ThreatExpert Report: Generic Dropper.aei, Win32.SuspectCrc, AdWare.SideTab, Adware.Adpopup..

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 13 September 2012, 21:21:49
Processing time: 10 min 1 sec
Submitted sample:

File MD5: 0x7BD4A321A348D585FCB0287F614D59CB
File SHA-1: 0xBC5914B73ED419C49C018D8E91EEA384B473D214
Filesize: 296,264 bytes
Alias:

Generic Dropper.aei [McAfee]
Win32.SuspectCrc [Ikarus]

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.
Creates a startup registry entry.
Registers a 32-bit in-process server DLL.
Registers a Browser Helper Object (Microsoft's Internet Explorer plugin module).

Technical Details:

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%Temp%\inst.xxx	125 bytes	MD5: 0x7C5F5A68051F6B0C0E9A2AD33C40D415 SHA-1: 0x120865765927A61AF83F02B83DC297EEDE61EC41	(not available)
2	%ProgramFiles%\WinPro\Helper.dll	34,920 bytes	MD5: 0x383D9DCF85188285BC1891BDB2F099AF SHA-1: 0xC88EBE2CF6257913445AF9FD15F9F6DCC7CF9D9B	(not available)
3	%ProgramFiles%\WinPro\Uninstall.exe	109,899 bytes	MD5: 0x0683B5F726F0350A2161F6CDEB85F804 SHA-1: 0x15BFDBC0C7B9E7D5EBB9AF3B8FE0106F76F19DA6	Generic Dropper.aei [McAfee]
4	%ProgramFiles%\WinPro\WinPro.dll	133,224 bytes	MD5: 0x21EBCCBEB2269310DD71028B20572BA3 SHA-1: 0x4FB13EB90A8342719A7C67D0F5165521B57461F2	AdWare.SideTab [Ikarus]
5	%ProgramFiles%\WinPro\WinPro.exe	84,072 bytes	MD5: 0xC34750D0857809E2CD2A1DFDAEAAADE0 SHA-1: 0xE16BF9E2D0D257857E06E5E72AB044511819BEAA	Win32.SuspectCrc [Ikarus]
6	[file and pathname of the sample #1]	296,264 bytes	MD5: 0x7BD4A321A348D585FCB0287F614D59CB SHA-1: 0xBC5914B73ED419C49C018D8E91EEA384B473D214	Generic Dropper.aei [McAfee] Win32.SuspectCrc [Ikarus]

Notes:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

The following directory was created:

%ProgramFiles%\WinPro

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	274,432 bytes
[generic host process]	[generic host process filename]	20,480 bytes
WinPro.exe	%ProgramFiles%\WinPro\WinPro.exe	77,824 bytes

Notes:

[generic host process filename] is a full path filename of [generic host process].

