Virus: ADWARE/Bandoo.F
Date discovered: 08/05/2013
Type: Adware/Spyware
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low
VDF version: 7.11.77.12 - Wednesday, May 8, 2013
IVDF version: 7.11.77.12 - Wednesday, May 8, 2013

General:
Method of propagation:
   • No own spreading routine


Alias:
   • Eset: Win32/Toolbar.SearchSuite application


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7


Side effects:
   • Registry modification
   • Redirects to an infected website


Right after execution the following information is displayed:


Files:
The following files are created:

– Temporary files that might be deleted afterwards:
   • %temp%\nsiA.tmp\UserInfo.dll
   • %temp%\nsiA.tmp\System.dll
   • %temp%\nsiA.tmp\modern-header.bmp
   • %temp%\nsiA.tmp\UAC.dll
   • %temp%\nsiA\license.txt
   • %temp%\nsiA\Helper.dll
   • %temp%\nsiA\Uninstall.exe
   • %temp%\nsiA\TorchBackground.bmp
   • %appdata%\iLivid\log.log
   • %temp%\nsiA\nshB.tmp\SetupDataMngr_iLivid.exe
   • %temp%\nsiA\nshB.tmp\pack.exe
   • %temp%\nsiA\nshB.tmp\vlcpack.exe
   • %temp%\nsiA\nshB.tmp\python.exe
   • %temp%\nsiA\nshB.tmp\TorchSetupFull.exe
   • %temp%\nsiA\nshB.tmp\xbmc.exe
   • %temp%\nsiA\nshB.tmp\fantasticgamespack.exe
   • %temp%\nsiA\nshB.tmp\nsiC.exe
   • %temp%\nsiA.tmp\FindProcDLL.dll
   • %temp%\nsiA.tmp\MoreInfo.dll
   • %temp%\nsiA.tmp\nsDialogs.dll
   • %temp%\nsiA.tmp\nsExec.dll
   • %temp%\nsiA.tmp\nsisXML.dll

Registry:
The following registry keys are added:

– [HKCR\.bmp\OpenWithList\Torch.exe]
   • "(Default)"="(value not set)"

– [HKCR\.dib\OpenWithList\Torch.exe]
   • "(Default)"="(value not set)"

– [HKCR\.flv]
   • "(Default)"="TorchFlvPlayer.flv"
   • "TorchFlvPlayer.flv_backup"=""

– [HKCR\.gif\OpenWithList\Torch.exe]
   • "(Default)"="(value not set)"

– [HKCR\.htm]
   • "(Default)"="TorchHTML.XCQBLRGJQC2RGXUAMFUXL3LCOU"

– [HKCR\.htm\OpenWithList\Torch.exe]
   • "(Default)"="(value not set)"

– [HKCR\.htm\OpenWithProgids]
   • "TorchHTML.XCQBLRGJQC2RGXUAMFUXL3LCOU"=""

– [HKCR\.html]
   • "(Default)"="TorchHTML.XCQBLRGJQC2RGXUAMFUXL3LCOU"

– [HKCR\.html\OpenWithList\Torch.exe]
   • "(Default)"="(value not set)"

– [HKCR\.html\OpenWithProgids]
   • "TorchHTML.XCQBLRGJQC2RGXUAMFUXL3LCOU"=""

– [HKCR\.ico\OpenWithList\Torch.exe]
   • "(Default)"="(value not set)"

– [HKCR\.jfif\OpenWithList\Torch.exe]
   • "(Default)"="(value not set)"

– [HKCR\.jpe\OpenWithList\Torch.exe]
   • "(Default)"="(value not set)"

– [HKCR\.jpg\OpenWithList\Torch.exe]
   • "(Default)"="(value not set)"

– [HKCR\.mfp\OpenWithList\Torch.exe]
   • "(Default)"="(value not set)"

– [HKCR\.pdf\OpenWithList\Torch.exe]
   • "(Default)"="(value not set)"

– [HKCR\.png\OpenWithList\Torch.exe]
   • "(Default)"="(value not set)"

– [HKCR\.shtml]
   • "(Default)"="TorchHTML.XCQBLRGJQC2RGXUAMFUXL3LCOU"

– [HKCR\.shtml\OpenWithList\Torch.exe]
   • "(Default)"="(value not set)"

– [HKCR\.shtml\OpenWithProgids]
   • "TorchHTML.XCQBLRGJQC2RGXUAMFUXL3LCOU"=""

– [HKCR\.torrent]
   • "(Default)"="Torch.torrent"
   • "Torch.torrent_backup"=""

– [HKCR\.URL\OpenWithList\Torch.exe]
   • "(Default)"="(value not set)"

– [HKCR\.webm\OpenWithList\Torch.exe]
   • "(Default)"="(value not set)"

– [HKCR\.xht]
   • "(Default)"="TorchHTML.XCQBLRGJQC2RGXUAMFUXL3LCOU"

