not-a-virus:RiskTool.Win32.Agent.ihv (Kaspersky), Program.Unwanted.29 (DrWeb), PUA.SpeedingUpMyPC (Ikarus), Generic.89B (AVG), GenericEmailWorm.YR (Lavasoft MAS)
Behaviour: Worm, EmailWorm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 4340733a72495ec5622e7a9eec58f627
SHA1: 60518e331825112e9901109edb3fb09ccd199dbc
SHA256: 1033f696517f468bb1abc2477593f1d3ac559f758a12fcd76c21f1c5b720e46f
SSDeep: 196608:bZBe8uvBNJFzYL/Zz4g48iQl3D6o5mG0W2odcrJklV5JT0nkACOf2Dh:u8afYDpZpBp5mG0OC8LJInNFeD
Size: 10595232 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphiv60v70_v2, BorlandDelphi30, BorlandDelphiv30, UPolyXv05_v6
Company: PC Utilities Software Limited
Created at: 1992-06-20 01:22:17
Analyzed on: WindowsXP SP3 32-bit
Summary: Worm. A program that primarily replicates across networks or removable drives.
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
EmailWorm | Worm can send e-mails. |
Process activity
The not-a-virus creates the following process(es):
Driver_Pro.exe:3820
DriverPro.exe:3224
Driver_Pro.tmp:2992
DPStartScan.exe:2212
%original file name%.exe:2508
The not-a-virus injects its code into the following process(es):
DPSchedule.exe:1008
DriverPro.exe:3560
File activity
The process Driver_Pro.exe:3820 makes changes in the file system.
The not-a-virus creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-L4M2N.tmp\Driver_Pro.tmp (7386 bytes)
The not-a-virus deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-L4M2N.tmp\Driver_Pro.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-L4M2N.tmp (0 bytes)
The process DPSchedule.exe:1008 makes changes in the file system.
The not-a-virus deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\DPSchedule.madExcept (0 bytes)
The process DriverPro.exe:3224 makes changes in the file system.
The not-a-virus deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\DriverPro.madExcept (0 bytes)
The process DriverPro.exe:3560 makes changes in the file system.
The not-a-virus creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\Driver Pro\Scan.ini (951 bytes)
%Documents and Settings%\%current user%\Application Data\Driver Pro\Devices.ini (24 bytes)
%Documents and Settings%\%current user%\Application Data\Driver Pro\PCInfo.ini (175 bytes)
The not-a-virus deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\DriverPro.madExcept (0 bytes)
The process Driver_Pro.tmp:2992 makes changes in the file system.
The not-a-virus creates and/or writes to the following file(s):
%Program Files%\Driver Pro\is-4MGE3.tmp (26 bytes)
%Program Files%\Driver Pro\is-UUU8E.tmp (31891 bytes)
%Documents and Settings%\%current user%\Desktop\Driver Pro.lnk (701 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Driver Pro\Uninstall Driver Pro.lnk (708 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Driver Pro\Help.lnk (713 bytes)
%Program Files%\Driver Pro\is-B4I62.tmp (54 bytes)
%Program Files%\Driver Pro\is-FQAJ0.tmp (5873 bytes)
%Program Files%\Driver Pro\is-DKHGK.tmp (56 bytes)
%Program Files%\Driver Pro\is-8NLL0.tmp (7433 bytes)
%Program Files%\Driver Pro\is-33N8R.tmp (12 bytes)
%Program Files%\Driver Pro\is-4UF8L.tmp (3361 bytes)
%Program Files%\Driver Pro\is-T5O74.tmp (7433 bytes)
%Program Files%\Driver Pro\unins000.dat (5536 bytes)
%Documents and Settings%\%current user%\Application Data\Driver Pro\is-HEU5S.tmp (61 bytes)
%Program Files%\Driver Pro\is-V1TF6.tmp (3073 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Driver Pro\Driver Pro.lnk (713 bytes)
%Program Files%\Driver Pro\unins000.msg (646 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Driver Pro\Driver Pro on the Web.lnk (708 bytes)
%Program Files%\Driver Pro\is-MONI6.tmp (547 bytes)
%Documents and Settings%\%current user%\Application Data\Driver Pro\is-K4CUJ.tmp (526038 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-5N9DJ.tmp\_isetup\_shfoldr.dll (23 bytes)
%Program Files%\Driver Pro\is-IMKUO.tmp (5873 bytes)
%Program Files%\Driver Pro\is-07GIJ.tmp (29430 bytes)
%Documents and Settings%\%current user%\Application Data\Driver Pro\is-062OK.tmp (558848 bytes)
%Documents and Settings%\%current user%\Application Data\Driver Pro\is-E2JII.tmp (4 bytes)
The not-a-virus deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-5N9DJ.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-5N9DJ.tmp\_isetup\_shfoldr.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-5N9DJ.tmp\_isetup (0 bytes)
The process DPStartScan.exe:2212 makes changes in the file system.