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{339E5541-DA75-412A-9F9B-3C014BE1050B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{339E5541-DA75-412A-9F9B-3C014BE1050B}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{339E5541-DA75-412A-9F9B-3C014BE1050B}\ProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{339E5541-DA75-412A-9F9B-3C014BE1050B}\Programmable
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{339E5541-DA75-412A-9F9B-3C014BE1050B}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{339E5541-DA75-412A-9F9B-3C014BE1050B}\VersionIndependentProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F543A3E8-AC7D-4A6E-86A8-5916DC31256D}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F543A3E8-AC7D-4A6E-86A8-5916DC31256D}\Implemented Categories
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F543A3E8-AC7D-4A6E-86A8-5916DC31256D}\Implemented Categories\{00021493-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F543A3E8-AC7D-4A6E-86A8-5916DC31256D}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F543A3E8-AC7D-4A6E-86A8-5916DC31256D}\ProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F543A3E8-AC7D-4A6E-86A8-5916DC31256D}\Programmable
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F543A3E8-AC7D-4A6E-86A8-5916DC31256D}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F543A3E8-AC7D-4A6E-86A8-5916DC31256D}\VersionIndependentProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{83F09346-4F99-488B-8CAD-BD7E7A68E5DF}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{83F09346-4F99-488B-8CAD-BD7E7A68E5DF}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{83F09346-4F99-488B-8CAD-BD7E7A68E5DF}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{83F09346-4F99-488B-8CAD-BD7E7A68E5DF}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{DBC13F1E-3AD1-494B-A272-DCE6E39B856B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{DBC13F1E-3AD1-494B-A272-DCE6E39B856B}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{DBC13F1E-3AD1-494B-A272-DCE6E39B856B}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{DBC13F1E-3AD1-494B-A272-DCE6E39B856B}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C1F67743-C496-46C5-8476-489EF23E3665}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C1F67743-C496-46C5-8476-489EF23E3665}\1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C1F67743-C496-46C5-8476-489EF23E3665}\1.0\0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C1F67743-C496-46C5-8476-489EF23E3665}\1.0\0\win32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C1F67743-C496-46C5-8476-489EF23E3665}\1.0\FLAGS
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C1F67743-C496-46C5-8476-489EF23E3665}\1.0\HELPDIR
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinPro.BandHelper
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinPro.BandHelper\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinPro.BandHelper\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinPro.BandHelper.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinPro.BandHelper.1\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinPro.SideBand
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinPro.SideBand\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinPro.SideBand\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinPro.SideBand.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinPro.SideBand.1\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{339E5541-DA75-412A-9F9B-3C014BE1050B}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinPro
HKEY_CURRENT_USER\Software\WinPro

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{339E5541-DA75-412A-9F9B-3C014BE1050B}\VersionIndependentProgID]

(Default) = "WinPro.BandHelper"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{339E5541-DA75-412A-9F9B-3C014BE1050B}\TypeLib]

(Default) = "{C1F67743-C496-46C5-8476-489EF23E3665}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{339E5541-DA75-412A-9F9B-3C014BE1050B}\ProgID]

(Default) = "WinPro.BandHelper.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{339E5541-DA75-412A-9F9B-3C014BE1050B}\InprocServer32]

(Default) = "%ProgramFiles%\winpro\WinPro.dll"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{339E5541-DA75-412A-9F9B-3C014BE1050B}]

(Default) = "WinPro"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F543A3E8-AC7D-4A6E-86A8-5916DC31256D}\VersionIndependentProgID]

(Default) = "WinPro.SideBand"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F543A3E8-AC7D-4A6E-86A8-5916DC31256D}\TypeLib]

(Default) = "{C1F67743-C496-46C5-8476-489EF23E3665}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F543A3E8-AC7D-4A6E-86A8-5916DC31256D}\ProgID]

(Default) = "WinPro.SideBand.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F543A3E8-AC7D-4A6E-86A8-5916DC31256D}\InprocServer32]

(Default) = "%ProgramFiles%\winpro\WinPro.dll"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F543A3E8-AC7D-4A6E-86A8-5916DC31256D}]

(Default) = "WinPro"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{83F09346-4F99-488B-8CAD-BD7E7A68E5DF}\TypeLib]

(Default) = "{C1F67743-C496-46C5-8476-489EF23E3665}"
Version = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{83F09346-4F99-488B-8CAD-BD7E7A68E5DF}\ProxyStubClsid32]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{83F09346-4F99-488B-8CAD-BD7E7A68E5DF}\ProxyStubClsid]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{83F09346-4F99-488B-8CAD-BD7E7A68E5DF}]

(Default) = "ISideBand"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{DBC13F1E-3AD1-494B-A272-DCE6E39B856B}\TypeLib]

(Default) = "{C1F67743-C496-46C5-8476-489EF23E3665}"
Version = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{DBC13F1E-3AD1-494B-A272-DCE6E39B856B}\ProxyStubClsid32]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{DBC13F1E-3AD1-494B-A272-DCE6E39B856B}\ProxyStubClsid]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{DBC13F1E-3AD1-494B-A272-DCE6E39B856B}]

