Virus: ADWARE/InstallCo.HA
Date discovered: 03/09/2013
Type: Adware/Spyware
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low
VDF version: 7.11.100.84 - Tuesday, September 3, 2013
IVDF version: 7.11.100.84 - Tuesday, September 3, 2013

General ADWARE/ - Adware

This class of detection flags software that displays ads, usually in the internet browser, by modifying displayed pages or opening additional pages with ads. These adware programs are usually installed by the users themselves or come bundled with other software that the users install themselves (usually in exchange for using the software for free, or as a default install option).

Users might be unaware that this software was installed or of its behaviour. This detection is meant to flag the file and its behaviour as part of legitimate ad-displaying software.

This detection can be disabled; disabling it is recommended only if the user is aware of the software installed on his/her system and does not want this type of software to be detected.
Method of propagation:
   • No own spreading routine


Aliases:
   •  Eset: Win32/InstallCore.CH
   •  DrWeb: Trojan.Packed.24524


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7


Side effects:
   • Downloads files
   • Registry modification


Right after execution the following information is displayed:


Files

The following files are created:

– Non-malicious files:
   • %Temp%\ISH605~1\css\main.css
   • %Temp%\ISH605~1\css\sdk-ui\browse.css
   • %Temp%\ISH605~1\css\sdk-ui\button.css
   • %Temp%\ISH605~1\css\sdk-ui\checkbox.css
   • %Temp%\ISH605~1\css\sdk-ui\images\button-bg.png
   • %Temp%\ISH605~1\css\sdk-ui\images\progress-bg-corner.png
   • %Temp%\ISH605~1\css\sdk-ui\images\progress-bg.png
   • %Temp%\ISH605~1\css\sdk-ui\images\progress-bg2.png
   • %Temp%\ISH605~1\css\sdk-ui\progress-bar.css
   • %Temp%\ISH605~1\csshover3.htc
   • %Temp%\ISH605~1\DAT\DSiteU.dat
   • %Temp%\ISH605~1\images\BG.gif
   • %Temp%\ISH605~1\images\Close.png
   • %Temp%\ISH605~1\images\Close_Hover.png
   • %Temp%\ISH605~1\images\Color_Button.png
   • %Temp%\ISH605~1\images\Color_Button_Hover.png
   • %Temp%\ISH605~1\images\Grey_Button.png
   • %Temp%\ISH605~1\images\Grey_Button_Hover.png
   • %Temp%\ISH605~1\images\icon.png
   • %Temp%\ISH605~1\images\Loader.gif
   • %Temp%\ISH605~1\images\Progress.png
   • %Temp%\ISH605~1\images\ProgressBar.png
   • %Temp%\ISH605~1\images\ssClose_Hover.png
   • %Temp%\ISH605~1\images\xxClose.png
   • %Temp%\ISH605~1\images\xxProgressBar.png
   • %Temp%\ISH605~1\locale\EN.locale
   • %Temp%\ICReinstall_aa.exe
   • %Temp%\is357113909\OpenItSetup.exe
   • %Temp%\IS3571~1\2065610808.cfg
   • %Temp%\IS3571~1\1925532573.cfg
   • %Temp%\IS3571~1\1451939730.cfg
   • %Temp%\IS3571~1\1832554189.cfg
   • %Temp%\IS3571~1\759788433.cfg
   • %Temp%\IS3571~1\374812452.cfg
   • %Temp%\isf_607163.flat
   • %Temp%\IS3571~1\WebConnect.exe
   • %Temp%\IS3571~1\607105_Setup.CIS
   • %Temp%\isf_607189.flat
   • %Temp%\IS3571~1\uninstaller.exe
   • %Temp%\IS3571~1\607093_Setup.CIS
   • %Temp%\isf_607319.flat
   • %Temp%\IS3571~1\MetaCrawlerSetup.exe
   • %Temp%\314.88548853076895_Update.exe

– Temporary files that might be deleted afterwards:
   • %TEMP%\00093D5B.log
   • C:\PROGRA~1\is606656.log
   • %TEMP%\0009425C.log
   • %TEMP%\000942BA.log
   • %TEMP%\000942C9.log
   • %TEMP%\ish605546\bootstrap_7947.html
   • %TEMP%\00097449.log
   • %TEMP%\isf_607035.flat
   • %TEMP%\000BD098.log
   • %TEMP%\000BD0D7.log
   • %TEMP%\000BD2FA.log
   • %TEMP%\000BD367.log
   • %TEMP%\000BD54C.log
   • %TEMP%\000BD58A.log
   • %TEMP%\000BDEF0.log
   • %TEMP%\isf_607163.flat
   • %TEMP%\000BE3A3.log
   • %TEMP%\isf_607189.flat
   • %TEMP%\000BE8E3.log
   • %TEMP%\000BF14F.log
   • %TEMP%\isf_607319.flat
   • %TEMP%\000C1AD0.log
   • %TEMP%\ICReinstall_aa.exe

