Technical Information
Malicious functions:
Creates and executes the following:
- %TEMP%\unblacklist.exe pollkeobaahnbmpcgombjfibedabcddd
- %TEMP%\forceffaddon.exe "%APPDATA%\SDIV 2.0\Lib\xpi"
- %TEMP%\nsu3.tmp\ext_installer.exe /S
- %TEMP%\nsu3.tmp\FBDownloader.exe /S
- %TEMP%\nsz6.tmp\FBDownloaderSetup.exe /S
Executes the following:
- <SYSTEM32>\msiexec.exe /V
- <SYSTEM32>\msiexec.exe /x "%APPDATA%\SDIV 2.0\Lib\FBDownloader.msi" /quiet /norestart
Terminates or attempts to terminate
the following user processes:
- firefox.exe
Sets a new unauthorized home page for Windows Internet Explorer.
Modifies file system :
Creates the following files:
- %APPDATA%\SDIV 2.0\Lib\xpi\chrome\skin\classic\classic\download_tagged_hover.png
- %APPDATA%\SDIV 2.0\Lib\xpi\chrome\skin\classic\classic\FacebookDownloader_16x16_Source.png
- %APPDATA%\SDIV 2.0\Lib\xpi\chrome\skin\classic\classic\FacebookDownloader_16x16_Source_off.png
- %APPDATA%\SDIV 2.0\Lib\xpi\chrome\skin\classic\classic\download_photo.png
- %APPDATA%\SDIV 2.0\Lib\xpi\chrome\skin\classic\classic\download_photo_hover.png
- %APPDATA%\SDIV 2.0\Lib\xpi\chrome\skin\classic\classic\download_tagged.png
- %APPDATA%\SDIV 2.0\Lib\xpi\chrome\skin\classic\classic\fbdownloader_bgFooterButton16x25.png
- %APPDATA%\SDIV 2.0\Lib\xpi\chrome\skin\classic\classic\overlay.css
- %APPDATA%\SDIV 2.0\Lib\xpi\chrome\skin\classic\classic\progressbar.png
- %APPDATA%\SDIV 2.0\Lib\xpi\chrome\skin\classic\classic\FacebookDownloader_24.png
- %APPDATA%\SDIV 2.0\Lib\xpi\chrome\skin\classic\classic\FacebookDownloader_32.png
- %APPDATA%\SDIV 2.0\Lib\xpi\chrome\skin\classic\classic\fb_loader.gif
- %APPDATA%\SDIV 2.0\Lib\xpi\chrome\content\props.js
- %APPDATA%\SDIV 2.0\Lib\xpi\chrome\content\utils.js
- %APPDATA%\SDIV 2.0\Lib\xpi\chrome\locale\en-US\strings.dtd
- %APPDATA%\SDIV 2.0\Lib\xpi\chrome\content\json.js
- %APPDATA%\SDIV 2.0\Lib\xpi\chrome\content\overlay.js
- %APPDATA%\SDIV 2.0\Lib\xpi\chrome\content\overlay.xul
- %APPDATA%\SDIV 2.0\Lib\xpi\chrome\skin\classic\classic\dialog.css
- %APPDATA%\SDIV 2.0\Lib\xpi\chrome\skin\classic\classic\download_album.png
- %APPDATA%\SDIV 2.0\Lib\xpi\chrome\skin\classic\classic\download_album_hover.png
- %APPDATA%\SDIV 2.0\Lib\xpi\chrome\skin\classic\black_arrow.png
- %APPDATA%\SDIV 2.0\Lib\xpi\chrome\skin\classic\classic\black_arrow.png
- %APPDATA%\SDIV 2.0\Lib\xpi\chrome\skin\classic\classic\content.css
- %APPDATA%\SDIV 2.0\Lib\xpi\chrome\skin\classic\fb_loader.gif
- %APPDATA%\SDIV 2.0\Lib\xpi\chrome\skin\classic\fbdownloader_bgFooterButton16x25.png
- %APPDATA%\SDIV 2.0\Lib\xpi\chrome\skin\classic\overlay.css
- %APPDATA%\SDIV 2.0\Lib\xpi\chrome\skin\classic\FacebookDownloader_16x16_Source_off.png
- %APPDATA%\SDIV 2.0\Lib\xpi\chrome\skin\classic\FacebookDownloader_24.png
- %APPDATA%\SDIV 2.0\Lib\xpi\chrome\skin\classic\FacebookDownloader_32.png
- %APPDATA%\SDIV 2.0\Lib\xpi\chrome\skin\classic\tick.png
- %APPDATA%\SDIV 2.0\Lib\xpi\chrome.manifest
- %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions.sqlite-journal
- %APPDATA%\SDIV 2.0\Lib\xpi\chrome\skin\classic\progressbar.png
- %APPDATA%\SDIV 2.0\Lib\xpi\chrome\skin\classic\recommend.jpg
- %APPDATA%\SDIV 2.0\Lib\xpi\chrome\skin\classic\share.jpg
- %APPDATA%\SDIV 2.0\Lib\xpi\chrome\skin\classic\content.css
- %APPDATA%\SDIV 2.0\Lib\xpi\chrome\skin\classic\dialog.css
- %APPDATA%\SDIV 2.0\Lib\xpi\chrome\skin\classic\download_album.png
- %APPDATA%\SDIV 2.0\Lib\xpi\chrome\skin\classic\classic\recommend.jpg
- %APPDATA%\SDIV 2.0\Lib\xpi\chrome\skin\classic\classic\share.jpg