(Default) = "IBandHelper"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C1F67743-C496-46C5-8476-489EF23E3665}\1.0\0\win32]

(Default) = "%ProgramFiles%\winpro\WinPro.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C1F67743-C496-46C5-8476-489EF23E3665}\1.0\HELPDIR]

(Default) = "%ProgramFiles%\winpro\"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C1F67743-C496-46C5-8476-489EF23E3665}\1.0\FLAGS]

(Default) = "0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C1F67743-C496-46C5-8476-489EF23E3665}\1.0]

(Default) = "WinPro 1.0 Type Library"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinPro.BandHelper\CurVer]

(Default) = "WinPro.BandHelper.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinPro.BandHelper\CLSID]

(Default) = "{339E5541-DA75-412A-9F9B-3C014BE1050B}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinPro.BandHelper]

(Default) = "BandHelper Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinPro.BandHelper.1\CLSID]

(Default) = "{339E5541-DA75-412A-9F9B-3C014BE1050B}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinPro.BandHelper.1]

(Default) = "BandHelper Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinPro.SideBand\CurVer]

(Default) = "WinPro.SideBand.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinPro.SideBand\CLSID]

(Default) = "{F543A3E8-AC7D-4A6E-86A8-5916DC31256D}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinPro.SideBand]

(Default) = "SideBand Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinPro.SideBand.1\CLSID]

(Default) = "{F543A3E8-AC7D-4A6E-86A8-5916DC31256D}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinPro.SideBand.1]

(Default) = "SideBand Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

WinPro" = ""%ProgramFiles%\WinPro\WinPro.exe""
WinPro = "%ProgramFiles%\winpro\winpro.exe"

so that WinPro.exe runs every time Windows starts

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinPro]

DisplayName = "WinPro"
UninstallString = "%ProgramFiles%\WinPro\Uninstall.exe"
Publisher = "NBIZ"
NoModify = 0x00000001
NoRepair = 0x00000001

[HKEY_CURRENT_USER\Software\WinPro]

id = "WP102"
version = "1.0.0.1"
inst = "[file and pathname of the sample #1]"

Other details

Analysis of the file resources indicate the following possible country of origin:

Republic of Korea

To mark the presence in the system, the following Mutex object was created:

WinPro

The following Host Name was requested from a host database:

winpro.sideon.co.kr

The following HTTP URLs were started reading:

http://winpro.sideon.co.kr/install.asp?version=1.0.0.1&id=WP102&mac=1&iever=6
http://winpro.sideon.co.kr/update/WP102/WPU1004.exe

The data identified by the following URLs was then requested from the remote web server:

http://winpro.sideon.co.kr/update/WP102/WinPro.ini
http://winpro.sideon.co.kr/ex.dat

Downloaded File Summary:

Download details:

Download retrieved: 13 September 2012 21:31:51
Processing time: 11 min 4 sec
Downloaded sample:

File MD5: 0x6D82AC710FFA2F87A1753416280BFAF4
File SHA-1: 0x7C19D17880876F7532673CF7540F4D226AA7FAFF
Filesize: 306,704 bytes
Alias:

Adware.Adpopup [Symantec]
Generic Dropper.aei [McAfee]
Win32.Malware [Ikarus]

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.
Registers a 32-bit in-process server DLL.
Registers a Browser Helper Object (Microsoft's Internet Explorer plugin module).
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! The following threat category was identified:

Threat Category	Description
	A potentially unwanted adware program designed to deliver various advertisements to the users' systems

