Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'CashBack' = '%PROGRAM_FILES%\CashBack\bin\cashback.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'NaviSearch' = '%PROGRAM_FILES%\NaviSearch\bin\nls.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'BullsEye Network' = '%PROGRAM_FILES%\BullsEye Network\bin\bargains.exe'
Malicious functions:
Creates and executes the following:
- %PROGRAM_FILES%\CashBack\bin\cashback.exe
- %WINDIR%\exdl.exe 3~No 2~No 1~No
- %PROGRAM_FILES%\NaviSearch\bin\nls.exe
- <SYSTEM32>\exdl2.exe 2~0
- <SYSTEM32>\exdl3.exe 3~0
- %WINDIR%\cb8040_MARKETING11.exe
- %WINDIR%\adp8043_MARKETING11.exe
- %PROGRAM_FILES%\Funcade\package_funcade_MARKETING11.exe
- %PROGRAM_FILES%\Funcade\funcade.exe
- %PROGRAM_FILES%\BullsEye Network\bin\bargains.exe
- %WINDIR%\nls8041_MARKETING11.exe
Executes the following:
- <SYSTEM32>\regsvr32.exe /s <SYSTEM32>\nvms.dll
- <SYSTEM32>\regsvr32.exe /s <SYSTEM32>\mscb.dll
- %WINDIR%\explorer.exe "http://www.na###earch.net/redir/forwarding.php?ty#####"
- <SYSTEM32>\regsvr32.exe /s <SYSTEM32>\msbe.dll
Modifies file system :
Creates the following files:
- %PROGRAM_FILES%\CashBack\icon.gif
- %PROGRAM_FILES%\CashBack\logo.gif
- %PROGRAM_FILES%\CashBack\bb_welcome1.swf
- %PROGRAM_FILES%\CashBack\blank.gif
- %PROGRAM_FILES%\CashBack\bin\cashback.exe
- C:\temp\bb_click_wider.swf
- C:\temp\bb_auto_wider.swf
- %PROGRAM_FILES%\CashBack\bin\cb.exe
- %PROGRAM_FILES%\CashBack\bin\flash.exe
- %PROGRAM_FILES%\CashBack\bb_welcome.html
- %PROGRAM_FILES%\CashBack\cashback.exe
- %PROGRAM_FILES%\CashBack\cb.exe
- %TEMP%\nstA.tmp
- %PROGRAM_FILES%\CashBack\mscb.dll
- %PROGRAM_FILES%\CashBack\flash.exe
- %PROGRAM_FILES%\CashBack\bb_click_wider.swf
- %PROGRAM_FILES%\CashBack\bb_auto_wider.swf
- %PROGRAM_FILES%\CashBack\template.html
- %PROGRAM_FILES%\CashBack\template2.html
- C:\temp\bb_welcome.html
- <SYSTEM32>\exdl2.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\69I9OPW5\webservice[1].main
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\SL6TKFAX\webservice[1].main
- <SYSTEM32>\exdl3.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\0D6B6PI5\webservice[2].main
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\69I9OPW5\webservice[2].main
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\0D6B6PI5\webservice[3].main
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\ULU3YH2D\webservice[2].main
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\SL6TKFAX\webservice[2].main
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\ULU3YH2D\webservice[1].main
- C:\temp\icon.gif
- C:\temp\logo.gif
- C:\temp\bb_welcome1.swf
- C:\temp\blank.gif
- <SYSTEM32>\mscb.dll
- %PROGRAM_FILES%\NaviSearch\t1309778657.dec
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\0D6B6PI5\webservice[1].main
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\69I9OPW5\forwarding[1].php
- %PROGRAM_FILES%\CashBack\Uninstall.exe
- <SYSTEM32>\bbchk.exe
- %HOMEPATH%\Desktop\Funcade.lnk
- <SYSTEM32>\exul.exe
- <SYSTEM32>\javexulm.vxd
- %WINDIR%\exclean.exe
- %WINDIR%\adp8043_MARKETING11.exe
- %HOMEPATH%\Start Menu\Programs\Funcade\Uninstall.lnk
