ThreatExpert Report

Submission Summary:

Submission details:

Submission received: 3 August 2008, 19:55:59
Processing time: 5 min 10 sec
Submitted sample:

File MD5: 0x042C5B392173CE5786101766B5E9A001
File SHA-1: 0x48A0F11A2313EBB4A20EEABEBA3D652E5738ADDB
Filesize: 842,896 bytes

Summary of the findings:

What's been found	Severity Level
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! Characteristics of the following security risk was identified in the system:

Security Risk	Description
Spyware.180search_Assistant	180search Assistant produces targeted pop-up advertisements based on what users browse. To produce these targeted advertisements, 180search Assistant collects keywords from websites you visit including portions of website addresses or URLs, which can include users search terms. 180search Assistant is also known to be downloaded along with other malware.

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash
1	%AppData%\Mozilla\Plugins\npoctoshape.dll %ProgramFiles%\Octoshape Streaming Services\%UserName%\octoprogram-L03-NMS0806110_SUA_900\npoctoshape.dll	165,136 bytes	MD5: 0x25C6372503BF9EF1841B49AF4556018B SHA-1: 0xF37EFF7B7DE73F5542B5AC7281B4B5D38EE38CE5
2	%AppData%\Mozilla\Plugins\npoctoshape.xpt %ProgramFiles%\Octoshape Streaming Services\%UserName%\octoprogram-L03-NMS0806110_SUA_900\npoctoshape.xpt	193 bytes	MD5: 0xE4D29FC09869094D74DA24924D64646F SHA-1: 0xBDCCA7323089BD8CBCD2D6C3AA12B4758190211A
3	%DesktopDir%\Octoshape Streaming Services.lnk	992 bytes	MD5: 0x02A4EF465F3D559E3FA1767522C7E724 SHA-1: 0x48790B09599E24D68BCBB7FCE47078945F720948
4	%Programs%\Octoshape Streaming Services\License.lnk	936 bytes	MD5: 0x6125B956DF92EDFA2EDF64506F093071 SHA-1: 0x6795E8C45DC628FBE8B85D636BEA57F23D30A1B2
5	%Programs%\Octoshape Streaming Services\Octoshape Streaming Services.lnk	1,008 bytes	MD5: 0x5F8054814A4B9C6BF9DF06C334FE1B82 SHA-1: 0xFDD1C34EEB7AD8DFBC7AAF0C09BF49E71ABAE0C5
6	%Programs%\Octoshape Streaming Services\Uninstall Octoshape Streaming Services.lnk	931 bytes	MD5: 0x61E1245E964879B9F62F6F05F3ED446A SHA-1: 0x2DF1F05627E74606D1BB62817016DEEBCF67D654
7	%ProgramFiles%\Octoshape Streaming Services\%UserName%\EULA_de.rtf	35,439 bytes	MD5: 0x3E496F3A1E194DD78C93C06B7C57757B SHA-1: 0x40EDA413673B62F54E623C100B38D4C462D96166
8	%ProgramFiles%\Octoshape Streaming Services\%UserName%\EULA_en.rtf	27,398 bytes	MD5: 0x53861DEDDC5956C36F89B9D3FF7B9088 SHA-1: 0xEA77A5D9FAEACE07B1EDA40A70A4CA7A723FE315
9	%ProgramFiles%\Octoshape Streaming Services\%UserName%\install.xml	23 bytes	MD5: 0x5569E8D74BEBF097D8D1786B162DB523 SHA-1: 0xBF23D63E8C21A886785F4E6C5393215FA0F5CE12
