ADWARE.WIN32.OPENCANDY.AA

October 31, 2018

Analysis by: Arvin Roi Macaraeg

ALIASES:

PUA:Win32/CandyOpen(Microsoft), not-a-virus:Downloader.Win32.OpenCandy.kw(Kaspersky), Win32/OpenCandy potentially unsafe(ESET-NOD32)

PLATFORM:

Windows

OVERALL RISK RATING:

DAMAGE POTENTIAL:

DISTRIBUTION POTENTIAL:

REPORTED INFECTION:

INFORMATION EXPOSURE:

Threat Type: Adware
Destructiveness: No
Encrypted:
In the wild: Yes

OVERVIEW

This Adware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

TECHNICAL DETAILS

File Size: 3,390,816 bytes

File Type: EXE

Memory Resident: No

Initial Samples Received Date: 18 Jun 2012

Arrival Details

This Adware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Adware drops the following files:

%Program Files%\WinSCP\unins000.exe
%Program Files%\WinSCP\WinSCP.exe
%Program Files%\WinSCP\WinSCP.com
%Program Files%\WinSCP\WinSCP.ico
%Program Files%\WinSCP\licence
%Program Files%\WinSCP\DragExt.dll
%Program Files%\WinSCP\PuTTY\LICENCE
%Program Files%\WinSCP\PuTTY\putty.hlp
%Program Files%\WinSCP\PuTTY\pageant.exe
%Program Files%\WinSCP\PuTTY\puttygen.exe
%User Temp%\is-{random}.tmp\{Malware Name}.tmp
%User Temp%\is-{random}.tmp\_isetup\_RegDLL.tmp
%User Temp%\is-{random}.tmp\_isetup\_shfoldr.dll
%User Temp%\is-{random}.tmp\OCSetupHlp.dll
%Common Programs%\WinSCP\WinSCP.lnk
%Common Programs%\WinSCP\Key tools\PuTTYgen.lnk
%Common Programs%\WinSCP\Key tools\Pageant.lnk
%Desktop%\WinSCP.lnk
%Application Data%\Microsoft\Windows\SendTo\WinSCP (for upload).lnk
%Application Data%\winscp.rnd

Other System Modifications

This Adware adds the following registry entries as part of its installation routine:

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface
Interface = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\Martin Prikryl\
WinSCP 2
DefaultInterfaceInterface = "0"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface
ShowAdvancedLoginOptions = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\Martin Prikryl\
WinSCP 2
DefaultInterfaceShowAdvancedLoginOptions = "0"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface
DDExtEnabled = "1"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
Updates
Period = "7"

HKEY_LOCAL_MACHINE\SOFTWARE\Martin Prikryl\
WinSCP 2
DefaultUpdatesPeriod = "7"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Directory\shellex\CopyHookHandlers\
WinSCPCopyHook
{Default} = "{E15E1D68-0D1C-49F7-BEB8-812B1E00FA60}"

HKEY_LOCAL_MACHINE\SOFTWARE\Martin Prikryl\
WinSCP 2\DragExt
Enable = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer
GlobalAssocChangedCounter = "34"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
winscp3_is1
Inno Setup: Setup Version = "5.4.3 (a)"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
winscp3_is1
Inno Setup: App Path = "%Program Files%\WinSCP"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
winscp3_is1
InstallLocation = "%Program Files%\WinSCP\"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
winscp3_is1
Inno Setup: Icon Group = "WinSCP"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
winscp3_is1
Inno Setup: User = "{PC name}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
winscp3_is1
Inno Setup: Setup Type = "full"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
winscp3_is1
Inno Setup: Selected Components = "main,shellext,pageant,puttygen,transl,transl\eng"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
winscp3_is1
Inno Setup: Deselected Components = "transl\ch,transl\chs,transl\cs,transl\de,transl\es,transl\et,transl\fi,transl\fr,transl\hu,transl\it,transl\jp,transl\ko,transl\nl,transl\pl,transl\sk,transl\sv,transl\uk"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
winscp3_is1
Inno Setup: Selected Tasks = "enableupdates,desktopicon,desktopicon\user,sendtohook,urlhandler"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
winscp3_is1
Inno Setup: Deselected Tasks = "desktopicon\common,quicklaunchicon,searchpath"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
winscp3_is1
Inno Setup: Language = "en"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
winscp3_is1
DisplayName = "WinSCP 4.3.8"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
winscp3_is1
DisplayIcon = "%Program Files%\WinSCP\WinSCP.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
winscp3_is1
UninstallString = ""%Program Files%\WinSCP\unins000.exe""

