ThreatExpert Report

Submission Summary:

Submission details:

Submission received: 12 May 2011, 03:49:48
Processing time: 10 min 13 sec
Submitted sample:

File MD5: 0x5FE54D236142E2ECEF049F51D754A0CA
File SHA-1: 0xE5109C1B284CECEDB87AB887B389E1FF24096560
Filesize: 367,946 bytes
Packer info: packed with: UPX [Kaspersky Lab]

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.
Registers a 32-bit in-process server DLL.
Registers a Browser Helper Object (Microsoft's Internet Explorer plugin module).

Technical Details:

The new window was created, as shown below:

NOTICE: The content shown in the above window is captured automatically and is not controlled or endorsed by ThreatExpert.
Please contact us on this link should any material be offensive or inappropriate and we will ensure any such content is blocked from future viewers of the report.

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%AppData%\GetRightToGo\[filename of the sample #1 without extension].data	1,255 bytes	MD5: 0xACB214242E1135413F9749AA1BDF668F SHA-1: 0x3B88803A77B81758093E7B06A55A2C2020E145BF	(not available)
2	%AppData%\GetRightToGo\[filename of the sample #1 without extension].data0	873 bytes	MD5: 0x7CDEC6126CF6F72667767BC4162CAF7C SHA-1: 0x55216804240DB132701F28978070AF8174024A28	(not available)
3	%AppData%\GetRightToGo\[filename of the sample #1 without extension].htm	635 bytes	MD5: 0x33F09577707D079A40F706A18E126D92 SHA-1: 0x0CEF1F55B72A84E584A51E79A6787EA78D74A603	(not available)
4	%AppData%\BrotherSoft_Extreme\tbBrot.dll %AppData%\ConduitEngine\ConduitEngine.dll %Temp%\GLF14.tmp.ConduitEngine.dll %Temp%\GLF26.tmp.tbBrot.dll %Temp%\GLF2D.tmp.tbBrot.dll %Temp%\GLF3A.tmp.ConduitEngine.dll %Temp%\GLFD.tmp.tbBrot.dll %ProgramFiles%\BrotherSoft_Extreme\tbBrot.dll %ProgramFiles%\ConduitEngine\ConduitEngine.dll	4,215,080 bytes	MD5: 0x69E0A670A2C0D82E849B488FDD9DD7B1 SHA-1: 0xADA73AFCA1A2B703B4ABF863EB2B1C6ABB03B689	(not available)
5	%AppData%\BrotherSoft_Extreme\toolbar.cfg %ProgramFiles%\BrotherSoft_Extreme\toolbar.cfg	31 bytes	MD5: 0x51DA7F76E329A9EECD2988874AAC6E28 SHA-1: 0x12A3CA14300FEC7D86146ABF957A7E8CD905DAA2	(not available)
6	%AppData%\Conduit\CT2776682\BrotherSoft_ExtremeAutoUpdateHelper.exe %ProgramFiles%\BrotherSoft_Extreme\BrotherSoft_ExtremeToolbarHelper.exe %ProgramFiles%\ConduitEngine\ConduitEngineHelper.exe	38,496 bytes	MD5: 0xA320DF2B47CFCAF98D06EB59CD72084C SHA-1: 0xED0A3155E7256B1EE3DAEA9B5251A4A3141592DC	(not available)
7	%AppData%\ConduitEngine\EngineSettings.json %ProgramFiles%\ConduitEngine\EngineSettings.json	2,999 bytes	MD5: 0x09BE516C4F7713E594A437E852293C92 SHA-1: 0x7187E49DF00C790F692ACB022A298969D2148DFB	(not available)
8	%AppData%\ConduitEngine\toolbar.cfg %ProgramFiles%\ConduitEngine\toolbar.cfg	25 bytes	MD5: 0x7BBB07039B2B2CC073E44F50FAFDAF11 SHA-1: 0x72EFF70D121CD84307401973BD33114AF0246C67	(not available)
9	%Temp%\BrotherSoft_Extreme.exe	2,743,120 bytes	MD5: 0x4B5EE0A0DFCB54168B8F74676FC45460 SHA-1: 0x2990F123D661004FAC5D2F89DE61CAB6E5959F35	packed with WiseSFXDropper [Kaspersky Lab]
10	%Temp%\GLB15.tmp	71,680 bytes	MD5: 0x8CFAEA76FB3D02D753CA46148A792949 SHA-1: 0xFBA23621EC559C2DC539ABCC3100ABE1DC1BE277	(not available)
11	%Temp%\GLB18.tmp	71,680 bytes	MD5: 0xF654FAC2E46987230F38ED1819A9B885 SHA-1: 0x1A197311706940D9714002A580D63F233ACAB822	(not available)
