Installation
This program is a software bundler that installs third-party software. We have seen it bundling other applications, installing the following software alongside the one you asked for:
- EzDownloaderPro
- Facebook Chat Desktop
This software bundler installs copies of itself to the following locations:
- %ALLUSERSPROFILE%\<generated GUID>\<malware file>.exe, for example C:\Users\All Users\ea9abab7-9a58-bc16-ea9a-abab79a5eade\3b8d4f3fe76672acb659680bd3bd7a6f4dc831d2.exe
- %ProgramData%\<generated GUID>\<malware file>.exe, for example C:\ProgramData\5ea19cda-0b1b-937d-5ea1-19cda0b17368\3b8d4f3fe76672acb659680bd3bd7a6f4dc831d2.exe
- %TEMP%\<random>.exe, for example %TEMP%\27d1763d90590.exe
- %TEMP%\<random>\temp\<malware file>.exe, for example %TEMP%\E8aC3A04e199\temp\3b8d4f3fe76672acb659680bd3bd7a6f4dc831d2.exe
It also creates a shortcut (.lnk) file in the Startup folder so that it runs every time you start your PC:
It also creates the following component files:
- %ALLUSERSPROFILE%\<generated GUID>\<malware name>.dat, for example %ALLUSERSPROFILE%\{ea9abab7-9a58-bc16-ea9a-abab79a5eade}\3b8d4f3fe76672acb659680bd3bd7a6f4dc831d2.dat
- %ProgramData%\<generated GUID>\<malware name>.dat, for example %ProgramData%\{5ea19cda-0b1b-937d-5ea1-19cda0b17368}\3b8d4f3fe76672acb659680bd3bd7a6f4dc831d2.dat
- %TEMP%\<randomfolder name>\images\loader.gif, for example %TEMP%\E8aC3A04e199\images\loader.gif
- %TEMP%\<random folder name>\images\progressbar.gif, for example %TEMP%\E8aC3A04e199\images\progressbar.gif
- %TEMP%\<randomfolder name>\steps\<random file name>.ini.txt, for example %TEMP%\E8aC3A04e199\steps\3_2.ini.txt
- %TEMP%\<randomfolder name>\steps\<random file name>.ini.task, for example %TEMP%\E8aC3A04e199\steps\6_1_0.ini.task
It creates the following registry entries:
In subkey: HKCU\Software\WebApp\Styles
Sets value: "MaxScriptStatements"
With data: "dword:ffffffff"
In subkey: HKCU\Software\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}
Sets value: "(Default)"
With data: "ITinyJSObject"
In subkey: HKCU\Software\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ProxyStubClsid32
Sets value: "(Default)"
With data: "{00020424-0000-0000-C000-000000000046}"
In subkey: HKCU\Software\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib
Sets value: "(Default)"
With data: "{157B1AA6-3E5C-404A-9118-C1D91F537040}"
Sets value: "Version"
With data: "1.0"
In subkey: HKCU\Software\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0
Sets value: "(Default)"
With data: "JSIELib"
In subkey: HKCU\Software\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\0\win32
Sets value: "(Default)"
With data: "%TEMP%\<random name>\temp\<random name>.exe", for example: "%TEMP%\E8aC3A04e199\temp\3b8d4f3fe76672acb659680bd3bd7a6f4dc831d2.exe"
In subkey: HKCU\Software\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\FLAGS
Sets value: "(Default)"
With data: "0"
In subkey: HKCU\Software\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\HELPDIR
Sets value: "(Default)"
With data: "%TEMP%"
Behavior
Installs unwanted software onto your PC
We have seen this program install unwanted software on your PC without your permission, including:
Connects to a remote host
We have seen this program connect to the following remote sites to download configuration files:
- c1.diriginal.org
- i1.coolinary.info
- r1.fasties.org
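The following PowerShell script is an added example, not part of the original analysis, that checks a Windows host for the installation artifacts listed above (GUID-named folders with a matching .exe/.dat pair, the %TEMP% staging folder, the Interface/TypeLib registry keys, a Startup shortcut pointing into those locations) and for cached DNS lookups of the three remote hosts. It assumes it is run in the affected user's session (the registry keys are under HKCU) and that the artifact names and domains are exactly as documented here; everything else, including the script itself, is a hypothetical triage aid.

```powershell
# Added example: triage script for the bundler artifacts described above.
# Not part of the original write-up. Run as the affected user (HKCU keys).

$findings = New-Object System.Collections.Generic.List[string]

# 1. GUID-named folders under %ALLUSERSPROFILE% / %ProgramData% that hold
#    a <name>.exe together with a <name>.dat (braces around the GUID optional).
$guidPattern = '^\{?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}?$'
$roots = @($env:ALLUSERSPROFILE, $env:ProgramData) | Select-Object -Unique
foreach ($root in $roots) {
    Get-ChildItem -Path $root -Directory -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $guidPattern } |
        ForEach-Object {
            $exes = Get-ChildItem -Path $_.FullName -Filter '*.exe' -File -ErrorAction SilentlyContinue
            foreach ($exe in $exes) {
                $dat = Join-Path $_.FullName ($exe.BaseName + '.dat')
                if (Test-Path $dat) {
                    $findings.Add("GUID folder with exe/dat pair: $($exe.FullName)")
                }
            }
        }
}

# 2. %TEMP%\<random>\temp\*.exe next to a steps\*.ini.task file.
Get-ChildItem -Path $env:TEMP -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    $tempExe = Get-ChildItem -Path (Join-Path $_.FullName 'temp')  -Filter '*.exe'      -File -ErrorAction SilentlyContinue
    $tasks   = Get-ChildItem -Path (Join-Path $_.FullName 'steps') -Filter '*.ini.task' -File -ErrorAction SilentlyContinue
    if ($tempExe -and $tasks) {
        $findings.Add("Staging folder in TEMP: $($_.FullName)")
    }
}

# 3. Registry keys from the write-up; the TypeLib win32 path is suspicious
#    when it points into %TEMP%, as documented.
$regKeys = @(
    'HKCU:\Software\WebApp\Styles',
    'HKCU:\Software\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}',
    'HKCU:\Software\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}'
)
foreach ($k in $regKeys) {
    if (Test-Path $k) { $findings.Add("Registry key present: $k") }
}
$win32Key = 'HKCU:\Software\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\0\win32'
if (Test-Path $win32Key) {
    $target = (Get-ItemProperty -Path $win32Key -ErrorAction SilentlyContinue).'(default)'
    if ($target -and $target -like "$env:TEMP\*") {
        $findings.Add("TypeLib win32 entry points into TEMP: $target")
    }
}

# 4. Startup-folder shortcuts whose target lives in a GUID folder or in %TEMP%.
$startup = [Environment]::GetFolderPath('Startup')
$shell   = New-Object -ComObject WScript.Shell
Get-ChildItem -Path $startup -Filter '*.lnk' -File -ErrorAction SilentlyContinue | ForEach-Object {
    $lnkTarget = $shell.CreateShortcut($_.FullName).TargetPath
    if ($lnkTarget -match '\\\{?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-' -or $lnkTarget -like "$env:TEMP\*") {
        $findings.Add("Startup shortcut $($_.Name) -> $lnkTarget")
    }
}

# 5. Cached DNS lookups of the configuration hosts named in the write-up.
$domains = @('c1.diriginal.org', 'i1.coolinary.info', 'r1.fasties.org')
if (Get-Command Get-DnsClientCache -ErrorAction SilentlyContinue) {
    Get-DnsClientCache -ErrorAction SilentlyContinue |
        Where-Object { $domains -contains $_.Entry } |
        ForEach-Object { $findings.Add("DNS cache entry for bundler host: $($_.Entry)") }
}

if ($findings.Count -eq 0) { 'No bundler artifacts found.' } else { $findings }
```

Run it from a PowerShell prompt in the user's session; each finding is a path or key you can hand to removal tooling. The GUID folder check deliberately requires the .exe and .dat pair rather than matching on the GUID alone, since legitimate installers also create GUID-named folders under ProgramData.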
Additional information
When this program installs other software, it records an install date from one year earlier so that the software won't appear as recently installed, as shown below:
Analysis by James Dee