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
winscp3_is1
QuietUninstallString = ""%Program Files%\WinSCP\unins000.exe" /SILENT"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
winscp3_is1
DisplayVersion = "4.3.8"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
winscp3_is1
Publisher = "Martin Prikryl"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
winscp3_is1
URLInfoAbout = "http://winscp.net/"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
winscp3_is1
HelpLink = "http://winscp.net/forum/"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
winscp3_is1
URLUpdateInfo = "http://winscp.net/eng/download.php"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
winscp3_is1
NoModify = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
winscp3_is1
NoRepair = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
winscp3_is1
InstallDate = "20181030"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
winscp3_is1
MajorVersion = "4"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
winscp3_is1
MinorVersion = "3"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
winscp3_is1
EstimatedSize = "8325"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
winscp3_is1
Inno Setup CodeFile: SetupType = "typical"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
SCP
{Default} = "URL: SCP Protocol"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
SCP
URL Protocol = ""

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
SCP
EditFlags = "2"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
SCP
BrowserFlags = "8"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
SCP\DefaultIcon
{Default} = ""%Program Files%\WinSCP\WinSCP.exe",0"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
SCP\shell\open\
command
{Default} = ""%Program Files%\WinSCP\WinSCP.exe" /unsafe "%1""

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
SFTP
{Default} = "URL: SFTP Protocol"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
SFTP
URL Protocol = ""

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
SFTP
EditFlags = "2"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
SFTP
BrowserFlags = "8"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
SFTP\DefaultIcon
{Default} = ""%Program Files%\WinSCP\WinSCP.exe",0"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
SFTP\shell\open\
command
{Default} = ""%Program Files%\WinSCP\WinSCP.exe" /unsafe "%1""

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface
RandomSeedFile = "%25APPDATA%25%5Cwinscp.rnd"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface
PuttyRegistryStorageKey = "Software%5CSimonTatham%5CPuTTY"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface
ConfirmOverwriting = "1"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface
ConfirmResume = "1"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface
AutoReadDirectoryAfterOp = "1"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface
SessionReopenAuto = "5000"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface
SessionReopenBackground = "2000"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface
SessionReopenTimeout = "0"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface
TunnelLocalPortNumberLow = "50000"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface
TunnelLocalPortNumberHigh = "50099"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface
CacheDirectoryChangesMaxSize = "100"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface
ShowFtpWelcomeMessage = "0"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Logging
Logging = "0"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Logging
LogFileName = ""

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Logging
LogFileAppend = "1"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Logging
LogWindowLines = "100"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Logging
LogProtocol = "0"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Logging
LogActions = "0"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface
ContinueOnError = "0"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface
ConfirmCommandSession = "1"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface
SynchronizeParams = "66"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface
SynchronizeOptions = "5"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface
SynchronizeModeAuto = "4294967295"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface
SynchronizeMode = "0"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface
MaxWatchDirectories = "500"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface
QueueTransfersLimit = "2"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface
QueueAutoPopup = "1"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface
QueueRememberPassword = "0"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface
PuttySession = "WinSCP%20temporary%20session"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface
PuttyPath = "%25PROGRAMFILES%25%5CPuTTY%5Cputty.exe"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface
PuttyPassword = "0"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface
TelnetForFtpInPutty = "1"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface
IgnoreCancelBeforeFinish = "DF BC 9A 78 56 34 02 3F "

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface
BeepOnFinish = "0"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface
BeepOnFinishAfter = "17 6C C1 16 6C C1 36 3F "

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface
SynchronizeBrowsing = "0"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface
KeepUpToDateChangeDelay = "500"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface
ChecksumAlg = "md5"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface
SessionReopenAutoIdle = "5000"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
CopyParam
AddXToDirectories = "1"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
CopyParam
Masks = "%2A.%2Ahtml"%20%2A.htm"%20%2A.txt"%20%2A.php"%20%2A.php3"%20%2A.cgi"%20%2A.c"%20%2A.cpp"%20%2A.h"%20%2A.pas"%20%2A.bas"%20%2A.tex"%20%2A.pl"%20%2A.js"%20.htaccess"%20%2A.xtml"%20%2A.css"%20%2A.cfg"%20%2A.ini"%20%2A.sh"%20%2A.xml"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
CopyParam
FileNameCase = "0"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
CopyParam
PreserveReadOnly = "0"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
CopyParam
PreserveTime = "1"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
CopyParam
PreserveRights = "0"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
CopyParam
IgnorePermErrors = "0"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
CopyParam
Text = "rw-r--r--"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
CopyParam
TransferMode = "2"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
CopyParam
ResumeSupport = "1"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
CopyParam
ResumeThreshold = "00 90 01 00 00 00 00 00 "

