 7, 8, 8.1, 2008(64-bit), 2012(64bit) and 10(64-bit).)

Schleust die folgenden Dateien ein:

• Upon execution:
  • %User Temp%\{Random Characters}.tmp\Uninstbb.exe
  • %User Temp%\{Random Characters}.tmp\bab_cht.bgl
  • %User Temp%\{Random Characters}.tmp\bab_dut.bgl
  • %User Temp%\{Random Characters}.tmp\bab_eng.bgl
  • %User Temp%\{Random Characters}.tmp\bab_fre.bgl
  • %User Temp%\{Random Characters}.tmp\bab_ger.bgl
  • %User Temp%\{Random Characters}.tmp\bab_heb.bgl
  • %User Temp%\{Random Characters}.tmp\bab_ita.bgl
  • %User Temp%\{Random Characters}.tmp\bab_jpn.bgl
  • %User Temp%\{Random Characters}.tmp\bab_ptg.bgl
  • %User Temp%\{Random Characters}.tmp\bab_spa.bgl
  • %User Temp%\{Random Characters}.tmp\bab_swe.bgl
  • %User Temp%\{Random Characters}.tmp\babylon.exe
  • %User Temp%\{Random Characters}.tmp\b-update.exe
  • %User Temp%\{Random Characters}.tmp\captlib.dll
  • %User Temp%\{Random Characters}.tmp\convert.dat
  • %User Temp%\{Random Characters}.tmp\features.dat
  • %User Temp%\{Random Characters}.tmp\rates.dat
  • %User Temp%\{Random Characters}.tmp\bab_chs.bgl
  • %User Temp%\{Random Characters}.tmp\LICENSE.TXT
  • %User Temp%\{Random Characters}.tmp\SHLHOOK.EXE
  • %User Temp%\{Random Characters}.tmp\OleLoad.dll
  • %User Temp%\{Random Characters}.tmp\ImageLoad.dll
  • %User Temp%\{Random Characters}.tmp\babylon.chm
  • %User Temp%\{Random Characters}.tmp\Setup30.exe
  • %User Temp%\{Random Characters}.tmp\PSAPI.DLL
  • %User Temp%\{Random Characters}.tmp\cd_install_167.exe
  • %User Temp%\{Random Characters}.tmp\Cydoor.txt
• During installation:
  • %Program Files%\Babylon\DeIsL1.isu
  • %Program Files%\Babylon\Updates\b-update.exe
  • %Program Files%\Babylon\Updates\convert.dat
  • %Program Files%\Babylon\Updates\rates.dat
  • %Program Files%\Babylon\Utils\Shlhook.exe
  • %Program Files%\Babylon\Utils\OleLoad.dll
  • %Program Files%\Babylon\Utils\ImageLoad.dll
  • %Program Files%\Babylon\Utils\Psapi.dll
  • %Program Files%\Babylon\Help\babylon.chm
  • %Program Files%\Babylon\features.dat
  • %Program Files%\Babylon\babylon.exe
  • %Program Files%\Babylon\captlib.dll
  • %Program Files%\Babylon\Data\BGLs\bab_eng.bgl
  • %Program Files%\Babylon\Data\BGLs\bab_chs.bgl
  • %Program Files%\Babylon\Data\BGLs\bab_cht.bgl
  • %Program Files%\Babylon\Data\BGLs\bab_dut.bgl
  • %Program Files%\Babylon\Data\BGLs\bab_fre.bgl
  • %Program Files%\Babylon\Data\BGLs\bab_ger.bgl
  • %Program Files%\Babylon\Data\BGLs\bab_heb.bgl
  • %Program Files%\Babylon\Data\BGLs\bab_ita.bgl
  • %Program Files%\Babylon\Data\BGLs\bab_jpn.bgl
  • %Program Files%\Babylon\Data\BGLs\bab_ptg.bgl
  • %Program Files%\Babylon\Data\BGLs\bab_spa.bgl