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%Temp%\updat.xxx	125 bytes	MD5: 0x7C5F5A68051F6B0C0E9A2AD33C40D415 SHA-1: 0x120865765927A61AF83F02B83DC297EEDE61EC41	(not available)
2	%ProgramFiles%\WinPro\Helper.dll	34,952 bytes	MD5: 0xB5A66D95AFE4AAC5DD8E93F3219CD0ED SHA-1: 0xD7AA99D6C98FFCD7B9F7DD0DA9ADB50A60DC4E84	Adware.Adpopup [Symantec]
3	%ProgramFiles%\WinPro\Uninstall.exe	109,900 bytes	MD5: 0xF08086ABFEB6821098ECEF716AF5C2A9 SHA-1: 0x3DD5C9AB1134013497A53A41861AC495F7AD07F0	Generic Dropper.aei [McAfee]
4	%ProgramFiles%\WinPro\WinPro.dll	141,448 bytes	MD5: 0xA080743E57BE825C107982F25E9F288D SHA-1: 0x7788D7F14C338EA05DA194569814BE96E2EDD56A	Win32.Malware [Ikarus]
5	%ProgramFiles%\WinPro\WinPro.exe	96,392 bytes	MD5: 0x29D230577EB317584A0410BAA496D1EF SHA-1: 0x884A8F4128CCB94821416B47B0426FD508CD10F2	Adware.Adpopup [Symantec] Win32.SuspectCrc [Ikarus]
6	[file and pathname of the sample #1]	306,704 bytes	MD5: 0x6D82AC710FFA2F87A1753416280BFAF4 SHA-1: 0x7C19D17880876F7532673CF7540F4D226AA7FAFF	Adware.Adpopup [Symantec] Generic Dropper.aei [McAfee] Win32.Malware [Ikarus]

Notes:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

The following directory was created:

%ProgramFiles%\WinPro

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
[generic host process]	[generic host process filename]	20,480 bytes
WinPro.exe	%ProgramFiles%\WinPro\WinPro.exe	90,112 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	270,336 bytes

Notes:

[generic host process filename] is a full path filename of [generic host process].

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{339E5541-DA75-412A-9F9B-3C014BE1050B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{339E5541-DA75-412A-9F9B-3C014BE1050B}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{339E5541-DA75-412A-9F9B-3C014BE1050B}\ProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{339E5541-DA75-412A-9F9B-3C014BE1050B}\Programmable
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{339E5541-DA75-412A-9F9B-3C014BE1050B}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{339E5541-DA75-412A-9F9B-3C014BE1050B}\VersionIndependentProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F543A3E8-AC7D-4A6E-86A8-5916DC31256D}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F543A3E8-AC7D-4A6E-86A8-5916DC31256D}\Implemented Categories
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F543A3E8-AC7D-4A6E-86A8-5916DC31256D}\Implemented Categories\{00021493-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F543A3E8-AC7D-4A6E-86A8-5916DC31256D}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F543A3E8-AC7D-4A6E-86A8-5916DC31256D}\ProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F543A3E8-AC7D-4A6E-86A8-5916DC31256D}\Programmable
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F543A3E8-AC7D-4A6E-86A8-5916DC31256D}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F543A3E8-AC7D-4A6E-86A8-5916DC31256D}\VersionIndependentProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{83F09346-4F99-488B-8CAD-BD7E7A68E5DF}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{83F09346-4F99-488B-8CAD-BD7E7A68E5DF}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{83F09346-4F99-488B-8CAD-BD7E7A68E5DF}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{83F09346-4F99-488B-8CAD-BD7E7A68E5DF}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{DBC13F1E-3AD1-494B-A272-DCE6E39B856B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{DBC13F1E-3AD1-494B-A272-DCE6E39B856B}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{DBC13F1E-3AD1-494B-A272-DCE6E39B856B}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{DBC13F1E-3AD1-494B-A272-DCE6E39B856B}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C1F67743-C496-46C5-8476-489EF23E3665}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C1F67743-C496-46C5-8476-489EF23E3665}\1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C1F67743-C496-46C5-8476-489EF23E3665}\1.0\0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C1F67743-C496-46C5-8476-489EF23E3665}\1.0\0\win32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C1F67743-C496-46C5-8476-489EF23E3665}\1.0\FLAGS
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C1F67743-C496-46C5-8476-489EF23E3665}\1.0\HELPDIR
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinPro.BandHelper
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinPro.BandHelper\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinPro.BandHelper\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinPro.BandHelper.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinPro.BandHelper.1\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinPro.SideBand
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinPro.SideBand\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinPro.SideBand\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinPro.SideBand.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinPro.SideBand.1\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{339E5541-DA75-412A-9F9B-3C014BE1050B}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinPro
HKEY_CURRENT_USER\Software\WinPro