12	%Temp%\GLC17.tmp %Temp%\GLC1A.tmp	165,376 bytes	MD5: 0x8C97D8BB1470C6498E47B12C5A03CE39 SHA-1: 0x15D233B22F1C3D756DCA29BCC0021E6FB0B8CDF7	(not available)
13	%Temp%\GLF22.tmp	10,752 bytes	MD5: 0x3B2E23D259394C701050486E642D14FA SHA-1: 0x4E9661C4BA84400146B80B905F46A0F7EF4D62EB	(not available)
14	%Temp%\GLF26.tmp %MyDocuments%\Downloads\mp4_player_4_0.exe	0 bytes	MD5: 0xD41D8CD98F00B204E9800998ECF8427E SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709	(not available)
15	%Temp%\GLF2D.tmp.ConduitEngineSetup.exe %Temp%\GLFD.tmp.ConduitEngineSetup.exe	158,048 bytes	MD5: 0x8DF6E3853F4A6A5BFDA19F8DF3094902 SHA-1: 0xD81F96C881043511F502FE523FC4D36B0E8703D5	packed with WiseSFXDropper [Kaspersky Lab]
16	%Temp%\GLG21.tmp	173 bytes	MD5: 0xE4D5CB6D291A3B86FE637B07AE4B5B3E SHA-1: 0x7665256F3778349F3F806D57B1EBB26917814289	(not available)
17	%Temp%\GLK1D.tmp	34,304 bytes	MD5: 0x517419CAE37F6C78C80F9B7D0FBB8661 SHA-1: 0xA9E419F3D9EF589522556E0920C84FE37A548873	(not available)
18	%Temp%\GLM1C.tmp	12,800 bytes	MD5: 0x484CB68472473A1A84FF07996BB8C1F6 SHA-1: 0xBCE9D810F2558E73854E7C8E05F122B002558E9A	(not available)
19	%Temp%\prxGLF26.tmp.tbBrot.dll %Temp%\prxGLF2D.tmp.tbBrot.dll %Temp%\prxGLFD.tmp.tbBrot.dll %ProgramFiles%\BrotherSoft_Extreme\prxtbBrot.dll %ProgramFiles%\ConduitEngine\prxConduitEngine.dll	175,912 bytes	MD5: 0xB92293778555CE3DABE7F0A7E98B34C0 SHA-1: 0x685D65CCD52FD9D90C402CF9026344267E8B6FD9	(not available)
20	%MyDocuments%\Downloads\Integrated_BrotherSoft_TB.exe	4,813,312 bytes	MD5: 0x0441333F8D45B94C9BC086D72EF12B99 SHA-1: 0x894D413CCB58223FF6C99C01ECF6524F886738F5	packed with WiseSFXDropper [Kaspersky Lab]
21	%ProgramFiles%\BrotherSoft_Extreme\GottenAppsContextMenu.xml	7,044 bytes	MD5: 0xCE0449AC66B68DD896965167D460B135 SHA-1: 0xAB7C13818BE707B1599690FB84D4FFDBCAB821DD	(not available)
22	%ProgramFiles%\BrotherSoft_Extreme\OtherAppsContextMenu.xml	5,738 bytes	MD5: 0xA9CAA49F5C0DDD88168E857E3670EBDF SHA-1: 0x8500953B2600EFDB42EFFFC03FB9D7CC03F22CCC	(not available)
23	[pathname with a string SHARE]\SharedAppsContextMenu.xml	6,588 bytes	MD5: 0x6816D08A668E0D9A3A79831400177C04 SHA-1: 0xA90B7303F688679A4065879E1E50B0F865D0AB05	(not available)
24	%ProgramFiles%\BrotherSoft_Extreme\ToolbarContextMenu.xml	5,737 bytes	MD5: 0x815C07C40CEC4CF53861DA7A7C6EC639 SHA-1: 0xD48FA137FD2D543B555470BDFC46D2D5D637B877	(not available)
25	%ProgramFiles%\BrotherSoft_Extreme\uninstall.exe	93,792 bytes	MD5: 0xB7754D6963C1AE4FA66F60605618FD7A SHA-1: 0x0ED4C25E4292E37E4177C5C6AAAA36F481414315	(not available)
26	%ProgramFiles%\Conduit\Community Alerts\Alert.dll	634,976 bytes	MD5: 0x775D1655DCEF4AA65EBF89E744E511A0 SHA-1: 0x664270A860DDB3D6F23F617D0615070330A71A30	(not available)
27	%ProgramFiles%\ConduitEngine\appContextMenu.xml	6,560 bytes	MD5: 0x68451D444D8AF7483B9A5A6A244B9540 SHA-1: 0xAA4B354AB24C483A9C8A951611F8EFB87C7F98A6	(not available)
28	%ProgramFiles%\ConduitEngine\ConduitEngineUninstall.exe	23,648 bytes	MD5: 0xDF465BE110DC0F7E5329D1B8065A405F SHA-1: 0x4CBEA1ADF328E3DAF17DE451C4DEDB9FF17DEA43	(not available)
29	%ProgramFiles%\ConduitEngine\engineContextMenu.xml	4,013 bytes	MD5: 0x2185FA6EB24E54A78F1913C33B5408BC SHA-1: 0xCAD066F69CB76BD4CB2BA79D2DED45F8DC299688	(not available)
30	%ProgramFiles%\ConduitEngine\INSTALL.LOG	605 bytes	MD5: 0x215F2C5F749A78AD6748A98F1CE51EC7 SHA-1: 0xD35CF8FD71BFBD9EC640867482A1DBBAE8CC7D45	(not available)