Registry

One of the following values is added in order to run the process after reboot:

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
   • "Del788218"="cmd.exe /Q /D /c del "%temp%\0.del""
   • "Del791343"="cmd.exe /Q /D /c del "%temp%\0.del""
The following registry keys are added:

– [HKCR\AppID\{0FA5C13C-4EDA-488A-A8EB-B84CD7395A79}\Instl\Data]
   • "aflt"="ironmc2"
   • "afltId"="ironmc2"
   • "autoRvrt"="false"
   • "cd"="2XzuyEtN2Y1L1QzutDtD0A0BtB0FtD0CyEtAyCzytB0E0BtCtN0D0Tzu0CyCtCtAtN1L2XzutBtFtBtFyCtFtCtDzyyBtN1L1Czu"
   • "cr"="1975664190"
   • "dpblck"=""
   • "dpk"=""
   • "excTlbr"="false"
   • "hp_url"="http://i.search.**********crawler.com/?f=1&a=ironmc2&cd=2XzuyEtN2Y1L1QzutDtD0A0BtB0FtD0CyEtAyCzytB0E0BtCtN0D0Tzu0CyCtCtAtN1L2XzutBtFtBtFyCtFtCtDzyyBtN1L1Czu&cr=1975664190&ir="
   • "hrdId"="00AB2F0C43692EB1"
   • "instlDay"="dword:0x00003e51"
   • "instlRef"=""
   • "smplGrp"="none"
   • "ThrdId"="00AB2F0C43692EB1"
   • "tlbrId"="base"
   • "vrsni"="1.8.19.0"
   • "vrsnTs"="1.8.19.010:23:28"

– [HKCR\CLSID\{721A6090-B720-41C0-A87D-96EAF7F9435D}\LocalServer32]
   • "(Default)"=""%PROGRAM FILES%\metaCrawler\1.8.19.0\metacrawlersrv.exe""
   • "ThreadingModel"="apartment"

– [HKCR\CLSID\{43C39959-5EED-4F54-8C1B-931C2215FCB3}\InprocServer32]
   • "(Default)"="%PROGRAM FILES%\metaCrawler\1.8.19.0\metacrawlerEng.dll"
   • "ThreadingModel"="apartment"

– [HKCR\CLSID\{721A6090-B720-41C0-A87D-96EAF7F9435D}\ProgID]
   • "(Default)"="esrv.metacrawlerESrvc.1"

– [HKCR\CLSID\{7EACAC38-B7F6-4514-9DC1-3428A7964ABD}]
   • "(Default)"="metacrawler Toolbar"
   • "AppID"="{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}"

– [HKCR\CLSID\{7EACAC38-B7F6-4514-9DC1-3428A7964ABD}\InprocServer32]
   • "(Default)"="%PROGRAM FILES%\metaCrawler\1.8.19.0\metacrawlerTlbr.dll"
   • "ThreadingModel"="apartment"

– [HKCU\Software\DSiteProducts]
   • "TM"="0123"
   • "U_DT"="20130905"
   • "U_SDT"=""
   • "U_TM"="0123"
   • "U_VER"="2.01"

– [HKCU\Software\InstallCore\1I1T1Q1S]
   • "name"="0O1S1D1N0A2Y1Q1D1G"
   • "reg"="0O1S1D1N0A2Y1Q1D1G"

– [HKCU\Software\InstallCore]
   • "ds"="0O1S1D1N0A2Y1Q1D1G"
   • "hp"="0O1S1D1N0A2Y1Q1D1G"

– [HKCU\Software\InstallCore\metaCrawler]
   • "aflt"="ironmc2"
   • "c_ver"="2.2.6.1097"
   • "insDate"="20130905102328498"
   • "instlRef"=""

– [HKCU\Software\metacrawler\metacrawler\dpkLst]
   • "0"="[3654782829,1334533236,1121012847,231756876,1895130307,603719297,4288797614,3754950497,426401714,3046281807,752626116,1657571787,3224935090,2597085128,1828564131,3396905322,2787570089,1850357963,3855095921,1516386922,3836221436,2015489896,270173904,3729539987,424611005,965674394,609003582,2041931190,3874294282,2774755777,931959409,398575749,3999997753,1104451911,1233863968,4280856088,1554076246,1949401179,1770772786,3253391265,3778438159,1649478750,2848156272,2476712966,3103989719,475488147,1715867073,3594694113,3774606882,4036647035,1593922001,4110151693,2941033654,3206511613]

