ThreatExpert Report

Submission Summary:

Submission details:

Submission received: 14 December 2011, 18:47:37
Processing time: 9 min 15 sec
Submitted sample:

File MD5: 0x3C354DE140FD3191E68F0FDE2D4FEBED
File SHA-1: 0xA2899D042BC90FF857604A80D94661E64AB39A4E
Filesize: 1,376,896 bytes

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.
Creates a startup registry entry.
Registers a 32-bit in-process server DLL.
Registers a Browser Helper Object (Microsoft's Internet Explorer plugin module).

Technical Details:

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%ProgramFiles%\searchguide\FreeApp.exe	48,112 bytes	MD5: 0x8FEEFFB3520C2AA9867745CB63EF18FA SHA-1: 0x579ABE77524AFDEBB3A69C857EDDE2C6B214F336	(not available)
2	%ProgramFiles%\searchguide\searchguide Update Log.txt	1,629 bytes	MD5: 0xCB4C75B73A447F4FDF0F6763EA226FA3 SHA-1: 0x9F0BFF11C0801D779C020435C5915DDC84E4DDB9	(not available)
3	%ProgramFiles%\searchguide\searchguide.dat	31,838 bytes	MD5: 0xB7958B743DA00A55A61AA955CB1C25DE SHA-1: 0x3449D758F41151554A548B168F1806E1BB38F709	(not available)
4	%ProgramFiles%\searchguide\searchguide.dll	338,928 bytes	MD5: 0x9DEB0E0CF4226B4EEFA69B32017FF03F SHA-1: 0x7CAD53AEFA8098B3D2A4AAA5A58E8A135322E5E9	packed with UPX [Kaspersky Lab]
5	%ProgramFiles%\searchguide\searchguide.exe	502,768 bytes	MD5: 0xF99144E864C96913B16F4EA74865ADD9 SHA-1: 0x77586EB90E0D1DB248BA92CD8ABB35B7A8EBBCAD	packed with UPX [Kaspersky Lab]
6	%ProgramFiles%\searchguide\sqlite3.dll	282,312 bytes	MD5: 0x0ACADCBFD0CB2560950D464199BDFF72 SHA-1: 0x6955BD63F370C9DD11F8463A062880A2C9FB48A5	packed with UPX [Kaspersky Lab]
7	%ProgramFiles%\searchguide\unins000.dat	9,908 bytes	MD5: 0x255B0C18904767EBCCC05D9CC6FDB338 SHA-1: 0xCE3471029AA74FC28DA04FCA3E67F6CE6A401679	(not available)
8	%ProgramFiles%\searchguide\unins000.exe	709,492 bytes	MD5: 0xB4C0B1B24CD6762A8648117F8F3F7E53 SHA-1: 0xAE61017A302DD519E85862D80543B9D19F2D81CE	(not available)
9	%System%\del_bat.cmd	150 bytes	MD5: 0xDF81D68C75F4C0E973CF65915DD85B35 SHA-1: 0x1C2D6E0341A8EBAE65EE8C066046289029565776	(not available)
10	[file and pathname of the sample #1]	1,376,896 bytes	MD5: 0x3C354DE140FD3191E68F0FDE2D4FEBED SHA-1: 0xA2899D042BC90FF857604A80D94661E64AB39A4E	(not available)

Notes:

%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

The following directory was created:

%ProgramFiles%\searchguide

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A33F6992-515A-477A-AF37-F1CA5B45A483}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A33F6992-515A-477A-AF37-F1CA5B45A483}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A33F6992-515A-477A-AF37-F1CA5B45A483}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\searchguide_is1
HKEY_CURRENT_USER\Software\searchguide

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A33F6992-515A-477A-AF37-F1CA5B45A483}\InprocServer32]

(Default) = "C:\PROGRA~1\SEARCH~1\SEARCH~1.DLL"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A33F6992-515A-477A-AF37-F1CA5B45A483}]

(Default) = "searchguide class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A33F6992-515A-477A-AF37-F1CA5B45A483}]

NoExplorer = 0x00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\searchguide_is1]

Inno Setup: Setup Version = "5.1.9"
Inno Setup: App Path = "%ProgramFiles%\searchguide"
InstallLocation = "%ProgramFiles%\searchguide\"
Inno Setup: Icon Group = "searchguide"
Inno Setup: User = "%UserName%"
DisplayName = "searchguide"
DisplayIcon = "C:\searchguide\setup\search.ico"
UninstallString = ""%ProgramFiles%\searchguide\unins000.exe""
QuietUninstallString = ""%ProgramFiles%\searchguide\unins000.exe" /SILENT"
DisplayVersion = "1.0.0.0"
Publisher = "SearchGuide Inc."
URLInfoAbout = "http://searchguide.co.kr/"
NoModify = 0x00000001
NoRepair = 0x00000001
InstallDate = "20111214"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

searchguide = "%ProgramFiles%\searchguide\searchguide.exe"

so that searchguide.exe runs every time Windows starts

[HKEY_CURRENT_USER\Software\searchguide]

partnerID = "searchguide_01"
UpdateTime = "20111214"
InstallTime = "2011-12-14_18:47:49"
Version = "1.0.0.0"
term_p = "600"
GUID = "{AB6C1593-10B5-4083-9871-92924251A52C}"
ActiveDate = "2011-12-14"

Other details

Analysis of the file resources indicate the following possible countries of origin:

	France
	Republic of Korea

There were registered attempts to establish connection with the remote hosts. The connection details are:

Remote Host	Port Number
116.122.135.43	80
116.122.135.44	80

The data identified by the following URLs was then requested from the remote web server:

http://www.searchguide.co.kr/analysis/ins.php?uq={AB6C1593-10B5-4083-9871-92924251A52C}&pid=searchguide_01
http://www.searchguide.co.kr/analysis/live.php?uq={AB6C1593-10B5-4083-9871-92924251A52C}&pid=searchguide_01
http://down.searchguide.co.kr/searchguide/searchguide.ts1
http://down.searchguide.co.kr/download/data.db

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.