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
CopyParam
ReplaceInvalidChars = "1"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
CopyParam
LocalInvalidChars = "/%5C:%2A%3F"<>|"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
CopyParam
CalculateSize = "1"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
CopyParam
ExcludeFileMask = ""

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
CopyParam
NegativeExclude = "0"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
CopyParam
ClearArchive = "0"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
CopyParam
CPSLimit = "0"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
CopyParam
Queue = "0"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
CopyParam
QueueNoConfirmation = "1"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
CopyParam
QueueIndividually = "0"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
CopyParam
NewerOnly = "0"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
CopyParam
CopyParamList = "4294967295"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
NewDirectory2
Valid = "00 "

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface
Interface = "0"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface
ShowAdvancedLoginOptions = "0"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface
ConfirmExitOnCompletion = "1"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Logging
LogView = "0"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
SynchronizeChecklist
WindowParams = "0"-1"-1"600"450"0"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
SynchronizeChecklist
ListParams = "1"1|150,1"100,1"80,1"130,1"25,1"100,1"80,1"130,1|0"1"2"3"4"5"6"7"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
FindFile
WindowParams = "646,481"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
FindFile
ListParams = "3"1|125,1"181,1"80,1"122,1|0"1"2"3"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
ConsoleWin
WindowSize = "570,430"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface
CopyOnDoubleClick = "2"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface
CopyOnDoubleClickConfirmation = "0"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface
DDAllowMove = "0"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface
DDAllowMoveInit = "0"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface
DDTransferConfirmation = "1"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface
DDTemporaryDirectory = ""

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface
DDWarnLackOfTempSpace = "1"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface
DDWarnLackOfTempSpaceRatio = "9A 99 99 99 99 99 F1 3F "

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface
DeleteToRecycleBin = "1"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface
DimmHiddenFiles = "1"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface
RenameWholeName = "0"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface
SelectDirectories = "0"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface
SelectMask = "%2A.%2A"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface
ShowHiddenFiles = "1"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface
ShowInaccesibleDirectories = "1"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface
ConfirmTransferring = "1"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface
ConfirmDeleting = "1"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface
ConfirmRecycling = "1"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface
ConfirmClosingSession = "1"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface
AutoStartSession = ""

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface
UseLocationProfiles = "0"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface
UseSharedBookmarks = "0"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface
LocaleSafe = "1033"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface
DDExtEnabled = "1"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface
DDExtTimeout = "1000"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface
DefaultDirIsHome = "1"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface
TemporaryDirectoryAppendSession = "0"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface
TemporaryDirectoryAppendPath = "1"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface
TemporaryDirectoryCleanup = "1"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface
ConfirmTemporaryDirectoryCleanup = "1"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface
PreservePanelState = "1"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface
Theme = "OfficeXP"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface
PathInCaption = "0"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface
MinimizeToTray = "0"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface
BalloonNotifications = "1"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface
NotificationsTimeout = "10"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface
NotificationsStickTime = "2"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface
CopyParamAutoSelectNotice = "1"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface
SessionToolbarAutoShown = "0"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface
LockToolbars = "0"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface
AutoOpenInPutty = "0"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface
LastMonitor = "4294967295"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface
VersionHistory = "403081771,stable"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
Editor
FontName = "Courier%20New"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
Editor
FontHeight = "4294967284"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
Editor
FontStyle = "0"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
Editor
FontCharset = "1"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
Editor
WordWrap = "0"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
Editor
FindTextA = ""

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
Editor
ReplaceTextA = ""

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
Editor
FindMatchCase = "0"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
Editor
FindWholeWord = "0"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
Editor
FindDown = "1"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
Editor
TabSize = "7"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
Editor
MaxEditors = "500"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
Editor
EarlyClose = "2"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
Editor
SDIShellEditor = "0"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
Editor
WindowParams = ""

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
QueueView
Height = "100"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
QueueView
Layout = "70,160,160,80,80,80"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
QueueView
Show = "1"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
QueueView
LastHideShow = "1"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
QueueView
ToolBar = "0"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
Updates
Period = "7"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
Updates
LastCheck = "00 00 00 00 00 00 00 00 "

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
Updates
HaveResults = "0"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
Updates
ShownResults = "0"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
Updates
BetaVersions = "2"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
Updates
ConnectionType = "1"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
Updates
ProxyHost = ""

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
Updates
ProxyPort = "8080"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
Updates
ForVersion = "0"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
Updates
Version = "0"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
Updates
Message = ""

