Virus: Adware/Multplug.A.1
Date discovered: 14/06/2012
Type: Adware/Spyware
In the wild: No
Reported Infections: Low
Distribution Potential: Low to medium
Damage Potential: Low
Static file: No
VDF version: 7.11.32.234 - Thursday, June 14, 2012
IVDF version: 7.11.32.234 - Thursday, June 14, 2012
General
Methods of propagation:
• No own spreading routine

Platforms / OS:
• Windows 2000
• Windows XP
• Windows 2003
• Windows Vista
• Windows 7

Files
The following files are created:
– Non malicious files:
• %ALLUSERSPROFILE%\DownloadnSave\settings.ini
• %ALLUSERSPROFILE%\DownloadnSave\content.js
• %ALLUSERSPROFILE%\DownloadnSave\background.html
• %HOME%\Appdata\Mozilla\Firefox\Profiles\profile.default\extensions\staged\4f8662a6705f5@4f8662a6705f5.info\install.rdf
• %HOME%\Appdata\Mozilla\Firefox\Profiles\profile.default\extensions\staged\4f8662a6705f5@4f8662a6705f5.info\content\indexeddb.js
• %HOME%\Appdata\Mozilla\Firefox\Profiles\profile.default\extensions\staged\4f8662a6705f5@4f8662a6705f5.info\content\jquery.js
• %HOME%\Appdata\Mozilla\Firefox\Profiles\profile.default\extensions\staged\4f8662a6705f5@4f8662a6705f5.info\content\jsext.js
• %HOME%\Appdata\Mozilla\Firefox\Profiles\profile.default\extensions\staged\4f8662a6705f5@4f8662a6705f5.info\content\lsdb.js
• %HOME%\Appdata\Mozilla\Firefox\Profiles\profile.default\extensions\staged\4f8662a6705f5@4f8662a6705f5.info\content\prfdb.js
• %HOME%\Appdata\Mozilla\Firefox\Profiles\profile.default\extensions\staged\4f8662a6705f5@4f8662a6705f5.info\content\splite.js
• %HOME%\Appdata\Mozilla\Firefox\Profiles\profile.default\extensions\staged\4f8662a6705f5@4f8662a6705f5.info\content\wx.xul
– Malicious file:
• %ALLUSERSPROFILE%\DownloadnSave\bhoclass.dll
Further analysis showed that this file is malicious as well; it is the DLL that the registry entries below load into Internet Explorer.
Registry
It registers a browser helper object (BHO) by adding the following keys (each key is followed by the value written to it):
– HKCR\bhoclass.bho.bhoclass.bho.1.0\(Default) • DownloadnSave
– HKCR\bhoclass.bho.bhoclass.bho.1.0\CLSID\(Default) • 61D05725-DBC0-429E-A994-1DB1323499D9
– HKCR\bhoclass.bho.bhoclass.bho\(Default) • DownloadnSave
– HKCR\bhoclass.bho.bhoclass.bho\CLSID\(Default) • 61D05725-DBC0-429E-A994-1DB1323499D9
– HKCR\bhoclass.bho.bhoclass.bho\CurVer\(Default) • bhoclass.bho.1.0
– HKCR\CLSID\{61D05725-DBC0-429E-A994-1DB1323499D9}\(Default) • DownloadnSave Class
– HKCR\CLSID\{61D05725-DBC0-429E-A994-1DB1323499D9}\ProgID\(Default) • bhoclass.bho.1.0
– HKCR\CLSID\{61D05725-DBC0-429E-A994-1DB1323499D9}\VersionIndependentProgID\(Default) • bhoclass.bho
– HKCR\CLSID\{61D05725-DBC0-429E-A994-1DB1323499D9}\InprocServer32\(Default) • %ALLUSERSPROFILE%\Appdata\DownloadnSave\bhoclass.dll
– HKCR\CLSID\{61D05725-DBC0-429E-A994-1DB1323499D9}\InprocServer32\ThreadingModel • Apartment
– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{61D05725-DBC0-429E-A994-1DB1323499D9}\(Default) • DownloadnSave
– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{61D05725-DBC0-429E-A994-1DB1323499D9}\NoExplorer • 0x00000001
– HKCR\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\(Default) • Injector 1.0 Type Library
– HKCR\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\(Default) • 0
– HKCR\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\(Default) • %ALLUSERSPROFILE%\Appdata\DownloadnSave\bhoclass.dll
– HKCR\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\(Default) • %ALLUSERSPROFILE%\Appdata\DownloadnSave
– HKCR\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\(Default) • IInjectorBHO
– HKCR\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid\(Default) • {00020424-0000-0000-C000-000000000046}
– HKCR\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\(Default) • {00020424-0000-0000-C000-000000000046}
– HKCR\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\(Default) • {C2CF0D01-7657-48AA-98C9-AE5E64757FCC}
– HKCR\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version • 1.0
– HKCR\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\(Default) • ILocalStorage
– HKCR\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid\(Default) • {00020424-0000-0000-C000-000000000046}
– HKCR\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\(Default) • {00020424-0000-0000-C000-000000000046}
– HKCR\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\(Default) • {C2CF0D01-7657-48AA-98C9-AE5E64757FCC}
– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID\{61D05725-DBC0-429E-A994-1DB1323499D9} • 1
Note that the Browser Helper Objects key is what makes Internet Explorer load the DLL named in InprocServer32 at start-up, while the last entry writes the Internet Explorer "Add-on List" policy for the same CLSID: a value of 1 enables the add-on by policy, so the user cannot switch it off through Manage Add-ons. Also note that the files section gives the DLL path as %ALLUSERSPROFILE%\DownloadnSave\bhoclass.dll, whereas the InprocServer32 and TypeLib values point to %ALLUSERSPROFILE%\Appdata\DownloadnSave\bhoclass.dll; check both locations when cleaning a host.
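The following PowerShell script is an added example for checking a Windows host against the file and registry indicators listed above; it is not part of the Avira description. It assumes Windows PowerShell 5.1 or later run from an elevated prompt. Items the page does not mention and which are assumptions of this example: the Wow6432Node variant of the Browser Helper Objects key (where a 32-bit BHO registers on 64-bit Windows), searching every Firefox profile directory instead of the placeholder name profile.default, and the ProgID keys HKCR\bhoclass.bho and HKCR\bhoclass.bho.1.0, which are taken from the ProgID and VersionIndependentProgID values rather than from the key names printed on the page.

```powershell
# Added example (not Avira's code): host check for the Adware/Multplug.A.1 indicators
# listed in this description. Run elevated in Windows PowerShell 5.1 or later.
# Wow6432Node, the per-profile Firefox search and the ProgID key names are
# assumptions of this example, not items taken from the page.

$Clsid      = '{61D05725-DBC0-429E-A994-1DB1323499D9}'
$TypeLibId  = '{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}'
$Interfaces = @('{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}', '{D2F39980-399F-492E-8D88-5FF7CCB3B47F}')
$FxExtId    = '4f8662a6705f5@4f8662a6705f5.info'

function Find-MultplugIndicators {
    $found = New-Object System.Collections.Generic.List[string]

    # 1. Dropped files. The page names bhoclass.dll both under
    #    %ALLUSERSPROFILE%\DownloadnSave and %ALLUSERSPROFILE%\Appdata\DownloadnSave,
    #    so both are checked; the DLL is the component flagged as malicious.
    $files = @(
        'DownloadnSave\bhoclass.dll',
        'Appdata\DownloadnSave\bhoclass.dll',
        'DownloadnSave\settings.ini',
        'DownloadnSave\content.js',
        'DownloadnSave\background.html'
    ) | ForEach-Object { Join-Path $env:ALLUSERSPROFILE $_ }

    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f -PathType Leaf) {
            $sha = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
            $found.Add("FILE    $f  SHA256=$sha")
        }
    }

    # 2. Staged Firefox extension. The page shows a placeholder profile name
    #    (profile.default), so every profile directory is searched (assumption).
    $profiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
    if (Test-Path -LiteralPath $profiles) {
        foreach ($prof in Get-ChildItem -LiteralPath $profiles -Directory) {
            foreach ($sub in @('extensions\staged', 'extensions')) {
                $ext = Join-Path $prof.FullName (Join-Path $sub $FxExtId)
                if (Test-Path -LiteralPath $ext) { $found.Add("FFEXT   $ext") }
            }
        }
    }

    # 3. COM / BHO registration. Each key is reported with its (Default) value;
    #    for InprocServer32 and TypeLib\1.0\0\win32 that value is the DLL path
    #    Internet Explorer will load.
    $hkcr = 'Registry::HKEY_CLASSES_ROOT'
    $hklm = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE'
    $keys = @(
        "$hklm\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$Clsid",
        "$hklm\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$Clsid",
        "$hkcr\CLSID\$Clsid",
        "$hkcr\CLSID\$Clsid\InprocServer32",
        "$hkcr\TypeLib\$TypeLibId\1.0\0\win32",
        "$hkcr\bhoclass.bho",
        "$hkcr\bhoclass.bho.1.0"
    ) + ($Interfaces | ForEach-Object { "$hkcr\Interface\$_" })

    foreach ($k in $keys) {
        if (Test-Path -LiteralPath $k) {
            $default = (Get-ItemProperty -LiteralPath $k -ErrorAction SilentlyContinue).'(default)'
            $found.Add("REGKEY  $k  (Default)=$default")
        }
    }

    # 4. Internet Explorer "Add-on List" policy. A value of 1 for the CLSID under
    #    policies\Ext\CLSID enables the add-on by policy (0 = disabled, 2 = user decides),
    #    so the user cannot turn it off in Manage Add-ons.
    $policy = "$hklm\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID"
    if (Test-Path -LiteralPath $policy) {
        $v = (Get-ItemProperty -LiteralPath $policy -Name $Clsid -ErrorAction SilentlyContinue).$Clsid
        if ($null -ne $v) { $found.Add("POLICY  $policy\$Clsid = $v") }
    }

    # Comma keeps the list intact instead of unrolling it into the pipeline.
    return ,$found
}

$hits = Find-MultplugIndicators
if ($hits.Count -eq 0) {
    Write-Output 'No Adware/Multplug.A.1 indicators found.'
} else {
    $hits | ForEach-Object { Write-Output $_ }
    Write-Output ("{0} indicator(s) found. Remove the BHO registration and policy entry, delete the files, then restart Internet Explorer." -f $hits.Count)
}
```

The script only reports; deletion is left to the operator so that the SHA256 of bhoclass.dll can be recorded before the file is removed. On a 64-bit host, a hit under Wow6432Node with no hit under the native key simply means the BHO was registered by a 32-bit installer.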
Description inserted by Jan-Eric Herting on Saturday, June 16, 2012
Description updated by Carlos Valero Llabata on Saturday, June 16, 2012