– [HKCR\.xht\OpenWithList\Torch.exe]
   • "(Default)"="(value not set)"

– [HKCR\.xht\OpenWithProgids]
   • "TorchHTML.XCQBLRGJQC2RGXUAMFUXL3LCOU"=""

– [HKCR\.xhtml]
   • "(Default)"="TorchHTML.XCQBLRGJQC2RGXUAMFUXL3LCOU"

– [HKCR\.xhtml\OpenWithList\Torch.exe]
   • "(Default)"="(value not set)"

– [HKCR\.xhtml\OpenWithProgids]
   • "TorchHTML.XCQBLRGJQC2RGXUAMFUXL3LCOU"=""

– [HKCR\Applications\aa.exe]
   • "IsHostApp"=""

– [HKCR\Applications\Torch.exe\shell\Read\command]
   • "(Default)"=""%appdata%\Torch\Application\torch.exe" "%1""

– [HKLM\SOFTWARE\Classes\SearchQUIEHelper.DNSGuard\CurVer]
   • "(Default)"="SearchQUIEHelper.UrlHelper.1"

– [HKLM\SOFTWARE\Classes\TorchFlvPlayer.flv\DefaultIcon]
   • "(Default)"="%appdata%\Torch\Plugins\Video\TorchFlvPlayer\TorchFlvPlayer.exe,0"

– [HKLM\SOFTWARE\Classes\TorchFlvPlayer.flv\shell\open\command]
   • "(Default)"="%appdata%\Torch\Plugins\Video\TorchFlvPlayer\TorchFlvPlayer.exe %L"

– [HKLM\SOFTWARE\Clients\StartMenuInternet\Torch.XCQBLRGJQC2RGXUAMFUXL3LCOU\Capabilities\FileAssociations]
   • ".htm"="TorchHTML.XCQBLRGJQC2RGXUAMFUXL3LCOU"
   • ".html"="TorchHTML.XCQBLRGJQC2RGXUAMFUXL3LCOU"
   • ".shtml"="TorchHTML.XCQBLRGJQC2RGXUAMFUXL3LCOU"
   • ".xht"="TorchHTML.XCQBLRGJQC2RGXUAMFUXL3LCOU"
   • ".xhtml"="TorchHTML.XCQBLRGJQC2RGXUAMFUXL3LCOU"
   • "ftp"="TorchHTML.XCQBLRGJQC2RGXUAMFUXL3LCOU"
   • "http"="TorchHTML.XCQBLRGJQC2RGXUAMFUXL3LCOU"
   • "https"="TorchHTML.XCQBLRGJQC2RGXUAMFUXL3LCOU"
   • "irc"="TorchHTML.XCQBLRGJQC2RGXUAMFUXL3LCOU"
   • "mailto"="TorchHTML.XCQBLRGJQC2RGXUAMFUXL3LCOU"
   • "mms"="TorchHTML.XCQBLRGJQC2RGXUAMFUXL3LCOU"
   • "news"="TorchHTML.XCQBLRGJQC2RGXUAMFUXL3LCOU"
   • "nntp"="TorchHTML.XCQBLRGJQC2RGXUAMFUXL3LCOU"
   • "sms"="TorchHTML.XCQBLRGJQC2RGXUAMFUXL3LCOU"
   • "smsto"="TorchHTML.XCQBLRGJQC2RGXUAMFUXL3LCOU"
   • "tel"="TorchHTML.XCQBLRGJQC2RGXUAMFUXL3LCOU"
   • "urn"="TorchHTML.XCQBLRGJQC2RGXUAMFUXL3LCOU"
   • "webcal"="TorchHTML.XCQBLRGJQC2RGXUAMFUXL3LCOU"

– [HKLM\SOFTWARE\Clients\StartMenuInternet\Torch.XCQBLRGJQC2RGXUAMFUXL3LCOU\Capabilities\Startmenu]
   • "StartMenuInternet"="Torch.XCQBLRGJQC2RGXUAMFUXL3LCOU"

– [HKLM\SOFTWARE\Clients\StartMenuInternet\Torch.XCQBLRGJQC2RGXUAMFUXL3LCOU\DefaultIcon]
   • "(Default)"="%appdata%\Torch\Application\torch.exe,0"

– [HKLM\SOFTWARE\Clients\StartMenuInternet\Torch.XCQBLRGJQC2RGXUAMFUXL3LCOU\InstallInfo]
   • "HideIconsCommand"=""%appdata%\Torch\Application\torch.exe" --hide-icons"
   • "IconsVisible"="dword:0x00000001"

Miscellaneous:
Internet connection:
To check for an internet connection, the following hosts are contacted:
   • anx.apn**********tics.com
   • service.band**********.com
   • preved.band**********.com
   • www.ml**********.com
   • www.torchbrow**********.com

Description inserted by Wensin Lee on Thursday, May 9, 2013
Description updated by Wensin Lee on Thursday, May 9, 2013