10	%ProgramFiles%\Octoshape Streaming Services\%UserName%\octoprogram-L03-NMS0806110-U01_SUA_900\confirmed.txt %ProgramFiles%\Octoshape Streaming Services\%UserName%\octoprogram-L03-NMS0806110-U01_SUA_900\marker.txt %ProgramFiles%\Octoshape Streaming Services\%UserName%\octoprogram-L03-NMS0806110_SUA_900\marker.txt	0 bytes	MD5: 0xD41D8CD98F00B204E9800998ECF8427E SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709
11	%ProgramFiles%\Octoshape Streaming Services\%UserName%\octoprogram-L03-NMS0806110-U01_SUA_900\content.txt	34 bytes	MD5: 0x61FB59DEC8A37701361781FCF9A8E148 SHA-1: 0xB8C74BA549988B2E2233E565A0D1BF90E88FDE84
12	%ProgramFiles%\Octoshape Streaming Services\%UserName%\octoprogram-L03-NMS0806110_SUA_900\apoctoshape.dll	132,368 bytes	MD5: 0x9EF2F9DE6EE57AA4F48CCBFFA4527544 SHA-1: 0x7EF2A7F791F6E7198B312E446F0D5CDCC98A88D2
13	%ProgramFiles%\Octoshape Streaming Services\%UserName%\octoprogram-L03-NMS0806110_SUA_900\content.txt	179 bytes	MD5: 0x6A97C104F65E17D85B6872A4F9F6CC79 SHA-1: 0x1120993659776C7BF49D5FEDBB45B9838B8B2D9E
14	%ProgramFiles%\Octoshape Streaming Services\%UserName%\octoprogram-L03-NMS0806110_SUA_900\dynfiles.zip	32,383 bytes	MD5: 0x514A02625706AF05B0DD6599D0A0FD2B SHA-1: 0xC61391FC8D966A5724F2697B2EF441E5F8A0D6E6
15	%ProgramFiles%\Octoshape Streaming Services\%UserName%\octoprogram-L03-NMS0806110_SUA_900\libOctoshapeClient.dll	391,168 bytes	MD5: 0x9AAE3BCC1471CE51D302D6C980704D1F SHA-1: 0x11E5A47D8575492C5480A29F1B0EADE9937A542B
16	%ProgramFiles%\Octoshape Streaming Services\%UserName%\octoprogram-L03-NMS0806110_SUA_900\module.xml	1,834 bytes	MD5: 0xC7208068756B6E8CB32F4528C7D9645E SHA-1: 0x4F903FB7F24578F761FDC70EF5BAA2AE3F310610
17	%ProgramFiles%\Octoshape Streaming Services\%UserName%\octoprogram-L03-NMS0806110_SUA_900\suaold-versions.txt	191 bytes	MD5: 0x249C73659FCB1B97A6CC863A4692E41B SHA-1: 0xC6A719293860CF304DC9461A7DC6D7AAB675B46A
18	%ProgramFiles%\Octoshape Streaming Services\%UserName%\OctoshapeClient.exe	156,944 bytes	MD5: 0x13F5CFF50D3DB85B8207A63428863FB8 SHA-1: 0xC991B883C618FD6A052D7ED062D75EAF84056307
19	%ProgramFiles%\Octoshape Streaming Services\%UserName%\uninst.exe	122,897 bytes	MD5: 0xF37192BEAB76DCC7612F9F946BF81A35 SHA-1: 0xFFBB7EDFD57D8F7F6111BC70731A7DFEB80361CF
20	[file and pathname of the sample #1]	842,896 bytes	MD5: 0x042C5B392173CE5786101766B5E9A001 SHA-1: 0x48A0F11A2313EBB4A20EEABEBA3D652E5738ADDB

Notes:

%AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.
%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.
%DesktopDir% is a variable that refers to the file system directory used to physically store file objects on the desktop. A typical path is C:\Documents and Settings\[UserName]\Desktop.
%Programs% is a variable that refers to the file system directory that contains the user's program groups. A typical path is C:\Documents and Settings\[UserName]\Start Menu\Programs.

