Virus:ADWARE/Graftor.77543
Date discovered:21/09/2013
Type:Adware
In the wild:No
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Low
Static file:No
VDF version:7.11.103.136 - Saturday, September 21, 2013
IVDF version:7.11.103.136 - Saturday, September 21, 2013

General
Method of propagation:
   • No own spreading routine


Aliases:
   • AVG: Generic5.AFXS.dropper
   • Eset: Win32/Preloader.A application
   • GData: Gen:Variant.Adware.Graftor.114031
   • DrWeb: Trojan.Crossrider.3


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7

Side effects:
   • Drops files

Files
It drops and tries to execute the following files:

Filename:
   • "%appdata%\savensharee\luH6SFa7py.exe"
     (the dropped executable; the uninstall entries below invoke it)

Filename:
   • "%appdata%\savensharee\Cw1e4Kf7x.dll"
     (the Browser Helper Object, registered as the in-process server for the CLSID below and loaded by Internet Explorer)

Registry
The following registry keys are added. Together they register the dropped DLL as a COM in-process server and install it as an Internet Explorer Browser Helper Object (BHO): "NoExplorer"=1 keeps the BHO out of Windows Explorer so it loads only in Internet Explorer, and the entry under Policies\Ext\CLSID marks the add-on as pre-approved, so Internet Explorer does not prompt the user before enabling it.

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
   Browser Helper Objects\{5535C82A-FF89-1430-AEB0-E5B7E2D57A17}]
   • "@"="savensharee"
   • "NoExplorer"=hex:01

[HKCR\savenshare.savenshare.5.10]
   • "@"="savensharee"

[HKCR\savenshare.savenshare.5.10\CLSID]
   • "@"="{5535C82A-FF89-1430-AEB0-E5B7E2D57A17}"

[HKCR\savenshare.savenshare]
   • "@"="savensharee"

[HKCR\savenshare.savenshare\CLSID]
   • "@"="{5535C82A-FF89-1430-AEB0-E5B7E2D57A17}"

[HKCR\savenshare.savenshare\CurVer]
   • "@"="savenshare.5.10"

[HKCR\CLSID\{5535C82A-FF89-1430-AEB0-E5B7E2D57A17}]
   • "@"="savensharee"

[HKCR\CLSID\{5535C82A-FF89-1430-AEB0-E5B7E2D57A17}\ProgID]
   • "@"="savenshare.5.10"

[HKCR\CLSID\{5535C82A-FF89-1430-AEB0-E5B7E2D57A17}\
   VersionIndependentProgID]
   • "@"="savenshare"

[HKCR\CLSID\{5535C82A-FF89-1430-AEB0-E5B7E2D57A17}\InprocServer32]
   • "@"="%appdata%\savensharee\Cw1e4Kf7x.dll"
   • "ThreadingModel"="Apartment"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID]
   • "{5535C82A-FF89-1430-AEB0-E5B7E2D57A17}"="1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
   Browser Helper Objects\{5535C82A-FF89-1430-AEB0-E5B7E2D57A17}]
   • "@"="{5535C82A-FF89-1430-AEB0-E5B7E2D57A17}"
   • "NoExplorer"=hex:01

[HKCR\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0]
   • "@"="IEPluginLib"

[HKCR\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS]
   • "@"="0"

[HKCR\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32]
   • "@"="%appdata%\savensharee\Cw1e4Kf7x.tlb"

[HKCR\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR]
   • "@"="%appdata%\savensharee"

[HKCR\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}]
   • "@"="IIEPluginMain"

[HKCR\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\
   ProxyStubClsid]
   • "@"="{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib]
   • "@"="{E2343056-CC08-46AC-B898-BFC7ACF4E755}"
   • "Version"="1.0"

[HKCR\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}]
   • "@"="ILocalStorage"

[HKCR\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\
   ProxyStubClsid]
   • "@"="{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\
   ProxyStubClsid32]
   • "@"="{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib]
   • "@"="{E2343056-CC08-46AC-B898-BFC7ACF4E755}"
   • "Version"="1.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
   {62D82EC1-0D3A-DF54-8E3E-07E1337A5311}]
   • "UninstallString"=""%appdata%\savensharee\luH6SFa7py.exe" /s /n /i:"ExecuteCommands;UninstallCommands" """
   • "SilentUninstall"=""%appdata%\savensharee\luH6SFa7py.exe" /s /n /i:"ExecuteCommands;UninstallCommands" """
   • "DisplayName"="savensharee"
   • "URLInfoAbout"="http://34stateshare.com"
   • "URLUpdateInfo"="http://34stateshare.com"
   • "Publisher"="savenshare"
   • "DisplayVersion"="1.2.0.1190"
   • "NoRepair"=hex:01
   • "NoModify"=hex:01
   • "CategoryName"="SaveShare"
   • "InstallDate"="%date%"
   • "DisplayIcon"="%SYSDIR%\msiexec.exe"
   • "_In"="%date%"

Note that "DisplayIcon" points at the Windows Installer binary, so the Add/Remove Programs entry shows the standard installer icon, while both uninstall commands actually run the dropped executable from %appdata%.
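The registry entries above form one recognizable pattern: a COM in-process server living in a per-user directory, wired into Internet Explorer as a BHO, pre-approved so the browser never asks, and given an Add/Remove Programs entry that borrows the Windows Installer icon. The script below is an added example (my code, not Avira's and not part of the adware) that hunts for that pattern in a `reg export` dump. The sample dump is constructed from the keys listed on this page plus one benign BHO for contrast; the USER_WRITABLE path heuristic and the function names are my own assumptions.

```python
"""Hunt for the BHO registration pattern listed above in a .reg export.
Added example, not Avira's code; sample data is constructed from this page."""
import re

# Constructed sample in the escaping a real `reg export` produces: backslashes
# inside string values are doubled and embedded quotes are written as \".
# "%appdata%" stands in for the expanded per-user path, as on the page.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5535C82A-FF89-1430-AEB0-E5B7E2D57A17}]
@="savensharee"
"NoExplorer"=hex:01

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAAAAAA-0000-0000-0000-000000000001}]
@="Benign Vendor Toolbar"

[HKEY_CLASSES_ROOT\CLSID\{5535C82A-FF89-1430-AEB0-E5B7E2D57A17}\InprocServer32]
@="%appdata%\\savensharee\\Cw1e4Kf7x.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Program Files\\Vendor\\toolbar.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID]
"{5535C82A-FF89-1430-AEB0-E5B7E2D57A17}"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{62D82EC1-0D3A-DF54-8E3E-07E1337A5311}]
"DisplayName"="savensharee"
"UninstallString"="\"%appdata%\\savensharee\\luH6SFa7py.exe\" /s /n /i:\"ExecuteCommands;UninstallCommands\" \"\""
"DisplayIcon"="%SYSDIR%\\msiexec.exe"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VAL_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

BHO_ROOT = r'hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects'
PREAPPROVED = r'hkey_local_machine\software\microsoft\windows\currentversion\policies\ext\clsid'
UNINSTALL = r'hkey_local_machine\software\microsoft\windows\currentversion\uninstall'
# Heuristic (assumption): path fragments that mean "user-writable", covering Avira's
# %appdata% placeholder and the expanded forms a real export contains.
USER_WRITABLE = ('%appdata%', '%localappdata%', '%temp%', '\\users\\', '\\appdata\\')


def unescape(s):
    # Undo .reg escaping (doubled backslash, backslash-quote) in one left-to-right pass.
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: value}}. Key paths and value
    names are lower-cased (the registry is case-insensitive); the default value is '@'."""
    reg, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(';'):
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            reg.setdefault(key, {})
            continue
        m = VAL_RE.match(line)
        if m and key is not None:
            name, raw = m.group(1), m.group(2)
            name = '@' if name == '@' else unescape(name[1:-1]).lower()
            if raw.startswith('"') and raw.endswith('"'):
                value = unescape(raw[1:-1])
            elif raw.startswith('hex:'):
                value = bytes.fromhex(raw[4:].replace(',', ''))
            elif raw.startswith('dword:'):
                value = int(raw[6:], 16)
            else:
                value = raw
            reg[key][name] = value
    return reg


def is_user_writable(path):
    return any(tok in path.lower() for tok in USER_WRITABLE)


def find_suspicious_bhos(reg):
    """Return [(CLSID, [reasons])] for each BHO whose InprocServer32 DLL lives in a
    user-writable directory or that is pre-approved under Policies\\Ext\\CLSID."""
    preapproved = reg.get(PREAPPROVED, {})
    findings, seen = [], set()
    for key in sorted(reg):
        if not key.startswith(BHO_ROOT + '\\'):
            continue
        clsid = key[len(BHO_ROOT) + 1:].split('\\')[0]
        if clsid in seen:
            continue
        seen.add(clsid)
        server_key = r'hkey_classes_root\clsid' + '\\' + clsid + r'\inprocserver32'
        server = str(reg.get(server_key, {}).get('@', ''))
        reasons = []
        if is_user_writable(server):
            reasons.append('InprocServer32 DLL loads from a user-writable path: ' + server)
        if clsid in preapproved:
            reasons.append('pre-approved in Policies\\Ext\\CLSID, so IE never prompts the user')
        if reasons:
            findings.append((clsid.upper(), reasons))
    return findings


def find_masquerading_uninstallers(reg):
    """Return [(DisplayName, UninstallString)] for Add/Remove Programs entries that show
    the Windows Installer icon while the uninstaller itself runs from a user-writable path."""
    findings = []
    for key, values in sorted(reg.items()):
        if not key.startswith(UNINSTALL + '\\'):
            continue
        cmd = str(values.get('uninstallstring', ''))
        icon = str(values.get('displayicon', '')).lower()
        if is_user_writable(cmd) and icon.endswith('msiexec.exe') and 'msiexec.exe' not in cmd.lower():
            findings.append((str(values.get('displayname', '?')), cmd))
    return findings


if __name__ == '__main__':
    reg = parse_reg(SAMPLE_REG)
    for clsid, reasons in find_suspicious_bhos(reg):
        print('suspicious BHO', clsid)
        for r in reasons:
            print('   -', r)
    for name, cmd in find_masquerading_uninstallers(reg):
        print('masquerading uninstaller', repr(name), '->', cmd)
```

On a live host, export the relevant keys first (`reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" bho.reg`, and likewise HKCR\CLSID, the Policies\Ext\CLSID key and the Uninstall key), read the files with encoding `utf-16` (the default output of `reg export`), and feed the concatenated text to parse_reg. The page lists only HKLM and HKCR paths; on 64-bit Windows the 32-bit Internet Explorer registers add-ons under the Wow6432Node views of the same keys, and a BHO can also be registered per user under HKCU, so include those paths in the export as well.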

File details
Runtime packer:
To hinder detection and reduce the size of the file, it is packed with a runtime packer.

Description inserted by Soe-liang Tan on Monday, September 23, 2013
Description updated by Soe-liang Tan on Monday, September 23, 2013
