ThreatExpert Report

Submission Summary:

Submission details:

Submission received: 17 December 2009, 06:15:44
Processing time: 7 min 45 sec
Submitted sample:

File MD5: 0x743FFE7093911A1DC10010EA4B703FC4
File SHA-1: 0x75DEBE237E611D093B37CB33188F72726B5D41FE
Filesize: 3,248,463 bytes

Summary of the findings:

What's been found	Severity Level
Creates a startup registry entry.

Technical Details:

The new window was created, as shown below:

NOTICE: The content shown in the above window is captured automatically and is not controlled or endorsed by ThreatExpert.
Please contact us on this link should any material be offensive or inappropriate and we will ensure any such content is blocked from future viewers of the report.

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%CommonPrograms%\Proxy Switcher Standard\Anonymous Surfing Tutorial.lnk	705 bytes	MD5: 0xB3333C7FAEED02D6A6C48F6E6F7B67C7 SHA-1: 0x712390587F18523418E7141A004D0D9279BB6AE9	(not available)
2	%CommonPrograms%\Proxy Switcher Standard\Basic Usage Tutorial.lnk	705 bytes	MD5: 0xBF81D9DF0B15B6EBD4914478E0AF544C SHA-1: 0x5AB6E118F577E591717B06DFD5B35C302741969E	(not available)
3	%CommonPrograms%\Proxy Switcher Standard\License.lnk	710 bytes	MD5: 0xFEC3FEE6443324C6E057BE61C2AA2F10 SHA-1: 0xB85ADC1B4A27F43CC66935BF4C03A7CB47C74BFE	(not available)
4	%CommonPrograms%\Proxy Switcher Standard\ProxySwitcher Standard Help.lnk	686 bytes	MD5: 0x95946C0FAA58F19635EF531EDEC51618 SHA-1: 0xEDF455E525D174E78D42C779AEAC69C9BE68C893	(not available)
5	%CommonPrograms%\Proxy Switcher Standard\ProxySwitcher Standard.lnk	754 bytes	MD5: 0xCC2451237036C2119AFE5C0613E7DD92 SHA-1: 0x2C9BA5F731DCE54640DB2650BFEFE6A17FC800BA	(not available)
6	%CommonPrograms%\Proxy Switcher Standard\Readme.lnk	705 bytes	MD5: 0x9432AFF6DD246260A04DBDFD1F56A708 SHA-1: 0xBF56BDE29B95377B91A2C321C4FA66D3A1677A7D	(not available)
7	%CommonPrograms%\Proxy Switcher Standard\Setting Up Mozilla FireFox Tutorial.lnk	710 bytes	MD5: 0x5538DB3A923F8FB73962CC5DFBC3183E SHA-1: 0xFC1DFDECE00431AF8B9AE3C1A1FFBE8D1B2E2B84	(not available)
8	%CommonPrograms%\Proxy Switcher Standard\Uninstall ProxySwitcher Standard.lnk	717 bytes	MD5: 0x790FE5C4CFF03B1C2C96FEF26F8ACD41 SHA-1: 0xAF0117D9BA3DB407856F1ABFC50D37B64DCD9764	(not available)
9	%AppData%\WNR\PSW\psw.ini	2,008 bytes	MD5: 0xA32CCBABEE32380E1C210C6941709260 SHA-1: 0x29BD8B5C4AEDA9B9BEC9988ADDF394BC5B536111	(not available)
10	%Temp%\is-E2CBD.tmp\_shfoldr.dll	23,312 bytes	MD5: 0x92DC6EF532FBB4A5C3201469A5B5EB63 SHA-1: 0x3E89FF837147C16B4E41C30D6C796374E0B8E62C	(not available)
11	%Temp%\is-KKJKV.tmp\is-67MQJ.tmp	629,760 bytes	MD5: 0x667555FC8D80C030ED5DE256404DF5C5 SHA-1: 0x44A4EA8240378905CF40527B0BD9DA7FFB22416F	(not available)
12	%ProgramFiles%\Proxy Switcher Standard\AnSurf.exe	571,041 bytes	MD5: 0x63593EECCAC3F8A041E4146099CC9FC7 SHA-1: 0xB1E4CBFEFB6EA7897FD8D2F1684FB6B6A1E7BA90	packed with Swf2Exe [Kaspersky Lab]
13	%ProgramFiles%\Proxy Switcher Standard\Basics.exe	917,970 bytes	MD5: 0xD13FAE2DE2AD3784E9CCEAAC50DC2C28 SHA-1: 0x6C2D2F67AA97AC214CB45966840D0CF5CE81A75E	packed with Swf2Exe [Kaspersky Lab]
14	%ProgramFiles%\Proxy Switcher Standard\connections.dat	55 bytes	MD5: 0xDB9435052084181418478A5F6F99CCB1 SHA-1: 0x9B56459251362F03EC18C5A7BCB550390C76437C	(not available)
15	%ProgramFiles%\Proxy Switcher Standard\FireFox.exe	399,280 bytes	MD5: 0x215E509B9D86FDDF2BE1987140D39E05 SHA-1: 0xFD1E932CF0D2907E67A6BA8250534E3F80AC6FE9	packed with Swf2Exe [Kaspersky Lab]
16	%ProgramFiles%\Proxy Switcher Standard\License.rtf	3,068 bytes	MD5: 0x58522372E898CA17AB6F843EBF269194 SHA-1: 0x56A20FCC3D267B160154E024132F374217FBFBD1	(not available)
17	%ProgramFiles%\Proxy Switcher Standard\pcre.dll	106,496 bytes	MD5: 0xAB4DF8928E5180B710733366AB547812 SHA-1: 0x8BFACD191DEE8D438F219086012A6B86A5A8AFDA	(not available)
18	%ProgramFiles%\Proxy Switcher Standard\ProxySwitcher.exe	1,302,528 bytes	MD5: 0x2DE43530EA48C1AAE3D8BAC5B8855051 SHA-1: 0x50CFE30A357CC1F0298059BB71FB9C125A21DFEC	packed with PE_Patch.UPX [Kaspersky Lab]
19	%ProgramFiles%\Proxy Switcher Standard\psw.chm	319,818 bytes	MD5: 0xE52F50DA1F2EA6B4528061440F63F4BC SHA-1: 0x82BA38A35BF5E031B03EFE691C922355E6CD4EDE	(not available)
20	%ProgramFiles%\Proxy Switcher Standard\ReadMe.txt	850 bytes	MD5: 0xDB9A056ACCCC4DEE6F7C1C209EC4A3D6 SHA-1: 0x64AEEBAF96D0FC5056550549ED4EB2A4D3CC4739	(not available)
21	%ProgramFiles%\Proxy Switcher Standard\STLHash.dll	83,968 bytes	MD5: 0x6F5ECDE3D06FE19FBD6D860888960797 SHA-1: 0xD42F750CD787158FCC4E263E02F8C27957A2F97D	(not available)
22	%ProgramFiles%\Proxy Switcher Standard\unins000.dat	5,965 bytes	MD5: 0xB5DD1D6E0D5F0042CDD5500D2CA74356 SHA-1: 0x8C01B54DFF561D121944F89E9753323653D9283F	(not available)
23	%ProgramFiles%\Proxy Switcher Standard\unins000.exe	639,933 bytes	MD5: 0x0B362DF2679B1626DE2646A6AAE6518A SHA-1: 0xE8631E730968BE412671F371BBFF270ABB86E576	(not available)
24	[file and pathname of the sample #1]	3,248,463 bytes	MD5: 0x743FFE7093911A1DC10010EA4B703FC4 SHA-1: 0x75DEBE237E611D093B37CB33188F72726B5D41FE	(not available)