– [HKCU\Software\metacrawler\metacrawler\iestrg]
   • "actvtyrpttime"="0"
   • "aflt"="ironmc2"
   • "afterinstallrpt"="0"
   • "cntry"="MY"
   • "dfltlng"="en"
   • "dfltsrch"="false"
   • "envrmnt"="production"
   • "hmpg"="false"
   • "hrdid"="00AB2F0C43692EB1"
   • "id"=""
   • "instlday"=""
   • "instlref"=""
   • "isdcmntcmplt"="false"
   • "keywordurl"=""
   • "mntrvrsn"="1.3.1"
   • "monitorreport"="true"
   • "newtab"="false"
   • "newtaburl"=""
   • "prdct"="metacrawler"
   • "prtnrid"="metacrawler"
   • "savedVrsnTs"="1.8.19.010:23:28"
   • "sg"="none"
   • "smplgrp"="none"
   • "srch"=""
   • "srchprvdr"=""
   • "tlbrid"="base"
   • "tlbrsrchurl"=""
   • "vrsn"="1%2E8%2E19%2E0"
   • "vrsni"="1%2E8%2E19%2E0"
   • "vrsnts"="1%2E8%2E19%2E010%3A23%3A28"

– [HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{33CCE3D1-AE10-C0F1-491E-3212FFFF8CBD}]
   • "(Default)"="metaCrawler"
   • "DisplayName"="metaCrawler"
   • "FaviconPath"="http://i.**********cdn.net/mc/favicon.ico"
   • "FaviconURL"="http://i.**********cdn.net/mc/favicon.ico"
   • "FaviconURLFallback"="http://i.**********cdn.net/mc/favicon.ico"
   • "TopResultURLFallback"="http://i.search.**********crawler.com/results.php?f=4&q={searchTerms}&a=ironmc2&cd=2XzuyEtN2Y1L1QzutDtD0A0BtB0FtD0CyEtAyCzytB0E0BtCtN0D0Tzu0CyCtCtAtN1L2XzutBtFtBtFyCtFtCtDzyyBtN1L1Czu&cr=1975664190&ir="
   • "URL"="http://i.search.**********crawler.com/results.php?f=4&q={searchTerms}&a=ironmc2&cd=2XzuyEtN2Y1L1QzutDtD0A0BtB0FtD0CyEtAyCzytB0E0BtCtN0D0Tzu0CyCtCtAtN1L2XzutBtFtBtFyCtFtCtDzyyBtN1L1Czu&cr=1975664190&ir="

– [HKLM\SOFTWARE\Classes\AppID\{0FA5C13C-4EDA-488A-A8EB-B84CD7395A79}\Instl\Data]
   • "aflt"="ironmc2"
   • "afltId"="ironmc2"
   • "autoRvrt"="false"
   • "cd"="2XzuyEtN2Y1L1QzutDtD0A0BtB0FtD0CyEtAyCzytB0E0BtCtN0D0Tzu0CyCtCtAtN1L2XzutBtFtBtFyCtFtCtDzyyBtN1L1Czu"
   • "cr"="1975664190"
   • "dpblck"=""
   • "dpk"=""
   • "excTlbr"="false"
   • "hp_url"="http://i.search.**********crawler.com/?f=1&a=ironmc2&cd=2XzuyEtN2Y1L1QzutDtD0A0BtB0FtD0CyEtAyCzytB0E0BtCtN0D0Tzu0CyCtCtAtN1L2XzutBtFtBtFyCtFtCtDzyyBtN1L1Czu&cr=1975664190&ir="
   • "hrdId"="00AB2F0C43692EB1"
   • "instlDay"="dword:0x00003e51"
   • "instlRef"=""
   • "smplGrp"="none"
   • "ThrdId"="00AB2F0C43692EB1"
   • "tlbrId"="base"
   • "vrsni"="1.8.19.0"
   • "vrsnTs"="1.8.19.010:23:28"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4EF7D75-52C9-4BCE-B6DC-0976EFAB4B0B}]
   • "(Default)"="metacrawler Helper Object"
   • "NoExplorer"="dword:0x00000001"
The following registry key is changed:

Internet Explorer's start page:

– [HKCU\Software\Microsoft\Internet Explorer\Main]
   Old value:
   • "Start Page"="about:blank"
   New value:
   • "Start Page"="http://i.search.**********crawler.com/?f=1&a=ironmc2&cd=2XzuyEtN2Y1L1QzutDtD0A0BtB0FtD0CyEtAyCzytB0E0BtCtN0D0Tzu0CyCtCtAtN1L2XzutBtFtBtFyCtFtCtDzyyBtN1L1Czu&cr=1975664190&ir="

Miscellaneous

Internet connection:
In order to check its internet connection, the following domains are contacted:
   • cdnus.the**********openerfun.com
   • cdneu.the**********openerfun.com
   • counter.d.ada**********.com
   • install.webcon**********.co
   • cdn.mont**********.com
   • wac.edge**********cdn.net

Description inserted by Wensin Lee on Thursday, September 5, 2013
Description updated by Wensin Lee on Thursday, September 5, 2013