ThreatExpert Report

Submission Summary:

Submission details:

Submission received: 12 March 2012, 10:48:35
Processing time: 11 min 0 sec
Submitted sample:

File MD5: 0x65BE4EBFAD2CC4889AABDEFCCF46B9DB
File SHA-1: 0x48BB797CCF524D9A3F74918344037F19674FBDB1
Filesize: 1,587,477 bytes

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.
Creates a startup registry entry.
Registers a 32-bit in-process server DLL.
Registers a Browser Helper Object (Microsoft's Internet Explorer plugin module).

Technical Details:

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash
1	%ProgramFiles%\sidematch\FreeApp.exe	48,080 bytes	MD5: 0x5F1A003EE27AC7947C42F6DA100D00C6 SHA-1: 0xC4D16E2B05ED3AEF2781A5A3650A5D6BE9A81AB1
2	%ProgramFiles%\sidematch\SideBand.dll	413,136 bytes	MD5: 0x0C00344A698C8BBB2BA08F99BA7C1515 SHA-1: 0xEA4279510874B4981F4CF846D8D896EAB7C91178
3	%ProgramFiles%\sidematch\sidematch Update Log.txt	2,067 bytes	MD5: 0x6BD4FF88827E9CD24D60369910382582 SHA-1: 0x55444406E482D8003FC18B9199962F627120A3B8
4	%ProgramFiles%\sidematch\sidematch.dat	22,121 bytes	MD5: 0xDEF2D4DD75BF2A0A67D4F5B596659802 SHA-1: 0x0696E912CF99EE26802E0CE7248AEC5260AB6C11
5	%ProgramFiles%\sidematch\sidematch.exe	467,456 bytes	MD5: 0xC3F58232FB7870D4E0BF310EFA967FC1 SHA-1: 0x8AE0B4FB13F1F59809D4ADC19BDFBAEA45DD90AA
6	%ProgramFiles%\sidematch\SideMatch_v8.dll	381,904 bytes	MD5: 0xDFF4862693E2CCEA894EDCF605C34D14 SHA-1: 0xB39248CAB148F88D7990095A57555E0E05AD2B26
7	%ProgramFiles%\sidematch\unins000.dat	10,101 bytes	MD5: 0x03DBBA343B7E1A7377DB937E51EADB95 SHA-1: 0x477A1E4E933B868872A6ABD43EF56EA1EB1EE1B7
8	%ProgramFiles%\sidematch\unins000.exe	681,844 bytes	MD5: 0xDBB1912375670510B999960C4F84BE05 SHA-1: 0x09601A52D61AE229B6E0BAE8CBDF07274A8A1F03
9	%System%\del_nsis_bat.cmd	167 bytes	MD5: 0x5F36F6C84646B5AD645588841CE170AD SHA-1: 0x6CAB61FB665E72BD22D2281FAF7A4C48E129B08B
10	[file and pathname of the sample #1]	1,587,477 bytes	MD5: 0x65BE4EBFAD2CC4889AABDEFCCF46B9DB SHA-1: 0x48BB797CCF524D9A3F74918344037F19674FBDB1

Notes:

%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

The following directory was created:

%ProgramFiles%\sidematch

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{87F960CE-F106-4AE2-A395-33F819275B6F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{87F960CE-F106-4AE2-A395-33F819275B6F}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{87F960CE-F106-4AE2-A395-33F819275B6F}\ProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{87F960CE-F106-4AE2-A395-33F819275B6F}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{87F960CE-F106-4AE2-A395-33F819275B6F}\Version
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9A0386FF-B48D-4C25-9AD7-972A80249E52}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9A0386FF-B48D-4C25-9AD7-972A80249E52}\Implemented Categories
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9A0386FF-B48D-4C25-9AD7-972A80249E52}\Implemented Categories\{00021493-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9A0386FF-B48D-4C25-9AD7-972A80249E52}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D48EB4F0-4938-4E87-8E75-D711F99A56C7}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D48EB4F0-4938-4E87-8E75-D711F99A56C7}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D48EB4F0-4938-4E87-8E75-D711F99A56C7}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D48EB4F0-4938-4E87-8E75-D711F99A56C7}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{023B20D9-692B-42E4-BF91-7B82460C1024}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{023B20D9-692B-42E4-BF91-7B82460C1024}\1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{023B20D9-692B-42E4-BF91-7B82460C1024}\1.0\0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{023B20D9-692B-42E4-BF91-7B82460C1024}\1.0\0\win32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{023B20D9-692B-42E4-BF91-7B82460C1024}\1.0\FLAGS
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{023B20D9-692B-42E4-BF91-7B82460C1024}\1.0\HELPDIR
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SideMatch.MatchBand
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SideMatch.MatchBand\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{87F960CE-F106-4AE2-A395-33F819275B6F}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{DECFFB19-DFB8-446C-82B7-3675CE1AE422}_is1
HKEY_CURRENT_USER\Software\sidematch

