Trojan:Win32/AproposMedia is a software suite that is installed via a third-party application, which may bundle AproposMedia as a toolbar. It may also be installed via drive-by downloads or through pop-up advertisements.
Trojan:Win32/AproposMedia displays pop-up advertisements in Internet Explorer and tracks and reports user habits. It may update itself or download and execute other files from the Internet without the user's knowledge or consent. Some variants of AproposMedia also use a system driver to make detection and removal more difficult. A user may experience a decrease in Internet speed if AproposMedia is installed on the computer.
Installation
The Trojan:Win32/AproposMedia installer may arrive on the computer with the file name "install_ct.exe". When this installer is run, it creates the following files and folders:
%temp%\~apropos0\
%temp%\~apropos0\atla.dll
%temp%\~apropos0\atlw.dll
%temp%\~apropos0\CxtPls.exe
%temp%\~apropos0\ph.exe
%temp%\~apropos0\pm.exe
%temp%\~apropos0\setup.inf
%ProgramFiles%\CxtPls\
%ProgramFiles%\CxtPls\ace.dll
%ProgramFiles%\CxtPls\atl.dll
%ProgramFiles%\CxtPls\AI_<date>.log
%ProgramFiles%\CxtPls\CxtPls.dll
%ProgramFiles%\CxtPls\CxtPls.exe
%ProgramFiles%\CxtPls\data.bin
%ProgramFiles%\CxtPls\libexpat.dll
%ProgramFiles%\CxtPls\ProxyStub.dll
%ProgramFiles%\CxtPls\uninstaller.exe
%ProgramFiles%\CxtPls\WinGenerics.dll
It may also drop the following files in the Windows system folder:
jgdatcha.exe
shltedit.exe
sxlntr.exe
It may also download the following files as part of its installation routine:
AutoUpdater.exe
HookDll.dll
install_ct.exe
npf.sys
SysAI.exe
uninstaller.exe
Trojan:Win32/AproposMedia modifies the system registry so that its dropped files automatically run every time Windows starts, for example:
Adds value: "5stg3tX"
With data: "shltedit.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adds value: "hdloker"
With data: "<system folder>\sxlntr.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adds value: "AutoLoaderAproposClient"
With data: "<system folder>\Cxtpls_loader.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adds value: "hdloker"
With data: "<system folder>\sxlntr.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Adds value: "load"
With data: "<system folder>\sxlntr.exe"
To subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows
Modifies value: "shell"
From data: "explorer.exe"
To data: "explorer.exe <system folder>\sxlntr.exe"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
It also registers its dropped DLL files by creating some or all of the following subkeys:
HKCR\CLSID\{016235BE-59D4-4CEB-ADD5-E2378282A1D9}
HKCR\CLSID\{6200BDDD-11D4-07C0-1A8F-500A15C9973}
HKCR\CLSID\{B5AB638F-D76C-415B-A8F2-F3CEAC502212}
HKCR\CLSID\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA}
HKCR\Interface\{B548B7D8-3D03-4AED-A6A1-4251FAD00C10}
HKCR\Interface\{B99A727F-0782-4A71-BCC2-6E1E66414904}
HKCR\Interface\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA}
HKLM\SOFTWARE\Classes\CLSID\{6200BDDD-11D4-07C0-1A8F-500A15C9973}
HKLM\SOFTWARE\Classes\CLSID\{65D557EB-146A-2B46-36A7-8D6CB48FF4F}
HKLM\SOFTWARE\Classes\CLSID\{B5AB638F-D76C-415B-A8F2-F3CEAC502212}
HKLM\SOFTWARE\Classes\Interface\{B548B7D8-3D03-4AED-A6A1-4251FAD00C10}
HKLM\SOFTWARE\Classes\Interface\{B99A727F-0782-4A71-BCC2-6E1E66414904}
HKLM\SOFTWARE\Classes\Interface\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{016235BE-59D4-4CEB-ADD5-E2378282A1D9}
It may also create the following registry subkeys and entries as part of its installation routine:
Adds value: "ClientName"
With data: "%ProgramFiles%\CxtPls\CxtPls.exe"
Adds value: "Plugin"
With data: "%ProgramFiles%\CxtPls\cxtpls.dll"
Adds value: "ProxyStub"
With data: "%ProgramFiles%\CxtPls\proxystub.dll"
Adds value: "ServerAddress"
With data: "adchannel.contextplus.net"
To subkey: HKLM\SOFTWARE\Apropos\Client
Adds subkeys:
HKLM\SOFTWARE\Envolo\AutoUpdate
HKLM\SOFTWARE\AutoLoader\5F261ZKKdbac
It also creates an uninstall entry for itself:
Adds value: "DisplayName"
With data: "CtxPls"
Adds value: "UninstallString"
With data: "%ProgramFiles%\CxtPls\uninstaller.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AproposClient
Trojan:Win32/AproposMedia may also create mutexes using any of the following names:
_AutoLoaderSession_AproposLoaderSessionIsStarted
ALActive_CtxPlus
AproposClient
CompoundInstallerIsRunning
Global_POB_C__WINDOWS_p2J2d
Payload
Downloads other components
Trojan:Win32/AproposMedia may create the following registry entries:
Adds value: "LoadUrl"
With data: "http:// download.contextplus.net/apropos/client/<version>/wb.pop/<try>/aproposclientinstaller.exe"
To subkey: HKLM\SOFTWARE\AutoLoader\AproposClient
where <version> and <try> are versions of the updated component.
It also specifies a server to connect to by creating a registry entry, for example:
Adds value: "SU"
With data: "http://au.contextplus.net/services/auserver"
To subkey: HKLM\SOFTWARE\C2ij6AzFKfqm\AU2
It may also connect to other pages within the Web site "contextplus.net" to download other files. These files may then be installed on the computer without the user's knowledge or consent.
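The autorun entries under Installation (the Run and RunOnce values, the Windows\load value and the modified Winlogon shell), the Browser Helper Object CLSID registration, and the contextplus.net download locations under Payload can all be checked offline against a registry export. The script below is an added example written for this page; it is not part of the original analysis or of any Microsoft tool. It parses the text format that `reg export` writes and flags the indicators quoted in the description. The embedded sample export is constructed for illustration: the benign "ExampleUpdater" entry and the C:\WINDOWS paths are assumptions, and the <version> and <try> placeholders in the LoadUrl are left as the description gives them.

```python
# Offline triage of a `reg export` text file for the AproposMedia registry indicators
# quoted in the description above (added example, not part of the original analysis).
import re
from collections import Counter
from typing import Dict, List, Tuple

HKLM = "HKEY_LOCAL_MACHINE"
RUN_KEYS = {HKLM + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
            HKLM + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"}
WINDOWS_KEY = HKLM + r"\Software\Microsoft\Windows NT\CurrentVersion\Windows"
WINLOGON_KEY = HKLM + r"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
BHO_PREFIX = HKLM + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" + "\\"
# File names dropped or referenced by autorun entries, and CLSIDs, as listed in the description.
DROPPED_EXES = {"shltedit.exe", "sxlntr.exe", "jgdatcha.exe", "cxtpls_loader.exe", "cxtpls.exe"}
KNOWN_CLSIDS = {"{016235BE-59D4-4CEB-ADD5-E2378282A1D9}", "{6200BDDD-11D4-07C0-1A8F-500A15C9973}",
                "{B5AB638F-D76C-415B-A8F2-F3CEAC502212}", "{BC333116-6EA1-40A1-9D07-ECB192DB8CEA}",
                "{65D557EB-146A-2B46-36A7-8D6CB48FF4F}"}
OWN_KEY_PREFIXES = (HKLM + r"\SOFTWARE\Apropos", HKLM + r"\SOFTWARE\AutoLoader", HKLM + r"\SOFTWARE\Envolo")
C2_DOMAIN = "contextplus.net"

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VAL_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')

def _unescape(s: str) -> str:
    """Undo the backslash escaping used inside quoted .reg strings."""
    return s.replace("\\\\", "\\").replace('\\"', '"')

def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key path: {value name: data}}; quoted REG_SZ data is decoded,
    dword:/hex: data is kept as its raw token so it can still be matched."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        m = _VAL_RE.match(line)
        if m and current is not None:
            name = "(Default)" if m.group("default") else _unescape(m.group("name"))
            data = m.group("data")
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys

Finding = Tuple[str, str, str, str]  # (category, key path, value name, data)

def find_apropos_indicators(keys: Dict[str, Dict[str, str]]) -> List[Finding]:
    """Match a parsed export against the registry indicators from the description."""
    findings: List[Finding] = []
    run_keys = {k.lower() for k in RUN_KEYS}
    own_prefixes = tuple(p.lower() for p in OWN_KEY_PREFIXES)
    for key, values in keys.items():
        k = key.lower()  # registry key paths are case-insensitive
        if k.startswith(own_prefixes):
            findings.append(("own_key", key, "", ""))
        if k.startswith(BHO_PREFIX.lower()) and key[len(BHO_PREFIX):].upper() in KNOWN_CLSIDS:
            findings.append(("bho", key, "", ""))
        for name, data in values.items():
            d = data.strip().lower()
            if k in run_keys and any(exe in d for exe in DROPPED_EXES):
                findings.append(("autorun", key, name, data))
            # Windows\load is empty on a clean system; anything placed here runs at logon.
            if k == WINDOWS_KEY.lower() and name.lower() == "load" and d:
                findings.append(("windows_load", key, name, data))
            # The Winlogon shell should be exactly explorer.exe; extra tokens mean a hijack.
            if k == WINLOGON_KEY.lower() and name.lower() == "shell" and d != "explorer.exe":
                findings.append(("winlogon_shell", key, name, data))
            if C2_DOMAIN in d:
                findings.append(("c2_domain", key, name, data))
    return findings

def summarize(findings: List[Finding]) -> Dict[str, int]:
    return dict(Counter(category for category, _, _, _ in findings))

# Constructed sample export: ExampleUpdater and the C:\WINDOWS paths are assumptions; the
# malicious entries follow the description, with <version>/<try> left as placeholders.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"
"5stg3tX"="shltedit.exe"
"hdloker"="C:\\WINDOWS\\system32\\sxlntr.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load"="C:\\WINDOWS\\system32\\sxlntr.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe C:\\WINDOWS\\system32\\sxlntr.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{016235BE-59D4-4CEB-ADD5-E2378282A1D9}]
@=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Apropos\Client]
"ClientName"="C:\\Program Files\\CxtPls\\CxtPls.exe"
"ServerAddress"="adchannel.contextplus.net"
[HKEY_LOCAL_MACHINE\SOFTWARE\AutoLoader\AproposClient]
"LoadUrl"="http://download.contextplus.net/apropos/client/<version>/wb.pop/<try>/aproposclientinstaller.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\C2ij6AzFKfqm\AU2]
"SU"="http://au.contextplus.net/services/auserver"
'''

if __name__ == "__main__":
    for finding in find_apropos_indicators(parse_reg_export(SAMPLE_EXPORT)):
        print("%-15s %s  %s = %s" % finding)
```

On a real system, export the hives of interest with `reg export HKLM hklm.reg` (reg.exe writes UTF-16 with a byte-order mark, so read the file with `open(path, encoding="utf-16")`) and pass the text to `parse_reg_export`. The Winlogon shell and Windows\load checks are generic: they report any value other than a bare `explorer.exe` and any non-empty `load`, so they also surface persistence that uses names other than those listed here.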
Analysis by Patrik Vicol