Submission Summary:

What's been found | Severity Level
Attempts to use BITS (Background Intelligent Transfer Service). Some threats are known to use BITS to evade firewall filtering and download files without firewall inspection. | 
Downloads/requests other files from Internet. | 

 

Technical Details:


 

File System Modifications

# | Filename(s) | File Size | File Hash
1 %CommonAppData%\Microsoft\Network\Downloader\qmgr0.dat 4,232 bytes MD5: 0xCEEBB33B0E06000645F1FD05D3FBD61A
SHA-1: 0x327B93942E88215A0A5F75746BDA3D8F1FCFD8F9
2 %CommonAppData%\Microsoft\Network\Downloader\qmgr1.dat 5,272 bytes MD5: 0xCD78F4AB892F358D7401173212898174
SHA-1: 0x639606F28687644E4F0868D1A05B6033E247718D
3 %Temp%\APN-Stub\Stb37b636b5-7492-42c4-8d10-6dd352190211.log 1,143 bytes MD5: 0x62A72C0078ABA5CB1CB9475351DFD1E5
SHA-1: 0xA3A9834F3CC5304B8B05EE607505CBEC8704D404
4 %Temp%\nsa3.tmp\ApnIC.dll 246,440 bytes MD5: 0x197215658B8015182192E1EBCA3BBCC3
SHA-1: 0x40E49124AD0B55A25F947333CA88E9D0BC30A7E3
5 %Temp%\nsa3.tmp\ApnStub.exe 143,240 bytes MD5: 0xC36923084822C017F69396418A999D39
SHA-1: 0xFDC2005CED8ACF86C68FE1B86B0698D0539E8CE0
6 %Temp%\nsa3.tmp\ask.bmp 154,544 bytes MD5: 0x3BA431CE49A2B54BEF1713F1FE001B42
SHA-1: 0xD92774BB0CD0A640F87B1AA4AEF429C39C9FFC09
7 %Temp%\nsa3.tmp\ask.prev.ini 3,122 bytes MD5: 0xA3DC9320A52DF66BB1F45FD35E656876
SHA-1: 0x985A2A61560B23521FD9879EEC4D66D24D2F6977
8 %Temp%\nsa3.tmp\ask1.ini 3,431 bytes MD5: 0x2C82BA2A2C6B315D9E6AD00379E3370C
SHA-1: 0xB165A4C801968918AC3F4866FD7C05D9E42EE6BE
9 %Temp%\nsa3.tmp\BabylonToolbar.bmp 24,696 bytes MD5: 0x39C781C62E6C77979E84DD77768500DD
SHA-1: 0x42E5CA212BF6CC9F9EA5AE372EF99B490A0D44E8
10 %Temp%\nsa3.tmp\bndo.ini 3,227 bytes MD5: 0xAAA4D5BB0A424424C718B3BE687FE9C8
SHA-1: 0xC5E232842FF358B6E6EB47A17E7958F8BF608726
11 %Temp%\nsa3.tmp\bndo_v1.ini 3,225 bytes MD5: 0x9D2F70EAFA98CFD019EFDB4900A9058B
SHA-1: 0xEC1DFE18775829274859ACE03E43E6691974DD5C
12 %Temp%\nsa3.tmp\ConduitToolbar.bmp 24,696 bytes MD5: 0x8AAC35D5D5AC35176EA94A0FFA2E00B5
SHA-1: 0xBDC6A45CE9F023543CFA7E700021E854CF9F9674
13 %Temp%\nsa3.tmp\D1_PriceGong.ini 1,927 bytes MD5: 0x3B24D8496FE0031E0BF33F9C95E787EA
SHA-1: 0x733996C5DF842D3CD00F0E9889A238CBFEB92CE7
14 %Temp%\nsa3.tmp\D1_swim.ini 1,874 bytes MD5: 0x3BB4465B07A2CB4FAFC022606046897B
SHA-1: 0xE845ACEBC68842B9FAD433AE189CFA9319994BC2
15 %Temp%\nsa3.tmp\D1_zYONTOO_SWEETIM.ini 1,878 bytes MD5: 0x1DE0C01023ACA5756F411A6D594E2AA5
SHA-1: 0xB9CBEEF839AC5B5412801F0623375BEED9C4B411
16 %Temp%\nsa3.tmp\facemoodsToolbar.bmp 24,696 bytes MD5: 0xB48E5955CDC2A57888A2EB0B60FD541C
SHA-1: 0x8C4FF0080F69646B5DF4E39B8A36E65F17AB59B2
