Virus name: Adware/InstallRex.A
Discovered: 21/11/2012
Type: Adware/Spyware
In the wild (ITW): No
Number of reported infections: Medium-Low
Spreading potential: Low
Damage potential: Low
VDF version: 7.11.50.196 - Wednesday, 21 November 2012
IVDF version: 7.11.50.196 - Wednesday, 21 November 2012

General
Method of propagation:
   • No propagation routine of its own


Alias:
   •  Eset: Win32/InstalleRex.E.Gen application


Platforms / Operating systems:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7


Side effects:
   • Modification of the registry


Right after execution, the following information is displayed:


Files
The following files are created:

– “Non-malicious” files:
   • %temp%\88.log
   • %temp%\3946B197.dat
   • %temp%\{1F23EA60-4881-4EDC-AC37-00A3C4C0C896}\_Setup.dll
   • %temp%\{1F23EA60-4881-4EDC-AC37-00A3C4C0C896}\Setup.ico
   • %temp%\{1F23EA60-4881-4EDC-AC37-00A3C4C0C896}\Readme.txt
   • %temp%\{1F23EA60-4881-4EDC-AC37-00A3C4C0C896}\_Setupx.dll
   • %temp%\{1F23EA60-4881-4EDC-AC37-00A3C4C0C896}\Setup.exe

– A temporary file that can be deleted afterwards:
   • %temp%\Tsu55A4AB9A.dll

Registry
The following registry keys are added in order to load services after a reboot:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
   • "LoadAppInit_DLLs"="dword:0x00000001"

– [HKLM\SYSTEM\ControlSet001\Control\Session Manager]
   • "PendingFileRenameOperations"="\??\C:\DOCUME~1\VANCIE~1\LOCALS~1\Temp\Tsu3F3FC0E0.dll"



The following registry keys are added:

– [HKCR\CLSID\{3F0B614B-A408-43C7-FEC1-4EBBED7257D7}]
   • "(Default)"="continuetosave"

– [HKCR\CLSID\{3F0B614B-A408-43C7-FEC1-4EBBED7257D7}\ProgID]
   • "(Default)"="continuetosave.1"

– [HKCR\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32]
   • "(Default)"="%ALLUSERSPROFILE%\Application Data\continuetosave\50eb7f9eb5e3c.tlb"

– [HKCR\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR]
   • "(Default)"="%ALLUSERSPROFILE%\Application Data\continuetosave"

– [HKCU\Software\AppDataLow\SProtector\_09b71135]
   • "date"="1357669189"

– [HKCU\Software\AppDataLow\SProtector\_09b71135\eae10f9d]
   • "0c230bcb"="///%"
   • "340d3099"="/P////%%"
   • "37b7a6d8"="UlAp/X2/blAh/XD/a/Am/Xh/FPAh/XJ/UlAl/Xx/b//k/YV/b/Af/X6/c/Au/XV/c/Ak/YZ/UxAl/Xx/b/////%%"
   • "414bc593"="///%"
   • "51d2f2ea"="PlAk/X2/c/Ap/X2/cPAu/WP/alAI/XD/cxAu/B//VP/j/CF/Mx////%%"
   • "72758a5d"="/P////%%"
   • "b10ed930"="///%"
   • "d94388d2"="clA1/Yb/UxAh/YZ/FPAs/Xm/axAm/B2/HPAj/XF/al////%%"
   • "e46c271e"="///%"
   • "f0bf0bde"="///%"

– [HKCU\Software\AppDataLow\SProtector\_09b71135]
   • "uiid"="844804067"
   • "upid"="538"
   • "usid"="952665102"
   • "uuid"="b6826bde-d88147f2-be999560-01cdedcc"

– [HKLM\SOFTWARE\Classes\CLSID\{3F0B614B-A408-43C7-FEC1-4EBBED7257D7}]
   • "(Default)"="continuetosave"

– [HKLM\SOFTWARE\Classes\CLSID\{3F0B614B-A408-43C7-FEC1-4EBBED7257D7}\ProgID]
   • "(Default)"="continuetosave.1"

– [HKLM\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32]
   • "(Default)"="%ALLUSERSPROFILE%\Application Data\continuetosave\50eb7f9eb5e3c.tlb"

– [HKLM\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR]
   • "(Default)"="%ALLUSERSPROFILE%\Application Data\continuetosave"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{83C2D41C-5B78-4EE8-AC03-135A5821F6EA}]
   • "CategoryName"="ContinueToSave"
   • "DisplayIcon"="%ALLUSERSPROFILE%\Application Data\InstallMate\{83C2D41C-5B78-4EE8-AC03-135A5821F6EA}\Setup.ico"
   • "DisplayName"="ContinueToSave"
   • "InstallLocation"="C:\DOCUME~1\VANCIE~1\LOCALS~1\Temp"
   • "InstallSource"="C:\DOCUME~1\VANCIE~1\LOCALS~1\Temp\{1F23EA60-4881-4EDC-AC37-00A3C4C0C896}\Addons"
   • "ModifyPath"="C:\DOCUME~1\ALLUSE~1\APPLIC~1\INSTAL~1\{83C2D~1\Setup.exe /q0"
   • "QuietUninstallString"="C:\DOCUME~1\ALLUSE~1\APPLIC~1\INSTAL~1\{83C2D~1\Setup.exe /remove /q"
   • "TinFolder"="%ALLUSERSPROFILE%\Application Data\InstallMate\{83C2D41C-5B78-4EE8-AC03-135A5821F6EA}"
   • "TinVersion"="7026"
   • "TizPath"="C:\DOCUME~1\VANCIE~1\LOCALS~1\Temp\{1F23EA60-4881-4EDC-AC37-00A3C4C0C896}\Addons\uninstaller_setup.exe"
   • "UninstallString"="C:\DOCUME~1\ALLUSE~1\APPLIC~1\INSTAL~1\{83C2D~1\Setup.exe /remove /q0"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C1C6816E-CBB3-A748-85F9-A8B47B68985B}]
   • "CategoryName"="ContinueToSave"
   • "DisplayIcon"="%ALLUSERSPROFILE%\Application Data\continuetosave\uninstall.exe"
   • "UninstallString"=""%ALLUSERSPROFILE%\Application Data\continuetosave\uninstall.exe" /path=%ALLUSERSPROFILE%\Application Data\continuetosave"
   • "URLInfoAbout"="http://continuetosave.info/"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CFE9DCA9-6AAF-294D-751F-E9BB5579F2C0}]
   • "TizPath"="c:\sample.exe"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ContinueToSave]
   • "CategoryName"="ContinueToSave"
   • "DisplayIcon"="%ALLUSERSPROFILE%\Application Data\InstallMate\ContinueToSave\Setup.ico"
   • "DisplayName"=""
   • "DisplayVersion"="1.0"
   • "EstimatedSize"="dword:0x000000e4"
   • "InstallDate"="20120108"
   • "InstallLocation"="%ALLUSERSPROFILE%\Application Data\Premium\ContinueToSave"
   • "InstallSource"="C:\DOCUME~1\VANCIE~1\LOCALS~1\Temp\{1F23EA60-4881-4EDC-AC37-00A3C4C0C896}\Addons"
   • "Language"="dword:0x00000409"
   • "ModifyPath"="C:\DOCUME~1\ALLUSE~1\APPLIC~1\INSTAL~1\CONTIN~1\Setup.exe /q0"
   • "Publisher"="Premium"
   • "QuietUninstallString"="C:\DOCUME~1\ALLUSE~1\APPLIC~1\INSTAL~1\CONTIN~1\Setup.exe /remove /q"
   • "TinFolder"="%ALLUSERSPROFILE%\Application Data\InstallMate\ContinueToSave"
   • "TinVersion"="7025"
   • "TizPath"="C:\DOCUME~1\VANCIE~1\LOCALS~1\Temp\{1F23EA60-4881-4EDC-AC37-00A3C4C0C896}\Addons\agent_setup.exe"
   • "TSAware"="dword:0x00000001"
   • "UninstallString"="C:\DOCUME~1\ALLUSE~1\APPLIC~1\INSTAL~1\CONTIN~1\Setup.exe /remove /q0"
   • "Version"="dword:0x01000000"
   • "VersionMajor"="dword:0x00000001"
   • "VersionMinor"="dword:0x00000000"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SP_09b71135]
   • "UninstallString"=""%PROGRAM FILES%\ContinueToSave\uninstall.exe" /FULLPATH="%PROGRAM FILES%\ContinueToSave""

– [HKLM\SOFTWARE\SP Global]
   • "9c193b40"="c:\progra~1\contin~1\sprote~1.dll"

– [HKLM\SOFTWARE\SProtector\_09b71135]
   • "date"="1357669189"

– [HKLM\SOFTWARE\SProtector\_09b71135\eae10f9d]
   • "0c230bcb"="///%"
   • "340d3099"="/P////%%"
   • "37b7a6d8"="UlAp/X2/blAh/XD/a/Am/Xh/FPAh/XJ/UlAl/Xx/b//k/YV/b/Af/X6/c/Au/XV/c/Ak/YZ/UxAl/Xx/b/////%%"
   • "414bc593"="///%"
   • "72758a5d"="/P////%%"
   • "b10ed930"="///%"
   • "d94388d2"="clA1/Yb/UxAh/YZ/FPAs/Xm/axAm/B2/HPAj/XF/al////%%"
   • "e46c271e"="///%"
   • "f0bf0bde"="///%"

– [HKLM\SOFTWARE\SProtector\_09b71135]
   • "Install_Dir"="%PROGRAM FILES%\ContinueToSave"
   • "state"="dword:0x00000000"
   • "uiid"="844804067"
   • "upid"="538"
   • "usid"="952665102"
   • "uuid"="b6826bde-d88147f2-be999560-01cdedcc"
   • "version"="dword:0x0142046d"



The following registry key is changed:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
   Old value:
   • "AppInit_DLLs"=""
   New value:
   • "AppInit_DLLs"="c:\progra~1\contin~1\sprote~1.dll"
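Added example, not part of the Avira description: a PowerShell audit of the persistence points this page lists, namely the LoadAppInit_DLLs / AppInit_DLLs values, the PendingFileRenameOperations entry for the temporary Tsu*.dll, and the ContinueToSave / SP_* uninstall keys. It assumes it is run as Administrator on the affected host, reads the live CurrentControlSet rather than the ControlSet001 key quoted above, and the Tsu<8 hex digits>.dll pattern is an assumption generalising the two file names on this page.

```powershell
# Added example, not from the Avira page: audit the persistence points listed
# in this description. Assumption: run as Administrator on the affected host.
$findings = @()

# 1. AppInit_DLLs / LoadAppInit_DLLs: a DLL named here is loaded into every
#    process that maps user32.dll, so a non-empty value must be explained.
$winKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)
foreach ($key in $winKeys) {
    if (-not (Test-Path $key)) { continue }
    $v = Get-ItemProperty -Path $key
    if ($v.LoadAppInit_DLLs -eq 1) { $findings += "LoadAppInit_DLLs=1 under $key" }
    if ($v.AppInit_DLLs) {
        foreach ($dll in ($v.AppInit_DLLs -split '[ ,;]+' | Where-Object { $_ })) {
            # The page shows the 8.3 form c:\progra~1\contin~1\sprote~1.dll;
            # expand it so the finding names the real file.
            $full = $dll
            if (Test-Path -LiteralPath $dll) { $full = (Get-Item -LiteralPath $dll).FullName }
            $findings += "AppInit_DLLs entry: $full"
        }
    }
}

# 2. PendingFileRenameOperations: the installer queues its Tsu<8 hex>.dll helper
#    for deletion at next boot. The page lists ControlSet001; the live view is
#    CurrentControlSet. The Tsu pattern generalises the two names on the page.
$sm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$pending = (Get-ItemProperty -Path $sm -ErrorAction SilentlyContinue).PendingFileRenameOperations
foreach ($entry in $pending) {
    if ($entry -match '\\Temp\\Tsu[0-9A-F]{8}\.dll$') {
        $findings += "Pending delete of installer helper: $entry"
    }
}

# 3. Uninstall entries named ContinueToSave or SP_<id>, as listed on the page.
$uninst = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
foreach ($sub in (Get-ChildItem -Path $uninst -ErrorAction SilentlyContinue)) {
    $p = Get-ItemProperty -Path $sub.PSPath
    if ($sub.PSChildName -like 'SP_*' -or $p.DisplayName -eq 'ContinueToSave' -or
        $p.CategoryName -eq 'ContinueToSave') {
        $findings += "Uninstall entry $($sub.PSChildName): $($p.UninstallString)"
    }
}

if (-not $findings) { $findings = @('No InstallRex / ContinueToSave indicators found.') }
$findings | ForEach-Object { Write-Output "[!] $_" }
```

On a 32-bit Windows XP host (the era of this sample) only the first of the two Windows keys exists; the Wow6432Node path is checked for 64-bit systems.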

Miscellaneous
To check its internet connection, the following DNS servers are contacted:
   • r1.stora**********l1.info
   • c1.stora**********l1.info
   • plu**********es.info

Description inserted by Wensin Lee on Tuesday, 8 January 2013
Description updated by: Wensin Lee on Tuesday, 8 January 2013
