Win32/Xadupi
Aliases: PUA/Subtab.Gen7 (Avira), W32/Trojan.IIIP-0438 (Command)
Summary
Windows Defender detects and removes this threat.
This threat is a trojan that poses as a useful application, usually called WinZipper or QKSee, but can silently download and install other malware.
This trojan is usually installed silently by BrowserModifier:Win32/Sasquor or BrowserModifier:Win32/SupTab, under the name "WinZipper", "QKSee", or both.
This threat is part of a suite of malware and unwanted software families that is also called "Fireball". Read more about this threat group in the Windows Security blog.
What to do now
Use the following free Microsoft software to detect and remove this threat:
- Windows Defender for Windows 10 and Windows 8.1, or Microsoft Security Essentials for Windows 7 and Windows Vista
- Microsoft Safety Scanner
You should also run a full scan. A full scan might find hidden malware.
Protect your sensitive information
This threat tries to steal your sensitive and confidential information. If you think your information has been stolen, see:
You should change your passwords after you've removed this threat:
Use cloud protection
The Microsoft Active Protection Service (MAPS) uses cloud protection to help guard against the latest malware threats. It’s turned on by default for Microsoft Security Essentials and Windows Defender for Windows 10.
Get more help
You can also see our advanced troubleshooting page or search the Microsoft virus and malware community for more help.
If you’re using Windows XP, see our Windows XP end of support page.
Threat behavior
Installation
This trojan is usually installed silently by BrowserModifier:Win32/Sasquor or BrowserModifier:Win32/SupTab, under the name "WinZipper", "QKSee", or both.
When this threat's installer runs, it writes its files under the %ProgramFiles% folder, for example:
- %ProgramFiles%\qksee\
- %ProgramFiles%\WinZipper\
The full set of files observed in each folder follows.
QKSee examples:
C:\Program Files (x86)\qksee\skin\oiview\image\default\action_line.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\btn_back.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\btn_screen_close.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\button_l.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\button_r.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\delete_logo.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\fileinfo_bound.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\guide_arrow.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\guide_catalogue.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\guide_catalogue1.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\icon_arrow.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\ico_auto.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\ico_catalogue.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\ico_enlarge.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\ico_files.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\ico_install_close.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\ico_more.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\ico_narrow.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\ico_next.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\ico_normal.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\ico_prev.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\ico_rotation_tl.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\ico_rotation_tr.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\ico_update.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\ico_upward.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\ico_view_close.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\ico_view_max.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\ico_view_min.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\ico_view_res.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\ico_warning.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\ico_zoom.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\input_catalogue.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\input_catalogue_single.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\install_button2.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\install_complete.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\invalid.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\logo_16x16.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\msg_bk.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\OIview_v1_33.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\OIview_v1_66.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\pic-error.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\picfolder_thum_bg.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\pic_back.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\pic_folder.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\pic_thum_bg.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\pic_thum_bg3.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\product\oivu_icon.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\product\thumbnail.ico
C:\Program Files (x86)\qksee\skin\oiview\image\default\product\top_logo.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\qMenu_bg.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\qMenu_over_bg.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\resource.xml
C:\Program Files (x86)\qksee\skin\oiview\image\default\screen_block.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\screen_thum.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\uninstall_bg.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\view_bg.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\vscroll.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\warning_bg.png
C:\Program Files (x86)\qksee\skin\oiview\layout\default\fullscreendlg.xml
C:\Program Files (x86)\qksee\skin\oiview\layout\default\iviewmaindlg.xml
C:\Program Files (x86)\qksee\skin\oiview\layout\default\messageboxdlg.xml
C:\Program Files (x86)\qksee\skin\oiview\layout\default\movewnd.xml
C:\Program Files (x86)\qksee\skin\oiview\layout\default\msgbox.xml
C:\Program Files (x86)\qksee\skin\oiview\layout\default\my_pc_menu.xml
C:\Program Files (x86)\qksee\skin\oiview\layout\default\oiviewtoolsdlg.xml
C:\Program Files (x86)\qksee\skin\oiview\style\style.xml
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\bk_b.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\btn_close.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\btn_goon.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\button_delete.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\button_selected.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\checkbox_cancel.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\checkbox_default.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\cover_bk.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\delete_logo.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\edit_skin.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\header_bk.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\icon_edit_pg.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\ico_files.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\ico_install_close.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\ico_uninstall_close.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\ico_update.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\ico_view_close.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\ico_view_max.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\ico_view_min.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\installbut.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\install_bg.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\install_button2.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\install_button3.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\install_check_checked.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\install_check_intermediate.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\install_check_uncheck.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\install_complete.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\install_progress_bk.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\install_progress_indicator.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\install_resource.xml
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\massagebox_bkg .png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\menuitem_selbk.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\menu_bkg.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\menu_item_over.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\messagebox_btn.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\OIview_v1_66.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\open_dir0.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\pic-error(2).png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\pic-error.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\pic-info.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\pic-question.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\pic-warning.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\product\app_icon.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\product\logo_install.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\product\logo_uninstall.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\product\picexa.ico
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\progressbar_anim.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\progress_bg.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\progress_install.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\progress_install_glow.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\progress_uninstall.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\progress_uninstall2.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\resource.xml
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\search_button.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\uninstall_bg.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\view_action_bg.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\view_bg.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\layout\default\msgbox.xml
C:\Program Files (x86)\qksee\skin\oi_uninstall\layout\default\oiviewcoverdlg.xml
C:\Program Files (x86)\qksee\skin\oi_uninstall\layout\default\oiviewInstall.xml
C:\Program Files (x86)\qksee\skin\oi_uninstall\layout\default\oiviewunInstall.xml
C:\Program Files (x86)\qksee\skin\oi_uninstall\layout\default\oiviewupgrade.xml
C:\Program Files (x86)\qksee\skin\oi_uninstall\style\install_style.xml
C:\Program Files (x86)\qksee\skin\oi_uninstall\style\style.xml
C:\Program Files (x86)\qksee\lang\oiviewinstall_lang.xml
C:\Program Files (x86)\qksee\lang\oiview_lang.xml
C:\Program Files (x86)\qksee\main
C:\Program Files (x86)\qksee\zlib1.dll
C:\Program Files (x86)\qksee\curlpp.dll
C:\Program Files (x86)\qksee\libcurl.dll
C:\Program Files (x86)\qksee\libeay32.dll
C:\Program Files (x86)\qksee\ssleay32.dll
C:\Program Files (x86)\qksee\msvcp110.dll
C:\Program Files (x86)\qksee\msvcr110.dll
C:\Program Files (x86)\qksee\msuser.dll
C:\Program Files (x86)\qksee\qksee.exe
C:\Program Files (x86)\qksee\uninstall.exe
C:\Program Files (x86)\qksee\qkseeSvc.exe
C:\Program Files (x86)\qksee\qkdup.exe
C:\Program Files (x86)\qksee\qkdl.exe
C:\Program Files (x86)\qksee\myuser.exe
C:\Program Files (x86)\qksee\oi_uninstall.inst
WinZipper examples:
C:\Program Files (x86)\WinZipper\image
C:\Program Files (x86)\WinZipper\language
C:\Program Files (x86)\WinZipper\layout
C:\Program Files (x86)\WinZipper\log
C:\Program Files (x86)\WinZipper\style
C:\Program Files (x86)\WinZipper\uninstaller
C:\Program Files (x86)\WinZipper\7z.dll
C:\Program Files (x86)\WinZipper\curlpp.dll
C:\Program Files (x86)\WinZipper\libcurl.dll
C:\Program Files (x86)\WinZipper\libeay32.dll
C:\Program Files (x86)\WinZipper\main
C:\Program Files (x86)\WinZipper\msvcp110.dll
C:\Program Files (x86)\WinZipper\msvcr110.dll
C:\Program Files (x86)\WinZipper\segoeui.ttf
C:\Program Files (x86)\WinZipper\segoeuib.ttf
C:\Program Files (x86)\WinZipper\ssleay32.dll
C:\Program Files (x86)\WinZipper\winziper.exe
C:\Program Files (x86)\WinZipper\winzipersvc.exe
C:\Program Files (x86)\WinZipper\wzdl.exe
C:\Program Files (x86)\WinZipper\wzShellctx64.dll
C:\Program Files (x86)\WinZipper\wzUninstall.exe
C:\Program Files (x86)\WinZipper\wzUpg.exe
C:\Program Files (x86)\WinZipper\wz_settings.ini
C:\Program Files (x86)\WinZipper\zlib1.dll
C:\Program Files (x86)\WinZipper\image\default
C:\Program Files (x86)\WinZipper\image\default\additem.png
C:\Program Files (x86)\WinZipper\image\default\app_icon.png
C:\Program Files (x86)\WinZipper\image\default\back.png
C:\Program Files (x86)\WinZipper\image\default\Background_Main.png
C:\Program Files (x86)\WinZipper\image\default\Background_Small_2.png
C:\Program Files (x86)\WinZipper\image\default\browse_button.png
C:\Program Files (x86)\WinZipper\image\default\checkbox_blank.png
C:\Program Files (x86)\WinZipper\image\default\checkbox_select.png
C:\Program Files (x86)\WinZipper\image\default\combo.png
C:\Program Files (x86)\WinZipper\image\default\combo_skin.png
C:\Program Files (x86)\WinZipper\image\default\deleteitem.png
C:\Program Files (x86)\WinZipper\image\default\deskbtnbk.png
C:\Program Files (x86)\WinZipper\image\default\edit_skin.png
C:\Program Files (x86)\WinZipper\image\default\extractto.png
C:\Program Files (x86)\WinZipper\image\default\folder.png
C:\Program Files (x86)\WinZipper\image\default\footerbg.png
C:\Program Files (x86)\WinZipper\image\default\install_back.png
C:\Program Files (x86)\WinZipper\image\default\install_button_skin.png
C:\Program Files (x86)\WinZipper\image\default\install_check_checked.png
C:\Program Files (x86)\WinZipper\image\default\install_check_intermediate.png
C:\Program Files (x86)\WinZipper\image\default\install_check_uncheck.png
C:\Program Files (x86)\WinZipper\image\default\install_logo.png
C:\Program Files (x86)\WinZipper\image\default\install_new_button_skin.png
C:\Program Files (x86)\WinZipper\image\default\install_resource.xml
C:\Program Files (x86)\WinZipper\image\default\listctrl_header_bk.png
C:\Program Files (x86)\WinZipper\image\default\listview_report.png
C:\Program Files (x86)\WinZipper\image\default\listview_thumb.png
C:\Program Files (x86)\WinZipper\image\default\menubg.png
C:\Program Files (x86)\WinZipper\image\default\menu_bkg.png
C:\Program Files (x86)\WinZipper\image\default\menu_item_over.png
C:\Program Files (x86)\WinZipper\image\default\onekeyextract.png
C:\Program Files (x86)\WinZipper\image\default\patch_file_icon.png
C:\Program Files (x86)\WinZipper\image\default\pic-error.png
C:\Program Files (x86)\WinZipper\image\default\pic-info.png
C:\Program Files (x86)\WinZipper\image\default\pic-question.png
C:\Program Files (x86)\WinZipper\image\default\pic-warning.png
C:\Program Files (x86)\WinZipper\image\default\popup_dialog_bk.png
C:\Program Files (x86)\WinZipper\image\default\progressbar_bk.png
C:\Program Files (x86)\WinZipper\image\default\progressbar_image.png
C:\Program Files (x86)\WinZipper\image\default\progress_bk.png
C:\Program Files (x86)\WinZipper\image\default\progress_meter.png
C:\Program Files (x86)\WinZipper\image\default\pwd_lock.png
C:\Program Files (x86)\WinZipper\image\default\pwd_unlock.png
C:\Program Files (x86)\WinZipper\image\default\radio_normal.png
C:\Program Files (x86)\WinZipper\image\default\radio_selected.png
C:\Program Files (x86)\WinZipper\image\default\resource.xml
C:\Program Files (x86)\WinZipper\image\default\settingbkg.png
C:\Program Files (x86)\WinZipper\image\default\settingtab.png
C:\Program Files (x86)\WinZipper\image\default\sys_button_close.png
C:\Program Files (x86)\WinZipper\image\default\sys_button_max.PNG
C:\Program Files (x86)\WinZipper\image\default\sys_button_min.PNG
C:\Program Files (x86)\WinZipper\image\default\sys_button_restore.PNG
C:\Program Files (x86)\WinZipper\image\default\sys_close.png
C:\Program Files (x86)\WinZipper\image\default\tobutton1.png
C:\Program Files (x86)\WinZipper\image\default\vscroll.png
C:\Program Files (x86)\WinZipper\language\en_us
C:\Program Files (x86)\WinZipper\language\es_es
C:\Program Files (x86)\WinZipper\language\pt_br
C:\Program Files (x86)\WinZipper\language\tr_tr
C:\Program Files (x86)\WinZipper\language\zh_cn
C:\Program Files (x86)\WinZipper\language\zh_tw
C:\Program Files (x86)\WinZipper\language\en_us\eCompress_lang.ini
C:\Program Files (x86)\WinZipper\language\en_us\install_lang.ini
C:\Program Files (x86)\WinZipper\language\es_es\eCompress_lang.ini
C:\Program Files (x86)\WinZipper\language\es_es\install_lang.ini
C:\Program Files (x86)\WinZipper\language\pt_br\eCompress_lang.ini
C:\Program Files (x86)\WinZipper\language\pt_br\install_lang.ini
C:\Program Files (x86)\WinZipper\language\tr_tr\eCompress_lang.ini
C:\Program Files (x86)\WinZipper\language\tr_tr\install_lang.ini
C:\Program Files (x86)\WinZipper\layout\default
C:\Program Files (x86)\WinZipper\layout\default\about.xml
C:\Program Files (x86)\WinZipper\layout\default\brower.xml
C:\Program Files (x86)\WinZipper\layout\default\compresspath.xml
C:\Program Files (x86)\WinZipper\layout\default\compresspwd.xml
C:\Program Files (x86)\WinZipper\layout\default\error.xml
C:\Program Files (x86)\WinZipper\layout\default\extractpath.xml
C:\Program Files (x86)\WinZipper\layout\default\install_msgbox.xml
C:\Program Files (x86)\WinZipper\layout\default\languageSelect.xml
C:\Program Files (x86)\WinZipper\layout\default\msgbox.xml
C:\Program Files (x86)\WinZipper\layout\default\OmigaZipInstall.xml
C:\Program Files (x86)\WinZipper\layout\default\overwrite.xml
C:\Program Files (x86)\WinZipper\layout\default\password.xml
C:\Program Files (x86)\WinZipper\layout\default\progress.xml
C:\Program Files (x86)\WinZipper\layout\default\rename.xml
C:\Program Files (x86)\WinZipper\layout\default\setting.xml
C:\Program Files (x86)\WinZipper\layout\default\uninstOmigaZip.xml
C:\Program Files (x86)\WinZipper\log\winzipersvc.log
C:\Program Files (x86)\WinZipper\style\install_style.xml
C:\Program Files (x86)\WinZipper\style\style.xml
C:\Program Files (x86)\WinZipper\uninstaller\OmigaZip.inst
It also usually installs a new folder in the Start Menu with two shortcuts, for example:
- %startmenu%\Programs\qksee\uninstall.lnk
- %startmenu%\Programs\qksee\qksee.lnk
Launching the "qksee" shortcut shows the QKSee interface.
This trojan also registers one of its executables as an automatic-start service, so it runs each time Windows starts.
QKSee example:
Service Name: qkseeService
Display Name: qkseeService
Description: qkseeService
Image Path: C:\Program Files (x86)\qksee\qkseeSvc.exe
Startup type: Automatic
WinZipper example:
Service Name: winzipersvc
Display Name: WinZiper service
Description: WinZipper service
Image Path: C:\Program Files (x86)\WinZipper\winzipersvc.exe
Startup type: Automatic
Payload
Modifies registry entries
The "WinZipper" variant of this trojan makes the following registry entry changes silently, without your consent, to associate itself with several archive file extensions, such as .zip and .rar. For example:
In subkey: HKCR\.zip
Sets value: "(Default)"
With data: "WinZippers.zip"
In subkey: HKCR\WinZippers.zip
Sets value: "(Default)"
With data: "WinZip"
In subkey: HKCR\WinZippers.zip\DefaultIcon
Sets value: "(Default)"
With data: "C:\Program Files (x86)\WinZipper\winziper.exe"
In subkey: HKCR\WinZippers.zip\shell\open\command
Sets value: "(Default)"
With data: ""C:\Program Files (x86)\WinZipper\winziper.exe" "o" "%1""
In subkey: HKCR\WinZippers.zip\shellex\DropHandler
Sets value: "(Default)"
With data: "{DC638EEA-2BA2-4459-9C46-85A2F0BE6040}"
In subkey: HKCR\.rar
Sets value: "(Default)"
With data: "WinZippers.rar"
In subkey: HKCR\WinZippers.rar
Sets value: "(Default)"
With data: "WinZip"
In subkey: HKCR\WinZippers.rar\DefaultIcon
Sets value: "(Default)"
With data: "C:\Program Files (x86)\WinZipper\winziper.exe,0"
In subkey: HKCR\WinZippers.rar\shell\open\command
Sets value: "(Default)"
With data: ""C:\Program Files (x86)\WinZipper\winziper.exe" "o" "%1""
Opening an archive file with one of these extensions then launches the WinZipper interface instead of the handler that was registered before.
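The artifacts documented above (install folders, Start Menu shortcuts, the two automatic-start services, and the HKCR file-association hijack) can be checked on a suspect host from one script. The following PowerShell is an added triage example written for this page; it is not Microsoft's tooling and not code from the write-up. It assumes the folder, service and ProgID names given above, is read-only (it reports and does not remove anything), and is meant to be run from an elevated PowerShell prompt.

```powershell
# Added triage script for Win32/Xadupi (QKSee / WinZipper); not part of the
# Microsoft write-up. Read-only: it reports artifacts, it does not remove them.
# Assumes the folder, service and ProgID names documented on this page.
$ErrorActionPreference = 'SilentlyContinue'
$findings = New-Object System.Collections.Generic.List[string]

# 1. Install folders and the executables they contain (hash them for sharing IOCs)
$folders = @(
    "$env:ProgramFiles\qksee",
    "${env:ProgramFiles(x86)}\qksee",
    "$env:ProgramFiles\WinZipper",
    "${env:ProgramFiles(x86)}\WinZipper"
)
foreach ($dir in $folders) {
    if (Test-Path -LiteralPath $dir) {
        $findings.Add("Folder present: $dir")
        Get-ChildItem -LiteralPath $dir -Filter '*.exe' -File | ForEach-Object {
            $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            $findings.Add("  Executable: $($_.Name)  SHA256=$hash")
        }
    }
}

# 2. Start Menu shortcut folder (per-user and all-users Start Menu)
foreach ($root in 'StartMenu', 'CommonStartMenu') {
    $lnkDir = Join-Path ([Environment]::GetFolderPath($root)) 'Programs\qksee'
    if (Test-Path -LiteralPath $lnkDir) { $findings.Add("Start Menu folder present: $lnkDir") }
}

# 3. Automatic-start services named in the service examples above
foreach ($name in 'qkseeService', 'winzipersvc') {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
    if ($svc) {
        $findings.Add("Service present: $($svc.Name) State=$($svc.State) StartMode=$($svc.StartMode) Path=$($svc.PathName)")
    }
}

# 4. File-association hijack: HKCR\.zip / HKCR\.rar default value pointing at WinZippers.*
#    HKCR: is not a PSDrive by default, so map it for this session.
if (-not (Get-PSDrive -Name HKCR)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}
foreach ($ext in '.zip', '.rar') {
    $progId = Get-ItemPropertyValue -LiteralPath "HKCR:\$ext" -Name '(default)'
    if ($progId -like 'WinZippers.*') {
        if (Test-Path -LiteralPath "HKCR:\$progId") {
            $cmd = Get-ItemPropertyValue -LiteralPath "HKCR:\$progId\shell\open\command" -Name '(default)'
            $findings.Add("Association hijacked: $ext -> $progId  open command: $cmd")
        } else {
            # ProgID key already gone (for example after AV remediation) but the
            # extension still points at it: these archives will not open until repaired.
            $findings.Add("Orphaned association: $ext -> $progId (ProgID key missing)")
        }
    }
}

if ($findings.Count -eq 0) { 'No Win32/Xadupi artifacts found.' } else { $findings }
```

The orphaned-association check is the caveat worth keeping after cleanup: removing the WinZipper files and the WinZippers.* ProgID keys does not by itself reset HKCR\.zip, so double-clicking a zip file can silently fail afterwards. Explorer's built-in handler is the CompressedFolder ProgID; setting the default value of HKCR\.zip back to it restores the stock behaviour. Windows has no built-in .rar handler, so that association should be pointed at whatever archiver was installed before or deleted.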
Downloads and executes additional malware
The service that this trojan installs periodically connects to a remote server over HTTP to check for instructions. The server can instruct the service to silently download and run additional files. We have seen Xadupi's service download the following malware:
- BrowserModifier:Win32/Sasquor
- BrowserModifier:Win32/SupTab
- Trojan:Win32/Ghokswa
- Trojan:Win32/Sussab
- Trojan:Win32/Chuckenit.A
Analysis by Hamish O'Dea
Prevention
The following can indicate that you have this threat on your PC:
- You see these files:
-
QKSee examples:
C:\Program Files (x86)\qksee\skin\oiview\image\default\action_line.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\btn_back.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\btn_screen_close.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\button_l.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\button_r.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\delete_logo.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\fileinfo_bound.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\guide_arrow.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\guide_catalogue.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\guide_catalogue1.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\icon_arrow.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\ico_auto.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\ico_catalogue.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\ico_enlarge.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\ico_files.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\ico_install_close.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\ico_more.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\ico_narrow.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\ico_next.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\ico_normal.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\ico_prev.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\ico_rotation_tl.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\ico_rotation_tr.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\ico_update.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\ico_upward.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\ico_view_close.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\ico_view_max.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\ico_view_min.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\ico_view_res.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\ico_warning.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\ico_zoom.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\input_catalogue.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\input_catalogue_single.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\install_button2.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\install_complete.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\invalid.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\logo_16x16.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\msg_bk.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\OIview_v1_33.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\OIview_v1_66.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\pic-error.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\picfolder_thum_bg.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\pic_back.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\pic_folder.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\pic_thum_bg.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\pic_thum_bg3.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\product\oivu_icon.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\product\thumbnail.ico
C:\Program Files (x86)\qksee\skin\oiview\image\default\product\top_logo.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\qMenu_bg.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\qMenu_over_bg.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\resource.xml
C:\Program Files (x86)\qksee\skin\oiview\image\default\screen_block.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\screen_thum.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\uninstall_bg.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\view_bg.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\vscroll.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\warning_bg.png
C:\Program Files (x86)\qksee\skin\oiview\layout\default\fullscreendlg.xml
C:\Program Files (x86)\qksee\skin\oiview\layout\default\iviewmaindlg.xml
C:\Program Files (x86)\qksee\skin\oiview\layout\default\messageboxdlg.xml
C:\Program Files (x86)\qksee\skin\oiview\layout\default\movewnd.xml
C:\Program Files (x86)\qksee\skin\oiview\layout\default\msgbox.xml
C:\Program Files (x86)\qksee\skin\oiview\layout\default\my_pc_menu.xml
C:\Program Files (x86)\qksee\skin\oiview\layout\default\oiviewtoolsdlg.xml
C:\Program Files (x86)\qksee\skin\oiview\style\style.xml
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\bk_b.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\btn_close.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\btn_goon.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\button_delete.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\button_selected.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\checkbox_cancel.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\checkbox_default.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\cover_bk.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\delete_logo.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\edit_skin.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\header_bk.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\icon_edit_pg.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\ico_files.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\ico_install_close.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\ico_uninstall_close.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\ico_update.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\ico_view_close.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\ico_view_max.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\ico_view_min.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\installbut.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\install_bg.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\install_button2.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\install_button3.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\install_check_checked.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\install_check_intermediate.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\install_check_uncheck.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\install_complete.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\install_progress_bk.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\install_progress_indicator.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\install_resource.xml
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\massagebox_bkg .png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\menuitem_selbk.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\menu_bkg.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\menu_item_over.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\messagebox_btn.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\OIview_v1_66.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\open_dir0.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\pic-error(2).png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\pic-error.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\pic-info.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\pic-question.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\pic-warning.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\product\app_icon.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\product\logo_install.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\product\logo_uninstall.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\product\picexa.ico
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\progressbar_anim.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\progress_bg.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\progress_install.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\progress_install_glow.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\progress_uninstall.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\progress_uninstall2.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\resource.xml
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\search_button.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\uninstall_bg.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\view_action_bg.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\view_bg.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\layout\default\msgbox.xml
C:\Program Files (x86)\qksee\skin\oi_uninstall\layout\default\oiviewcoverdlg.xml
C:\Program Files (x86)\qksee\skin\oi_uninstall\layout\default\oiviewInstall.xml
C:\Program Files (x86)\qksee\skin\oi_uninstall\layout\default\oiviewunInstall.xml
C:\Program Files (x86)\qksee\skin\oi_uninstall\layout\default\oiviewupgrade.xml
C:\Program Files (x86)\qksee\skin\oi_uninstall\style\install_style.xml
C:\Program Files (x86)\qksee\skin\oi_uninstall\style\style.xml
C:\Program Files (x86)\qksee\lang\oiviewinstall_lang.xml
C:\Program Files (x86)\qksee\lang\oiview_lang.xml
C:\Program Files (x86)\qksee\main
C:\Program Files (x86)\qksee\zlib1.dll
C:\Program Files (x86)\qksee\curlpp.dll
C:\Program Files (x86)\qksee\libcurl.dll
C:\Program Files (x86)\qksee\libeay32.dll
C:\Program Files (x86)\qksee\ssleay32.dll
C:\Program Files (x86)\qksee\msvcp110.dll
C:\Program Files (x86)\qksee\msvcr110.dll
C:\Program Files (x86)\qksee\msuser.dll
C:\Program Files (x86)\qksee\qksee.exe
C:\Program Files (x86)\qksee\uninstall.exe
C:\Program Files (x86)\qksee\qkseeSvc.exe
C:\Program Files (x86)\qksee\qkdup.exe
C:\Program Files (x86)\qksee\qkdl.exe
C:\Program Files (x86)\qksee\myuser.exe
C:\Program Files (x86)\qksee\oi_uninstall.inst
WinZipper examples:
C:\Program Files (x86)\WinZipper\image
C:\Program Files (x86)\WinZipper\language
C:\Program Files (x86)\WinZipper\layout
C:\Program Files (x86)\WinZipper\log
C:\Program Files (x86)\WinZipper\style
C:\Program Files (x86)\WinZipper\uninstaller
C:\Program Files (x86)\WinZipper\7z.dll
C:\Program Files (x86)\WinZipper\curlpp.dll
C:\Program Files (x86)\WinZipper\libcurl.dll
C:\Program Files (x86)\WinZipper\libeay32.dll
C:\Program Files (x86)\WinZipper\main
C:\Program Files (x86)\WinZipper\msvcp110.dll
C:\Program Files (x86)\WinZipper\msvcr110.dll
C:\Program Files (x86)\WinZipper\segoeui.ttf
C:\Program Files (x86)\WinZipper\segoeuib.ttf
C:\Program Files (x86)\WinZipper\ssleay32.dll
C:\Program Files (x86)\WinZipper\winziper.exe
C:\Program Files (x86)\WinZipper\winzipersvc.exe
C:\Program Files (x86)\WinZipper\wzdl.exe
C:\Program Files (x86)\WinZipper\wzShellctx64.dll
C:\Program Files (x86)\WinZipper\wzUninstall.exe
C:\Program Files (x86)\WinZipper\wzUpg.exe
C:\Program Files (x86)\WinZipper\wz_settings.ini
C:\Program Files (x86)\WinZipper\zlib1.dll
C:\Program Files (x86)\WinZipper\image\default
C:\Program Files (x86)\WinZipper\image\default\additem.png
C:\Program Files (x86)\WinZipper\image\default\app_icon.png
C:\Program Files (x86)\WinZipper\image\default\back.png
C:\Program Files (x86)\WinZipper\image\default\Background_Main.png
C:\Program Files (x86)\WinZipper\image\default\Background_Small_2.png
C:\Program Files (x86)\WinZipper\image\default\browse_button.png
C:\Program Files (x86)\WinZipper\image\default\checkbox_blank.png
C:\Program Files (x86)\WinZipper\image\default\checkbox_select.png
C:\Program Files (x86)\WinZipper\image\default\combo.png
C:\Program Files (x86)\WinZipper\image\default\combo_skin.png
C:\Program Files (x86)\WinZipper\image\default\deleteitem.png
C:\Program Files (x86)\WinZipper\image\default\deskbtnbk.png
C:\Program Files (x86)\WinZipper\image\default\edit_skin.png
C:\Program Files (x86)\WinZipper\image\default\extractto.png
C:\Program Files (x86)\WinZipper\image\default\folder.png
C:\Program Files (x86)\WinZipper\image\default\footerbg.png
C:\Program Files (x86)\WinZipper\image\default\install_back.png
C:\Program Files (x86)\WinZipper\image\default\install_button_skin.png
C:\Program Files (x86)\WinZipper\image\default\install_check_checked.png
C:\Program Files (x86)\WinZipper\image\default\install_check_intermediate.png
C:\Program Files (x86)\WinZipper\image\default\install_check_uncheck.png
C:\Program Files (x86)\WinZipper\image\default\install_logo.png
C:\Program Files (x86)\WinZipper\image\default\install_new_button_skin.png
C:\Program Files (x86)\WinZipper\image\default\install_resource.xml
C:\Program Files (x86)\WinZipper\image\default\listctrl_header_bk.png
C:\Program Files (x86)\WinZipper\image\default\listview_report.png
C:\Program Files (x86)\WinZipper\image\default\listview_thumb.png
C:\Program Files (x86)\WinZipper\image\default\menubg.png
C:\Program Files (x86)\WinZipper\image\default\menu_bkg.png
C:\Program Files (x86)\WinZipper\image\default\menu_item_over.png
C:\Program Files (x86)\WinZipper\image\default\onekeyextract.png
C:\Program Files (x86)\WinZipper\image\default\patch_file_icon.png
C:\Program Files (x86)\WinZipper\image\default\pic-error.png
C:\Program Files (x86)\WinZipper\image\default\pic-info.png
C:\Program Files (x86)\WinZipper\image\default\pic-question.png
C:\Program Files (x86)\WinZipper\image\default\pic-warning.png
C:\Program Files (x86)\WinZipper\image\default\popup_dialog_bk.png
C:\Program Files (x86)\WinZipper\image\default\progressbar_bk.png
C:\Program Files (x86)\WinZipper\image\default\progressbar_image.png
C:\Program Files (x86)\WinZipper\image\default\progress_bk.png
C:\Program Files (x86)\WinZipper\image\default\progress_meter.png
C:\Program Files (x86)\WinZipper\image\default\pwd_lock.png
C:\Program Files (x86)\WinZipper\image\default\pwd_unlock.png
C:\Program Files (x86)\WinZipper\image\default\radio_normal.png
C:\Program Files (x86)\WinZipper\image\default\radio_selected.png
C:\Program Files (x86)\WinZipper\image\default\resource.xml
C:\Program Files (x86)\WinZipper\image\default\settingbkg.png
C:\Program Files (x86)\WinZipper\image\default\settingtab.png
C:\Program Files (x86)\WinZipper\image\default\sys_button_close.png
C:\Program Files (x86)\WinZipper\image\default\sys_button_max.PNG
C:\Program Files (x86)\WinZipper\image\default\sys_button_min.PNG
C:\Program Files (x86)\WinZipper\image\default\sys_button_restore.PNG
C:\Program Files (x86)\WinZipper\image\default\sys_close.png
C:\Program Files (x86)\WinZipper\image\default\tobutton1.png
C:\Program Files (x86)\WinZipper\image\default\vscroll.png
C:\Program Files (x86)\WinZipper\language\en_us
C:\Program Files (x86)\WinZipper\language\es_es
C:\Program Files (x86)\WinZipper\language\pt_br
C:\Program Files (x86)\WinZipper\language\tr_tr
C:\Program Files (x86)\WinZipper\language\zh_cn
C:\Program Files (x86)\WinZipper\language\zh_tw
C:\Program Files (x86)\WinZipper\language\en_us\eCompress_lang.ini
C:\Program Files (x86)\WinZipper\language\en_us\install_lang.ini
C:\Program Files (x86)\WinZipper\language\es_es\eCompress_lang.ini
C:\Program Files (x86)\WinZipper\language\es_es\install_lang.ini
C:\Program Files (x86)\WinZipper\language\pt_br\eCompress_lang.ini
C:\Program Files (x86)\WinZipper\language\pt_br\install_lang.ini
C:\Program Files (x86)\WinZipper\language\tr_tr\eCompress_lang.ini
C:\Program Files (x86)\WinZipper\language\tr_tr\install_lang.ini
C:\Program Files (x86)\WinZipper\layout\default
C:\Program Files (x86)\WinZipper\layout\default\about.xml
C:\Program Files (x86)\WinZipper\layout\default\brower.xml
C:\Program Files (x86)\WinZipper\layout\default\compresspath.xml
C:\Program Files (x86)\WinZipper\layout\default\compresspwd.xml
C:\Program Files (x86)\WinZipper\layout\default\error.xml
C:\Program Files (x86)\WinZipper\layout\default\extractpath.xml
C:\Program Files (x86)\WinZipper\layout\default\install_msgbox.xml
C:\Program Files (x86)\WinZipper\layout\default\languageSelect.xml
C:\Program Files (x86)\WinZipper\layout\default\msgbox.xml
C:\Program Files (x86)\WinZipper\layout\default\OmigaZipInstall.xml
C:\Program Files (x86)\WinZipper\layout\default\overwrite.xml
C:\Program Files (x86)\WinZipper\layout\default\password.xml
C:\Program Files (x86)\WinZipper\layout\default\progress.xml
C:\Program Files (x86)\WinZipper\layout\default\rename.xml
C:\Program Files (x86)\WinZipper\layout\default\setting.xml
C:\Program Files (x86)\WinZipper\layout\default\uninstOmigaZip.xml
C:\Program Files (x86)\WinZipper\log\winzipersvc.log
C:\Program Files (x86)\WinZipper\style\install_style.xml
C:\Program Files (x86)\WinZipper\style\style.xml
C:\Program Files (x86)\WinZipper\uninstaller\OmigaZip.inst
You see the following shortcuts in your Start menu:
- %startmenu%\Programs\qksee\uninstall.lnk
- %startmenu%\Programs\qksee\qksee.lnk
You see the following registry entry modifications:
In subkey: HKCR\.zip
Sets value: "(Default)"
With data: "WinZippers.zip"
In subkey: HKCR\WinZippers.zip
Sets value: "(Default)"
With data: "WinZip"
In subkey: HKCR\WinZippers.zip\DefaultIcon
Sets value: "(Default)"
With data: "C:\Program Files (x86)\WinZipper\winziper.exe"
In subkey: HKCR\WinZippers.zip\shell\open\command
Sets value: "(Default)"
With data: ""C:\Program Files (x86)\WinZipper\winziper.exe" "o" "%1""
In subkey: HKCR\WinZippers.zip\shellex\DropHandler
Sets value: "(Default)"
With data: "{DC638EEA-2BA2-4459-9C46-85A2F0BE6040}"
In subkey: HKCR\.rar
Sets value: "(Default)"
With data: "WinZippers.rar"
In subkey: HKCR\WinZippers.rar
Sets value: "(Default)"
With data: "WinZip"
In subkey: HKCR\WinZippers.rar\DefaultIcon
Sets value: "(Default)"
With data: "C:\Program Files (x86)\WinZipper\winziper.exe,0"
In subkey: HKCR\WinZippers.rar\shell\open\command
Sets value: "(Default)"
With data: ""C:\Program Files (x86)\WinZipper\winziper.exe" "o" "%1""
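The file, shortcut and registry artifacts listed above can be checked read-only from an elevated PowerShell prompt. This is an added example, not part of the Microsoft write-up; it assumes the default %ProgramFiles% install locations and the WinZippers.zip / WinZippers.rar ProgIDs given on this page, and it only reports what it finds.

```powershell
# Added example (not from the Microsoft page): read-only check for the Win32/Xadupi
# artifacts listed above. Paths and ProgIDs come from the page; nothing is modified.
$findings = New-Object System.Collections.Generic.List[string]

# Dropped executables under %ProgramFiles% for both install names (WinZipper, qksee)
$pf = ${env:ProgramFiles(x86)}; if (-not $pf) { $pf = $env:ProgramFiles }
$files = @('WinZipper\winziper.exe', 'WinZipper\winzipersvc.exe', 'WinZipper\wzdl.exe',
           'qksee\qksee.exe', 'qksee\qkseeSvc.exe', 'qksee\qkdl.exe')
foreach ($f in $files) {
    $p = Join-Path $pf $f
    if (Test-Path -LiteralPath $p) { $findings.Add("file: $p") }
}

# Start menu shortcuts (%startmenu% may be the per-user or the all-users Start menu)
foreach ($root in @([Environment]::GetFolderPath('StartMenu'),
                    [Environment]::GetFolderPath('CommonStartMenu'))) {
    foreach ($lnk in @('Programs\qksee\uninstall.lnk', 'Programs\qksee\qksee.lnk')) {
        $p = Join-Path $root $lnk
        if (Test-Path -LiteralPath $p) { $findings.Add("shortcut: $p") }
    }
}

# File associations: .zip/.rar redirected to the WinZippers ProgIDs whose
# shell\open\command launches winziper.exe
$assoc = @{ '.zip' = 'WinZippers.zip'; '.rar' = 'WinZippers.rar' }
foreach ($ext in $assoc.Keys) {
    $extKey = "Registry::HKEY_CLASSES_ROOT\$ext"
    $progId = (Get-ItemProperty -Path $extKey -ErrorAction SilentlyContinue).'(default)'
    if ($progId -eq $assoc[$ext]) {
        $findings.Add("assoc: $ext -> $progId")
        $cmdKey = "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
        $cmd = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
        if ($cmd -and $cmd -match 'winziper\.exe') { $findings.Add("open command: $cmd") }
    }
}

if ($findings.Count -eq 0) { 'No Win32/Xadupi artifacts from this listing were found.' }
else { $findings }
```

A hit on the association keys alone is worth following up even when the executables are gone, since the .zip and .rar handlers would still point at a missing winziper.exe.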