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
Updates
Critical = "0"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
Updates
Release = ""

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
Updates
Disabled = "0"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
Updates
Url = ""

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
Updates
UrlButton = ""

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
Explorer
DirViewParams = "0"1"0|150,1"70,1"101,1"79,1"62,1"55,1"20,0"150,0"125,0|0"1"8"2"3"4"5"6"7"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
Explorer
LastLocalTargetDirectory = "C:%5CUsers%5C{PC name}%5CDocuments"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
Explorer
StatusBar = "1"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
Explorer
WindowParams = "-1"-1"600"400"0"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
Explorer
ViewStyle = "0"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
Explorer
ShowFullAddress = "1"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
Explorer
DriveView = "1"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
Explorer
DriveViewWidth = "180"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
Commander
CurrentPanel = "0"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
Commander
LocalPanelWidth = "00 00 00 00 00 00 E0 3F "

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
Commander
SwappedPanels = "0"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
Commander
StatusBar = "1"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
Commander
WindowParams = "-1"-1"850"650"0"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
Commander
ExplorerStyleSelection = "2"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
Commander
PreserveLocalDirectory = "0"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
Commander
CompareByTime = "1"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
Commander
CompareBySize = "0"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
Commander
FullRowSelect = "0"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
Commander
TreeOnLeft = "0"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
Commander\LocalPanel
DirViewParams = "0"1"0|150,1"70,1"101,1"79,1"62,1"55,0|0"1"2"3"4"5"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
Commander\LocalPanel
StatusBar = "1"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
Commander\LocalPanel
DriveView = "0"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
Commander\LocalPanel
DriveViewHeight = "100"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
Commander\LocalPanel
DriveViewWidth = "100"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
Commander\RemotePanel
DirViewParams = "0"1"0|150,1"70,1"101,1"79,1"62,1"55,0"20,0"150,0"125,0|0"1"8"2"3"4"5"6"7"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
Commander\RemotePanel
StatusBar = "1"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
Commander\RemotePanel
DriveView = "0"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
Commander\RemotePanel
DriveViewHeight = "100"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
Commander\RemotePanel
DriveViewWidth = "100"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Logging
LogWindowOnStartup = "1"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Logging
LogWindowParams = "-1"-1"500"400"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Security
UseMasterPassword = "0"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Security
MasterPasswordVerifier = ""

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
Editor\0
FileMask = "%2A.%2A"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
Editor\0
Editor = "0"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
Editor\0
ExternalEditor = ""

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
Editor\0
ExternalEditorText = "1"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
Editor\0
SDIExternalEditor = "0"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
Editor\0
DetectMDIExternalEditor = "0"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
Editor\1
FileMask = "%2A.%2A"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
Editor\1
Editor = "1"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
Editor\1
ExternalEditor = "notepad.exe"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
Editor\1
ExternalEditorText = "1"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
Editor\1
SDIExternalEditor = "0"

HKEY_CURRENT_USER\Software\Martin Prikryl\
WinSCP 2\Configuration\Interface\
Editor\1
DetectMDIExternalEditor = "0"

Other Details

This Adware connects to the following possibly malicious URL:

http://opencandy.{BLOCKED}p.net/?clientv=31&cltzone=480&language=en,en&method=get_offers&mstime=0.109&os=WIN6.1SP1&product_key=c8223ec7b782bba155ed4a5f24e87c75&v=1.0&signature=f22b2fc2bf60bb9affdbfc564408b399

SOLUTION

Minimum Scan Engine: 9.850

SSAPI PATTERN File: 2.112.44

SSAPI PATTERN Date: 25 Oct 2018

Step 1

Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.

Step 2

Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.

Step 3

Remove ADWARE.WIN32.OPENCANDY.AA by using its own Uninstall option

[ Learn More ]

To uninstall the grayware processDATA_GENERIC

Click on Remove or Uninstall depending on the currently running Windows version.

Follow the instructions on the dialog box that appears.

Close the Programs window, and the Control Panel window.

Step 4

Scan your computer with your Trend Micro product to delete files detected as ADWARE.WIN32.OPENCANDY.AA. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check the following Trend Micro Support pages for more information:

Did this description help? Tell us how we did.

ADWARE.WIN32.OPENCANDY.AA

OVERVIEW

TECHNICAL DETAILS

SOLUTION

Resources

Support

About Trend

Country Headquarters

ADWARE.WIN32.OPENCANDY.AA

OVERVIEW

TECHNICAL DETAILS

SOLUTION

Resources

Support

About Trend

Country Headquarters

The Americas

Middle East & Africa

Europe

Asia & Pacific