not-a-virus:AdWare.Win32.BetterSurf.b (Kaspersky), Dropped:Adware.Generic.938376 (B) (Emsisoft), Dropped:Adware.Generic.938376 (AdAware)
Behaviour: Adware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 10ec5943f7a2346a9e8704ddf8242fd9
SHA1: e76ad45de2b0d05958644d682427c68a901802f4
SHA256: 100bbfa02c856ff8b852116888649fcb7cb269cecc059736adbc1a9021c44f06
SSDeep: 12288:Co1tIFG4GqaXeXZgMupahP2vvOVJqReZtsfzdq4duClJupeeXZgMuFmahP2RvOV2:Co1iFG4GtMgMugcWVJqRWG7dvdDK3gM5
Size: 670846 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:50:52
Analyzed on: WindowsXP SP3 32-bit
Summary: Adware. Delivers advertising content in a manner or context that may be unexpected and unwanted by users. Many adware applications also perform tracking functions. Users may want to remove adware if they object to such tracking, do not wish to see the advertising caused by the program or are frustrated by its effects on system performance.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Dropped creates the following process(es):
%original file name%.exe:1780
The Dropped injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:1780 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsl2.tmp\aminsis.dll (14303 bytes)
The Dropped deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsl2.tmp\aminsis.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl2.tmp (0 bytes)
Registry activity
The process %original file name%.exe:1780 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DB FD 8C ED E7 DA 1C 59 6D 89 11 1C 57 78 E1 2E"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsl2.tmp\aminsis.dll,"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
Dropped PE files
MD5 | File path |
---|---|
7379711a5fcffcafbdc13dd927745bd1 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsl2.tmp\aminsis.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1780
- Delete the original Dropped file.
- Delete or disinfect the following files created/modified by the Dropped:
%Documents and Settings%\%current user%\Local Settings\Temp\nsl2.tmp\aminsis.dll (14303 bytes)
Static Analysis
VersionInfo
Company Name: Media Buzz
Product Name: Media Buzz mode 6731
Product Version: 1.1
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.1
File Description:
Comments:
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 23628 | 24064 | 4.46394 | 856b32eb77dfd6fb67f21d6543272da5 |
.rdata | 28672 | 4764 | 5120 | 3.4982 | dc77f8a1e6985a4361c55642680ddb4f |
.data | 36864 | 154712 | 1024 | 3.3278 | 7922d4ce117d7d5b3ac2cffe4b0b5e4f |
.ndata | 192512 | 45056 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 237568 | 3120 | 3584 | 2.92476 | 1e1a4c69f1a90405b1fc7ef695496717 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 1263
494f66872273077cfef685f5e4c17654
9b3bde4d4c901830ef87098054f47fa0
f6a269e86b80a4b05a041896b80c1856
c2d9f0e2ebb69ac1ab61d7208b41452c
f6ccf2af126a8e776e9f320023835760
5ebbf9975047e2a29b8900c972a258cc
6950292ced9c8af97a00ed253705816d
ba6ab89636b9efe693b2ff0d62a52f01
b87d5d501feec88e35f5b7c4186032ad
e35f2c6e2105ac11b9d53608416c2587
3b4bf665874c0524c08e5f609f97b88a
bc3c4eb3cbafe6e3fac050933901aee8
94f3c125120315c21aa7e72596e74b0b
28597754269ad1978d39b6b35ee314e5
39dd7044083d432dd50491500c168f26
3fb4ec07b110976ff595329ee58deb2d
29d4af582614451ac873de46296f9e89
a8b6c078674a829f7cd88a6303f8ba97
5af74ddb493e492e4ae3b4d61fce6c83
e788e3a97659578685b3806643a97883
432b2fcc57eeea99d508d4319e9fa9e6
399582b61784638c31c9fdb2f51c59fa
a595d9f678d1ab5e613765b9cdbb4d18
0a4f0fb62fa43c5f51d7813886987ce9
bca5d5e0bdd7f680969169ff6752e4b1
cda644e88cf8c9dd1eb1321add8b76c0
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Dropped connects to the servers at the following location(s):