The not-a-virus creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
The process %original file name%.exe:2508 makes changes in the file system.
The not-a-virus creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\Driver_Pro.exe (75554 bytes)
Registry activity
The process Driver_Pro.exe:3820 makes changes in the system registry.
The not-a-virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B2 5D 16 16 54 CF B9 79 AF 33 44 95 C3 AE 7C DE"
The process DPSchedule.exe:1008 makes changes in the system registry.
The not-a-virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "02 5F 7A E1 3E 58 B4 AE 86 49 A5 44 70 7F D8 7D"
The process DriverPro.exe:3224 makes changes in the system registry.
The not-a-virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "91 CB EC 80 E6 85 6D 1E 6E B3 AF 6B 27 C9 10 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Favorites" = "%Documents and Settings%\%current user%\Favorites"
"Templates" = "%Documents and Settings%\%current user%\Templates"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The process DriverPro.exe:3560 makes changes in the system registry.
The not-a-virus creates and/or sets the following values in system registry:
[HKCU\Software\Driver Pro]
"s_Enable" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Driver Pro]
"UpdateWindowShown" = "0"
"InstallStat" = "1"
"BackupPath" = "%Documents and Settings%\%current user%\My Documents\Driver Pro\Backup\"
"CloseToTray" = "0"
"s_SmartScan" = "1"
"Feedback1" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Driver Pro]
"ShowAlertMessages" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Driver Pro]
"ShowUpdateWindow" = "0"
"LastUpdate" = "B9 8A B1 34 5A 68 E4 40"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKCU\Software\Driver Pro]
"ProxyPassword" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Driver Pro]
"s_SmartMode" = "2"
"LastScan" = "1D AF 7B 35 5A 68 E4 40"
"TotalDrivers" = "61"
"DownloadPath" = "%Documents and Settings%\%current user%\My Documents\Driver Pro\Drivers\"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Templates" = "%Documents and Settings%\%current user%\Templates"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Driver Pro]
"ProxyPort" = ""
"ScanAtStartup" = "0"
"ForceUpdate" = "0"
"ProxyAddress" = ""
"OutdatedDrivers" = "2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Driver Pro]
"LastDatabaseCheck" = "84 2D B1 34 5A 68 E4 40"
"nDownloads" = "3"
"DatabaseDate" = "00 00 00 00 80 52 E4 40"
"ShowSRPMessage" = "1"
"ScanExecuted" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 42 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Driver Pro]
"s_Mode" = "0"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D8 56 EA CF DF 03 5B 6C 8A 47 2A 71 75 D7 68 22"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\Driver Pro]
"DPSchedule.exe" = "Driver Pro Schedule"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"
[HKCU\Software\Driver Pro]
"AppStart" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKCU\Software\Driver Pro]
"UseProxy" = "0"
"QuerryDate" = "54 ED 85 35 5A 68 E4 40"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Driver Pro]
"ShowRebootMessage" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Favorites" = "%Documents and Settings%\%current user%\Favorites"
[HKCU\Software\Driver Pro]
"ProxyLogin" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The not-a-virus modifies IE security zone settings to map all local web-nodes with no dots that are not assigned to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The not-a-virus modifies IE security zone settings to map all web-nodes that bypass the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The not-a-virus modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The not-a-virus deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process Driver_Pro.tmp:2992 makes changes in the system registry.