Notes:

%AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.
%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.
%MyDocuments% is a variable that refers to the file system directory used to physically store a user's common repository of documents. A typical path is C:\Documents and Settings\[UserName]\My Documents.

The following directories were created:

%AppData%\GetRightToGo
%AppData%\BrotherSoft_Extreme
%AppData%\BrotherSoft_Extreme\Logs
%AppData%\Conduit
%AppData%\Conduit\Community Alerts
%AppData%\Conduit\Community Alerts\Log
%AppData%\Conduit\CT2776682
%AppData%\ConduitEngine
%AppData%\ConduitEngine\Logs
%AppData%\ConduitEngine\MyStuffApps
%AppData%\Temp
%AppData%\Temp\Logs
%MyDocuments%\Downloads
%ProgramFiles%\BrotherSoft_Extreme
%ProgramFiles%\Conduit
%ProgramFiles%\Conduit\Community Alerts
%ProgramFiles%\ConduitEngine

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	1,101,824 bytes
GLB15.tmp	%Temp%\glb15.tmp	28,672 bytes
GLB18.tmp	%Temp%\glb18.tmp	28,672 bytes
BROTHE~1.EXE	%Temp%\brothersoft_extreme.exe	2,752,512 bytes
GLB27.tmp	%Temp%\glb27.tmp	28,672 bytes
GLF2DT~1.EXE	%Temp%\glf2d.tmp.conduitenginesetup.exe	167,936 bytes
GLB2E.tmp	%Temp%\glb2e.tmp	28,672 bytes