The following directories were created:

%AppData%\Mozilla
%AppData%\Mozilla\Plugins
%Programs%\Octoshape Streaming Services
%ProgramFiles%\Octoshape Streaming Services
%ProgramFiles%\Octoshape Streaming Services\%UserName%
%ProgramFiles%\Octoshape Streaming Services\%UserName%\octoprogram-L03-NMS0806110-U01_SUA_900
%ProgramFiles%\Octoshape Streaming Services\%UserName%\octoprogram-L03-NMS0806110_SUA_900

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
OctoshapeClient.exe	%ProgramFiles%\Octoshape Streaming Services\%UserName%\OctoshapeClient.exe	155,648 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	212,992 bytes

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DB17959D-D5A9-48ca-9259-6304C37CD57A}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7D4733C0-C43B-4A81-AF43-F9B20D1F8348}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Octoshape Streaming Services
HKEY_CURRENT_USER\Software\Classes\CLSID\{7D4733C0-C43B-4A81-AF43-F9B20D1F8348}
HKEY_CURRENT_USER\Software\Classes\CLSID\{7D4733C0-C43B-4A81-AF43-F9B20D1F8348}\InprocServer32
HKEY_CURRENT_USER\Software\Classes\CLSID\{7D4733C0-C43B-4A81-AF43-F9B20D1F8348}\ProgID
HKEY_CURRENT_USER\Software\Classes\CLSID\{7D4733C0-C43B-4A81-AF43-F9B20D1F8348}\Programmable
HKEY_CURRENT_USER\Software\Classes\CLSID\{7D4733C0-C43B-4A81-AF43-F9B20D1F8348}\TypeLib
HKEY_CURRENT_USER\Software\Classes\CLSID\{7D4733C0-C43B-4A81-AF43-F9B20D1F8348}\VersionIndependentProgID
HKEY_CURRENT_USER\Software\Classes\Interface\{3E8F8929-8AFB-4908-8B22-B8F259855A53}
HKEY_CURRENT_USER\Software\Classes\Interface\{3E8F8929-8AFB-4908-8B22-B8F259855A53}\ProxyStubClsid
HKEY_CURRENT_USER\Software\Classes\Interface\{3E8F8929-8AFB-4908-8B22-B8F259855A53}\ProxyStubClsid32
HKEY_CURRENT_USER\Software\Classes\Interface\{3E8F8929-8AFB-4908-8B22-B8F259855A53}\TypeLib
HKEY_CURRENT_USER\Software\Classes\TypeLib\{5732DDC8-74AD-4C63-B44C-B13382FBAA07}
HKEY_CURRENT_USER\Software\Classes\TypeLib\{5732DDC8-74AD-4C63-B44C-B13382FBAA07}\1.0
HKEY_CURRENT_USER\Software\Classes\TypeLib\{5732DDC8-74AD-4C63-B44C-B13382FBAA07}\1.0\0
HKEY_CURRENT_USER\Software\Classes\TypeLib\{5732DDC8-74AD-4C63-B44C-B13382FBAA07}\1.0\0\win32
HKEY_CURRENT_USER\Software\Classes\TypeLib\{5732DDC8-74AD-4C63-B44C-B13382FBAA07}\1.0\FLAGS
HKEY_CURRENT_USER\Software\Classes\TypeLib\{5732DDC8-74AD-4C63-B44C-B13382FBAA07}\1.0\HELPDIR
HKEY_CURRENT_USER\Software\Classes\AppID
HKEY_CURRENT_USER\Software\Classes\AppID\activex.DLL
HKEY_CURRENT_USER\Software\Classes\AppID\{5732DDC8-74AD-4C63-B44C-B13382FBAA07}
HKEY_CURRENT_USER\Software\Classes\OCTOSHAPE
HKEY_CURRENT_USER\Software\Classes\OCTOSHAPE\DefaultIcon
HKEY_CURRENT_USER\Software\Classes\OCTOSHAPE\shell
HKEY_CURRENT_USER\Software\Classes\OCTOSHAPE\shell\open
HKEY_CURRENT_USER\Software\Classes\OCTOSHAPE\shell\open\command
HKEY_CURRENT_USER\Software\Classes\octoshapeplugin.client
HKEY_CURRENT_USER\Software\Classes\octoshapeplugin.client\CLSID
HKEY_CURRENT_USER\Software\Classes\octoshapeplugin.client\CurVer
HKEY_CURRENT_USER\Software\Classes\octoshapeplugin.client.1
HKEY_CURRENT_USER\Software\Classes\octoshapeplugin.client.1\CLSID
HKEY_CURRENT_USER\Software\MozillaPlugins
HKEY_CURRENT_USER\Software\MozillaPlugins\@octoshape.com/Octoshape Streaming Services,version=1.0
HKEY_CURRENT_USER\Software\MozillaPlugins\@octoshape.com/Octoshape Streaming Services,version=1.0\MimeTypes
HKEY_CURRENT_USER\Software\MozillaPlugins\@octoshape.com/Octoshape Streaming Services,version=1.0\MimeTypes\application/x-octoshapeplugin-client
HKEY_CURRENT_USER\Software\Octoshape
HKEY_CURRENT_USER\Software\Octoshape\Octoshape Streaming Services
HKEY_CURRENT_USER\Software\Octoshape\Octoshape Streaming Services\Demo Version
HKEY_CURRENT_USER\Software\Octoshape\Octoshape Streaming Services\Demo Version\npoctoshape