The not-a-virus creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Driver Pro_is1]
"DisplayVersion" = "3.1"
"NoRepair" = "1"
"Inno Setup: Language" = "en"
"MajorVersion" = "3"
"Inno Setup: Deselected Tasks" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Driver Pro_is1]
"URLUpdateInfo" = "http://www.pcutilitiespro.com"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Driver Pro_is1]
"Inno Setup: Icon Group" = "Driver Pro"
"Inno Setup: Setup Version" = "5.5.3 (u)"
"Inno Setup: User" = "%CurrentUserName%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Driver Pro_is1]
"UninstallString" = "%Program Files%\Driver Pro\unins000.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Driver Pro_is1]
"DisplayName" = "Driver Pro v3.1"
"Inno Setup: App Path" = "%Program Files%\Driver Pro"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Driver Pro_is1]
"InstallLocation" = "%Program Files%\Driver Pro\"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Driver Pro_is1]
"URLInfoAbout" = "http://www.pcutilitiespro.com"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKCU\Software\Driver Pro]
"Language" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Driver Pro_is1]
"HelpLink" = "http://www.pcutilitiespro.com"
"InstallDate" = "20140604"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Driver Pro_is1]
"Publisher" = "PC Utilities Software Limited"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "95 BF 40 1F A8 28 41 52 6E 71 27 02 6D E7 13 9C"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Driver Pro_is1]
"Inno Setup: Selected Tasks" = "desktopicon"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Driver Pro_is1]
"QuietUninstallString" = "%Program Files%\Driver Pro\unins000.exe /SILENT"
"NoModify" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Driver Pro_is1]
"MinorVersion" = "1"
To automatically run itself each time Windows is booted, the not-a-virus adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Driver Pro" = "%Program Files%\Driver Pro\DPLauncher.exe"
The process DPStartScan.exe:2212 makes changes in the system registry.
The not-a-virus creates and/or sets the following values in system registry:
[HKCU\Software\Driver Pro]
"SupportURL" = "http://support.pcutilitiespro.com/"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Driver Pro]
"MachineGuid" = "C671226F-F2F5-7826-0F3E-780A8A57284E"
"UninstallURL" = "https://safecart.com/pcutilitiespro/.dp-xsell-special/purchase?sid=121001356-US-003"
"DelayedStart" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Driver Pro]
"UseAds" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Driver Pro]
"OS" = "102"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Driver Pro]
"BuyNowURL" = "http://pcup4.pcutilitiespro.revenuewire.net/driverpro/xsell?121001356-US-003_C671226F-F2F5-7826-0F3E-780A8A57284E"
"Querry" = "http://bi.softservers.net/t/dp?sid=121001356-US-003&dt=%dt%&gid=%GID%&tz=%tz%&ln=%ln%&lc=%lc%&bis=%bis%&bief=%bief%&biefx=%biefx%&bif=%bif%&os=%os%&f=1580073001"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Driver Pro]
"homepageurl" = "http://www.pcutilitiespro.com/"
"AppStart" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 41 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "10 30 81 51 F4 5B 0F 9E 55 4D 19 8E 59 63 35 32"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\Driver Pro]
"DriverPro.exe" = "Driver Pro"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Driver Pro]
"InstallDate" = "99 54 5A 34 5A 68 E4 40"
"QuerryDate" = "02 5B 73 34 5A 68 E4 40"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
The not-a-virus modifies IE security zone settings to map all local web-nodes with no dots that are not assigned to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The not-a-virus modifies IE security zone settings to map all web-nodes that bypass the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The not-a-virus modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The not-a-virus deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process %original file name%.exe:2508 makes changes in the system registry.
The not-a-virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A3 6B 62 11 AD 67 3F 08 16 5C 5C 8B 3F AC A7 31"
[HKCU\Software\Driver Pro]
"setupname" = "c:\%original file name%.exe"
Dropped PE files
MD5 | File path |
---|---|
8083b88ec859a42ad4848f76db8631ed | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Driver_Pro.exe |
17f7ee51c89876e64fba86471c90990e | c:\Program Files\Driver Pro\DPLauncher.exe |
90962b1007a7f0553e05b9db3f107b29 | c:\Program Files\Driver Pro\DPSchedule.exe |
88045b9c77b632effd211e0e641becf6 | c:\Program Files\Driver Pro\DPSmartScan.exe |
c8a38df575c7b67ce54b80f8aed0c3f4 | c:\Program Files\Driver Pro\DPStartScan.exe |
c7d4f2b8950f1d69789071a58b8d0fad | c:\Program Files\Driver Pro\DPUninstaller.exe |
4dd53d8d4943b8d4d5e95985e912287c | c:\Program Files\Driver Pro\DriverPro.exe |
0f66e8e2340569fb17e774dac2010e31 | c:\Program Files\Driver Pro\sqlite3.dll |
fe547eb408703b1f8e98643180b48f55 | c:\Program Files\Driver Pro\unins000.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
Driver_Pro.exe:3820
DriverPro.exe:3224
Driver_Pro.tmp:2992
DPStartScan.exe:2212
%original file name%.exe:2508
- Delete the original not-a-virus file.