17 %Temp%\nsa3.tmp\inetc.dll 20,480 bytes MD5: 0x7569B23F19A0F5CB4C1D3B30A296C4BB
SHA-1: 0xC5F3546B3C795E46445393960694A2341692DDC7
18 %Temp%\nsa3.tmp\infospaceToolbar.bmp 24,696 bytes MD5: 0xD83EC8BFD1A37865EA4EFCCDB902FC36
SHA-1: 0x98DA017770DE37E6B4E90DC35AC6AFBB46E7C0D9
19 %Temp%\nsa3.tmp\InstallOptions.dll 14,848 bytes MD5: 0x325B008AEC81E5AAA57096F05D4212B5
SHA-1: 0x27A2D89747A20305B6518438EFF5B9F57F7DF5C3
20 %Temp%\nsa3.tmp\iwt-install.jpg 41,526 bytes MD5: 0xADA04C889CC5FB6706ED584F1C580804
SHA-1: 0x0990F3A30A78ECE58334CC588E263EE571EA075D
21 %Temp%\nsa3.tmp\modern-wizard.bmp
%Temp%\nsa3.tmp\win.bmp
26,494 bytes MD5: 0xCBE40FD2B1EC96DAEDC65DA172D90022
SHA-1: 0x366C216220AA4329DFF6C485FD0E9B0F4F0A7944
22 %Temp%\nsa3.tmp\NoBundle.ini 1,100 bytes MD5: 0x3D38ADC374C8604D0C009D2F2964A5A6
SHA-1: 0xAAD5C6B249F42DF94ED647EBE5B70810120E3F58
23 %Temp%\nsa3.tmp\NSISdl.dll 14,848 bytes MD5: 0xA5F8399A743AB7F9C88C645C35B1EBB5
SHA-1: 0x168F3C158913B0367BF79FA413357FBE97018191
24 %Temp%\nsa3.tmp\nsRandom.dll 21,504 bytes MD5: 0xAB467B8DFAA660A0F0E5B26E28AF5735
SHA-1: 0x596ABD2C31EAFF3479EDF2069DB1C155B59CE74D
25 %Temp%\nsa3.tmp\Post_red5.ini 859 bytes MD5: 0xFB5EA37FE8657EA6924F15F3CF295297
SHA-1: 0x29E4B504D2C00F8C2BB57F9554CAF9384CEF88F6
26 %Temp%\nsa3.tmp\safeWeber.ini 3,137 bytes MD5: 0x35087C95CDEC38EBB4B6F243F5EEE530
SHA-1: 0x620B9731659080377459C30FE9A0473875B19ED8
27 %Temp%\nsa3.tmp\setup.exe 125 bytes MD5: 0x7C5F5A68051F6B0C0E9A2AD33C40D415
SHA-1: 0x120865765927A61AF83F02B83DC297EEDE61EC41
28 %Temp%\nsa3.tmp\Single_babl_gong.ini 2,933 bytes MD5: 0xCBA5346A70823E2AD6528372D805CF49
SHA-1: 0x05B03A6C403305F224955F830FB6708150CBF206
29 %Temp%\nsa3.tmp\Single_BABYLON.ini 3,555 bytes MD5: 0xFC0AE5EA8DAF4272F09C4349AF784B38
SHA-1: 0xDC5792D71F8D728B895E783F76917D0A59FAA27A
30 %Temp%\nsa3.tmp\Single_BABYLON_quick.ini 3,593 bytes MD5: 0xF74A6A7C73FC7A322AD8D8643EA581DE
SHA-1: 0x427900C3AF5FEC0B2029C661D2FA6676030DBC39
31 %Temp%\nsa3.tmp\Single_Conduit.ini 3,045 bytes MD5: 0x1DE8C90413A7140962EF7219B6F8B462
SHA-1: 0x5487FAEF041819DEC4608AA248B0A401A23DE8D8
32 %Temp%\nsa3.tmp\Single_conr.ini 3,046 bytes MD5: 0xB75C24702D87CD35C7041A7872E1CA32
SHA-1: 0x94EB64074994222A0FB25B40E92EBA64C274D3A8
33 %Temp%\nsa3.tmp\Single_incr.ini 2,446 bytes MD5: 0xE3C42C857B1FDA90A1B4E308EAE17078
SHA-1: 0x601F60632C37F7E68859C0EEDF95422697F83B08
34 %Temp%\nsa3.tmp\Single_Infospace.ini 3,220 bytes MD5: 0x9F9EDF659E8571678F311FDC59B1DDF1
SHA-1: 0x0DFC154B3123CF3CE74554898DFC4556534AE757
35 %Temp%\nsa3.tmp\Single_mood_dply.ini 3,131 bytes MD5: 0x305EB42394F4A8994214DE31EE37671A
