Trojan.Win32.AntiFW.b (Kaspersky)
Installerex/WebPick (fs) (VIPRE)
Trojan.WebPick.29 (DrWeb)
MalSign.Generic.256 (AVG)
Win32:InstalleRex-BH [PUP] (Avast)
InstallerTarmaInstallMate.YR (Lavasoft MAS)
Behaviour: Trojan, Installer, PUP
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 9d88574eb0489e045c8927e3454b12f0
SHA1: 161f9dad11de4595390435d4ef0e01f608c062a3
SHA256: 2c2be4b5521d85f69a626685e415922714f0e3c175c7200ecb24b20bd2e60b1c
SSDeep: 6144:8rjbUzkuvcBYC47l2xhPAj9yshh1/9CSFuXWzMJSeJMLBz8xI:8rIkuveY3uPw4shT9Nnz62xQI
Size: 321648 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Right Soft
Created at: 2013-03-12 10:51:45
Analyzed on: WindowsXP SP3 32-bit
Summary: Installer. An installation package.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Installer creates the following process(es):
No processes have been created.
The Installer injects its code into the following process(es):
9d88574eb0489e0:1480
File activity
The process 9d88574eb0489e0:1480 makes changes in the file system.
The Installer creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\{09955B69-5E7C-45B1-A75A-165ED276799F}\Readme.txt (2106 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{09955B69-5E7C-45B1-A75A-165ED276799F}\Custom.dll (110080 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1D365712.dat (491658 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{09955B69-5E7C-45B1-A75A-165ED276799F}\Setup.exe (15968 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TsuC6C466D7.dll (341088 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{09955B69-5E7C-45B1-A75A-165ED276799F}\_Setup.dll (190976 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{09955B69-5E7C-45B1-A75A-165ED276799F}\Setup.ico (4846 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\9d88574eb0489e045c8927e3454b12f0.log (87421 bytes)
The Installer deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\1D365712.dat (0 bytes)
Registry activity
The process 9d88574eb0489e0:1480 makes changes in the system registry.
The Installer creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65324"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 32 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F5 BE 25 29 67 E6 E6 7F 21 4C BA C9 51 42 66 E6"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Installer modifies IE security zone settings so that all local web-nodes without dots that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Installer modifies IE security zone settings so that all web-nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Installer modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Installer deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Network activity (URLs)
URL | IP |
---|---|
r1.getapplicationmy.info | |
r2.getapplicationmy.info | |
c2.getapplicationmy.info | |
c1.getapplicationmy.info | |
IDS verdicts
Dropped PE files
MD5 | File path |
---|---|
af7ce801c8471c5cd19b366333c153c4 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\TsuC6C466D7.dll |
d257c8662a2c67d5eb8db3bb46eaecbc | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\{09955B69-5E7C-45B1-A75A-165ED276799F}\Custom.dll |
e717f6ce3a7429bfa6d7f3cf66737a4b | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\{09955B69-5E7C-45B1-A75A-165ED276799F}\Setup.exe |
8815672378a261ae510745ea448438d9 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\{09955B69-5E7C-45B1-A75A-165ED276799F}\_Setup.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Screenshot
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Installer file.
- Delete or disinfect the following files created/modified by the Installer:
%Documents and Settings%\%current user%\Local Settings\Temp\{09955B69-5E7C-45B1-A75A-165ED276799F}\Readme.txt (2106 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{09955B69-5E7C-45B1-A75A-165ED276799F}\Custom.dll (110080 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1D365712.dat (491658 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{09955B69-5E7C-45B1-A75A-165ED276799F}\Setup.exe (15968 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TsuC6C466D7.dll (341088 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{09955B69-5E7C-45B1-A75A-165ED276799F}\_Setup.dll (190976 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{09955B69-5E7C-45B1-A75A-165ED276799F}\Setup.ico (4846 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\9d88574eb0489e045c8927e3454b12f0.log (87421 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: Right Soft
Product Name: Right Soft
Product Version: 1.0.0.3
Legal Copyright: Copyright (c) 2014 Right Soft
Legal Trademarks:
Original Filename: TSULoader.exe
Internal Name: TSULoader
File Version: 2014.3.2.1434
File Description: Installer for Right Soft
Comments: WinNT (x86) Unicode Lib Rel
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 7672 | 7680 | 4.5056 | b1ae6dcdc3a7ba319c6d5e0b1a2eadbc |
.rdata | 12288 | 1794 | 2048 | 3.26018 | cd4f20f041a2da05dfe5974fe61bd4ec |
.data | 16384 | 1040 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 20480 | 8288 | 8704 | 2.76619 | cb539ba4a412d7419c6d5edc8fc03c5e |
.reloc | 32768 | 348 | 512 | 2.09579 | 938152484b33bca77bd622973abb524e |
.tsustub | 36864 | 120967 | 121344 | 5.54287 | ced43a410245fa01194fc0688a5085ee |
.tsuarch | 159744 | 175104 | 175104 | 5.54392 | 09958aa1870a26981338585e0cfd3ddd |
Network Activity
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker: