ThreatExpert Report

Submission Summary:

Submission details:

Submission received: 29 February 2012, 05:53:42
Processing time: 11 min 8 sec
Submitted sample:

File MD5: 0x0A06D10B99CCAFD760FD08D0200A375E
File SHA-1: 0xABF0DA81AD13F0BE7475DC72F83A760D1397EB00
Filesize: 2,298,237 bytes

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.
Registers a 32-bit in-process server DLL.

Technical Details:

The new window was created, as shown below:

NOTICE: The content shown in the above window is captured automatically and is not controlled or endorsed by ThreatExpert.
Please contact us on this link should any material be offensive or inappropriate and we will ensure any such content is blocked from future viewers of the report.

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash
1	%AppData%\bloson.bmp	26,456 bytes	MD5: 0x9D76CBB404F76D227B2015D08FB90DE9 SHA-1: 0xCC2D925128F1FEC7FFB8F760E7615EAF7665F23B
2	%AppData%\dealply.bmp	77,576 bytes	MD5: 0x622892E1BFD696D8964C75977E538674 SHA-1: 0xFD78C36C6AEE910B534D075781869EAC5E96564E
3	%AppData%\dealply.exe	945,752 bytes	MD5: 0xCAACA3D3783173998FBB157FDD07A846 SHA-1: 0x92E8B1D702C8B8411A33F9497F8BFBA72628522D
4	%AppData%\facemoods.bmp	77,576 bytes	MD5: 0x6015991F47DAFEB69223AB1BBCE46321 SHA-1: 0x58B2A90385BE4BD340839E58E56C7025F73A4C06
5	%AppData%\facemoods.exe	1,229,360 bytes	MD5: 0x5F856A489CC99DFF30713F9FDAB715DF SHA-1: 0x7037878B2DB6D2A611613C21C693458D3CFC4FC9
6	%AppData%\javascript-minimizer-1.0.exe %Temp%\nsr9.tmp	125 bytes	MD5: 0x7C5F5A68051F6B0C0E9A2AD33C40D415 SHA-1: 0x120865765927A61AF83F02B83DC297EEDE61EC41
7	%AppData%\lateral1.bmp	193,744 bytes	MD5: 0x09FBAEDE48CFEDB759E640BED10D5DBF SHA-1: 0xE1C0A5A77042595BEAE53955CAD72143AAC61045
8	%AppData%\lateral2.bmp	193,744 bytes	MD5: 0xD0D2B5814833B7412A66C89E8B75021D SHA-1: 0x9B6C821D9078AA1054F522D3669686A1F7792B37
9	%AppData%\lateral3.bmp	195,108 bytes	MD5: 0xE1CE13E6F1ED1F339F8595CCF9D0198E SHA-1: 0x666997A9F8786074193C6CB2160C2EF3962D3ECC
10	%Temp%\nsh2.tmp\inetc.dll	24,576 bytes	MD5: 0x1EFBBF5A54EB145A1A422046FD8DFB2C SHA-1: 0xEC4EFD0A95BB72FD4CF47423647E33E5A3FDDF26
11	%Temp%\nsh2.tmp\LangDLL.dll	5,632 bytes	MD5: 0x9384F4007C492D4FA040924F31C00166 SHA-1: 0xABA37FAEF30D7C445584C688A0B5638F5DB31C7B
12	%Temp%\nsh2.tmp\md5dll.dll	6,656 bytes	MD5: 0x0745FF646F5AF1F1CDD784C06F40FCE9 SHA-1: 0xBF7EBA06020D7154CE4E35F696BEC6E6C966287F
13	%Temp%\nsh2.tmp\modern-header.bmp	130,056 bytes	MD5: 0xB94CE22E857BFFBBFF032D747653B3B0 SHA-1: 0xFD7EE723AEFB384DB149BF92A36603CFB70F4D98
14	%Temp%\nsh2.tmp\nsDialogs.dll	9,728 bytes	MD5: 0xC10E04DD4AD4277D5ADC951BB331C777 SHA-1: 0xB1E30808198A3AE6D6D1CCA62DF8893DC2A7AD43
15	%Temp%\nsh2.tmp\nsRandom.dll	21,504 bytes	MD5: 0xAB467B8DFAA660A0F0E5B26E28AF5735 SHA-1: 0x596ABD2C31EAFF3479EDF2069DB1C155B59CE74D
16	%Temp%\nsh2.tmp\System.dll	11,264 bytes	MD5: 0xC17103AE9072A06DA581DEC998343FC1 SHA-1: 0xB72148C6BDFAADA8B8C3F950E610EE7CF1DA1F8D
17	c:\prefs.js	1,156 bytes	MD5: 0x864C52B83A0FDB3235A6B4998E580FE7 SHA-1: 0x52476B0D04BB5D246E69D5B2DD5DAA4DFC7541A6
18	%ProgramFiles%\facemoods.com\facemoods\1.4.17.11\bh\facemoods.dll	265,944 bytes	MD5: 0xD0813204B590D8E8B98627FD75610E9D SHA-1: 0x8D465E41BD3A156D6C3B12A562473193B9878A7D
19	%ProgramFiles%\facemoods.com\facemoods\1.4.17.11\facemoods.crx	31,873 bytes	MD5: 0xC950D4862FF0DCFF908A8934B28702E8 SHA-1: 0x910E844373C425AE105362E12007ED48FF6C18BD
20	%ProgramFiles%\facemoods.com\facemoods\1.4.17.11\facemoods.png	3,948 bytes	MD5: 0xAD000BBCE06733694151384B614C94D7 SHA-1: 0x7D2C7E141479E4ED9F8EAA8454CA15ED27438762
21	%ProgramFiles%\facemoods.com\facemoods\1.4.17.11\facemoodsApp.dll	368,344 bytes	MD5: 0x582B370E077DD9412DAA10E8B7AC9015 SHA-1: 0x538A2AA698B3F41A1F0D0BCD195021946B4786A5
22	%ProgramFiles%\facemoods.com\facemoods\1.4.17.11\facemoodsEng.dll	462,552 bytes	MD5: 0x45300E499CCCA60E2A6869170ECA9966 SHA-1: 0xFD9E5C83FF7337560E3F7F4AD9573934023B351B
23	%ProgramFiles%\facemoods.com\facemoods\1.4.17.11\facemoodssrv.exe	362,200 bytes	MD5: 0xE83686C5F2273F8A7561897DD5F4E570 SHA-1: 0xB46C493E729674C1F02AE94D32C476E5B5077625
24	%ProgramFiles%\facemoods.com\facemoods\1.4.17.11\facemoodsTlbr.dll	220,888 bytes	MD5: 0x0FB336CCB1FE21397098026DF36FD914 SHA-1: 0x3FA3C67B6F4721A7D77CD478BD9B10A0377520FC
25	%ProgramFiles%\facemoods.com\facemoods\1.4.17.11\uninstall.exe	144,620 bytes	MD5: 0x26E59759772F43227E2DBAF33F030ADB SHA-1: 0xF6AE582F0A76BF765E36090630D6D07A3776700A
26	%ProgramFiles%\Mozilla Firefox\searchplugins\fcmdSrch.xml	2,047 bytes	MD5: 0x1BB13D2832FFE1671736A987A803D180 SHA-1: 0x04AAE3DD7CBE3FEA157A2847A4629A75020A3749
27	[file and pathname of the sample #1]	2,298,237 bytes	MD5: 0x0A06D10B99CCAFD760FD08D0200A375E SHA-1: 0xABF0DA81AD13F0BE7475DC72F83A760D1397EB00

Notes:

%AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.
%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

The following directories were created:

%Temp%\nsh2.tmp
%ProgramFiles%\facemoods.com
%ProgramFiles%\facemoods.com\facemoods
%ProgramFiles%\facemoods.com\facemoods\1.4.17.11
%ProgramFiles%\facemoods.com\facemoods\1.4.17.11\bh
%ProgramFiles%\Mozilla Firefox
%ProgramFiles%\Mozilla Firefox\searchplugins

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	327,680 bytes
dealply.exe	%AppData%\dealply.exe	212,992 bytes
facemoods.exe	%AppData%\facemoods.exe	352,256 bytes
facemoodssrv.exe	%ProgramFiles%\facemoods.com\facemoods\1.4.17.11\facemoodssrv.exe	368,640 bytes

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\escort.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\esrv.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{5B1881D1-D9C7-46df-B041-1E593282C7D0}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{5B1881D1-D9C7-46df-B041-1E593282C7D0}\Instl
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{5B1881D1-D9C7-46df-B041-1E593282C7D0}\Instl\Data
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{AD25754E-D76C-42B3-A335-2F81478B722F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{64182481-4F71-486b-A045-B233BD0DA8FC}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{64182481-4F71-486b-A045-B233BD0DA8FC}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{64182481-4F71-486b-A045-B233BD0DA8FC}\ProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{64182481-4F71-486b-A045-B233BD0DA8FC}\Programmable
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{64182481-4F71-486b-A045-B233BD0DA8FC}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{64182481-4F71-486b-A045-B233BD0DA8FC}\VersionIndependentProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A5B99E41-E157-4209-8AAC-DB003A816079}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A5B99E41-E157-4209-8AAC-DB003A816079}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A5B99E41-E157-4209-8AAC-DB003A816079}\ProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A5B99E41-E157-4209-8AAC-DB003A816079}\Programmable
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A5B99E41-E157-4209-8AAC-DB003A816079}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A5B99E41-E157-4209-8AAC-DB003A816079}\VersionIndependentProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AD20D01C-C939-4dd2-8C55-56935A48987E}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AD20D01C-C939-4dd2-8C55-56935A48987E}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AD20D01C-C939-4dd2-8C55-56935A48987E}\ProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AD20D01C-C939-4dd2-8C55-56935A48987E}\Programmable
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AD20D01C-C939-4dd2-8C55-56935A48987E}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AD20D01C-C939-4dd2-8C55-56935A48987E}\VersionIndependentProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DB4E9724-F518-4dfd-9C7C-78B52103CAB9}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DB4E9724-F518-4dfd-9C7C-78B52103CAB9}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DB4E9724-F518-4dfd-9C7C-78B52103CAB9}\ProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DB4E9724-F518-4dfd-9C7C-78B52103CAB9}\Programmable
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DB4E9724-F518-4dfd-9C7C-78B52103CAB9}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DB4E9724-F518-4dfd-9C7C-78B52103CAB9}\VersionIndependentProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DDE2C74F-58CC-4d71-8CE1-09DEBB8CFB78}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DDE2C74F-58CC-4d71-8CE1-09DEBB8CFB78}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DDE2C74F-58CC-4d71-8CE1-09DEBB8CFB78}\ProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DDE2C74F-58CC-4d71-8CE1-09DEBB8CFB78}\Programmable
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DDE2C74F-58CC-4d71-8CE1-09DEBB8CFB78}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DDE2C74F-58CC-4d71-8CE1-09DEBB8CFB78}\VersionIndependentProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E95EAD3F-18C6-4304-9DC6-BD6FD8E11D37}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E95EAD3F-18C6-4304-9DC6-BD6FD8E11D37}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E95EAD3F-18C6-4304-9DC6-BD6FD8E11D37}\ProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E95EAD3F-18C6-4304-9DC6-BD6FD8E11D37}\Programmable
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E95EAD3F-18C6-4304-9DC6-BD6FD8E11D37}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E95EAD3F-18C6-4304-9DC6-BD6FD8E11D37}\VersionIndependentProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{542FA950-C57A-4E17-B3E1-D935DFE15DEE}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{542FA950-C57A-4E17-B3E1-D935DFE15DEE}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{542FA950-C57A-4E17-B3E1-D935DFE15DEE}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{542FA950-C57A-4E17-B3E1-D935DFE15DEE}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{5B035F86-41B5-40F1-AAAD-3D219F30244E}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{5B035F86-41B5-40F1-AAAD-3D219F30244E}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{5B035F86-41B5-40F1-AAAD-3D219F30244E}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{5B035F86-41B5-40F1-AAAD-3D219F30244E}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6365AC7B-9920-4D8B-AF5D-3BDFEAC340A8}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6365AC7B-9920-4D8B-AF5D-3BDFEAC340A8}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6365AC7B-9920-4D8B-AF5D-3BDFEAC340A8}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6365AC7B-9920-4D8B-AF5D-3BDFEAC340A8}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6A934270-717F-4BC3-BA59-BC9BED47A8D2}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6A934270-717F-4BC3-BA59-BC9BED47A8D2}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6A934270-717F-4BC3-BA59-BC9BED47A8D2}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6A934270-717F-4BC3-BA59-BC9BED47A8D2}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{74C012C4-00FB-4F04-9AFB-4AD5449D2018}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{74C012C4-00FB-4F04-9AFB-4AD5449D2018}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{74C012C4-00FB-4F04-9AFB-4AD5449D2018}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{74C012C4-00FB-4F04-9AFB-4AD5449D2018}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{78888F8B-D5E4-43CE-89F5-C8C18223AF64}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{78888F8B-D5E4-43CE-89F5-C8C18223AF64}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{78888F8B-D5E4-43CE-89F5-C8C18223AF64}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{78888F8B-D5E4-43CE-89F5-C8C18223AF64}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{79B13431-CCAC-4097-8889-D0289E5E924F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{79B13431-CCAC-4097-8889-D0289E5E924F}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{79B13431-CCAC-4097-8889-D0289E5E924F}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{79B13431-CCAC-4097-8889-D0289E5E924F}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8B8558F6-DC26-4F39-8417-34B8934AA459}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8B8558F6-DC26-4F39-8417-34B8934AA459}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8B8558F6-DC26-4F39-8417-34B8934AA459}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8B8558F6-DC26-4F39-8417-34B8934AA459}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8C8D5C57-3CAD-4CF9-BCAD-F873678DA883}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8C8D5C57-3CAD-4CF9-BCAD-F873678DA883}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8C8D5C57-3CAD-4CF9-BCAD-F873678DA883}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8C8D5C57-3CAD-4CF9-BCAD-F873678DA883}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{981334CB-7B8B-431F-B86D-67B7426B125B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{981334CB-7B8B-431F-B86D-67B7426B125B}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{981334CB-7B8B-431F-B86D-67B7426B125B}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{981334CB-7B8B-431F-B86D-67B7426B125B}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9E393F82-2644-4AB6-B994-1AD39D6C59EE}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9E393F82-2644-4AB6-B994-1AD39D6C59EE}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9E393F82-2644-4AB6-B994-1AD39D6C59EE}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9E393F82-2644-4AB6-B994-1AD39D6C59EE}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A3A2A5C0-1306-4D1A-A093-9CECA4230002}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A3A2A5C0-1306-4D1A-A093-9CECA4230002}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A3A2A5C0-1306-4D1A-A093-9CECA4230002}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A3A2A5C0-1306-4D1A-A093-9CECA4230002}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A9379648-F6EB-4F65-A624-1C10411A15D0}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A9379648-F6EB-4F65-A624-1C10411A15D0}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A9379648-F6EB-4F65-A624-1C10411A15D0}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A9379648-F6EB-4F65-A624-1C10411A15D0}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C1C2FC43-F042-4F17-AEDB-C5ABF3B42E4B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C1C2FC43-F042-4F17-AEDB-C5ABF3B42E4B}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C1C2FC43-F042-4F17-AEDB-C5ABF3B42E4B}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C1C2FC43-F042-4F17-AEDB-C5ABF3B42E4B}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C8D424EF-CB21-49A0-8659-476FBAB0F8E8}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C8D424EF-CB21-49A0-8659-476FBAB0F8E8}\ProxyStubClsid

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\escort.DLL]

AppID = "{5B1881D1-D9C7-46df-B041-1E593282C7D0}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\esrv.EXE]

AppID = "{AD25754E-D76C-42B3-A335-2F81478B722F}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{5B1881D1-D9C7-46df-B041-1E593282C7D0}\Instl\Data]

afltId = "down"
cntrlId = "00cd1a40000000000000000000000000"
hrdId = "00cd1a40000000000000000000000000"
instlDay = 0x00003C27
prtnrId = "facemoods.com"
sftId = "52852236ac5c4915b41467c1485d66ac"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{5B1881D1-D9C7-46df-B041-1E593282C7D0}]

(Default) = "escort"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{AD25754E-D76C-42B3-A335-2F81478B722F}]

(Default) = "esrv"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{64182481-4F71-486b-A045-B233BD0DA8FC}\VersionIndependentProgID]

(Default) = "facemoods.facemoodsHlpr"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{64182481-4F71-486b-A045-B233BD0DA8FC}\TypeLib]

(Default) = "{09C554C3-109B-483C-A06B-F14172F1A947}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{64182481-4F71-486b-A045-B233BD0DA8FC}\ProgID]

(Default) = "facemoods.facemoodsHlpr.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{64182481-4F71-486b-A045-B233BD0DA8FC}\InprocServer32]

(Default) = "%ProgramFiles%\facemoods.com\facemoods\1.4.17.11\bh\facemoods.dll"
ThreadingModel = "apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{64182481-4F71-486b-A045-B233BD0DA8FC}]

(Default) = "CescrtHlpr Object"
AppID = "{5B1881D1-D9C7-46df-B041-1E593282C7D0}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A5B99E41-E157-4209-8AAC-DB003A816079}\VersionIndependentProgID]

(Default) = "facemoods.xtrnl"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A5B99E41-E157-4209-8AAC-DB003A816079}\TypeLib]

(Default) = "{B12E99ED-69BD-437C-86BE-C862B9E5444D}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A5B99E41-E157-4209-8AAC-DB003A816079}\ProgID]

(Default) = "facemoods.xtrnl.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A5B99E41-E157-4209-8AAC-DB003A816079}\InprocServer32]

(Default) = "%ProgramFiles%\facemoods.com\facemoods\1.4.17.11\facemoodsEng.dll"
ThreadingModel = "apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A5B99E41-E157-4209-8AAC-DB003A816079}]

(Default) = "escrtAx Object"
AppID = ""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AD20D01C-C939-4dd2-8C55-56935A48987E}\VersionIndependentProgID]

(Default) = "facemoodsApp.appCore"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AD20D01C-C939-4dd2-8C55-56935A48987E}\TypeLib]

(Default) = "{D7EE8177-D51E-4F89-92B6-83EA2EC40800}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AD20D01C-C939-4dd2-8C55-56935A48987E}\ProgID]

(Default) = "facemoodsApp.appCore.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AD20D01C-C939-4dd2-8C55-56935A48987E}\InprocServer32]

(Default) = "%ProgramFiles%\facemoods.com\facemoods\1.4.17.11\facemoodsApp.dll"
ThreadingModel = "apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AD20D01C-C939-4dd2-8C55-56935A48987E}]

(Default) = "appCore Object"
AppID = ""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DB4E9724-F518-4dfd-9C7C-78B52103CAB9}\VersionIndependentProgID]

(Default) = "facemoods.dskBnd"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DB4E9724-F518-4dfd-9C7C-78B52103CAB9}\TypeLib]

(Default) = "{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DB4E9724-F518-4dfd-9C7C-78B52103CAB9}\ProgID]

(Default) = "facemoods.dskBnd.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DB4E9724-F518-4dfd-9C7C-78B52103CAB9}\InprocServer32]

(Default) = "%ProgramFiles%\facemoods.com\facemoods\1.4.17.11\facemoodsTlbr.dll"
ThreadingModel = "apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DB4E9724-F518-4dfd-9C7C-78B52103CAB9}]

(Default) = "facemoods Toolbar"
AppID = ""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DDE2C74F-58CC-4d71-8CE1-09DEBB8CFB78}\VersionIndependentProgID]

(Default) = "escort.escrtBtn.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DDE2C74F-58CC-4d71-8CE1-09DEBB8CFB78}\TypeLib]

(Default) = "{09C554C3-109B-483C-A06B-F14172F1A947}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DDE2C74F-58CC-4d71-8CE1-09DEBB8CFB78}\ProgID]

(Default) = "escort.escrtBtn.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DDE2C74F-58CC-4d71-8CE1-09DEBB8CFB78}\InprocServer32]

(Default) = "%ProgramFiles%\facemoods.com\facemoods\1.4.17.11\bh\facemoods.dll"
ThreadingModel = "apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DDE2C74F-58CC-4d71-8CE1-09DEBB8CFB78}]

(Default) = "escrtBtn Object"
AppID = "{5B1881D1-D9C7-46df-B041-1E593282C7D0}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E95EAD3F-18C6-4304-9DC6-BD6FD8E11D37}\VersionIndependentProgID]

(Default) = "esrv.escrtSrvc"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E95EAD3F-18C6-4304-9DC6-BD6FD8E11D37}\TypeLib]

(Default) = "{AD25754E-D76C-42B3-A335-2F81478B722F}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E95EAD3F-18C6-4304-9DC6-BD6FD8E11D37}\ProgID]

(Default) = "esrv.escrtSrvc.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E95EAD3F-18C6-4304-9DC6-BD6FD8E11D37}\LocalServer32]

(Default) = ""%ProgramFiles%\facemoods.com\facemoods\1.4.17.11\facemoodssrv.exe""
ThreadingModel = "apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E95EAD3F-18C6-4304-9DC6-BD6FD8E11D37}]

(Default) = "escrtSrvc Object"
AppID = "{AD25754E-D76C-42B3-A335-2F81478B722F}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{542FA950-C57A-4E17-B3E1-D935DFE15DEE}\TypeLib]

(Default) = "{12A5F606-B1EC-474C-83ED-95E99FD8058E}"
Version = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{542FA950-C57A-4E17-B3E1-D935DFE15DEE}\ProxyStubClsid32]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{542FA950-C57A-4E17-B3E1-D935DFE15DEE}\ProxyStubClsid]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{542FA950-C57A-4E17-B3E1-D935DFE15DEE}]

(Default) = "IxpEmphszr"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{5B035F86-41B5-40F1-AAAD-3D219F30244E}\TypeLib]

(Default) = "{12A5F606-B1EC-474C-83ED-95E99FD8058E}"
Version = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{5B035F86-41B5-40F1-AAAD-3D219F30244E}\ProxyStubClsid32]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{5B035F86-41B5-40F1-AAAD-3D219F30244E}\ProxyStubClsid]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{5B035F86-41B5-40F1-AAAD-3D219F30244E}]

(Default) = "IwebAtrbts"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6365AC7B-9920-4D8B-AF5D-3BDFEAC340A8}\TypeLib]

(Default) = "{12A5F606-B1EC-474C-83ED-95E99FD8058E}"
Version = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6365AC7B-9920-4D8B-AF5D-3BDFEAC340A8}\ProxyStubClsid32]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6365AC7B-9920-4D8B-AF5D-3BDFEAC340A8}\ProxyStubClsid]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6365AC7B-9920-4D8B-AF5D-3BDFEAC340A8}]

(Default) = "IXmlCnfg"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6A934270-717F-4BC3-BA59-BC9BED47A8D2}\TypeLib]

(Default) = "{12A5F606-B1EC-474C-83ED-95E99FD8058E}"
Version = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6A934270-717F-4BC3-BA59-BC9BED47A8D2}\ProxyStubClsid32]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6A934270-717F-4BC3-BA59-BC9BED47A8D2}\ProxyStubClsid]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6A934270-717F-4BC3-BA59-BC9BED47A8D2}]

(Default) = "IXtrnlBsc"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{74C012C4-00FB-4F04-9AFB-4AD5449D2018}\TypeLib]

(Default) = "{AD25754E-D76C-42B3-A335-2F81478B722F}"
Version = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{74C012C4-00FB-4F04-9AFB-4AD5449D2018}\ProxyStubClsid32]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{74C012C4-00FB-4F04-9AFB-4AD5449D2018}\ProxyStubClsid]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{74C012C4-00FB-4F04-9AFB-4AD5449D2018}]

(Default) = "IescrtSrvc"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{78888F8B-D5E4-43CE-89F5-C8C18223AF64}\TypeLib]

(Default) = "{B12E99ED-69BD-437C-86BE-C862B9E5444D}"
Version = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{78888F8B-D5E4-43CE-89F5-C8C18223AF64}\ProxyStubClsid32]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{78888F8B-D5E4-43CE-89F5-C8C18223AF64}\ProxyStubClsid]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{78888F8B-D5E4-43CE-89F5-C8C18223AF64}]

(Default) = "IescrtAx"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{79B13431-CCAC-4097-8889-D0289E5E924F}\TypeLib]

(Default) = "{12A5F606-B1EC-474C-83ED-95E99FD8058E}"
Version = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{79B13431-CCAC-4097-8889-D0289E5E924F}\ProxyStubClsid32]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{79B13431-CCAC-4097-8889-D0289E5E924F}\ProxyStubClsid]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{79B13431-CCAC-4097-8889-D0289E5E924F}]

(Default) = "Ixtrnlmain"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8B8558F6-DC26-4F39-8417-34B8934AA459}\TypeLib]

(Default) = "{12A5F606-B1EC-474C-83ED-95E99FD8058E}"
Version = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8B8558F6-DC26-4F39-8417-34B8934AA459}\ProxyStubClsid32]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8B8558F6-DC26-4F39-8417-34B8934AA459}\ProxyStubClsid]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8B8558F6-DC26-4F39-8417-34B8934AA459}]

(Default) = "IappInfo"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8C8D5C57-3CAD-4CF9-BCAD-F873678DA883}\TypeLib]

(Default) = "{12A5F606-B1EC-474C-83ED-95E99FD8058E}"
Version = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8C8D5C57-3CAD-4CF9-BCAD-F873678DA883}\ProxyStubClsid32]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8C8D5C57-3CAD-4CF9-BCAD-F873678DA883}\ProxyStubClsid]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8C8D5C57-3CAD-4CF9-BCAD-F873678DA883}]

(Default) = "IesrvXtrnl"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{981334CB-7B8B-431F-B86D-67B7426B125B}\TypeLib]

(Default) = "{12A5F606-B1EC-474C-83ED-95E99FD8058E}"
Version = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{981334CB-7B8B-431F-B86D-67B7426B125B}\ProxyStubClsid32]

(Default) = "{00020424-0000-0000-C000-000000000046}"

The following Registry Values were modified:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]

SearchAssistant =

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]

Start Page =

Other details

Analysis of the file resources indicate the following possible country of origin:

Israel

The following port was open in the system:

Port	Protocol	Process
1035	UDP	[file and pathname of the sample #1]

The following Host Name was requested from a host database:

r.facemoods.com

There was registered attempt to establish connection with the remote host. The connection details are:

Remote Host	Port Number
r.facemoods.com	1033

The following Internet Connections were established:

Server Name	Server Port	Connect as User	Connection Password
gstatic.uptodown.net	80	(null)	(null)
www.uptodown.com	80	(null)	(null)

The following GET requests were made:

v9/defaultwin.jpg
dm/control.txt
dm/date.txt
dm/check/d4d12c10fd6990d5543e56f4a7045529/4/111/javascript-minimizer-1.0.exe

The following HTTP URL was started reading:

http://r.facemoods.com/install_success/00cd1a40000000000000000000000000/down/0?t=json

Downloaded File Summary:

Download details:

Download retrieved: 29 February 2012 06:08:47
Processing time: 13 min 49 sec
Downloaded sample:

File MD5: 0x45CB4CFD0E8EF900A1C08A8BBFF69A1C
File SHA-1: 0x3B61DE44F485D76A1026A3F14BAAD6EB3DAAC6B2
Filesize: 36,864 bytes

Technical Details:

File System Modifications

The following file was created in the system:

#	Filename(s)	File Size	File Hash
1	[file and pathname of the sample #1]	36,864 bytes	MD5: 0x45CB4CFD0E8EF900A1C08A8BBFF69A1C SHA-1: 0x3B61DE44F485D76A1026A3F14BAAD6EB3DAAC6B2

Memory Modifications

There was a new process created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	N/A

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.