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3072E62A-1FE8-4874-B78B-D0A4A356D5F2}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3072E62A-1FE8-4874-B78B-D0A4A356D5F2}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3072E62A-1FE8-4874-B78B-D0A4A356D5F2}\ProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3072E62A-1FE8-4874-B78B-D0A4A356D5F2}\VersionIndependentProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{30F9B915-B755-4826-820B-08FBA6BD249D}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{30F9B915-B755-4826-820B-08FBA6BD249D}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{51A86BB3-6602-4C85-92A5-130EE4864F13}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{51A86BB3-6602-4C85-92A5-130EE4864F13}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5842F524-302E-4D08-8FCC-586C01952A82}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5842F524-302E-4D08-8FCC-586C01952A82}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5842F524-302E-4D08-8FCC-586C01952A82}\ProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5842F524-302E-4D08-8FCC-586C01952A82}\VersionIndependentProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C1379336-D286-4617-BAC2-C98BF97B11CB}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C1379336-D286-4617-BAC2-C98BF97B11CB}\Implemented Categories
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C1379336-D286-4617-BAC2-C98BF97B11CB}\Implemented Categories\{00021494-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C1379336-D286-4617-BAC2-C98BF97B11CB}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D8EB0E8D-2AEB-4033-9004-2F8413E63F94}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D8EB0E8D-2AEB-4033-9004-2F8413E63F94}\Implemented Categories
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D8EB0E8D-2AEB-4033-9004-2F8413E63F94}\Implemented Categories\{00021494-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D8EB0E8D-2AEB-4033-9004-2F8413E63F94}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Conduit.Engine
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Conduit.Engine\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Toolbar.CT2776682
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Toolbar.CT2776682\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{70F631DA-DFE6-40FA-B8DC-93527BD2A2C7}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8B2B182F-F3DA-488A-87DF-7F8C93CE626C}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A7B93820-3D67-462A-93D2-C65FCDD33298}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{51a86bb3-6602-4c85-92a5-130ee4864f13}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BrotherSoft Extreme Toolbar
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BrotherSoft_Extreme Toolbar
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Conduit Engine
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\conduitEngine
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3072E62A-1FE8-4874-B78B-D0A4A356D5F2}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{5842F524-302E-4D08-8FCC-586C01952A82}
HKEY_LOCAL_MACHINE\SOFTWARE\BrotherSoft_Extreme
HKEY_LOCAL_MACHINE\SOFTWARE\BrotherSoft_Extreme\Communicator
HKEY_LOCAL_MACHINE\SOFTWARE\BrotherSoft_Extreme\toolbar
HKEY_LOCAL_MACHINE\SOFTWARE\Conduit
HKEY_LOCAL_MACHINE\SOFTWARE\Conduit\Community Alerts
HKEY_LOCAL_MACHINE\SOFTWARE\Conduit\HomePage
HKEY_LOCAL_MACHINE\SOFTWARE\Conduit\Platforms
HKEY_LOCAL_MACHINE\SOFTWARE\Conduit\Platforms\{3072E62A-1FE8-4874-B78B-D0A4A356D5F2}
HKEY_LOCAL_MACHINE\SOFTWARE\Conduit\Platforms\{30F9B915-B755-4826-820B-08FBA6BD249D}
HKEY_LOCAL_MACHINE\SOFTWARE\Conduit\Platforms\{51a86bb3-6602-4c85-92a5-130ee4864f13}
HKEY_LOCAL_MACHINE\SOFTWARE\Conduit\Platforms\{5842F524-302E-4D08-8FCC-586C01952A82}
HKEY_LOCAL_MACHINE\SOFTWARE\Conduit\Platforms\{C1379336-D286-4617-BAC2-C98BF97B11CB}
HKEY_LOCAL_MACHINE\SOFTWARE\Conduit\Platforms\{D8EB0E8D-2AEB-4033-9004-2F8413E63F94}
HKEY_LOCAL_MACHINE\SOFTWARE\Conduit\Toolbars
HKEY_LOCAL_MACHINE\SOFTWARE\conduitEngine
HKEY_LOCAL_MACHINE\SOFTWARE\conduitEngine\Communicator
HKEY_LOCAL_MACHINE\SOFTWARE\conduitEngine\toolbar
HKEY_LOCAL_MACHINE\SOFTWARE\conduitEngine\toolbar\InstalledApps
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
HKEY_CURRENT_USER\Software\BrotherSoft_Extreme
HKEY_CURRENT_USER\Software\BrotherSoft_Extreme\toolbar
HKEY_CURRENT_USER\Software\BrotherSoft_Extreme\toolbar\IE5
HKEY_CURRENT_USER\Software\BrotherSoft_Extreme\toolbar\Log
HKEY_CURRENT_USER\Software\BrotherSoft_Extreme\toolbar\Monitored
HKEY_CURRENT_USER\Software\BrotherSoft_Extreme\toolbar\Repository
HKEY_CURRENT_USER\Software\BrotherSoft_Extreme\toolbar\Repository\conduit_CT2776682
HKEY_CURRENT_USER\Software\BrotherSoft_Extreme\toolbar\Repository\conduit_CT2776682\Coordinator
HKEY_CURRENT_USER\Software\BrotherSoft_Extreme\toolbar\settings
HKEY_CURRENT_USER\Software\Conduit
HKEY_CURRENT_USER\Software\Conduit\Community Alerts
HKEY_CURRENT_USER\Software\Conduit\Community Alerts\Settings
HKEY_CURRENT_USER\Software\conduitEngine
HKEY_CURRENT_USER\Software\conduitEngine\toolbar
HKEY_CURRENT_USER\Software\conduitEngine\toolbar\IE5
HKEY_CURRENT_USER\Software\conduitEngine\toolbar\Log
HKEY_CURRENT_USER\Software\conduitEngine\toolbar\Monitored
HKEY_CURRENT_USER\Software\conduitEngine\toolbar\Repository
HKEY_CURRENT_USER\Software\conduitEngine\toolbar\Repository\conduit_ConduitEngine
HKEY_CURRENT_USER\Software\conduitEngine\toolbar\Repository\conduit_ConduitEngine\Coordinator
HKEY_CURRENT_USER\Software\conduitEngine\toolbar\Settings
HKEY_CURRENT_USER\Software\conduitEngine\toolbar\Settings\MyStuff
HKEY_CURRENT_USER\Software\Headlight
HKEY_CURRENT_USER\Software\Headlight\GetRightToGo
HKEY_CURRENT_USER\Software\Headlight\GetRightToGo\CustomizedApps
HKEY_CURRENT_USER\Software\Headlight\GetRightToGo\NoRange-0
HKEY_CURRENT_USER\Software\Headlight\GetRightToGo\NoRange-X
[pathname with a string SHARE]\SharedConfig
HKEY_CURRENT_USER\Toolbar
HKEY_CURRENT_USER\Toolbar\RegisteredSources