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{87F960CE-F106-4AE2-A395-33F819275B6F}\Version]

(Default) = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{87F960CE-F106-4AE2-A395-33F819275B6F}\TypeLib]

(Default) = "{023B20D9-692B-42E4-BF91-7B82460C1024}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{87F960CE-F106-4AE2-A395-33F819275B6F}\ProgID]

(Default) = "SideMatch.MatchBand"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{87F960CE-F106-4AE2-A395-33F819275B6F}\InprocServer32]

(Default) = "C:\PROGRA~1\SIDEMA~1\SIDEMA~1.DLL"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{87F960CE-F106-4AE2-A395-33F819275B6F}]

(Default) = "SideMatch Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9A0386FF-B48D-4C25-9AD7-972A80249E52}\InprocServer32]

(Default) = "C:\PROGRA~1\SIDEMA~1\SideBand.dll"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9A0386FF-B48D-4C25-9AD7-972A80249E52}]

(Default) = "&Side Match"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D48EB4F0-4938-4E87-8E75-D711F99A56C7}\TypeLib]

(Default) = "{023B20D9-692B-42E4-BF91-7B82460C1024}"
Version = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D48EB4F0-4938-4E87-8E75-D711F99A56C7}\ProxyStubClsid32]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D48EB4F0-4938-4E87-8E75-D711F99A56C7}\ProxyStubClsid]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D48EB4F0-4938-4E87-8E75-D711F99A56C7}]

(Default) = "Imatchband"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{023B20D9-692B-42E4-BF91-7B82460C1024}\1.0\0\win32]

(Default) = "%ProgramFiles%\sidematch\SideMatch_v8.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{023B20D9-692B-42E4-BF91-7B82460C1024}\1.0\HELPDIR]

(Default) = "%ProgramFiles%\sidematch\"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{023B20D9-692B-42E4-BF91-7B82460C1024}\1.0\FLAGS]

(Default) = "0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{023B20D9-692B-42E4-BF91-7B82460C1024}\1.0]

(Default) = "SideMatch Library"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SideMatch.MatchBand\Clsid]

(Default) = "{87F960CE-F106-4AE2-A395-33F819275B6F}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SideMatch.MatchBand]

(Default) = "matchband"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{87F960CE-F106-4AE2-A395-33F819275B6F}]

NoExplorer = 0x00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{DECFFB19-DFB8-446C-82B7-3675CE1AE422}_is1]

Inno Setup: Setup Version = "5.1.9"
Inno Setup: App Path = "%ProgramFiles%\sidematch"
InstallLocation = "%ProgramFiles%\sidematch\"
Inno Setup: Icon Group = "sidematch"
Inno Setup: User = "%UserName%"
DisplayName = "Windows Sidematch System"
UninstallString = ""%ProgramFiles%\sidematch\unins000.exe""
QuietUninstallString = ""%ProgramFiles%\sidematch\unins000.exe" /SILENT"
DisplayVersion = "1.0.0.8"
Publisher = "sidematch Inc."
URLInfoAbout = "http://side-match.com/"
NoModify = 0x00000001
NoRepair = 0x00000001
InstallDate = "20120312"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

sidematch = "%ProgramFiles%\sidematch\sidematch.exe"

so that sidematch.exe runs every time Windows starts

[HKEY_CURRENT_USER\Software\sidematch]

partnerID = "sidematch_01"
UpdateTime = "10:50:54"
InstallTime = "2012-03-12_10:48:48"
Version = "1.0.0.0"
BVersion = "1.0.0.0"
URL = "http://sidematch.app.linkprice.com/query/sidematch.php?option=Normal&aff_id=A100450954&key="
KeyWord = ""
GUID = "{AA5563C3-C3B9-4E93-A5DE-68D3AE1FB4E2}"
ActiveDate = "2012-03-12"

Other details

There were registered attempts to establish connection with the remote hosts. The connection details are:

Remote Host	Port Number
119.70.227.138	80
221.141.2.44	80

The data identified by the following URLs was then requested from the remote web server:

http://update.mylinks.kr/sidematch/sidematch.ts1
http://update.mylinks.kr/sidematch/download/unins000.dat
http://counter.side-match.com/analysis/ins.php?uq={AA5563C3-C3B9-4E93-A5DE-68D3AE1FB4E2}&pid=sidematch_01
http://counter.side-match.com/analysis/live.php?uq={AA5563C3-C3B9-4E93-A5DE-68D3AE1FB4E2}&pid=sidematch_01

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.