- %HOMEPATH%\Start Menu\Programs\Funcade\Funcade.lnk
- <SYSTEM32>\exclean.exe
- <SYSTEM32>\mqexdlm.srg
- %PROGRAM_FILES%\Funcade\package_funcade_MARKETING11.exe
- %PROGRAM_FILES%\Funcade\uninstall.exe
- %TEMP%\nsu2.tmp
- %PROGRAM_FILES%\Funcade\funcade.exe
- %TEMP%\nso4.tmp
- %WINDIR%\bbchk.exe
- <SYSTEM32>\exdl.exe
- %WINDIR%\exdl.exe
- %WINDIR%\exul.exe
- %TEMP%\nso6.tmp
- %PROGRAM_FILES%\NaviSearch\nls.exe
- %PROGRAM_FILES%\NaviSearch\ad-nls.dat
- %TEMP%\nsf8.tmp
- %PROGRAM_FILES%\NaviSearch\nvms.dll
- %PROGRAM_FILES%\NaviSearch\bin\nls.exe
- %PROGRAM_FILES%\NaviSearch\Uninstall.exe
- %WINDIR%\cb8040_MARKETING11.exe
- %PROGRAM_FILES%\NaviSearch\ad.dat
- <SYSTEM32>\nvms.dll
- %WINDIR%\nls8041_MARKETING11.exe
- %PROGRAM_FILES%\BullsEye Network\adx.exe
- %PROGRAM_FILES%\BullsEye Network\msbe.dll
- %PROGRAM_FILES%\BullsEye Network\bargains.exe
- %PROGRAM_FILES%\BullsEye Network\adv.exe
- %PROGRAM_FILES%\BullsEye Network\bin\bargains.exe
- <SYSTEM32>\msbe.dll
- %PROGRAM_FILES%\BullsEye Network\Uninstall.exe
- %PROGRAM_FILES%\BullsEye Network\bin\adv.exe
- %PROGRAM_FILES%\BullsEye Network\bin\adx.exe
Deletes the following files:
- %PROGRAM_FILES%\CashBack\flash.exe
- %WINDIR%\cb8040_MARKETING11.exe
- %PROGRAM_FILES%\CashBack\cashback.exe
- %PROGRAM_FILES%\CashBack\cb.exe
- %WINDIR%\exdl.exe
- %WINDIR%\exclean.exe
- %PROGRAM_FILES%\NaviSearch\t1309778657.dec
- %WINDIR%\exul.exe
- %WINDIR%\bbchk.exe
- %PROGRAM_FILES%\CashBack\mscb.dll
- %PROGRAM_FILES%\BullsEye Network\adv.exe
- %PROGRAM_FILES%\BullsEye Network\adx.exe
- %PROGRAM_FILES%\BullsEye Network\msbe.dll
- %PROGRAM_FILES%\BullsEye Network\bargains.exe
- %WINDIR%\adp8043_MARKETING11.exe
- %PROGRAM_FILES%\NaviSearch\ad-nls.dat
- %WINDIR%\nls8041_MARKETING11.exe
- %PROGRAM_FILES%\NaviSearch\nvms.dll
- %PROGRAM_FILES%\NaviSearch\nls.exe
Network activity:
Connects to:
- 'se#####.bargain-buddy.net':80
- 'www.na###earch.net':80
- 'localhost':1035
TCP:
HTTP GET requests:
- se#####.bargain-buddy.net/scripts/adpopper/webservice.main?ve###############################################
- se#####.bargain-buddy.net/scripts/adpopper/webservice.main?ve####################################################
- se#####.bargain-buddy.net/scripts/adpopper/webservice.main?ve######################################################################
- www.na###earch.net/redir/forwarding.php?ty#####
- se#####.bargain-buddy.net/scripts/adpopper/webservice.main?ve###################################################
- se#####.bargain-buddy.net/scripts/adpopper/webservice.main?ve#############################################
UDP:
- DNS ASK se#####.bargain-buddy.net
- DNS ASK www.na###earch.net
Miscellaneous:
Searches for the following windows:
- ClassName: 'MS_AutodialMonitor' WindowName: ''
- ClassName: 'nls_wnd_class' WindowName: 'nls module'
- ClassName: 'cashback_wnd_class' WindowName: 'cashback module'
- ClassName: 'MS_WebcheckMonitor' WindowName: ''
- ClassName: '' WindowName: 'adp module'
- ClassName: 'adp_wnd_class' WindowName: 'adp'
- ClassName: 'Shell_TrayWnd' WindowName: ''
- ClassName: '' WindowName: ''
- ClassName: 'adp_wnd_class' WindowName: 'adp module'