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3072E62A-1FE8-4874-B78B-D0A4A356D5F2}\VersionIndependentProgID]

(Default) = "Conduit.Engine"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3072E62A-1FE8-4874-B78B-D0A4A356D5F2}\ProgID]

(Default) = "Conduit.Engine"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3072E62A-1FE8-4874-B78B-D0A4A356D5F2}\InprocServer32]

(Default) = "%ProgramFiles%\ConduitEngine\prxConduitEngine.dll"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3072E62A-1FE8-4874-B78B-D0A4A356D5F2}]

(Default) = "Conduit Engine API Server"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{30F9B915-B755-4826-820B-08FBA6BD249D}\InprocServer32]

(Default) = "%ProgramFiles%\ConduitEngine\prxConduitEngine.dll"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{30F9B915-B755-4826-820B-08FBA6BD249D}]

(Default) = "Conduit Engine"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1}\InprocServer32]

(Default) = "%ProgramFiles%\Conduit\Community Alerts\Alert.dll"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1}]

(Default) = "Conduit Community Alerts"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{51A86BB3-6602-4C85-92A5-130EE4864F13}\InprocServer32]

(Default) = "%ProgramFiles%\BrotherSoft_Extreme\prxtbBrot.dll"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{51A86BB3-6602-4C85-92A5-130EE4864F13}]

(Default) = "BrotherSoft Extreme Toolbar"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5842F524-302E-4D08-8FCC-586C01952A82}\VersionIndependentProgID]

(Default) = "Toolbar.CT2776682"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5842F524-302E-4D08-8FCC-586C01952A82}\ProgID]

(Default) = "Toolbar.CT2776682"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5842F524-302E-4D08-8FCC-586C01952A82}\InprocServer32]

(Default) = "%ProgramFiles%\BrotherSoft_Extreme\prxtbBrot.dll"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5842F524-302E-4D08-8FCC-586C01952A82}]

(Default) = "BrotherSoft Extreme API Server"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C1379336-D286-4617-BAC2-C98BF97B11CB}\InprocServer32]

(Default) = "%ProgramFiles%\ConduitEngine\prxConduitEngine.dll"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C1379336-D286-4617-BAC2-C98BF97B11CB}]

(Default) = "Conduit Engine Findbar"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D8EB0E8D-2AEB-4033-9004-2F8413E63F94}\InprocServer32]

(Default) = "%ProgramFiles%\BrotherSoft_Extreme\prxtbBrot.dll"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D8EB0E8D-2AEB-4033-9004-2F8413E63F94}]

(Default) = "BrotherSoft Extreme Findbar"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Conduit.Engine\CLSID]

(Default) = "{3072E62A-1FE8-4874-B78B-D0A4A356D5F2}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Toolbar.CT2776682\CLSID]

(Default) = "{5842F524-302E-4D08-8FCC-586C01952A82}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

