ThreatExpert Report

Submission Summary:

Submission details:

Submission received: 24 February 2009, 12:34:50
Processing time: 6 min 48 sec
Submitted sample:

File MD5: 0x559F699E60A785D1B7D0B4251891E8E6
File SHA-1: 0x75FCD8CC657217CF615E07693801992E0DA52658
Filesize: 433,328 bytes

Summary of the findings:

What's been found	Severity Level
Registers a 32-bit in-process server DLL.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! Characteristics of the following security risk was identified in the system:

Security Risk	Description
Adware.Altnet_Software	Bundled with Kazaa. Installs a Browser Helper Object: which loads when IE is started. Altnet software is used to supply advertising content to KaZaA users

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash
1	%Temp%\_AMPSave.dat	0 bytes	MD5: 0xD41D8CD98F00B204E9800998ECF8427E SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709
2	%ProgramFiles%\Altnet Music Plugin\AMPIEI.dll	128,048 bytes	MD5: 0x608F52D49F3CB9B0B7F20CD201049050 SHA-1: 0xEF004B47728251793FE88255058F77FA9D10B7D0
3	%ProgramFiles%\Altnet Music Plugin\npAMPff.dll	69,632 bytes	MD5: 0xA8B4D15414D1804B407C32B0FAD5E541 SHA-1: 0xA0FF5AB1D2022DAEF37FE475B12AB5276AE1EFC6
4	%ProgramFiles%\Altnet Music Plugin\nsIAMPff.xpt	317 bytes	MD5: 0x8D59DD903994EAF9985AC34046232638 SHA-1: 0x81BC32F265190C7180F381602B000AE6E8BAF0EF
5	%ProgramFiles%\Altnet Music Plugin\unins000.dat	1,792 bytes	MD5: 0xA816B1E7831F2040C32F665E996A641F SHA-1: 0x0A08459135CAB73A98BB90541749D5575AEDA394
6	%ProgramFiles%\Altnet Music Plugin\unins000.exe	691,033 bytes	MD5: 0xFE824A2C890AAEEB082ACD6C2BA49466 SHA-1: 0xCFA196092B6C9B1BF22DF975B3AC6B9EA744529B
7	[file and pathname of the sample #1]	433,328 bytes	MD5: 0x559F699E60A785D1B7D0B4251891E8E6 SHA-1: 0x75FCD8CC657217CF615E07693801992E0DA52658

Notes:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

The following directory was created:

%ProgramFiles%\Altnet Music Plugin

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1 without extension].tmp	%Temp%\is-3VDTV.tmp\[filename of the sample #1 without extension].tmp	741,376 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	81,920 bytes
ampmdm.exe	%ProgramFiles%\altnet music plugin\ampmdm.exe	323,584 bytes
[generic host process]	[generic host process filename]	20,480 bytes

Notes:

[generic host process filename] is a full path filename of [generic host process].

