ThreatExpert Report: AdWare.Bcool

Submission Summary:

Submission details:

Submission received: 3 July 2012, 10:40:43
Processing time: 11 min 0 sec
Submitted sample:

File MD5: 0x5B8B0059B86C2EA185B13760DA4465FA
File SHA-1: 0xC422901DD769542E5AB7B4F476357045643A2773
Filesize: 320,782 bytes

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.
Registers a 32-bit in-process server DLL.
Registers a Browser Helper Object (Microsoft's Internet Explorer plugin module).

Technical Details:

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%CommonAppData%\Bcool\background.html	5,275 bytes	MD5: 0x57EE780F236D087B24E9A761D80F7322 SHA-1: 0x7A5AE371F7F33F9963E73CCC82BB027B21172663	(not available)
2	%CommonAppData%\Bcool\bhoclass.dll	140,800 bytes	MD5: 0xAC13C733379328F86568F6E514C2F7F8 SHA-1: 0x338901240FEDCEF4E3892FD4C723C89154F4DE05	(not available)
3	%CommonAppData%\Bcool\content.js	387 bytes	MD5: 0xAD08E0DA29745D8A2BF865E210010CC6 SHA-1: 0x45CA8A9490C437408E7929AE542B1A5AB5FD1441	(not available)
4	%CommonAppData%\Bcool\ilmmaihonadcijpgfplhidggnfophkof.crx	38,122 bytes	MD5: 0xA3CF93C4038A1F87F0CB9AC4EB438C32 SHA-1: 0x216DFC1B14C004C9F4416C3137E23020BE76CDC6	(not available)
5	%CommonAppData%\Bcool\settings.ini	593 bytes	MD5: 0x41F2C012C219FFE348C5C8CB4D8C6A7C SHA-1: 0xD8BEDCFBD7900EFB51A52CB6A61A3EF7C4A79BC0	(not available)
6	%CommonAppData%\Bcool\uninstall.exe	47,445 bytes	MD5: 0x2628F4240552CC3B2BA04EE51078AE0C SHA-1: 0x5B0CCA662149240D1FD4354BEAC1338E97E334EA	(not available)
7	%CommonPrograms%\Bcool\Bcool.lnk	272 bytes	MD5: 0x91765DBA15E631999722765410087665 SHA-1: 0xEBDFC2393F938450624FE103353C82232A8C6500	(not available)
8	%CommonPrograms%\Bcool\Uninstall.lnk	1,090 bytes	MD5: 0x5FBE8C7997E421A6008034C4DF753819 SHA-1: 0x578B5FA30BB599287F649F3101CF44F44CF00919	(not available)
9	c:\settings.ini	510 bytes	MD5: 0xF35AAA221EB79BB2F220BCBB354A95A0 SHA-1: 0x0CDD17F72836DD642219A00393F3B9B67D945524	AdWare.Bcool [Ikarus]
10	[file and pathname of the sample #1]	320,782 bytes	MD5: 0x5B8B0059B86C2EA185B13760DA4465FA SHA-1: 0xC422901DD769542E5AB7B4F476357045643A2773	(not available)

Notes:

%CommonAppData% is a variable that refers to the file system directory containing application data for all users. A typical path is C:\Documents and Settings\All Users\Application Data.
%CommonPrograms% is a variable that refers to the file system directory that contains the directories for the common program groups that appear on the Start menu for all users. A typical path is C:\Documents and Settings\All Users\Start Menu\Programs (Windows NT/2000/XP).

The following directories were created:

%CommonAppData%\Bcool
%CommonAppData%\Bcool\data
%CommonPrograms%\Bcool

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	163,840 bytes
setup.exe	%Temp%\7zS1.tmp\setup.exe	249,856 bytes

Notes:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{513EC584-9729-57EA-DC1E-1456239D67C1}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{513EC584-9729-57EA-DC1E-1456239D67C1}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{513EC584-9729-57EA-DC1E-1456239D67C1}\ProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{513EC584-9729-57EA-DC1E-1456239D67C1}\Programmable
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{513EC584-9729-57EA-DC1E-1456239D67C1}\VersionIndependentProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{513EC584-9729-57EA-DC1E-1456239D67C1}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{20E7BC40-33F6-4A81-9D52-B58349326206}
HKEY_LOCAL_MACHINE\SOFTWARE\Google
HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome
HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions
HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\ilmmaihonadcijpgfplhidggnfophkof

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE]

Path = "%CommonAppData%\Bcool"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{513EC584-9729-57EA-DC1E-1456239D67C1}\VersionIndependentProgID]

(Default) = "bhoclass.bho"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{513EC584-9729-57EA-DC1E-1456239D67C1}\ProgID]

(Default) = "bhoclass.bho.1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{513EC584-9729-57EA-DC1E-1456239D67C1}\InprocServer32]

(Default) = "%CommonAppData%\Bcool\bhoclass.dll"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{513EC584-9729-57EA-DC1E-1456239D67C1}]

(Default) = "Bcool Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib]

(Default) = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"
Version = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}]

(Default) = "IInjectorBHO"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib]

(Default) = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"
Version = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}]

(Default) = "ILocalStorage"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32]

(Default) = "%CommonAppData%\Bcool\bhoclass.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR]

(Default) = "%CommonAppData%\Bcool"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS]

(Default) = "0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0]

(Default) = "Injector 1.0 Type Library"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer]

(Default) = "bhoclass.bho.1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID]

(Default) = "{513EC584-9729-57EA-DC1E-1456239D67C1}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho]

(Default) = "Bcool"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID]

(Default) = "{513EC584-9729-57EA-DC1E-1456239D67C1}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0]

(Default) = "Bcool"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{513EC584-9729-57EA-DC1E-1456239D67C1}]

(Default) = "Bcool"
NoExplorer = 0x00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID]

{513EC584-9729-57EA-DC1E-1456239D67C1} = "1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{20E7BC40-33F6-4A81-9D52-B58349326206}]

DisplayName = "Bcool"
DisplayVersion = ""
Publisher = "Bcool"
URLInfoAbout = "http://bcoolapp.com"
DisplayIcon = "%CommonAppData%\Bcool\uninstall.exe"
UninstallString = "%CommonAppData%\Bcool\uninstall.exe /path=%CommonAppData%\Bcool"
NoModify = 0x00000001
NoRepair = 0x00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\ilmmaihonadcijpgfplhidggnfophkof]

path = "%CommonAppData%\Bcool\ilmmaihonadcijpgfplhidggnfophkof.crx"
version = "1.0"

Other details

Analysis of the file resources indicate the following possible country of origin:

Israel

The following Internet Connections were established:

Server Name	Server Port	Connect as User	Connection Password
def.thebflix.info	80	(null)	(null)
getsyncer5.info	80	(null)	(null)
getsync.info	80	(null)	(null)

The following GET requests were made:

worker/init.js?ext=bcool&pid=27&country=DE
sync/?ext=bcool&pid=27&country=DE&regd=120703150218&jsoncallback=getJson

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.