SHA-1: 0xA898792DF31C47F57EEB83D6562F367F8FE86450
36 %Temp%\nsa3.tmp\Single_mood_red5.ini 4,130 bytes MD5: 0x50C6C0906CC4F5BBC1B92AF22C6C72C0
SHA-1: 0x812831DC2AF0B66642AAC367B094B5138714098A
37 %Temp%\nsa3.tmp\Single_pjoy.ini 2,515 bytes MD5: 0x4199BEBCC02B1E810D5BCAF08E6073E6
SHA-1: 0xC0EA2C3B2DB1AE20CE721432E0DECEA4E8DDCE5E
38 %Temp%\nsa3.tmp\Single_Pricegong.ini 2,241 bytes MD5: 0x35D5578B5ACBB327BFED9E8467E4E176
SHA-1: 0x7872D00C93A94DBCE540FF428CC82B4980BA5B1E
39 %Temp%\nsa3.tmp\Single_red5.ini 3,184 bytes MD5: 0x210BD518D23E28FD05371758764EC56D
SHA-1: 0x21E8B62670FD6E5E545AEB000E6FAB99717B43B4
40 %Temp%\nsa3.tmp\Single_swim.ini 2,805 bytes MD5: 0xB226808A9ABB85EBFB8F0F38F05059DA
SHA-1: 0xB9B3D071C2FEAD7DE584EF6FAE43A21433DFE667
41 %Temp%\nsa3.tmp\Single_zswim_red5.ini 2,940 bytes MD5: 0x7E9E1E9AB068211A12B18064331B8EC3
SHA-1: 0x05B3FB6B45C99E191C4AC636AA9E94FCB2EAE3FC
42 %Temp%\nsa3.tmp\Single_zYONTOO.ini 2,475 bytes MD5: 0x3CED1836EBEE0C942994AAFBC43EB39B
SHA-1: 0xF890926DFE6F4E1B35E061D072B1330F51D1D4C5
43 %Temp%\nsa3.tmp\Single_zYONTOO_BABYLON.ini 2,826 bytes MD5: 0x58E241B25DB92205A8053E4AA4DA1203
SHA-1: 0x9380DE6A36E3D64A252DA9AE5CAD4F0F9FF88045
44 %Temp%\nsa3.tmp\Single_zYONTOO_SWEETIM.ini 2,796 bytes MD5: 0x783C3CC6741C3DEC1E6A7EE40EBCC2F8
SHA-1: 0x100391316354AA52D8E1F11D0AD86D4D07DFD769
45 %Temp%\nsa3.tmp\Single_zYONTOO_wsmk.ini 2,856 bytes MD5: 0xCE955FB7A917BC7D650607456EB5F589
SHA-1: 0xD4DA78176F855D5842F4F302CB611106468BDEF9
46 %Temp%\nsa3.tmp\Single_zYONTOO_zBABYLON.ini 2,813 bytes MD5: 0x96743804DD81F1FD9A5B49BBD5196FE9
SHA-1: 0xB306A23F579E98EDDCC48F74402EFA06F5F84777
47 %Temp%\nsa3.tmp\Single_zyon_zbab_gong.ini 3,079 bytes MD5: 0xC71E6AE9B753456916C3CC79C969BB16
SHA-1: 0x8B9311F2E7A6A11E92089D738AABC5053C4E39CB
48 %Temp%\nsa3.tmp\SweetIM60.bmp 30,152 bytes MD5: 0x92AFFF49F6A0BCEFD69D02732EE155B8
SHA-1: 0xE81B74C57622A6F1EBB48CA92A38B595726C02F9
49 %Temp%\nsa3.tmp\ToolbarASK.bmp 24,696 bytes MD5: 0x466827FE1A8D652A027C96FE611F8063
SHA-1: 0x12AD0367865CD3A1D1F393667982910431ACF81B
50 %Temp%\nsa3.tmp\ToolbarImesh.bmp 24,696 bytes MD5: 0xEFF20D384064E6FE1A44ADB6BEC9F7DE
SHA-1: 0x109053E8FE29320A2FC07AD24688127E3EB79CD9
51 %Temp%\nsa3.tmp\ToolbarSafeWeber.bmp 24,696 bytes MD5: 0x80B9D58882741A7D7BA957505BD7415F
SHA-1: 0xD0D3DEAF7E262136E8A0B16C5FD4FDFBF24804A1
52 %Temp%\nsl2.tmp 1,331,788 bytes MD5: 0xA0610677187434B3F6A4B1432FD119FF
SHA-1: 0xC050ACCAAC5BE45CB881FA291935BBE51FB39381
53 [file and pathname of the sample #1] 450,136 bytes MD5: 0x7A1F2FE39DC2601C97C536B3E99AF787
SHA-1: 0x2C65E144AFEC169822BA83D2CB562A49C35DBDEC