  • %Program Files%\Babylon\Data\BGLs\bab_swe.bgl
  • %User Temp%\_adA304.dll
  • %User Temp%\{Random Characters}\_adA304.adx
  • %User Temp%\{Random Characters}\_adA304.rtp
  • %User Temp%\{Random Characters}\adverck\B_{Random Numbers}.gif
  • %User Temp%\{Random Characters}\adverck\cd_clint.dll
  • %User Temp%\{Random Characters}\adverck\cd_load.exe
  • %User Temp%\{Random Characters}\adverck\Start.cdi
  • %User Temp%\{Random Characters}\B_{Random Numbers}.gif
  • %User Temp%\{Random Characters}\cd_clint.dll
  • %User Temp%\{Random Characters}\cd_load.exe
  • %User Temp%\{Random Characters}\Start.cdi
  • %System%\cd_clint.dll
  • %System%\cd_load.exe
  • %System%\AdCache\b_249400.GIF
  • %System%\AdCache\b_202200.GIF
  • %System%\AdCache\b_217000.GIF
  • %System%\AdCache\b_205800.GIF
  • %System%\AdCache\b_217300.GIF
  • %System%\AdCache\b_217100.GIF
  • %Common Programs%\Babylon.lnk
  • %Windows%\uninstbb.exe
• After running the installed program:
  • %Program Files%\Babylon\oc_stack.txt
  • %Program Files%\Babylon\log_file.txt
  • %Program Files%\Babylon\banmng.ban
  • %Program Files%\Babylon\ocr_data
  • %Program Files%\Babylon\Gloss\bab_eng_{Random Numbers}.dat
  • %Program Files%\Babylon\Gloss\bab_chs_{Random Numbers}.dat
  • %Program Files%\Babylon\Gloss\bab_cht_{Random Numbers}.dat
  • %Program Files%\Babylon\Gloss\bab_dut_{Random Numbers}.dat
  • %Program Files%\Babylon\Gloss\bab_fre_{Random Numbers}.dat
  • %Program Files%\Babylon\Gloss\bab_ger_{Random Numbers}.dat
  • %Program Files%\Babylon\Gloss\bab_heb_{Random Numbers}.dat
  • %Program Files%\Babylon\Gloss\bab_ita_{Random Numbers}.dat
  • %Program Files%\Babylon\Gloss\bab_jpn_{Random Numbers}.dat
  • %Program Files%\Babylon\Gloss\bab_ptg_{Random Numbers}.dat
  • %Program Files%\Babylon\Gloss\bab_spa_{Random Numbers}.dat
  • %Program Files%\Babylon\Gloss\bab_swe_{Random Numbers}.dat
  • %Program Files%\Babylon\Gloss\bab_eng_{Random Numbers}.bdc
  • %Program Files%\Babylon\Gloss\bab_chs_{Random Numbers}.bdc
  • %Program Files%\Babylon\Gloss\bab_cht_{Random Numbers}.bdc
  • %Program Files%\Babylon\Gloss\bab_dut_{Random Numbers}.bdc
  • %Program Files%\Babylon\Gloss\bab_fre_{Random Numbers}.bdc
  • %Program Files%\Babylon\Gloss\bab_ger_{Random Numbers}.bdc
  • %Program Files%\Babylon\Gloss\bab_heb_{Random Numbers}.bdc
  • %Program Files%\Babylon\Gloss\bab_ita_{Random Numbers}.bdc
  • %Program Files%\Babylon\Gloss\bab_jpn_{Random Numbers}.bdc
  • %Program Files%\Babylon\Gloss\bab_ptg_{Random Numbers}.bdc
  • %Program Files%\Babylon\Gloss\bab_spa_{Random Numbers}.bdc
  • %Program Files%\Babylon\Gloss\bab_swe_{Random Numbers}.bdc

