ADWARE_BHO_SEP.GA

 Analysis by: Pearl Charlaine Espejo

 ALIASES:

Trojan.Win32.Septic.a (Kaspersky); Trojan.Win32.Septic.irdi (NANO-Antivirus); W32/Septic.A!tr (Fortinet); Adware.SideSearch (Symantec); Application.Win32.Adware.SideSearch (Comodo)

 PLATFORM:

Windows

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Adware

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW


This adware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It arrives as a component bundled with malware/grayware packages.

  TECHNICAL DETAILS

File Size:

184,325 bytes

File Type:

DLL

Memory Resident:

No

Initial Samples Received Date:

07 Mar 2015

Arrival Details

This adware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It arrives as a component bundled with malware/grayware packages.

Other System Modifications

This adware adds the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Sep.Band.1

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Sep.Band.1\CLSID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Sep.Band

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Sep.Band\CLSID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Sep.Band\CurVer

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Sep.Search.1

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Sep.Search

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Sep.Search.1\CLSID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Sep.Search\CLSID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Sep.Search\CurVer

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{C5183ABC-EB6E-4E05-B8C9-500A16B6CF94}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{C5183ABC-EB6E-4E05-B8C9-500A16B6CF94}\ProgID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{C5183ABC-EB6E-4E05-B8C9-500A16B6CF94}\VersionIndependentProgID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{C5183ABC-EB6E-4E05-B8C9-500A16B6CF94}\Programmable

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{C5183ABC-EB6E-4E05-B8C9-500A16B6CF94}\InprocServer32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{C5183ABC-EB6E-4E05-B8C9-500A16B6CF94}\TypeLib

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Browser Helper Objects\{C5183ABC-EB6E-4E05-B8C9-500A16B6CF94}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{C30793AF-14B2-4300-8B5D-4BFA3987050E}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{C30793AF-14B2-4300-8B5D-4BFA3987050E}\ProgID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{C30793AF-14B2-4300-8B5D-4BFA3987050E}\VersionIndependentProgID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{C30793AF-14B2-4300-8B5D-4BFA3987050E}\InprocServer32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{C30793AF-14B2-4300-8B5D-4BFA3987050E}\TypeLib

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{4E627A1E-BC4B-4FAF-8DE8-1D9A54D37DA3}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{3A951AF0-53F8-4803-A565-0E1DEE4B11F5}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{AF286CEA-635D-40C5-A891-B40A0F520539}

It adds the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Sep.Band.1
= "Band Class"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Sep.Band.1\CLSID
= "{C5183ABC-EB6E-4E05-B8C9-500A16B6CF94}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Sep.Band
= "Band Class"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Sep.Band\CLSID
= "{C5183ABC-EB6E-4E05-B8C9-500A16B6CF94}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Sep.Band\CurVer
= "Sep.Band.1"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{C5183ABC-EB6E-4E05-B8C9-500A16B6CF94}
= "Band Class"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{C5183ABC-EB6E-4E05-B8C9-500A16B6CF94}\ProgID
= "Sep.Band.1"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{C5183ABC-EB6E-4E05-B8C9-500A16B6CF94}\VersionIndependentProgID
= "Sep.Band"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{C5183ABC-EB6E-4E05-B8C9-500A16B6CF94}\InprocServer32
= "{malware path and filename}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{C5183ABC-EB6E-4E05-B8C9-500A16B6CF94}\InprocServer32
ThreadingModel = "Apartment"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{C5183ABC-EB6E-4E05-B8C9-500A16B6CF94}\TypeLib
= "{4E627A1E-BC4B-4FAF-8DE8-1D9A54D37DA3}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Sep.Search.1
= "Search Class"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Sep.Search.1\CLSID
= "{C30793AF-14B2-4300-8B5D-4BFA3987050E}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Sep.Search
= "Search Class"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Sep.Search\CLSID
= "{C30793AF-14B2-4300-8B5D-4BFA3987050E}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Sep.Search\CurVer
= "Sep.Search.1"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{C30793AF-14B2-4300-8B5D-4BFA3987050E}
= "Search Class"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{C30793AF-14B2-4300-8B5D-4BFA3987050E}\ProgID
= "Sep.Search.1"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{C30793AF-14B2-4300-8B5D-4BFA3987050E}\VersionIndependentProgID
= "Sep.Search

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{C30793AF-14B2-4300-8B5D-4BFA3987050E}\InprocServer32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{C30793AF-14B2-4300-8B5D-4BFA3987050E}\InprocServer32
ThreadingModel = "Free"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{C30793AF-14B2-4300-8B5D-4BFA3987050E}\TypeLib
= "{4E627A1E-BC4B-4FAF-8DE8-1D9A54D37DA3}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{4E627A1E-BC4B-4FAF-8DE8-1D9A54D37DA3}\1.0\
0\win32
= "{malware path and filename}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{3A951AF0-53F8-4803-A565-0E1DEE4B11F5}
= "IBand"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{AF286CEA-635D-40C5-A891-B40A0F520539}
= "ISepSearch"