ADW_INSTALLREX.GB

This adware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

As of this writing, the said sites are inaccessible.

Arrival Details

This adware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This adware adds the following folders:

• %User Temp%\{Generated ID}\x86
• %User Temp%\{Generated ID}\x64
• %User Temp%\{Generated ID}
• %Program Data%\InstallMate
• %Program Data%\InstallMate\{Genereted ID}

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It drops the following file(s)/component(s):

• %User Temp%\Tsu{Random 8 Alphanumeric Characters}.dll <- Loaded as Library responsible for dropping and download routine, deleted afterwards
• %User Temp%\_tin{random 4 numbers}.bat <- Deleted after execution
• %User Temp%\{Executed File's Name}.log <- will be renamed to %ProgramData%\InstallMate\{Generated ID}\{Current Date and Time}.log
• %User Temp%\{Random 8 Alphanumeric Characters}.dat
• %User Temp%\{Generated ID}\_Setup.dll
• %User Temp%\{Generated ID}\Setup.ico
• %User Temp%\{Generated ID}\Readme.txt
• %User Temp%\{Generated ID}\Custom.dll
• %User Temp%\{Generated ID}\Setup.exe
• %User Temp%\{Generated ID}\x86\regsvr32.exe
• %User Temp%\{Generated ID}\x64\regsvr32.exe
• %ProgramData%\InstallMate\{Generated ID}\_Setup.dll
• %ProgramData%\InstallMate\{Generated ID}\Setup.ico
• %ProgramData%\InstallMate\{Generated ID}\Readme.txt
• %ProgramData%\InstallMate\{Generated ID}\Custom.dll
• %ProgramData%\InstallMate\{Generated ID}\Setup.exe
• %ProgramData%\InstallMate\{Generated ID}\TsuDll.dll

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %ProgramData% is the Program Data folder, where it usually is C:\Program Files in Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\ProgramData in Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• {Generated ID}

Other System Modifications

This adware deletes the following folders:

• %User Temp%\{Generated ID} <- Deleted before terminating self
• %ProgramData%\InstallMate\{Random 8 Alphanumeric Characters}\cfg <- deleted on the execution of %User Temp%\_tin{Random 4 Numbers}.bat

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %ProgramData% is the Program Data folder, where it usually is C:\Program Files in Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\ProgramData in Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It adds the following registry keys:

HKEY_CURRENT_USER\Software\Microsoft\
RestartManager\Session0000

HKEY_LOCAL_MACHINE\Microsoft\Windows\
CurrentVersion\Uninstall\{Generated ID}

Download Routine

This adware accesses the following websites to download files:

• c1.{BLOCKED}oaddatamy.info/?step_id={Value}&installer_id={Value}&publisher_id={Value}&source_id={Value}&page_id={Value}&affiliate_id={Value}&country_code={Value}&locale={Value}&browser_id={Value}&download_id={Value}&external_id={Value}&session_id={Value}&hardware_id={Value}&filesize={Value}&product_name=SC-7415FF7415.rar&product_title=Billion+Uploads+File+Downloader+v1.3&installer_file_name=Download_Manager-SC-7415FF7415.rar&product_file_name=SC-7415FF7415.rar&product_download_url=http%3A%2F%2F192.96.205.172%3A182%2Fd%2Fl7artrf6lhzeh6kdz5rkvfcswoed632p7iflztvhv4hmmafcpgnf22xb%2FSC-7415FF7415.rar&reffer=http%3A%2F%2Fwww.billionuploads.com%2F&uuid=%252A
• c2.{BLOCKED}oaddatamy.info/?step_id={Value}&installer_id={Value}&publisher_id={Value}&source_id={Value}&page_id={Value}&affiliate_id={Value}&country_code={Value}&locale={Value}&browser_id={Value}&download_id={Value}&external_id={Value}&session_id={Value}&hardware_id={Value}&filesize={Value}&product_name=SC-7415FF7415.rar&product_title=Billion+Uploads+File+Downloader+v1.3&installer_file_name=Download_Manager-SC-7415FF7415.rar&product_file_name=SC-7415FF7415.rar&product_download_url=http%3A%2F%2F192.96.205.172%3A182%2Fd%2Fl7artrf6lhzeh6kdz5rkvfcswoed632p7iflztvhv4hmmafcpgnf22xb%2FSC-7415FF7415.rar&reffer=http%3A%2F%2Fwww.billionuploads.com%2F&uuid=%252A

As of this writing, the said sites are inaccessible.

Other Details

This adware does the following:

• Connects to the following sites to report its installation:
  • r2.{BLOCKED}icationmy.info/?report_version={Value}&
  • r1.{BLOCKED}icationmy.info/?report_version={Value}&
• Displays an Error Message and Terminates itself with the following conditions:
  • It does not contain "MZ" and "PE" in file header
  • It does not have ".tsustub" section
  • It failed to locate the Temp Path in the affected system