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\AMPIEI.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8D7A165F-7CA9-4F7D-8CA4-B03F1A1CCC5D}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0911C19E-BD1A-420F-AEA6-093BFF40906D}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0911C19E-BD1A-420F-AEA6-093BFF40906D}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5B186181-9197-4CE6-A576-EC0665233FD7}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5B186181-9197-4CE6-A576-EC0665233FD7}\Control
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5B186181-9197-4CE6-A576-EC0665233FD7}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5B186181-9197-4CE6-A576-EC0665233FD7}\MiscStatus
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5B186181-9197-4CE6-A576-EC0665233FD7}\MiscStatus\1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5B186181-9197-4CE6-A576-EC0665233FD7}\ProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5B186181-9197-4CE6-A576-EC0665233FD7}\Programmable
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5B186181-9197-4CE6-A576-EC0665233FD7}\ToolboxBitmap32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5B186181-9197-4CE6-A576-EC0665233FD7}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5B186181-9197-4CE6-A576-EC0665233FD7}\Version
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5B186181-9197-4CE6-A576-EC0665233FD7}\VersionIndependentProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0911C19E-BD1A-420F-AEA6-093BFF40906D}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0911C19E-BD1A-420F-AEA6-093BFF40906D}\NumMethods
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0911C19E-BD1A-420F-AEA6-093BFF40906D}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0911C19E-BD1A-420F-AEA6-093BFF40906D}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0911C19E-BD1A-420F-AEA6-093BFF40906D}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{77313B60-1CA2-4808-9A9C-A24EB69285B8}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{77313B60-1CA2-4808-9A9C-A24EB69285B8}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{77313B60-1CA2-4808-9A9C-A24EB69285B8}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{77313B60-1CA2-4808-9A9C-A24EB69285B8}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{9690DDCB-19CC-441B-A0F5-95CE5929A6A0}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{9690DDCB-19CC-441B-A0F5-95CE5929A6A0}\1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{9690DDCB-19CC-441B-A0F5-95CE5929A6A0}\1.0\0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{9690DDCB-19CC-441B-A0F5-95CE5929A6A0}\1.0\0\win32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{9690DDCB-19CC-441B-A0F5-95CE5929A6A0}\1.0\FLAGS
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{9690DDCB-19CC-441B-A0F5-95CE5929A6A0}\1.0\HELPDIR
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AMPIEI.AmpAX
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AMPIEI.AmpAX\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AMPIEI.AmpAX\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AMPIEI.AmpAX.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AMPIEI.AmpAX.1\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Altnet Music Plugin_is1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{5B186181-9197-4CE6-A576-EC0665233FD7}
HKEY_CURRENT_USER\Software\Altnet
HKEY_CURRENT_USER\Software\Altnet\AMP
HKEY_CURRENT_USER\Software\AMPMDM
HKEY_CURRENT_USER\Software\AMPMDM\DM

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\AMPIEI.DLL]

AppID = "{8D7A165F-7CA9-4F7D-8CA4-B03F1A1CCC5D}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{8D7A165F-7CA9-4F7D-8CA4-B03F1A1CCC5D}]

(Default) = "AMPIEI"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0911C19E-BD1A-420F-AEA6-093BFF40906D}\InProcServer32]

(Default) = "%ProgramFiles%\Altnet Music Plugin\AMPIEI.dll"
ThreadingModel = "Both"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0911C19E-BD1A-420F-AEA6-093BFF40906D}]

(Default) = "PSFactoryBuffer"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5B186181-9197-4CE6-A576-EC0665233FD7}\MiscStatus\1]

(Default) = "132497"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5B186181-9197-4CE6-A576-EC0665233FD7}\VersionIndependentProgID]

(Default) = "AMPIEI.AmpAX"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5B186181-9197-4CE6-A576-EC0665233FD7}\Version]

(Default) = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5B186181-9197-4CE6-A576-EC0665233FD7}\TypeLib]

(Default) = "{9690DDCB-19CC-441B-A0F5-95CE5929A6A0}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5B186181-9197-4CE6-A576-EC0665233FD7}\ToolboxBitmap32]

(Default) = "%ProgramFiles%\Altnet Music Plugin\AMPIEI.dll, 102"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5B186181-9197-4CE6-A576-EC0665233FD7}\ProgID]

(Default) = "AMPIEI.AmpAX.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5B186181-9197-4CE6-A576-EC0665233FD7}\MiscStatus]

(Default) = "0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5B186181-9197-4CE6-A576-EC0665233FD7}\InprocServer32]

(Default) = "%ProgramFiles%\Altnet Music Plugin\AMPIEI.dll"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5B186181-9197-4CE6-A576-EC0665233FD7}]

(Default) = "AmpAX Class"
AppID = "{8D7A165F-7CA9-4F7D-8CA4-B03F1A1CCC5D}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0911C19E-BD1A-420F-AEA6-093BFF40906D}\TypeLib]

