Analysis by: Mohammed Malubay

ALIASES:

N/A

 PLATFORM:

Windows

  • Threat Type: Potentially Unwanted Application

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This Potentially Unwanted Application arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

  TECHNICAL DETAILS

File Size: 1,956,576 bytes
File Type: EXE
Initial Samples Received Date: 27 Jan 2021

Arrival Details

This Potentially Unwanted Application arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Potentially Unwanted Application drops the following files:

  • %Application Data%\BitTorrent\BitTorrent.exe
  • %Application Data%\BitTorrent\bittorrent.lng
  • %Application Data%\BitTorrent\bittorrent.lng.new
  • %Application Data%\BitTorrent\settings.dat.new
  • %Application Data%\BitTorrent\updates.dat
  • %Application Data%\Microsoft\Windows\Start Menu\BitTorrent.lnk
  • %Desktop%\BitTorrent.lnk
  • %User Temp%\{Random Characters}.tmp.{Random Numbers}\HTA\i18n\br.json
  • %User Temp%\{Random Characters}.tmp.{Random Numbers}\HTA\i18n\de.json
  • %User Temp%\{Random Characters}.tmp.{Random Numbers}\HTA\i18n\en.json
  • %User Temp%\{Random Characters}.tmp.{Random Numbers}\HTA\i18n\es.json
  • %User Temp%\{Random Characters}.tmp.{Random Numbers}\HTA\i18n\fr.json
  • %User Temp%\{Random Characters}.tmp.{Random Numbers}\HTA\i18n\it.json
  • %User Temp%\{Random Characters}.tmp.{Random Numbers}\HTA\i18n\ko.json
  • %User Temp%\{Random Characters}.tmp.{Random Numbers}\HTA\i18n\pt.json
  • %User Temp%\{Random Characters}.tmp.{Random Numbers}\HTA\i18n\ru.json
  • %User Temp%\{Random Characters}.tmp.{Random Numbers}\HTA\images\bt_icon_48px.png
  • %User Temp%\{Random Characters}.tmp.{Random Numbers}\HTA\images\loading.gif
  • %User Temp%\{Random Characters}.tmp.{Random Numbers}\HTA\images\main_bittorrent.ico
  • %User Temp%\{Random Characters}.tmp.{Random Numbers}\HTA\images\main_icon.png
  • %User Temp%\{Random Characters}.tmp.{Random Numbers}\HTA\images\main_utorrent.ico
  • %User Temp%\{Random Characters}.tmp.{Random Numbers}\HTA\index.hta
  • %User Temp%\{Random Characters}.tmp.{Random Numbers}\HTA\install.{Random Numbers}.zip
  • %User Temp%\{Random Characters}.tmp.{Random Numbers}\HTA\scripts\common.js
  • %User Temp%\{Random Characters}.tmp.{Random Numbers}\HTA\scripts\es5-shim.js
  • %User Temp%\{Random Characters}.tmp.{Random Numbers}\HTA\scripts\initialize.js
  • %User Temp%\{Random Characters}.tmp.{Random Numbers}\HTA\scripts\install.js
  • %User Temp%\{Random Characters}.tmp.{Random Numbers}\HTA\scripts\uninstall.js
  • %User Temp%\{Random Characters}.tmp.{Random Numbers}\HTA\shell_scripts\check_if_cscript_is_working.js
  • %User Temp%\{Random Characters}.tmp.{Random Numbers}\HTA\shell_scripts\shell_install_offer.js
  • %User Temp%\{Random Characters}.tmp.{Random Numbers}\HTA\shell_scripts\shell_ping_after_close.js
  • %User Temp%\{Random Characters}.tmp.{Random Numbers}\HTA\styles\common.css
  • %User Temp%\{Random Characters}.tmp.{Random Numbers}\HTA\styles\installer.css
  • %User Temp%\{Random Characters}.tmp.{Random Numbers}\HTA\uninstall.hta
  • %User Temp%\{Random Characters}.tmp.{Random Numbers}\index.hta.log
  • %User Temp%\{Random Characters}.tmp.{Random Numbers}\sideLog.log
  • C:\hydra_tmp_{Random Numbers}\BitTorrent.lnk

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit). %Desktop% is the current user's desktop, which is usually C:\Documents and Settings\{user name}\Desktop on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\Desktop on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit). %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following processes:

  • "%System%\mshta.exe" "%User Temp%\{Random Characters}.tmp.{Random Numbers}\index.hta.log" /PID "{PID of running installer}" /CID "{Random Characters}" /VERSION "256619297" /BUCKET "0" /SSB "15" /COUNTRY "{Country of Machine}" /OS "6.1" /BROWSERS "{Browsers available in the machine}" --default http" /ARCHITECTURE "{Machine Architecture}" /LANG "{Machine Language}" /USERNAME "{User Name}" /SID "{SID}" /USERLANG "{Selected Language}" /CLIENT "bittorrent"
  • "%System%\cscript.exe" "shell_scripts/check_if_cscript_is_working.js"
  • "%System%\PING.EXE" 8.8.8.8 -n 2 -w 500
  • "%System%\cscript.exe" shell_scripts/shell_ping_after_close.js "http://i-50.b-000.XYZ.{BLOCKED}h.{BLOCKED}nt.com/e?i=50&e={Random Characters}"
  • "%System%\cscript.exe" shell_scripts/shell_install_offer.js "%User Temp%/{Random Characters}.tmp.{Random Numbers}/sideLog.log" "lavasoft_securesearch" "http://webcompanion.com/nano_download.php?partner=BT170901" "--silent%20--partner%3DBT170901%20--homepage%3D11%20--search%3D7" "0" "{User name}" "{User name}"

Autostart Technique

This Potentially Unwanted Application adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
BitTorrent = %APPDATA%\BitTorrent\BitTorrent.exe
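The process list and the Run-key entry above give a defender three concrete things to look for: mshta.exe executing an index.hta.log file from a {Random Characters}.tmp.{Random Numbers} folder under the user's Temp, cscript.exe running one of the installer's shell_scripts helpers, and a BitTorrent value under HKCU\...\CurrentVersion\Run pointing at %APPDATA%\BitTorrent\BitTorrent.exe. The following Python is an added example, not part of this Trend Micro description: it encodes those three indicators as checks and runs them over a handful of constructed, Sysmon-style event records (field names Image, CommandLine, TargetObject and Details follow Sysmon conventions; the records, user name and SID are invented for the example). The PING.EXE 8.8.8.8 launch is deliberately not matched on its own, since that command is too common to be a useful indicator by itself.

```python
"""Match the process-creation and autostart indicators from the description
above against Sysmon-style events. Added example; all events are constructed."""

import re

# Constructed sample events (not captured from a real host). EventID 1 is a
# process creation, EventID 13 a registry value set, following Sysmon numbering.
SAMPLE_EVENTS = [
    {"EventID": 1,
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" "C:\Users\alice\AppData\Local\Temp\ab12cd.tmp.4711\index.hta.log" /PID "1234" /CLIENT "bittorrent"'},
    {"EventID": 1,
     "Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r'"C:\Windows\System32\cscript.exe" shell_scripts/shell_install_offer.js "C:/Users/alice/AppData/Local/Temp/ab12cd.tmp.4711/sideLog.log" "lavasoft_securesearch"'},
    {"EventID": 1,
     "Image": r"C:\Windows\System32\PING.EXE",
     "CommandLine": r'"C:\Windows\System32\PING.EXE" 8.8.8.8 -n 2 -w 500'},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\BitTorrent",
     "Details": r"C:\Users\alice\AppData\Roaming\BitTorrent\BitTorrent.exe"},
    # Benign control: a normal mshta launch of an .hta file outside Temp.
    {"EventID": 1,
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" "C:\Program Files\Vendor\setup.hta"'},
]

# mshta.exe given an index.hta.log inside a <chars>.tmp.<digits> folder under Temp
MSHTA_HTA_LOG = re.compile(
    r'mshta\.exe".*\\temp\\[^"\\]+\.tmp\.\d+\\index\.hta\.log"', re.I)
# cscript.exe running one of the installer's shell_scripts helpers
CSCRIPT_SHELL = re.compile(
    r'cscript\.exe"?\s+"?shell_scripts/'
    r'(shell_install_offer|shell_ping_after_close|check_if_cscript_is_working)\.js', re.I)
# Run-key value named BitTorrent whose data points at the per-user drop folder;
# the data may be stored as the literal %APPDATA% or already expanded.
RUN_KEY = re.compile(r'\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\BitTorrent$', re.I)
RUN_VALUE = re.compile(r'(%APPDATA%|\\AppData\\Roaming)\\BitTorrent\\BitTorrent\.exe$', re.I)


def classify(event):
    """Return a short indicator label for a matching event, or None."""
    if event.get("EventID") == 1:
        cmd = event.get("CommandLine", "")
        if MSHTA_HTA_LOG.search(cmd):
            return "mshta_hta_log_in_temp"
        if CSCRIPT_SHELL.search(cmd):
            return "cscript_installer_shell_script"
    elif event.get("EventID") == 13:
        if RUN_KEY.search(event.get("TargetObject", "")) and \
           RUN_VALUE.search(event.get("Details", "")):
            return "run_key_appdata_bittorrent"
    return None


def scan(events):
    """Return [(index, label)] for every event matching one of the indicators."""
    hits = []
    for i, ev in enumerate(events):
        label = classify(ev)
        if label:
            hits.append((i, label))
    return hits


if __name__ == "__main__":
    for i, label in scan(SAMPLE_EVENTS):
        print(f"event {i}: {label}")
```

The three matches together (mshta on the temp .hta.log, cscript on a shell_scripts helper, and the Run value) are far more specific than any one of them alone; mshta.exe and cscript.exe are legitimate Windows binaries, so a rule keyed on the image name alone would be noisy.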

Other System Modifications

This Potentially Unwanted Application adds the following registry entries:

HKEY_USERS\{SID}_CLASSES\Applications\
BitTorrent.exe
shell = open

HKEY_USERS\{SID}_CLASSES\Applications\
BitTorrent.exe\shell
open = "%APPDATA%\BitTorrent\BitTorrent.exe" "%1"

HKEY_USERS\{SID}_CLASSES\Applications\
BitTorrent.exe\shell\open
command = "%APPDATA%\BitTorrent\BitTorrent.exe" "%1"

HKEY_USERS\{SID}_CLASSES\Applications\
BitTorrent.exe\shell\open\
command
(Default) = "%APPDATA%\BitTorrent\BitTorrent.exe" "%1"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Uninstall\
BitTorrent
DisplayName = BitTorrent

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Uninstall\
BitTorrent
DisplayVersion = {BLOCKED}.{BLOCKED}.5.45857

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Uninstall\
BitTorrent
DisplayIcon = %APPDATA%\BitTorrent\BitTorrent.exe,0

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Uninstall\
BitTorrent
UninstallString = "%APPDATA%\BitTorrent\BitTorrent.exe" /UNINSTALL

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Uninstall\
BitTorrent
InstallLocation = %APPDATA%\BitTorrent

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Uninstall\
BitTorrent
URLInfoAbout = http://www.{BLOCKED}rent.com/

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Uninstall\
BitTorrent
Publisher = BitTorrent Inc.

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Uninstall\
BitTorrent
VersionMajor = 7

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Uninstall\
BitTorrent
MajorVersion = 7

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Uninstall\
BitTorrent
VersionMinor = 10

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Uninstall\
BitTorrent
MinorVersion = 10

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Uninstall\
BitTorrent
NoModify = 1

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Uninstall\
BitTorrent
NoRepair = 1

HKEY_USERS\{SID}_CLASSES\.btapp
(Default) = BitTorrent

HKEY_USERS\{SID}_CLASSES\.btapp
Content Type = application/x-bittorrent-app

HKEY_USERS\{SID}_CLASSES\MIME\
Database\Content Type\application/x-bittorrent-app
Extension = .btapp

HKEY_USERS\{SID}_CLASSES\.btapp\
BitTorrent\Content Type
(Default) = application/x-bittorrent-app

HKEY_USERS\{SID}_CLASSES\.btapp\
BitTorrent\shell
(Default) = open

HKEY_USERS\{SID}_CLASSES\.btapp\
BitTorrent
DefaultIcon = %APPDATA%\BitTorrent\images\bt_icon_48px.png

HKEY_USERS\{SID}_CLASSES\.btapp\
BitTorrent\shell\open
command = "%APPDATA%\BitTorrent\BitTorrent.exe" "%1"

HKEY_USERS\{SID}_CLASSES\.btinstall
(Default) = BitTorrent

HKEY_USERS\{SID}_CLASSES\.btinstall
Content Type = application/x-bittorrent-appinst

HKEY_USERS\{SID}_CLASSES\MIME\
Database\Content Type\application/x-bittorrent-appinst
Extension = .btinstall

HKEY_USERS\{SID}_CLASSES\.btinstall\
BitTorrent\Content Type
(Default) = application/x-bittorrent-appinst

HKEY_USERS\{SID}_CLASSES\.btinstall\
BitTorrent\shell
(Default) = open

HKEY_USERS\{SID}_CLASSES\.btinstall\
BitTorrent
DefaultIcon = %APPDATA%\BitTorrent\images\bt_icon_48px.png

HKEY_USERS\{SID}_CLASSES\.btinstall\
BitTorrent\shell\open
command = "%APPDATA%\BitTorrent\BitTorrent.exe" "%1"

HKEY_USERS\{SID}_CLASSES\.btkey
(Default) = BitTorrent

HKEY_USERS\{SID}_CLASSES\.btkey
Content Type = application/x-bittorrent-key

HKEY_USERS\{SID}_CLASSES\MIME\
Database\Content Type\application/x-bittorrent-key
Extension = .btkey

HKEY_USERS\{SID}_CLASSES\.btkey\
BitTorrent\Content Type
(Default) = application/x-bittorrent-key

HKEY_USERS\{SID}_CLASSES\.btkey\
BitTorrent\shell
(Default) = open

HKEY_USERS\{SID}_CLASSES\.btkey\
BitTorrent
DefaultIcon = %APPDATA%\BitTorrent\images\bt_icon_48px.png

HKEY_USERS\{SID}_CLASSES\.btkey\
BitTorrent\shell\open
command = "%APPDATA%\BitTorrent\BitTorrent.exe" "%1"

HKEY_USERS\{SID}_CLASSES\.btskin
BitTorrent =

HKEY_USERS\{SID}_CLASSES\.btskin
Content Type = application/x-bittorrent-skin

HKEY_USERS\{SID}_CLASSES\MIME\
Database\Content Type\application/x-bittorrent-skin
Extension = .btskin

HKEY_USERS\{SID}_CLASSES\.btskin\
BitTorrent\Content Type
(Default) = application/x-bittorrent-skin

HKEY_USERS\{SID}_CLASSES\.btskin\
BitTorrent\shell
(Default) = open

HKEY_USERS\{SID}_CLASSES\.btskin\
BitTorrent
DefaultIcon = %APPDATA%\BitTorrent\images\bt_icon_48px.png

HKEY_USERS\{SID}_CLASSES\.btskin\
BitTorrent\shell\open
command = "%APPDATA%\BitTorrent\BitTorrent.exe" "%1"

HKEY_USERS\{SID}_CLASSES\bittorrent
(Default) = bittorrent URI

HKEY_USERS\{SID}_CLASSES\bittorrent
URL Protocol =

HKEY_USERS\{SID}_CLASSES\bittorrent\
Content Type
(Default) = application/x-bittorrent

HKEY_USERS\{SID}_CLASSES\bittorrent
Content Type = application/x-bittorrent-protocol

HKEY_USERS\{SID}_CLASSES\bittorrent\
shell
(Default) = open

HKEY_USERS\{SID}_CLASSES\bittorrent\
DefaultIcon
(Default) = %APPDATA%\BitTorrent\images\bt_icon_48px.png

HKEY_USERS\{SID}_CLASSES\bittorrent\
shell\open\command
(Default) = "%APPDATA%\BitTorrent\BitTorrent.exe" %1 /SHELLASSOC

HKEY_USERS\{SID}_CLASSES\utorrent
(Default) = utorrent URI

HKEY_USERS\{SID}_CLASSES\utorrent
URL Protocol =

HKEY_USERS\{SID}_CLASSES\utorrent\
Content Type
(Default) = application/x-bittorrent

HKEY_USERS\{SID}_CLASSES\utorrent
Content Type = application/x-bittorrent-protocol

HKEY_USERS\{SID}_CLASSES\utorrent\
shell
(Default) = open

HKEY_USERS\{SID}_CLASSES\utorrent\
DefaultIcon
(Default) = %APPDATA%\BitTorrent\images\bt_icon_48px.png

HKEY_USERS\{SID}_CLASSES\utorrent\
shell\open\command
(Default) = "%APPDATA%\BitTorrent\BitTorrent.exe" %1 /SHELLASSOC

Other Details

This Potentially Unwanted Application adds the following registry keys:

HKEY_USERS\{SID}_CLASSES\Applications\
BitTorrent.exe

HKEY_USERS\{SID}_CLASSES\Applications\
BitTorrent.exe\shell

HKEY_USERS\{SID}_CLASSES\Applications\
BitTorrent.exe\shell\open

HKEY_USERS\{SID}_CLASSES\Applications\
BitTorrent.exe\shell\open\
command

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Uninstall

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Uninstall\
BitTorrent

HKEY_USERS\{SID}_CLASSES\.btapp

HKEY_USERS\{SID}_CLASSES\MIME

HKEY_USERS\{SID}_CLASSES\MIME\
Database

HKEY_USERS\{SID}_CLASSES\MIME\
Database\Content Type

HKEY_USERS\{SID}_CLASSES\MIME\
Database\Content Type\application/x-bittorrent-app

HKEY_USERS\{SID}_CLASSES\.btapp\
BitTorrent

HKEY_USERS\{SID}_CLASSES\.btapp\
BitTorrent\Content Type

HKEY_USERS\{SID}_CLASSES\.btapp\
BitTorrent\shell

HKEY_USERS\{SID}_CLASSES\.btapp\
BitTorrent\shell\open

HKEY_USERS\{SID}_CLASSES\.btinstall

HKEY_USERS\{SID}_CLASSES\MIME\
Database\Content Type\application/x-bittorrent-appinst

HKEY_USERS\{SID}_CLASSES\.btinstall\
BitTorrent

HKEY_USERS\{SID}_CLASSES\.btinstall\
BitTorrent\Content Type

HKEY_USERS\{SID}_CLASSES\.btinstall\
BitTorrent\shell

HKEY_USERS\{SID}_CLASSES\.btinstall\
BitTorrent\shell\open

HKEY_USERS\{SID}_CLASSES\MIME\
Database\Content Type\application/x-bittorrent-key

HKEY_USERS\{SID}_CLASSES\.btkey\
BitTorrent

HKEY_USERS\{SID}_CLASSES\.btkey\
BitTorrent\Content Type

HKEY_USERS\{SID}_CLASSES\.btkey\
BitTorrent\shell

HKEY_USERS\{SID}_CLASSES\.btkey\
BitTorrent\shell\open

HKEY_USERS\{SID}_CLASSES\.btskin

HKEY_USERS\{SID}_CLASSES\MIME\
Database\Content Type\application/x-bittorrent-skin

HKEY_USERS\{SID}_CLASSES\.btskin\
BitTorrent

HKEY_USERS\{SID}_CLASSES\.btskin\
BitTorrent\Content Type

HKEY_USERS\{SID}_CLASSES\.btskin\
BitTorrent\shell

HKEY_USERS\{SID}_CLASSES\.btskin\
BitTorrent\shell\open

HKEY_USERS\{SID}_CLASSES\bittorrent

HKEY_USERS\{SID}_CLASSES\bittorrent\
Content Type

HKEY_USERS\{SID}_CLASSES\bittorrent\
shell

HKEY_USERS\{SID}_CLASSES\bittorrent\
DefaultIcon

HKEY_USERS\{SID}_CLASSES\bittorrent\
shell\open

HKEY_USERS\{SID}_CLASSES\bittorrent\
shell\open\command

HKEY_USERS\{SID}_CLASSES\utorrent

HKEY_USERS\{SID}_CLASSES\utorrent\
Content Type

HKEY_USERS\{SID}_CLASSES\utorrent\
shell

HKEY_USERS\{SID}_CLASSES\utorrent\
DefaultIcon

HKEY_USERS\{SID}_CLASSES\utorrent\
shell\open

HKEY_USERS\{SID}_CLASSES\utorrent\
shell\open\command

It connects to the following possibly malicious URLs:

  • {BLOCKED}i.com
  • i-50.b-000.XYZ.{BLOCKED}h.{BLOCKED}nt.com
  • {BLOCKED}panion.com

It does the following:

  • Opens a new browser tab/window of the following URL:
    • https://www.bittorrent.com/prodnews/?v={Random Characters}

  SOLUTION

Minimum Scan Engine: 9.800
SSAPI PATTERN File: 2.375.00
SSAPI PATTERN Date: 28 Jan 2021

Step 1

Before doing any scans, Windows 7, Windows 8, Windows 8.1, and Windows 10 users must disable System Restore to allow full scanning of their computers.

Step 2

Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.

Step 3

Restart in Safe Mode


Step 4

Remove PUA.Win32.BitTorrent.A by using its own Uninstall option

To uninstall the grayware process

Step 5

Restart in normal mode and scan your computer with your Trend Micro product for files detected as PUA.Win32.BitTorrent.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
