ThreatExpert Report: not-a-virus:WebToolbar.Win32.InstallCore.ayx

Submission Summary:

Submission details:

Submission received: 22 September 2012, 15:33:35
Processing time: 10 min 21 sec
Submitted sample:

File MD5: 0x72D76C936A51702ED9F5FB090118F9FD
File SHA-1: 0xC8CF2DBE7A844015E2568EE769F63860B6E5B867
Filesize: 1,114,896 bytes
Alias: not-a-virus:WebToolbar.Win32.InstallCore.ayx [Kaspersky Lab]

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.

Technical Details:

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%DesktopDir%\Continue FLV Player Installation.lnk	911 bytes	MD5: 0x9980FDF529A048697DB8C0A8C21620CE SHA-1: 0x43CFB44EF7A49B08FC3C13AC40AAE74E61B7442C	(not available)
2	%Temp%\ICReinstall_[filename of the sample #1] [file and pathname of the sample #1]	1,114,896 bytes	MD5: 0x72D76C936A51702ED9F5FB090118F9FD SHA-1: 0xC8CF2DBE7A844015E2568EE769F63860B6E5B867	not-a-virus:WebToolbar.Win32.InstallCore.ayx [Kaspersky Lab]
3	%Temp%\is87173921\100493_Setup.CIS %Temp%\is87173921\100570_Setup.CIS	125 bytes	MD5: 0x7C5F5A68051F6B0C0E9A2AD33C40D415 SHA-1: 0x120865765927A61AF83F02B83DC297EEDE61EC41	(not available)
4	%Temp%\is87173921\1381032960.cfg	236 bytes	MD5: 0x59326A243221A1E02DCA4F4D0CD94A07 SHA-1: 0xE28DEBB5382C36A6D33E245406BAF4E0F80AF81D	(not available)
5	%Temp%\is87173921\2118222269.cfg	236 bytes	MD5: 0x72D99F2FB575953EB2E929E8AA0E9CA7 SHA-1: 0xFCD0FD722BF821102E2733824B7487AE0E7FDCCA	(not available)
6	%Temp%\is87173921\393008642.cfg	236 bytes	MD5: 0xE5BD0B95B4D03C77AA1E188AB281F2E2 SHA-1: 0x86EA3845A0AFE4BA7AB8A637627D3B3401F764B1	(not available)
7	%Temp%\is87173921\998093759.cfg	236 bytes	MD5: 0x1CBBBB11242309DE0F21A8EB07C8867F SHA-1: 0xEC85A2D58878CD8E52AF8ECEF02A9743BC67DBD6	(not available)
8	%Temp%\ish98640\blank.gif	49 bytes	MD5: 0x56398E76BE6355AD5999B262208A17C9 SHA-1: 0xA1FDEE122B95748D81CEE426D717C05B5174FE96	(not available)
9	%Temp%\ish98640\css\buttons.css	1,100 bytes	MD5: 0x63E5607B6CA179F4022438B4C1EBB8CD SHA-1: 0x3A51B4C95B4210058242EC0F3025CC28CEC16CF6	(not available)
10	%Temp%\ish98640\css\ie6_main.css	1,516 bytes	MD5: 0xEFF041B25053BFF27A223D77ED92EADE SHA-1: 0x8DF7C332F34A175D1C446213156D86B243970016	(not available)
11	%Temp%\ish98640\css\main.css	3,539 bytes	MD5: 0x36D758D229DFE18DE95FA25465C89D18 SHA-1: 0xBD7B2561987BAD2E273D85061C22D5D1206D4335	(not available)
12	%Temp%\ish98640\css\sdk-ui\browse.css	318 bytes	MD5: 0x10C359BC980927BB66B215407ECE3E66 SHA-1: 0x4A2FC034BF7B4E84D832B6BBD9413D2055B9EC62	(not available)
13	%Temp%\ish98640\css\sdk-ui\button.css	417 bytes	MD5: 0x37E1FF96E084EC201F0D95FEEF4D5E94 SHA-1: 0x4EC405F2668D5D93260525AD916ABAFA2414CB72	(not available)
14	%Temp%\ish98640\css\sdk-ui\checkbox.css	190 bytes	MD5: 0x64773C6B0E3413C81AEBC46CCE8C9318 SHA-1: 0x50F84EF8331341B48981AF82313B146863EBA526	(not available)
15	%Temp%\ish98640\css\sdk-ui\images\button-bg.png	131 bytes	MD5: 0x98B1DE48DFA64DC2AA1E52FACFBEE3B0 SHA-1: 0xA1615C118FBFA49253D98185EAE283F26EA392D7	(not available)
16	%Temp%\ish98640\css\sdk-ui\images\progress-bg.png	2,845 bytes	MD5: 0x32A6846FE53388EB03BE3ADA2221297F SHA-1: 0x1C1BAEC7B7FE7A420CCF68D3112384B44F8BA89E	(not available)
17	%Temp%\ish98640\css\sdk-ui\progress-bar.css	458 bytes	MD5: 0xF047788B88F4DACE0E828635437E565F SHA-1: 0x159D7A6B7563E4E4756796A83A4C019B3862D86D	(not available)
18	%Temp%\ish98640\csshover3.htc	2,893 bytes	MD5: 0x52FA0DA50BF4B27EE625C80D36C67941 SHA-1: 0x0B2769433E73E3C6C677A5C7294A9A2F45CB8A64	(not available)
19	%Temp%\ish98640\images\back-over.png	969 bytes	MD5: 0xB3892DB811CA786A8F404373A47D6CAD SHA-1: 0x8DE5DF9AAC3E1F20E005C30A3CFBCE789D5DE88F	(not available)
20	%Temp%\ish98640\images\back.png	991 bytes	MD5: 0x8A99E16E48AB5BFD0084CCD49281B036 SHA-1: 0xAB40545BB33AB2BAD0891D3B71C3F618A916CB1D	(not available)
21	%Temp%\ish98640\images\bg.png	65,226 bytes	MD5: 0x674EBEB11C056B0CDF01802020B8B41A SHA-1: 0x16FBA8A46BE739BE737FCCE768021A83142DC7EB	(not available)
22	%Temp%\ish98640\images\close-over.png	1,054 bytes	MD5: 0x62D7273F7BFD374313F6FB0155B2E7F7 SHA-1: 0xDCC738108FA120A4D8EC47FF3E6E71C336C59C16	(not available)
23	%Temp%\ish98640\images\close.png	1,074 bytes	MD5: 0x60E7A3F760637DD125A1150474E7F6BB SHA-1: 0x46E4B53480DD7B3DB532E3511A7AD3B9E99B2F48	(not available)
24	%Temp%\ish98640\images\icon.png	5,996 bytes	MD5: 0x45D8E7F1E721DB59ECA3DC36E932BF8B SHA-1: 0x974FBB730C8C1AE66C6187F99D887F44D8A77A56	(not available)
25	%Temp%\ish98640\images\loader.gif	22,379 bytes	MD5: 0x360281E85620142C3329848262DA263D SHA-1: 0x032AE1E422AF859D78D172E918573FB0F55318DE	(not available)
26	%Temp%\ish98640\images\next-over.png	1,100 bytes	MD5: 0xFC4C088EF45496F8E4E4B280D23B786A SHA-1: 0x045AD4062936B9E45155E50D3D57B5D3F6AB9FBF	(not available)
27	%Temp%\ish98640\images\next.png	1,132 bytes	MD5: 0xA4987C1267F6E8361800AA3D2DC840A2 SHA-1: 0x6D428D5E9333F78FFB65F8AC3AAB06C8915078A3	(not available)
28	%Temp%\ish98640\images\progbar-inner.png	199 bytes	MD5: 0x209159D57409BAF1F392CAF9DF23B372 SHA-1: 0xB1AA47FFDF9A0629997F5295AD189C49D4F76427	(not available)
29	%Temp%\ish98640\images\progbar.png	1,497 bytes	MD5: 0x8AB10BF44584DF6C97C4BAF8301706AD SHA-1: 0x56D8BE2FC533EA1E828963AC0E3F9751214ADC8D	(not available)
30	%Temp%\ish98640\license.txt	18,520 bytes	MD5: 0x1C6DB3FA84A99BA1D82520AC8214F3DA SHA-1: 0x0BBD50BBA392C24C8B1A5D43A9C04F52BC5E3586	(not available)
31	%Temp%\ish98640\locale\EN.locale	2,439 bytes	MD5: 0xB00C2E0F80EA6979545867C6EF6E79CF SHA-1: 0xF8856956429DD8DF7A88E798144325D72033A35B	(not available)