- %APPDATA%\SDIV 2.0\Lib\xpi\chrome\skin\classic\classic\tick.png
- %APPDATA%\SDIV 2.0\Lib\xpi\chrome\skin\classic\download_tagged.png
- %APPDATA%\SDIV 2.0\Lib\xpi\chrome\skin\classic\download_tagged_hover.png
- %APPDATA%\SDIV 2.0\Lib\xpi\chrome\skin\classic\FacebookDownloader_16x16_Source.png
- %APPDATA%\SDIV 2.0\Lib\xpi\chrome\skin\classic\download_album_hover.png
- %APPDATA%\SDIV 2.0\Lib\xpi\chrome\skin\classic\download_photo.png
- %APPDATA%\SDIV 2.0\Lib\xpi\chrome\skin\classic\download_photo_hover.png
- %PROGRAM_FILES%\fbDownloader\Newtonsoft.Json.dll
- %PROGRAM_FILES%\fbDownloader\FacebookDownloader_48x48_Source.ico
- %PROGRAM_FILES%\fbDownloader\DotNetCheck.exe
- %PROGRAM_FILES%\fbDownloader\pdt.txt
- %PROGRAM_FILES%\fbDownloader\Facebook.dll
- %PROGRAM_FILES%\fbDownloader\FacebookAPI.dll
- %PROGRAM_FILES%\fbDownloader\content.txt
- %HOMEPATH%\Desktop\fbDownloader.lnk
- %HOMEPATH%\Start Menu\Programs\fbDownloader\fbDownloader.lnk
- %PROGRAM_FILES%\fbDownloader\Microsoft.VC90.DebugCRT.manifest
- %PROGRAM_FILES%\fbDownloader\msvcp90d.dll
- %PROGRAM_FILES%\fbDownloader\msvcr90d.dll
- %PROGRAM_FILES%\fbDownloader\Uninstall.ini
- %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\prefs.js.new
- %TEMP%\nsz6.tmp\System.dll
- %TEMP%\nso2.tmp
- %TEMP%\nso5.tmp
- %TEMP%\nsz6.tmp\UserInfo.dll
- %TEMP%\nsz6.tmp\FBDownloaderSetup.exe
- %TEMP%\nst8.tmp
- %PROGRAM_FILES%\fbDownloader\fbDownloader.exe
- %TEMP%\nsz6.tmp\inetc.dll
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\ga[1].aspx
- %TEMP%\nsz6.tmp\ga.tmp
- %APPDATA%\SDIV 2.0\Lib\xpi\chrome\content\contentScripts\background.js
- %APPDATA%\SDIV 2.0\Lib\xpi\chrome\content\contentScripts\content_script.js
- %APPDATA%\SDIV 2.0\Lib\xpi\chrome\content\contentScripts\jquery.js
- %TEMP%\forceffaddon.exe
- %TEMP%\nsrB.tmp\ZipDLL.dll
- %APPDATA%\SDIV 2.0\Lib\xpi\install.rdf
- %APPDATA%\SDIV 2.0\Lib\xpi\chrome\content\contentScripts\utils.js
- %APPDATA%\SDIV 2.0\Lib\xpi\chrome\content\downloader.js
- %APPDATA%\SDIV 2.0\Lib\xpi\chrome\content\feedbackCalls.js
- %APPDATA%\SDIV 2.0\Lib\xpi\chrome\content\contentScripts\json.js
- %APPDATA%\SDIV 2.0\Lib\xpi\chrome\content\contentScripts\login.js
- %APPDATA%\SDIV 2.0\Lib\xpi\chrome\content\contentScripts\task.js
- %PROGRAM_FILES%\fbDownloader\uninstall fbDownloader.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\ga[1].aspx
- %TEMP%\nstA.tmp
- %PROGRAM_FILES%\fbDownloader\fbDownloader.url
- %HOMEPATH%\Start Menu\Programs\fbDownloader\Website.lnk
- %HOMEPATH%\Start Menu\Programs\fbDownloader\Uninstall.lnk
- %APPDATA%\UpdMgr\updmgr.exe
- %APPDATA%\UpdMgr\version.txt
- %TEMP%\unblacklist.exe
- %APPDATA%\SDIV 2.0\Lib\fbdownloader.xpi
- %APPDATA%\SDIV 2.0\Lib\FBDownloader.crx
- %APPDATA%\SDIV 2.0\Lib\FBDownloader.msi
Deletes the following files:
- %TEMP%\nsz6.tmp\System.dll
- %TEMP%\nsz6.tmp\UserInfo.dll
- %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions.sqlite-journal
- %TEMP%\nsz6.tmp\FBDownloaderSetup.exe
- %TEMP%\nsz6.tmp\ga.tmp
- %TEMP%\nsz6.tmp\inetc.dll
Network activity:
Connects to:
- 'fb####loader.com':80
TCP:
HTTP GET requests:
- fb####loader.com/webservices/ga.aspx?ca#####################################
- fb####loader.com/webservices/ga.aspx?ca####################################
UDP:
- DNS ASK fb####loader.com
Miscellaneous:
Searches for the following windows:
- ClassName: 'MozillaWindowClass' WindowName: ''
- ClassName: 'Chrome_WidgetWin_0' WindowName: ''
- ClassName: 'SysListView32' WindowName: ''
- ClassName: '#32770' WindowName: ''
- ClassName: 'Shell_TrayWnd' WindowName: ''