- Delete or disinfect the following files created/modified by the not-a-virus:
%Documents and Settings%\%current user%\Local Settings\Temp\is-L4M2N.tmp\Driver_Pro.tmp (7386 bytes)
%Documents and Settings%\%current user%\Application Data\Driver Pro\Scan.ini (951 bytes)
%Documents and Settings%\%current user%\Application Data\Driver Pro\Devices.ini (24 bytes)
%Documents and Settings%\%current user%\Application Data\Driver Pro\PCInfo.ini (175 bytes)
%Program Files%\Driver Pro\is-4MGE3.tmp (26 bytes)
%Program Files%\Driver Pro\is-UUU8E.tmp (31891 bytes)
%Documents and Settings%\%current user%\Desktop\Driver Pro.lnk (701 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Driver Pro\Uninstall Driver Pro.lnk (708 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Driver Pro\Help.lnk (713 bytes)
%Program Files%\Driver Pro\is-B4I62.tmp (54 bytes)
%Program Files%\Driver Pro\is-FQAJ0.tmp (5873 bytes)
%Program Files%\Driver Pro\is-DKHGK.tmp (56 bytes)
%Program Files%\Driver Pro\is-8NLL0.tmp (7433 bytes)
%Program Files%\Driver Pro\is-33N8R.tmp (12 bytes)
%Program Files%\Driver Pro\is-4UF8L.tmp (3361 bytes)
%Program Files%\Driver Pro\is-T5O74.tmp (7433 bytes)
%Program Files%\Driver Pro\unins000.dat (5536 bytes)
%Documents and Settings%\%current user%\Application Data\Driver Pro\is-HEU5S.tmp (61 bytes)
%Program Files%\Driver Pro\is-V1TF6.tmp (3073 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Driver Pro\Driver Pro.lnk (713 bytes)
%Program Files%\Driver Pro\unins000.msg (646 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Driver Pro\Driver Pro on the Web.lnk (708 bytes)
%Program Files%\Driver Pro\is-MONI6.tmp (547 bytes)
%Documents and Settings%\%current user%\Application Data\Driver Pro\is-K4CUJ.tmp (526038 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-5N9DJ.tmp\_isetup\_shfoldr.dll (23 bytes)
%Program Files%\Driver Pro\is-IMKUO.tmp (5873 bytes)
%Program Files%\Driver Pro\is-07GIJ.tmp (29430 bytes)
%Documents and Settings%\%current user%\Application Data\Driver Pro\is-062OK.tmp (558848 bytes)
%Documents and Settings%\%current user%\Application Data\Driver Pro\is-E2JII.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Driver_Pro.exe (75554 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Driver Pro" = "%Program Files%\Driver Pro\DPLauncher.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: PC Utilities Software Limited
Product Name: DriverPro
Product Version: 3.1.0.0
Legal Copyright: PC Utilities Software Limited
Legal Trademarks:
Original Filename:
Internal Name: DriverPro
File Version:
File Description: DriverPro
Comments:
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
CODE | 4096 | 75644 | 75776 | 4.45296 | 341f60451089865a24c3c84ec3821c82 |
DATA | 81920 | 1428 | 1536 | 2.76929 | f76f4515a2e2b60cda146361ff2e6e44 |
BSS | 86016 | 2185 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.idata | 90112 | 2862 | 3072 | 3.11744 | 3a510b9194a87490600faea96f544b5a |
.tls | 94208 | 12 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rdata | 98304 | 24 | 512 | 0.14174 | 6b2b783af3ecd764905292c9b75d8ea4 |
.reloc | 102400 | 6084 | 6144 | 4.57315 | 5b58562521fe8470d3ba9da0f91e605b |
.rsrc | 110592 | 10500608 | 10500608 | 5.52697 | 2b985bf10034f9566dc079550f22e303 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 7
Network Activity
URLs
URL | IP |
---|---|
hxxp://bi.softservers.net/t/dp?sid=121001356-US-003&dt=1401910753&gid=C671226F-F2F5-7826-0F3E-780A8A57284E&tz=2&ln=1&lc=0&bis=0&bief=0&biefx=0&bif=0&os=102&f=1580073001 | 107.6.170.117 |
hxxp://service.smartpcupdate.com/rpc/sendinstall?partner=PCUtilitiesPro&build=3.1 | 176.9.2.106 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The not-a-virus connects to the servers at the following location(s):