Notes:

%DesktopDir% is a variable that refers to the file system directory used to physically store file objects on the desktop. A typical path is C:\Documents and Settings\[UserName]\Desktop.
%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).

The following directories were created:

%Temp%\is87173921
%Temp%\ish98640
%Temp%\ish98640\css
%Temp%\ish98640\css\sdk-ui
%Temp%\ish98640\css\sdk-ui\images
%Temp%\ish98640\images
%Temp%\ish98640\locale

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	1,146,880 bytes
icreinstall_[filename of the sample #1]	%Temp%\icreinstall_[filename of the sample #1]	1,146,880 bytes

Other details

To mark the presence in the system, the following Mutex objects were created:

DDrawWindowListMutex
DDrawDriverObjectListMutex
__DDrawExclMode__

The following port was open in the system:

Port	Protocol	Process
1047	TCP	[file and pathname of the sample #1]

The following Internet Connections were established:

Server Name	Server Port	Connect as User	Connection Password
os.bestflvplayer.net	80	(null)	(null)
cdnus.bestflvplayer.net	80	(null)	(null)
cdneu.bestflvplayer.net	80	(null)	(null)

The following HTTP URLs were started reading:

http://cdneu.bestflvplayer.net/app/Aff/FLVPlayer-v2.cis
http://cdnus.bestflvplayer.net/app/Aff/FLVPlayer-v2.cis
http://cdneu.bestflvplayer.net/ofr/BabylonToolbarV7.cis
http://cdnus.bestflvplayer.net/ofr/BabylonToolbarV7.cis

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.