(Hinweis: %User Temp% ist der Ordner 'Temp' des aktuellen Benutzers, normalerweise C:\Dokumente und Einstellungen\{Benutzername}\Lokale Einstellungen\Temp unter Windows 2000(32-bit), XP und Server 2003(32-bit) und C:\Users\{Benutzername}\AppData\Local\Temp unter Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) und 10(64-bit).. %Windows% ist der Windows Ordner, normalerweise C:\Windows oder C:\WINNT.)

Fügt die folgenden Prozesse hinzu:

• Upon execution:
  • %User Temp%\{Random Characters}.tmp\setup30.exe
• During installation:
  • "%User Temp%\{Random Characters}.tmp\cd_install_167.exe"
  • "%User Temp%\{Random Characters}\cd_load.exe" i r
• After running the installed program:
  • "%Program Files%\Babylon\babylon.exe"
  • %System%\CD_Load.exe

(Hinweis: %User Temp% ist der Ordner 'Temp' des aktuellen Benutzers, normalerweise C:\Dokumente und Einstellungen\{Benutzername}\Lokale Einstellungen\Temp unter Windows 2000(32-bit), XP und Server 2003(32-bit) und C:\Users\{Benutzername}\AppData\Local\Temp unter Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) und 10(64-bit).. %System% ist der Windows Systemordner. Er lautet in der Regel C:\Windows\System unter Windows 98 und ME, C:\WINNT\System32 unter Windows NT und 2000 sowie C:\Windows\System32 unter Windows 2000(32-bit), XP, Server 2003(32-bit), Vista, 7, 8, 8.1, 2008(64-bit), 2012(64bit) and 10(64-bit).)

Autostart-Technik

Fügt folgende Registrierungseinträge hinzu, um bei jedem Systemstart automatisch ausgeführt zu werden.

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Babylon Translator = %Program Files%\Babylon\Babylon.exe

Andere Systemänderungen

Fügt die folgenden Registrierungseinträge hinzu:

HKEY_CURRENT_USER\Software\Babylon\
Babylon Translator\Users\Default\
Options
TranslateWithShift = 2

HKEY_CURRENT_USER\Software\Babylon\
Babylon Translator\Users\Default\
Settings
Interface = 0
AllowedExt = JPG BMP GIF TXT HTM HTML WAV MP3 PNG

HKEY_CURRENT_USER\Software\Babylon\
Babylon Translator\Users\Default\
GlossInst
gls0 = %Program Files%\babylon\data\bgls\bab_eng.bgl,1{BLOCKED}.com
gls1 = %Program Files%\babylon\data\bgls\bab_chs.bgl,1{BLOCKED}n.com
gls2 = %Program Files%\babylon\data\bgls\bab_cht.bgl,1{BLOCKED}n.com
gls3 = %Program Files%\babylon\data\bgls\bab_dut.bgl,1{BLOCKED}n.com
gls4 = %Program Files%\babylon\data\bgls\bab_fre.bgl,1{BLOCKED}n.com
gls5 = %Program Files%\babylon\data\bgls\bab_ger.bgl,1{BLOCKED}n.com
gls6 = %Program Files%\babylon\data\bgls\bab_heb.bgl,1{BLOCKED}n.com
gls7 = %Program Files%\babylon\data\bgls\bab_ita.bgl,1{BLOCKED}n.com
gls8 = %Program Files%\babylon\data\bgls\bab_jpn.bgl,1{BLOCKED}n.com
gls9 = %Program Files%\babylon\data\bgls\bab_ptg.bgl,1{BLOCKED}n.com
gls10 = %Program Files%\babylon\data\bgls\bab_spa.bgl,1{BLOCKED}n.com
gls11 = %Program Files%\babylon\data\bgls\bab_swe.bgl,1{BLOCKED}n.com

HKEY_CURRENT_USER\Software\Cydoor\
Adwr_167\Loct_0\Level_4\
Seqn_2022
Url = www.{BLOCKED}r.com/BestDeals

HKEY_CURRENT_USER\Software\Cydoor\
Adwr_167\Loct_0\Level_4\
Seqn_2494
Url = http://www.{BLOCKED}.com/track/track.dll?
AID=1143761&PID=190859&URL=http%3A%2F%2Ffxnetworks%2Ecom%2Fshows%2Foriginals%2Fthesight%2Findexcj%2Ehtml

HKEY_CURRENT_USER\Software\Cydoor\
Adwr_167\Loct_0\Level_4\
Seqn_2170
Url = http://{BLOCKED}t.com/bfast/click?bfmid=1429031&siteid=8854274&bfpage=homelinks

HKEY_CURRENT_USER\Software\Cydoor\
Adwr_167\Loct_0\Level_4\
Seqn_2058
Url = http://www.{BLOCKED}e.com/promo/cydoor

HKEY_CURRENT_USER\Software\Cydoor\
Adwr_167\Loct_0\Level_4\
Seqn_2173
Url = http://s{BLOCKED}.com/bfast/click?bfmid=1429031&siteid=8854274&bfpage=homelinks

HKEY_CURRENT_USER\Software\Cydoor\
Adwr_167\Loct_0\Level_4\
Seqn_2171
Url = http://www.c{BLOCKED}n.com/track/track.dll?
AID=1143760&PID=190859&URL=http%3A%2F%2Ffxnetworks%2Ecom%2Fshows%2Foriginals%2Fthesight%2Findexcj%2Ehtml

