Virus: Adware/Multplug.A.1
Date discovered: 14/06/2012
Type: Adware/Spyware
In the wild: No
Reported Infections: Low
Distribution Potential: Low to medium
Damage Potential: Low
Static file: No
VDF version: 7.11.32.234 - Thursday, June 14, 2012
IVDF version: 7.11.32.234 - Thursday, June 14, 2012

General Methods of propagation:
   • No own spreading routine


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows 7

Files
The following files are created:

– Non-malicious files:
   • %ALLUSERSPROFILE%\DownloadnSave\settings.ini;
      %ALLUSERSPROFILE%\DownloadnSave\content.js;
      %ALLUSERSPROFILE%\DownloadnSave\background.html;
      %HOME%\Appdata\Mozilla\Firefox\Profiles\profile.default\extensions\staged\4f8662a6705f5@4f8662a6705f5.info\install.rdf;
      %HOME%\Appdata\Mozilla\Firefox\Profiles\profile.default\extensions\staged\4f8662a6705f5@4f8662a6705f5.info\content\indexeddb.js;
      %HOME%\Appdata\Mozilla\Firefox\Profiles\profile.default\extensions\staged\4f8662a6705f5@4f8662a6705f5.info\content\jquery.js;
      %HOME%\Appdata\Mozilla\Firefox\Profiles\profile.default\extensions\staged\4f8662a6705f5@4f8662a6705f5.info\content\jsext.js;
      %HOME%\Appdata\Mozilla\Firefox\Profiles\profile.default\extensions\staged\4f8662a6705f5@4f8662a6705f5.info\content\lsdb.js;
      %HOME%\Appdata\Mozilla\Firefox\Profiles\profile.default\extensions\staged\4f8662a6705f5@4f8662a6705f5.info\content\prfdb.js;
      %HOME%\Appdata\Mozilla\Firefox\Profiles\profile.default\extensions\staged\4f8662a6705f5@4f8662a6705f5.info\content\splite.js;
      %HOME%\Appdata\Mozilla\Firefox\Profiles\profile.default\extensions\staged\4f8662a6705f5@4f8662a6705f5.info\content\wx.xul

– %ALLUSERSPROFILE%\DownloadnSave\bhoclass.dll
   Further investigation showed that this file is itself malicious: it is the BHO DLL (bhoclass.dll) whose COM and Browser Helper Objects registration is listed in the Registry section.

Registry
It registers a browser helper object (BHO) for Internet Explorer by adding the following keys:

– HKCR\bhoclass.bho.bhoclass.bho.1.0\(Default)
   • DownloadnSave

– HKCR\bhoclass.bho.bhoclass.bho.1.0\CLSID\(Default)
   • 61D05725-DBC0-429E-A994-1DB1323499D9

– HKCR\bhoclass.bho.bhoclass.bho\(Default)
   • DownloadnSave

– HKCR\bhoclass.bho.bhoclass.bho\CLSID\(Default)
   • 61D05725-DBC0-429E-A994-1DB1323499D9

– HKCR\bhoclass.bho.bhoclass.bho\CurVer\(Default)
   • bhoclass.bho.1.0

– HKCR\CLSID\{61D05725-DBC0-429E-A994-1DB1323499D9}\(Default)
   • DownloadnSave Class

– HKCR\CLSID\{61D05725-DBC0-429E-A994-1DB1323499D9}\ProgID\(Default)
   • bhoclass.bho.1.0

– HKCR\CLSID\{61D05725-DBC0-429E-A994-1DB1323499D9}\
   VersionIndependentProgID\(Default)
   • bhoclass.bho

– HKCR\CLSID\{61D05725-DBC0-429E-A994-1DB1323499D9}\InprocServer32\
   (Default)
   • %ALLUSERSPROFILE%\Appdata\DownloadnSave\bhoclass.dll

– HKCR\CLSID\{61D05725-DBC0-429E-A994-1DB1323499D9}\InprocServer32\
   ThreadingModel
   • Apartment

– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
   Browser Helper Objects\{61D05725-DBC0-429E-A994-1DB1323499D9}\
   (Default)
   • DownloadnSave

– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
   Browser Helper Objects\{61D05725-DBC0-429E-A994-1DB1323499D9}\
   NoExplorer
   • 0x00000001
   (NoExplorer = 1 tells Windows Explorer not to load the BHO; it is then loaded only by Internet Explorer.)

– HKCR\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\(Default)
   • Injector 1.0 Type Library

– HKCR\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\
   (Default)
   • 0

– HKCR\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\
   (Default)
   • %ALLUSERSPROFILE%\Appdata\DownloadnSave\bhoclass.dll

– HKCR\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\
   (Default)
   • %ALLUSERSPROFILE%\Appdata\DownloadnSave

– HKCR\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\(Default)
   • IInjectorBHO

– HKCR\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\
   ProxyStubClsid\(Default)
   • {00020424-0000-0000-C000-000000000046}

– HKCR\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\
   ProxyStubClsid32\(Default)
   • {00020424-0000-0000-C000-000000000046}

– HKCR\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\
   (Default)
   • {C2CF0D01-7657-48AA-98C9-AE5E64757FCC}

– HKCR\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\
   Version
   • 1.0

– HKCR\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\(Default)
   • ILocalStorage

– HKCR\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\
   ProxyStubClsid\(Default)
   • {00020424-0000-0000-C000-000000000046}

– HKCR\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\
   ProxyStubClsid32\(Default)
   • {00020424-0000-0000-C000-000000000046}

– HKCR\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\
   (Default)
   • {C2CF0D01-7657-48AA-98C9-AE5E64757FCC}

– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID\
   {61D05725-DBC0-429E-A994-1DB1323499D9}
   • 1
   (An entry of 1 for the CLSID under policies\Ext\CLSID is the Internet Explorer add-on list policy value that marks the add-on as allowed, so the user is not prompted to enable it.)
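The registry indicators above can be hunted for offline in a text dump produced by `reg export` (for example of HKLM\SOFTWARE\...\Explorer\Browser Helper Objects, HKCR\CLSID, HKCR\TypeLib, HKCR\Interface and the policies\Ext\CLSID key). The following Python script is an added example and is not part of the Avira description: it parses the .reg text, joins every Browser Helper Objects registration with the InprocServer32 DLL path of its CLSID, flags the DownloadnSave CLSID and bhoclass.dll, reports the NoExplorer flag and the policies\Ext\CLSID approval, and lists the TypeLib/Interface keys a BHO-only cleanup would leave behind. The GUIDs and the DLL name are taken from the description; the sample export, the second "legitimate" BHO CLSID and the absolute Windows paths are constructed for this example.

```python
"""Offline hunt for the DownloadnSave BHO in `reg export` output (added example)."""
import re
import sys
from typing import Dict, List

# Indicators taken from the description above.
BHO_CLSID = "{61D05725-DBC0-429E-A994-1DB1323499D9}"
TYPELIB_GUID = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"
INTERFACE_GUIDS = ("{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}",
                   "{D2F39980-399F-492E-8D88-5FF7CCB3B47F}")
DLL_NAME = "bhoclass.dll"
BHO_ROOT = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"
            "\\Explorer\\Browser Helper Objects")
POLICY_ROOT = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"
               "\\policies\\Ext\\CLSID")

# Registry keys and value names are case-insensitive, so both are stored lower-cased.
Registry = Dict[str, Dict[str, object]]
_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s: str) -> str:
    """Undo .reg string escaping: a backslash escapes the following character."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def _parse_data(raw: str) -> object:
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])      # REG_SZ
    if raw.startswith("dword:"):
        return int(raw[6:], 16)          # REG_DWORD
    return raw                           # hex:/hex(n): and "-" (delete) kept verbatim


def parse_reg_export(text: str) -> Registry:
    """Parse `reg export` text. Continuation lines of multi-line hex values are ignored."""
    reg: Registry = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] == ";" or line.startswith(("Windows Registry Editor", "REGEDIT4")):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            reg.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else _unescape(m.group(1)[1:-1]).lower()
            reg[current][name] = _parse_data(m.group(2))
    return reg


def find_bhos(reg: Registry) -> List[dict]:
    """Join each BHO registration with its CLSID's InprocServer32 path and flag IOCs."""
    prefix = BHO_ROOT.lower() + "\\"
    policy = reg.get(POLICY_ROOT.lower(), {})
    findings = []
    for key, values in reg.items():
        if not key.startswith(prefix) or "\\" in key[len(prefix):]:
            continue                      # only the direct {CLSID} subkeys
        clsid = key[len(prefix):]
        inproc = reg.get("hkey_classes_root\\clsid\\" + clsid + "\\inprocserver32", {})
        dll = str(inproc.get("", ""))
        # The policy entry may be a value named after the CLSID or a {CLSID} subkey.
        approved = policy.get(clsid, reg.get(POLICY_ROOT.lower() + "\\" + clsid, {}).get(""))
        findings.append({
            "clsid": clsid, "name": values.get("", ""), "dll": dll,
            "no_explorer": values.get("noexplorer", 0) == 1,
            "policy_approved": str(approved) in ("1", "2"),
            "ioc_match": clsid == BHO_CLSID.lower() or dll.lower().endswith(DLL_NAME),
        })
    return findings


def leftover_com_keys(reg: Registry) -> List[str]:
    """TypeLib/Interface keys registered by the DLL; removing only the BHO leaves them."""
    roots = ["hkey_classes_root\\typelib\\" + TYPELIB_GUID.lower()]
    roots += ["hkey_classes_root\\interface\\" + g.lower() for g in INTERFACE_GUIDS]
    return sorted(k for k in reg if any(k.startswith(r) for r in roots))


def report(reg: Registry) -> List[str]:
    lines = []
    for f in find_bhos(reg):
        lines.append("%s %s %r -> %s (NoExplorer=%s, policy approved=%s)" % (
            "IOC" if f["ioc_match"] else "   ", f["clsid"], f["name"],
            f["dll"] or "<no InprocServer32>", f["no_explorer"], f["policy_approved"]))
    lines += ["leftover COM key: " + k for k in leftover_com_keys(reg)]
    return lines


# Constructed sample export; the second CLSID and the C:\ paths are invented for the example.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{61D05725-DBC0-429E-A994-1DB1323499D9}]
@="DownloadnSave"
"NoExplorer"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAAAAAA-0000-0000-0000-000000000001}]
@="Some legitimate helper"

[HKEY_CLASSES_ROOT\CLSID\{61D05725-DBC0-429E-A994-1DB1323499D9}\InprocServer32]
@="C:\\ProgramData\\Appdata\\DownloadnSave\\bhoclass.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Program Files\\Vendor\\helper.dll"

[HKEY_CLASSES_ROOT\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0]
@="Injector 1.0 Type Library"

[HKEY_CLASSES_ROOT\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}]
@="IInjectorBHO"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID]
"{61D05725-DBC0-429E-A994-1DB1323499D9}"="1"
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-16") as fh:   # reg export writes UTF-16LE
            text = fh.read()
    else:
        text = SAMPLE_REG_EXPORT
    print("\n".join(report(parse_reg_export(text))))
```

Run it with the path of a concatenated export as the only argument, or without arguments to see it flag the constructed sample. The join through CLSID\InprocServer32 is deliberate: the Browser Helper Objects key alone only names a CLSID, and it is the InprocServer32 path that tells you which DLL is actually loaded into the browser.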

Description inserted by Jan-Eric Herting on Saturday, June 16, 2012
Description updated by Carlos Valero Llabata on Saturday, June 16, 2012