(Default) = "{9690DDCB-19CC-441B-A0F5-95CE5929A6A0}"
Version = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0911C19E-BD1A-420F-AEA6-093BFF40906D}\ProxyStubClsid32]

(Default) = "{0911C19E-BD1A-420F-AEA6-093BFF40906D}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0911C19E-BD1A-420F-AEA6-093BFF40906D}\ProxyStubClsid]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0911C19E-BD1A-420F-AEA6-093BFF40906D}\NumMethods]

(Default) = "17"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0911C19E-BD1A-420F-AEA6-093BFF40906D}]

(Default) = "IAmpAX"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{77313B60-1CA2-4808-9A9C-A24EB69285B8}\TypeLib]

(Default) = "{9690DDCB-19CC-441B-A0F5-95CE5929A6A0}"
Version = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{77313B60-1CA2-4808-9A9C-A24EB69285B8}\ProxyStubClsid32]

(Default) = "{00020420-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{77313B60-1CA2-4808-9A9C-A24EB69285B8}\ProxyStubClsid]

(Default) = "{00020420-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{77313B60-1CA2-4808-9A9C-A24EB69285B8}]

(Default) = "_IAmpAXEvents"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{9690DDCB-19CC-441B-A0F5-95CE5929A6A0}\1.0\0\win32]

(Default) = "%ProgramFiles%\Altnet Music Plugin\AMPIEI.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{9690DDCB-19CC-441B-A0F5-95CE5929A6A0}\1.0\HELPDIR]

(Default) = "%ProgramFiles%\Altnet Music Plugin\"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{9690DDCB-19CC-441B-A0F5-95CE5929A6A0}\1.0\FLAGS]

(Default) = "0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{9690DDCB-19CC-441B-A0F5-95CE5929A6A0}\1.0]

(Default) = "AMPIEI 1.0 Type Library"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AMPIEI.AmpAX\CurVer]

(Default) = "AMPIEI.AmpAX.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AMPIEI.AmpAX\CLSID]

(Default) = "{5B186181-9197-4CE6-A576-EC0665233FD7}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AMPIEI.AmpAX]

(Default) = "AmpAX Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AMPIEI.AmpAX.1\CLSID]

(Default) = "{5B186181-9197-4CE6-A576-EC0665233FD7}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AMPIEI.AmpAX.1]

(Default) = "AmpAX Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Altnet Music Plugin_is1]

Inno Setup: Setup Version = "5.2.2"
Inno Setup: App Path = "%ProgramFiles%\Altnet Music Plugin"
InstallLocation = "%ProgramFiles%\Altnet Music Plugin\"
Inno Setup: Icon Group = "Altnet Music Plugin"
Inno Setup: User = "%UserName%"
DisplayName = "Altnet Music Plugin"
DisplayIcon = "Altnet Music Plugin"
UninstallString = ""%ProgramFiles%\Altnet Music Plugin\unins000.exe""
QuietUninstallString = ""%ProgramFiles%\Altnet Music Plugin\unins000.exe" /SILENT"
Publisher = "Altnet Inc."
URLInfoAbout = "http://www.altnet.com/"
HelpLink = "http://www.altnet.com/"
URLUpdateInfo = "http://www.altnet.com/"
NoModify = 0x00000001
NoRepair = 0x00000001
InstallDate = "20090224"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

ampmdm = "%ProgramFiles%\Altnet Music Plugin\AMPMDM.exe"

[HKEY_CURRENT_USER\Software\AMPMDM\DM]

Loc = "%ProgramFiles%\Altnet Music Plugin\AMPMDM.exe"
Ver = "5, 0, 0, 10"
ProgressWindowPositionX = 0x00000014
ProgressWindowPositionY = 0x00000014
ProgressWindowExpanded = 0x00000000
folder = ""

Other details

Analysis of the file resources indicate the following possible country of origin:

Australia

To mark the presence in the system, the following Mutex object was created:

DBWinMutex

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.