Notes:

%CommonPrograms% is a variable that refers to the file system directory that contains the directories for the common program groups that appear on the Start menu for all users. A typical path is C:\Documents and Settings\All Users\Start Menu\Programs (Windows NT/2000/XP).
%AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.
%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

The following directories were created:

%CommonPrograms%\Proxy Switcher Standard
%AppData%\WNR
%AppData%\WNR\PSW
%Temp%\is-E2CBD.tmp
%Temp%\is-KKJKV.tmp
%ProgramFiles%\Proxy Switcher Standard

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	77,824 bytes
ProxySwitcher.exe	%ProgramFiles%\Proxy Switcher Standard\ProxySwitcher.exe	3,862,528 bytes
is-67MQJ.tmp	%Temp%\is-KKJKV.tmp\is-67MQJ.tmp	688,128 bytes

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProxySwitcher Standard_is1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent
HKEY_CURRENT_USER\Software\Classes\CLSID\{5F81784D-2E02-4876-B567-79CF0B7D6B50}
HKEY_CURRENT_USER\Software\Classes\CLSID\{5F81784D-2E02-4876-B567-79CF0B7D6B50}\ProgID
HKEY_CURRENT_USER\Software\Classes\CLSID\{6D7F9B66-08E9-4B1D-8F4D-247F0000D616}
HKEY_CURRENT_USER\Software\Classes\CLSID\{6D7F9B66-08E9-4B1D-8F4D-247F0000D616}\ProgId

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProxySwitcher Standard_is1]

Inno Setup: Setup Version = "5.0.7"
Inno Setup: App Path = "%ProgramFiles%\Proxy Switcher Standard"
InstallLocation = "%ProgramFiles%\Proxy Switcher Standard\"
Inno Setup: Icon Group = "Proxy Switcher Standard"
Inno Setup: User = "%UserName%"
DisplayName = "ProxySwitcher Standard"
DisplayIcon = "%ProgramFiles%\Proxy Switcher Standard\ProxySwitcher.exe"
UninstallString = ""%ProgramFiles%\Proxy Switcher Standard\unins000.exe""
QuietUninstallString = ""%ProgramFiles%\Proxy Switcher Standard\unins000.exe" /SILENT"
DisplayVersion = "3.9.0"
Publisher = "Valts Silaputnins"
URLInfoAbout = "http://www.proxyswitcher.com/"
HelpLink = "http://www.proxyswitcher.com/"
URLUpdateInfo = "http://www.proxyswitcher.com/"
NoModify = 0x00000001
NoRepair = 0x00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

PSwitch = "%ProgramFiles%\Proxy Switcher Standard\ProxySwitcher.exe"

so that ProxySwitcher.exe runs every time Windows starts

[HKEY_CURRENT_USER\Software\Classes\CLSID\{5F81784D-2E02-4876-B567-79CF0B7D6B50}\ProgID]

(Default) = 05 A8 07 52 1D 10 27 CD 22 74 0A 4A 92 50 2D B7

Other details

To mark the presence in the system, the following Mutex object was created:

PSW_UserName

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.