 

Memory Modifications

Process Name | Process Filename | Main Module Size
[filename of the sample #1] | [file and pathname of the sample #1] | 376,832 bytes
APNStub.exe | %Temp%\nsa3.tmp\APNStub.exe | 159,744 bytes

Service Name | Display Name | New Status | Service Filename
BITS | Background Intelligent Transfer Service | "Running" | %System%\svchost.exe -k netsvcs

 

Other details

Port | Protocol | Process
1033 | TCP | [file and pathname of the sample #1]

Server Name | Server Port | Connect as User | Connection Password
track.bndle.com | 80 | (null) | (null)

 

Heuristics Analysis

 

 

Downloaded File Summary:

What's been found | Severity Level
Downloads/requests other files from Internet. | 

 

Technical Details:

 

File System Modifications

# | Filename(s) | File Size | File Hash
1 [file and pathname of the sample #1] 1,997,096 bytes MD5: 0xD1BEBDB3A279BE71242D5E516AB30C62
SHA-1: 0x111A73CE04F6F658ADB87A6E6D758718369C2092
2 [file and pathname of the sample #2] 246,440 bytes MD5: 0x197215658B8015182192E1EBCA3BBCC3
SHA-1: 0x40E49124AD0B55A25F947333CA88E9D0BC30A7E3

 

Memory Modifications

Process Name | Process Filename | Main Module Size
[generic host process] | [generic host process filename] | 20,480 bytes
[filename of the sample #1] | [file and pathname of the sample #1] | 290,816 bytes

Module Name | Module Filename | Address Space Details
[filename of the sample #2] | [file and pathname of the sample #2] | Process name: [generic host process]; Process filename: [generic host process filename]; Address space: 0xB10000 - 0xB50000

 

Registry Modifications

 

Other details

Server Name | Server Port | Connect as User | Connection Password
websearch.ask.com | 80 | websearch.ask.com | websearch.ask.com
img.apnanalytics.com | 80 | img.apnanalytics.com | img.apnanalytics.com

 

 


Copyright © 2013 ThreatExpert. All rights reserved.