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DB17959D-D5A9-48ca-9259-6304C37CD57A}]

AppName = "OctoshapeClient.exe"
AppPath = "%ProgramFiles%\Octoshape Streaming Services\%UserName%"
Policy = 0x00000003

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

Octoshape Streaming Services = ""%ProgramFiles%\Octoshape Streaming Services\%UserName%\OctoshapeClient.exe" -inv:bootrun"

so that OctoshapeClient.exe runs every time Windows starts

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Octoshape Streaming Services]

DisplayName = "Octoshape Streaming Services"
UninstallString = "%ProgramFiles%\Octoshape Streaming Services\%UserName%\uninst.exe"
DisplayVersion = "Demo Version"
URLInfoAbout = "http://www.octoshape.com"
Publisher = "Octoshape"
InstallLanguageWindows = "1033"
Group = ""
InstallDir = "%ProgramFiles%\Octoshape Streaming Services\%UserName%"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{7D4733C0-C43B-4A81-AF43-F9B20D1F8348}\VersionIndependentProgID]

(Default) = "octoshapeplugin.client"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{7D4733C0-C43B-4A81-AF43-F9B20D1F8348}\TypeLib]

(Default) = "{5732DDC8-74AD-4C63-B44C-B13382FBAA07}"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{7D4733C0-C43B-4A81-AF43-F9B20D1F8348}\ProgID]

(Default) = "octoshapeplugin.client.1"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{7D4733C0-C43B-4A81-AF43-F9B20D1F8348}\InprocServer32]

(Default) = "%ProgramFiles%\Octoshape Streaming Services\%UserName%\octoprogram-L03-NMS0806110_SUA_900\apoctoshape.dll"
ThreadingModel = "apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{7D4733C0-C43B-4A81-AF43-F9B20D1F8348}]

(Default) = "client Object"
AppID = "{5732DDC8-74AD-4C63-B44C-B13382FBAA07}"

[HKEY_CURRENT_USER\Software\Classes\Interface\{3E8F8929-8AFB-4908-8B22-B8F259855A53}\TypeLib]

(Default) = "{5732DDC8-74AD-4C63-B44C-B13382FBAA07}"
Version = "1.0"

[HKEY_CURRENT_USER\Software\Classes\Interface\{3E8F8929-8AFB-4908-8B22-B8F259855A53}\ProxyStubClsid32]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_CURRENT_USER\Software\Classes\Interface\{3E8F8929-8AFB-4908-8B22-B8F259855A53}\ProxyStubClsid]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_CURRENT_USER\Software\Classes\Interface\{3E8F8929-8AFB-4908-8B22-B8F259855A53}]

(Default) = "Iclient"

[HKEY_CURRENT_USER\Software\Classes\TypeLib\{5732DDC8-74AD-4C63-B44C-B13382FBAA07}\1.0\0\win32]

(Default) = "%ProgramFiles%\Octoshape Streaming Services\%UserName%\octoprogram-L03-NMS0806110_SUA_900\apoctoshape.dll"

[HKEY_CURRENT_USER\Software\Classes\TypeLib\{5732DDC8-74AD-4C63-B44C-B13382FBAA07}\1.0\HELPDIR]

(Default) = ""

[HKEY_CURRENT_USER\Software\Classes\TypeLib\{5732DDC8-74AD-4C63-B44C-B13382FBAA07}\1.0\FLAGS]

(Default) = "0"

[HKEY_CURRENT_USER\Software\Classes\TypeLib\{5732DDC8-74AD-4C63-B44C-B13382FBAA07}\1.0]

(Default) = "octoshapeplugin"

[HKEY_CURRENT_USER\Software\Classes\AppID\{5732DDC8-74AD-4C63-B44C-B13382FBAA07}]

(Default) = "activex"

[HKEY_CURRENT_USER\Software\Classes\AppID\activex.DLL]

AppID = "{5732DDC8-74AD-4C63-B44C-B13382FBAA07}"

[HKEY_CURRENT_USER\Software\Classes\OCTOSHAPE\shell\open\command]

(Default) = ""%ProgramFiles%\Octoshape Streaming Services\%UserName%\OctoshapeClient.exe" -inv:protocol -url:%1"

[HKEY_CURRENT_USER\Software\Classes\OCTOSHAPE]

URL Protocol = ""
(Default) = "URL:OCTOSHAPE Protocol"

[HKEY_CURRENT_USER\Software\Classes\octoshapeplugin.client\CurVer]

(Default) = "octoshapeplugin.client.1"

[HKEY_CURRENT_USER\Software\Classes\octoshapeplugin.client\CLSID]

(Default) = "{7D4733C0-C43B-4A81-AF43-F9B20D1F8348}"

[HKEY_CURRENT_USER\Software\Classes\octoshapeplugin.client]

(Default) = "client Object"

[HKEY_CURRENT_USER\Software\Classes\octoshapeplugin.client.1\CLSID]

(Default) = "{7D4733C0-C43B-4A81-AF43-F9B20D1F8348}"

[HKEY_CURRENT_USER\Software\Classes\octoshapeplugin.client.1]

(Default) = "client Object"

[HKEY_CURRENT_USER\Software\MozillaPlugins\@octoshape.com/Octoshape Streaming Services,version=1.0]

Path = "%ProgramFiles%\Octoshape Streaming Services\%UserName%\octoprogram-L03-NMS0806110_SUA_900\npoctoshape.dll"
XPTPath = "%ProgramFiles%\Octoshape Streaming Services\%UserName%\octoprogram-L03-NMS0806110_SUA_900\npoctoshape.xpt"

[HKEY_CURRENT_USER\Software\Octoshape\Octoshape Streaming Services\Demo Version\npoctoshape]

profile_component = "%AppData%\Mozilla\Plugins\npoctoshape.xpt"
profile_plugin = "%AppData%\Mozilla\Plugins\npoctoshape.dll"

[HKEY_CURRENT_USER\Software\Octoshape\Octoshape Streaming Services\Demo Version]

Idle = "0"
Player = "0"
Browser = "0"
Variant = ""
Startup = "1"
InstallerVersion = "0806110"
Group = ""
InstallDir = "%ProgramFiles%\Octoshape Streaming Services\%UserName%"
Language = "en"
TempID = "Lemha_Poneju_05619066"

Other details

To mark the presence in the system, the following Mutex objects were created:

OctoshapeClientPid1008
OctoshapeClientRunning
OctoshapeClientPid1704
OctoshapeClientPid480
OctoshapeClientPid948
OctoshapeClientPid976

The following Host Names were requested from a host database:

log.octoshape.net
proxyexam.octoshape.net
proxyexam.octoshape.org
log.octoshape.org

There were registered attempts to establish connection with the remote hosts. The connection details are:

Remote Host	Port Number
log.octoshape.net	1042
proxyexam.octoshape.org	1044
log.octoshape.org	1046

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.