{51a86bb3-6602-4c85-92a5-130ee4864f13} = "BrotherSoft_Extreme Toolbar"
{30F9B915-B755-4826-820B-08FBA6BD249D} = ""
{51a86bb3-6602-4c85-92a5-130ee4864f13} = "BrotherSoft Extreme Toolbar"
{30F9B915-B755-4826-820B-08FBA6BD249D} = "Conduit Engine"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A7B93820-3D67-462A-93D2-C65FCDD33298}]

AppPath = "%ProgramFiles%\ConduitEngine"
AppName = "ConduitEngineHelper.exe"
Policy = 0x00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8B2B182F-F3DA-488A-87DF-7F8C93CE626C}]

AppPath = "%AppData%\Conduit\CT2776682"
AppName = "BrotherSoft_ExtremeAutoUpdateHelper.exe"
Policy = 0x00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{70F631DA-DFE6-40FA-B8DC-93527BD2A2C7}]

AppPath = "%ProgramFiles%\BrotherSoft_Extreme"
AppName = "BrotherSoft_ExtremeToolbarHelper.exe"
Policy = 0x00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

(Default) = ""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]

(Default) = "Conduit Engine"
NoExplorer = 0x00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{51a86bb3-6602-4c85-92a5-130ee4864f13}]

(Default) = ""
NoExplorer = 0x00000001
(Default) = "BrotherSoft Extreme"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BrotherSoft Extreme Toolbar]

DisplayVersion = "6.3.2.90"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BrotherSoft_Extreme Toolbar]

DisplayName = "BrotherSoft_Extreme Toolbar"
UninstallString = "C:\PROGRA~1\BROTHE~1\UNINST~1.EXE"
Comments = ""
Contact = ""
HelpLink = "http://BrotherSoftExtreme.OurToolbar.com/help"
Publisher = "BrotherSoft Extreme"
DisplayVersion = "6.3.2.90"
URLInfoAbout = "http://BrotherSoftExtreme.OurToolbar.com/"
DisplayName = "BrotherSoft Extreme Toolbar"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Conduit Engine]

DisplayVersion = "6.3.2.90"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\conduitEngine]

DisplayName = "Conduit Engine"
UninstallString = "C:\PROGRA~1\CONDUI~1\ConduitEngineUninstall.exe"
DisplayIcon = "C:\PROGRA~1\CONDUI~1\ConduitEngineUninstall.exe"
DisplayVersion = ""
Publisher = "Conduit Ltd."
Comments = ""
Contact = ""
HelpLink = " "
URLInfoAbout = ""

[HKEY_LOCAL_MACHINE\SOFTWARE\BrotherSoft_Extreme\toolbar]

MarkOldApps = "FALSE"
BrowserSearchURL = "http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2776682"
ComId = "{51a86bb3-6602-4c85-92a5-130ee4864f13}"
DisplayName = "BrotherSoft Extreme"
DisplayTitle = "BrotherSoft_Extreme Toolbar"
GroupingEnabled = "FALSE"
InstallationId = "integrated_brothersoft_tb.exe"
InstallationType = "conduitintegration"
MultiCommunityEnabled = "FALSE"
Path = "%ProgramFiles%\BrotherSoft_Extreme"
Server = "users.conduit.com"
ShouldPerformGroupByOS = "FALSE"
ShouldShowPersonalComponentDlg = "false"
SponsorId = "CT2776682"
ToolbarHelperFileName = "%ProgramFiles%\BrotherSoft_Extreme\BrotherSoft_ExtremeToolbarHelper.exe"
PlatformType = "ConduitToolbar"
IsEngineHost = "TRUE"
AllowToUninstallFromEngine = "FALSE"
ForceEngineUninstall = "TRUE"
ToolbarDllName = "tbBrot.dll"
IphoneUpdateURL = ""
AutoUpdateHelperPath = "%AppData%\Conduit\CT2776682\BrotherSoft_ExtremeAutoUpdateHelper.exe"
AllowUntrustedApps = "FALSE"
ShouldSendToolbarAge = "TRUE"
ProxyDllPath = "%ProgramFiles%\BrotherSoft_Extreme\prxtbBrot.dll"
version = "6.3.2.90"
VistaElevationComId = "{70F631DA-DFE6-40FA-B8DC-93527BD2A2C7}"
AutoupdateElevationComId = "{8B2B182F-F3DA-488A-87DF-7F8C93CE626C}"
ToolbarAPIComId = "{5842F524-302E-4D08-8FCC-586C01952A82}"
UserID = "UN27943982752613122"
FindBarComId = "{D8EB0E8D-2AEB-4033-9004-2F8413E63F94}"
OpenUninstallPage = "TRUE"