HKEY_CURRENT_USER\Software\Cydoor\
Adwr_167
LastDate = {Installation Date}
ExistFile = %Program Files%\Babylon\babylon.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Prod.Cap
Index = {Hex Values}
Index3 = {Hex Values}
Usage = {Hex Values}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
Babylon
UninstallString = C:\Windows\uninstbb.exe
DisplayName = Babylon

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\App Paths\
Babylon.exe
{Default} = %Program Files%\Babylon\Babylon
Path = %Program Files%\Babylon

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer
GlobalAssocChangedCounter = 37

HKEY_CURRENT_USER\Software\Babylon\
Babylon Translator\WebSearch
S0 = 08
S2 = http://search.excite.com/search.gw?search=+ÿExcite
S3 = http://www.lycos.com/cgi-bin/pursuit?cat=dir&query=+ÿLycos
S4 = http://infoseek.go.com/Titles?qt=+ÿInfoseek
S5 = http://www.altavista.com/cgi-bin/query?q=+ÿAlta Vista
S6 = http://www.askjeeves.com/main/askJeeves.asp?ask=+ÿAsk Jeeves
S7 = http://www.northernlight.com/nlquery.fcg?cb=0&qr=+ÿNorthern Light
S8 = http://www.google.com/search?q=+ÿGoogle
S9 = http://hotbot.lycos.com/?MT=+ÿHotBot
SA = http://www.webcrawler.com/cgi-bin/WebQuery?searchText=+ÿWebCrawler
SB = http://results.searchopolis.com/cgi-bin/britannica_results.cgi?firstResult=0&displayfirstResult=1&act.search=search&request=+ÿBritannica.com
R2 = http://search.britannica.com/bcom/search/results/1,5843,,00.html?p_query0=+ÿBritannica.com
R3 = http://www.encarta.com/find/search.asp?tr=122&search=+ÿEncarta Online
R4 = http://www.infoplease.com/search.php3?in=all&query=+ÿInfoPlease
R5 = http://www.encyclopedia.com/cgi-bin/search.cgi?search=+ÿEncyclopedia.Com

HKEY_CURRENT_USER\Software\Cydoor
PrxyEnable = 0
PrxyUrl = pµ&

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
BabyGloss
{Default} = Babylon Glossary

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
BabyGloss\DefaultIcon
{Default} = %Program Files%\Babylon\Babylon.exe,2

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
BabyGloss\shell\open\
command
{Default} = "%Program Files%\Babylon\Babylon.exe" %1

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.bgl
{Default} = BabyGloss
Content Type = application/bgl

HKEY_LOCAL_MACHINE\SOFTWARE\Cydoor
%Program Files%\Babylon\babylon.exe = 167

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
MIME\Database\Content Type\
application/bgl
Extension = .bgl

HKEY_LOCAL_MACHINE\SOFTWARE\Babylon\
Babylon Translator\b1
IndexByData = {Hex Values}
IndexByExport = {Hex Values}

Verbreitung

Diese Malware hat keine Verbreitungsroutine.

Backdoor-Routine

Diese Malware hat keine Backdoor-Routine.

Andere Details

Fügt die folgenden Registrierungsschlüssel hinzu:

HKEY_CURRENT_USER\Software\Babylon

HKEY_CURRENT_USER\Software\Babylon\
Babylon Translator

HKEY_CURRENT_USER\Software\Babylon\
Babylon Translator\WebSearch

HKEY_CURRENT_USER\Software\Babylon\
Babylon Translator\Users

HKEY_CURRENT_USER\Software\Babylon\
Babylon Translator\Users\Default

HKEY_CURRENT_USER\Software\Babylon\
Babylon Translator\Users\Default\
GlossInst

HKEY_CURRENT_USER\Software\Babylon\
Babylon Translator\Users\Default\
Options

HKEY_CURRENT_USER\Software\Babylon\
Babylon Translator\Users\Default\
Settings

HKEY_CURRENT_USER\Software\Cydoor

HKEY_CURRENT_USER\Software\Cydoor\
Seqn_2173

HKEY_CURRENT_USER\Software\Cydoor\
Adwr_167

HKEY_CURRENT_USER\Software\Cydoor\
Adwr_167\Loct_0

HKEY_CURRENT_USER\Software\Cydoor\
Adwr_167\Loct_0\Level_4

HKEY_CURRENT_USER\Software\Cydoor\
Adwr_167\Loct_0\Level_4\
Seqn_2022

HKEY_CURRENT_USER\Software\Cydoor\
Adwr_167\Loct_0\Level_4\
Seqn_2058

HKEY_CURRENT_USER\Software\Cydoor\
Adwr_167\Loct_0\Level_4\
Seqn_2170

HKEY_CURRENT_USER\Software\Cydoor\
Adwr_167\Loct_0\Level_4\
Seqn_2171

HKEY_CURRENT_USER\Software\Cydoor\
Adwr_167\Loct_0\Level_4\
Seqn_2494

HKEY_LOCAL_MACHINE\SOFTWARE\Cydoor

HKEY_LOCAL_MACHINE\SOFTWARE\Babylon

HKEY_LOCAL_MACHINE\SOFTWARE\Babylon\
Babylon Translator

HKEY_LOCAL_MACHINE\SOFTWARE\Babylon\
Babylon Translator\b1

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.bgl

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Prod.Cap

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
BabyGloss

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
BabyGloss\DefaultIcon

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
BabyGloss\shell

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
BabyGloss\shell\open

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
BabyGloss\shell\open\
command

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
MIME\Database\Content Type\
application/bgl

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\App Paths\
Babylon.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
Babylon

Verbindet sich mit der folgenden Website, um Daten zu versenden und zu empfangen:

• http://{BLOCKED}n.co.il/gloss/gloss.cgi

Es macht Folgendes:

• It displays the following installation GUI upon executing the malware:
  
• It identifies itself as an adware before asking the user to install the program:
  
• When running the installed program, it is minimized as a system tray icon with the following context menu:
  
• Double clicking the system tray icon enables or disables the program.
• The system tray icon context menu does the following:
  • Configuration → customize the functionality of the program:
    
    • General → option to launch the program at startup, always use last user-defined window size, and minimize Babylon when mouse moves
    • Find → setup a hotkey to activate Babylon and customize search results
    • Appearance → customize font settings
    • Connection → setup connection type, proxy settings, and automatic updates
    • Voice → setup voice and text-to-speech features
  • Glossary Options → customize how the program accesses and manages its glossary:
    • Add from Babylon index → connects to the following URL: http://www.{BLOCKED}n.com/redirects/redir.cgi?type=index
    • Open from Babylon builder → connects to the following URL: http://www.{BLOCKED}n.com/redirects/redir.cgi?type=builder
    • Install from Disk
  • User Default → Create, modify, and delete users of the program
  • Menu Language → change menu language using the following languages:
    • English
    • Chinese
    • Japanese
    • Dutch
    • French
    • German
    • Hebrew
    • Italian
    • Korean
    • Portuguese
    • Spanish
    • Swedish
  • Recommend Babylon → send email to a designated email address which includes ads or promotions along with the sender's personal message:
    
  • Visit our site → redirects to the following sites depending on the user's choice:
    • Upgrade Babylon → connects to the following URL: http://www.{BLOCKED}n.com/redirects/update.cgi?lang=-1&BabyVer=32.-1.2.50.31.32
    • Send feedback → connects to the following URL: http://www.{BLOCKED}n.com/eng/contact/
    • Babylon message board → connects to the following URL: http://www.{BLOCKED}n.com/redirects/redir.cgi?lang=eng&type=forum30
    • What's New? → connects to the following URL: http://www.{BLOCKED}n.com/redirects/redir.cgi?lang=eng&type=whatsnew30
  • Help → contains instructions on how to use the installed program:
    • Contents → opens an CHM Help file by executing the following process:
      • "%Windows%\hh.exe" %Program Files%\babylon\Help\Babylon.chm
    • Frequently asked questions → connects to the following URL: http://www.{BLOCKED}n.com/redirects/redir.cgi?lang=eng&type=faq30
    • About Babylon → displays the product version, company, and registration status
    • Registration: registers a user to receive preferred contents and access more features
      
      Requires to fillup the following:
      • Email add
      • Country
      • Occupation
      • Gender
      • Age group
  • Purchase Babylon-Pro... → option to purchase Pro version of Babylon:
    
  • Enable/Disable → Enable or disable Babylon program
  • Exit: terminates the program