Virus: Adware/InstallBrain.CX
Date discovered: 23/01/2013
Type: Adware/Spyware
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low
VDF version: 7.11.58.92 - Wednesday, January 23, 2013
IVDF version: 7.11.58.92 - Wednesday, January 23, 2013
General
Method of propagation:
• No own spreading routine
Alias:
• Eset: Win32/InstallBrain.S potentially unwanted
Platforms / OS:
• Windows 2000
• Windows XP
• Windows 2003
• Windows Vista
• Windows Server 2008
• Windows 7
Side effects:
• Registry modification
Right after execution the following information is displayed:

Files
It copies itself to the following locations:
• %temp%\PC Performer513405.exe
• %appdata%\IBUpdaterService\ibsvc.exe
It deletes the following files:
• %temp%\ibtmpc2f8301\component_140
• %temp%\ibtmpc2f8301\component_600
• %temp%\ibtmpc2f8301\config\js
• %temp%\ibtmpc2f8301\config\ib
• %temp%\ibtmpc2f8301\config\conditions
• %temp%\ibtmpc2f8301\config
• %temp%\ibtmpc2f8301
The following files are created:
– Temporary files that might be deleted afterwards:
• %temp%\1.tmp
• %temp%\2.tmp
• %temp%\ibtmpc2f8301\config\ajax-loader.gif
• %temp%\ibtmpc2f8301\config\ajax-loader2.gif
• %temp%\ibtmpc2f8301\config\ib\arrow.gif
• %temp%\ibtmpc2f8301\config\ib\b-bg.gif
• %temp%\ibtmpc2f8301\config\ib\b3.gif
• %temp%\ibtmpc2f8301\config\ib\b4.gif
• %temp%\ibtmpc2f8301\config\ib\lbg-bottom.gif
• %temp%\ibtmpc2f8301\config\ib\lbg-top.gif
• %temp%\ibtmpc2f8301\config\ib\lbg.gif
• %temp%\ibtmpc2f8301\config\ib\trust.gif
• %temp%\ibtmpc2f8301\config\ib\center2.jpg
• %temp%\ibtmpc2f8301\config\check.jpg
• %temp%\ibtmpc2f8301\config\ib\mid.jpg
• %temp%\ibtmpc2f8301\config\pb-bg-left.jpg
• %temp%\ibtmpc2f8301\config\pb-bg-right.jpg
• %temp%\ibtmpc2f8301\config\pb-bg.jpg
• %temp%\ibtmpc2f8301\config\red-pb-act-left.jpg
• %temp%\ibtmpc2f8301\config\red-pb-act-right.jpg
• %temp%\ibtmpc2f8301\config\red-pb-act.jpg
• %temp%\ibtmpc2f8301\config\ib\arrow.png
• %temp%\ibtmpc2f8301\config\ib\btn.png
• %temp%\ibtmpc2f8301\config\ib\btn2.png
• %temp%\ibtmpc2f8301\config\ib\corn1.png
• %temp%\ibtmpc2f8301\config\ib\corn2.png
• %temp%\ibtmpc2f8301\config\ib\corn3.png
• %temp%\ibtmpc2f8301\config\ib\corn4.png
• %temp%\ibtmpc2f8301\config\page_1235_attr_3.png
• %temp%\ibtmpc2f8301\config\page_1236_attr_3.png
• %temp%\ibtmpc2f8301\config\page_1237_attr_3.png
• %temp%\ibtmpc2f8301\config\template_40.png
• %temp%\ibtmpc2f8301\config\page_1235_attr_46.bmp
• %temp%\ibtmpc2f8301\config\page_1236_attr_46.bmp
• %temp%\ibtmpc2f8301\config\page_1237_attr_46.bmp
• %temp%\ibtmpc2f8301\config\1235.html
• %temp%\ibtmpc2f8301\config\1236.html
• %temp%\ibtmpc2f8301\config\1237.html
• %temp%\ibtmpc2f8301\config\start.html
• %temp%\ibtmpc2f8301\config\ib\main.css
• %temp%\ibtmpc2f8301\config\conditions\conditions.js
• %temp%\ibtmpc2f8301\config\js\config.js
• %temp%\ibtmpc2f8301\config\js\jquery-1.7.min.js
• %temp%\ibtmpc2f8301\config\js\jquery.noselect.min.js
• %temp%\ibtmpc2f8301\config\js\smart.js
• %temp%\ibtmpc2f8301\config\ib\Thumbs.db
• %temp%\ibtmpc2f8301\intallLog
• %HOME%\Desktop\Continue PC Performer installation.lnk

Registry
The following registry keys are added:
– [HKLM\SYSTEM\ControlSet001\Services\IBUpdaterService]
• "Type"=dword:00000020
• "Start"=dword:00000002
• "ErrorControl"=dword:00000001
• "ImagePath"="\"%appdata%\\IBUpdaterService\\ibsvc.exe\" /SERVICE"
• "DisplayName"="Updater Service"
• "ObjectName"="LocalSystem"
• "FailureActions"=hex:ff,ff,ff,ff,00,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00,01,00,00,00,30,75,00,00
• "Description"="Updater Service"
– [HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Epoch]
• "Epoch"=dword:00000036
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Updater Service]
• "NoModify"=dword:00000001
• "NoRepair"=dword:00000001
• "DisplayName"="Updater Service"
• "UninstallString"="\"%appdata%\\IBUpdaterService\\ibsvc.exe\" /UNINSTALL"
• "DisplayVersion"="14,12,8,9"
• "VersionMajor"=dword:0000000e
• "VersionMinor"=dword:0000000c
• "InstallLocation"="%appdata%\\IBUpdaterService"
– [HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_IBUPDATERSERVICE\0000]
• "Service"="IBUpdaterService"
• "Legacy"=dword:00000001
• "ConfigFlags"=dword:00000000
• "Class"="LegacyDriver"
• "ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
• "DeviceDesc"="Updater Service"
– [HKLM\SYSTEM\ControlSet001\Services\IBUpdaterService\Enum]
• "0"="Root\\LEGACY_IBUPDATERSERVICE\\0000"
• "Count"=dword:00000001
• "NextInstance"=dword:00000001

Miscellaneous
In order to check for its internet connection the following DNS servers are contacted:
• s3.**********zonaws.com
• www.ib**********o.com
Checks for an internet connection by contacting the following web site:
• s3.**********zonaws.com/www.bit89.com/download/pcperformer/pcperformersetup03012012.exe
Description inserted by Wensin Lee on Friday, January 25, 2013
Description updated by Wensin Lee on Friday, January 25, 2013