[HKEY_LOCAL_MACHINE\SOFTWARE\BrotherSoft_Extreme\Communicator]

Url = "http://servicemap.conduit-services.com/Toolbar/?ownerId=EB_ORIGINAL_CTID"

[HKEY_LOCAL_MACHINE\SOFTWARE\Conduit\Platforms\{D8EB0E8D-2AEB-4033-9004-2F8413E63F94}]

HostID = "{51a86bb3-6602-4c85-92a5-130ee4864f13}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Conduit\Platforms\{C1379336-D286-4617-BAC2-C98BF97B11CB}]

HostID = "{30F9B915-B755-4826-820B-08FBA6BD249D}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Conduit\Platforms\{5842F524-302E-4D08-8FCC-586C01952A82}]

HostID = "{51a86bb3-6602-4c85-92a5-130ee4864f13}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Conduit\Platforms\{51a86bb3-6602-4c85-92a5-130ee4864f13}]

Name = "BrotherSoft_Extreme"

[HKEY_LOCAL_MACHINE\SOFTWARE\Conduit\Platforms\{30F9B915-B755-4826-820B-08FBA6BD249D}]

Name = "conduitEngine"

The following Registry Value was modified:

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]

Start Page =

Other details

The following port was open in the system:

Port	Protocol	Process
1050	UDP	[file and pathname of the sample #1]

There were registered attempts to establish connection with the remote hosts. The connection details are:

Remote Host	Port Number
174.132.118.42	80
204.0.5.43	80
204.0.5.56	80
208.93.142.80	80
216.137.43.162	80
74.125.227.4	80

The data identified by the following URLs was then requested from the remote web server:

http://rufiles.brothersoft.com/mp3_audio/players/mp4_player_4_0.exe
http://img.brothersoft.com/softsale/img/20100826.jpg
http://ie.conduit-download.com/87/246/CT2463487/downloads/Integrated_BrotherSoft_TB.exe
http://www.conduit.com/ScriptResource.axd?d=xxHWFSuSmHCfOtqfTX6fe6pUYZJKSM0S9e0Mq06zJIz0_VvX9DjuPC6M7Ah89kauZ1Gf7XVWVAAqosAkwSrFl7jI4BinOnDk2pS35wFy4Kk1&t=4944c721
http://www.conduit.com/ScriptResource.axd?d=xxHWFSuSmHCfOtqfTX6fe6pUYZJKSM0S9e0Mq06zJIz0_VvX9DjuPC6M7Ah89kau4Ns0j3c1iiOWMscVxsTwOm2gSsQdz6HZvMofzPozosM1&t=4944c721
http://www.conduit.com/images/newmarketing/images/Header/logoR.gif
http://www.conduit.com/Images/newmarketing/images/Bait_over.gif
http://www.conduit.com/images/newmarketing/images/newlinesmushed2.jpg
http://www.conduit.com/images/newmarketing/images/3boxes/toolbaricons.jpg
http://www.conduit.com/images/newmarketing/images/3boxes/mobileicons.jpg
http://www.conduit.com/Images/NewMarketing/images/dynamicbox/WSJ.jpg
http://www.conduit.com/images/newmarketing/images/masterimage2.jpg
http://www.conduit.com/Images/NewMarketing/images/dynamicbox/nerd.jpg
http://www.conduit.com/images/newmarketing/images/HomeLinesmushed1.jpg
http://www.conduit.com/script/version/mapv5i.js
http://www.conduit.com/images/newmarketing/images/masterhome1.jpg
http://www.conduit.com/images/newmarketing/images/dynamicbox/seemorearrows.gif
http://www.conduit.com/Images/NewMarketing/images/dynamicbox/NeAApp_Develp.gif
http://www.conduit.com/Images/NewMarketing/images/dynamicbox/word.jpg
http://www.conduit.com/
http://www.conduit.com/CMSPages/GetCSS.aspx?stylesheetname=newHomepage
http://www.conduit.com/script/version/homemin12.js
http://www.conduit.com/WebResource.axd?d=DYOE8hILG2ERjvY_24x67w2&t=633722862080137500
http://dnn506yrbagrg.cloudfront.net/pages/scripts/0009/1342.js
http://www.google-analytics.com/ga.js

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.