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{339E5541-DA75-412A-9F9B-3C014BE1050B}\VersionIndependentProgID]

(Default) = "WinPro.BandHelper"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{339E5541-DA75-412A-9F9B-3C014BE1050B}\TypeLib]

(Default) = "{C1F67743-C496-46C5-8476-489EF23E3665}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{339E5541-DA75-412A-9F9B-3C014BE1050B}\ProgID]

(Default) = "WinPro.BandHelper.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{339E5541-DA75-412A-9F9B-3C014BE1050B}\InprocServer32]

(Default) = "%ProgramFiles%\winpro\WinPro.dll"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{339E5541-DA75-412A-9F9B-3C014BE1050B}]

(Default) = "WinPro"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F543A3E8-AC7D-4A6E-86A8-5916DC31256D}\VersionIndependentProgID]

(Default) = "WinPro.SideBand"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F543A3E8-AC7D-4A6E-86A8-5916DC31256D}\TypeLib]

(Default) = "{C1F67743-C496-46C5-8476-489EF23E3665}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F543A3E8-AC7D-4A6E-86A8-5916DC31256D}\ProgID]

(Default) = "WinPro.SideBand.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F543A3E8-AC7D-4A6E-86A8-5916DC31256D}\InprocServer32]

(Default) = "%ProgramFiles%\winpro\WinPro.dll"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F543A3E8-AC7D-4A6E-86A8-5916DC31256D}]

(Default) = "WinPro"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{83F09346-4F99-488B-8CAD-BD7E7A68E5DF}\TypeLib]

(Default) = "{C1F67743-C496-46C5-8476-489EF23E3665}"
Version = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{83F09346-4F99-488B-8CAD-BD7E7A68E5DF}\ProxyStubClsid32]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{83F09346-4F99-488B-8CAD-BD7E7A68E5DF}\ProxyStubClsid]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{83F09346-4F99-488B-8CAD-BD7E7A68E5DF}]

(Default) = "ISideBand"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{DBC13F1E-3AD1-494B-A272-DCE6E39B856B}\TypeLib]

(Default) = "{C1F67743-C496-46C5-8476-489EF23E3665}"
Version = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{DBC13F1E-3AD1-494B-A272-DCE6E39B856B}\ProxyStubClsid32]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{DBC13F1E-3AD1-494B-A272-DCE6E39B856B}\ProxyStubClsid]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{DBC13F1E-3AD1-494B-A272-DCE6E39B856B}]

(Default) = "IBandHelper"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C1F67743-C496-46C5-8476-489EF23E3665}\1.0\0\win32]

(Default) = "%ProgramFiles%\winpro\WinPro.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C1F67743-C496-46C5-8476-489EF23E3665}\1.0\HELPDIR]

(Default) = "%ProgramFiles%\winpro\"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C1F67743-C496-46C5-8476-489EF23E3665}\1.0\FLAGS]

(Default) = "0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C1F67743-C496-46C5-8476-489EF23E3665}\1.0]

(Default) = "WinPro 1.0 Type Library"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinPro.BandHelper\CurVer]

(Default) = "WinPro.BandHelper.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinPro.BandHelper\CLSID]

(Default) = "{339E5541-DA75-412A-9F9B-3C014BE1050B}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinPro.BandHelper]

(Default) = "BandHelper Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinPro.BandHelper.1\CLSID]

(Default) = "{339E5541-DA75-412A-9F9B-3C014BE1050B}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinPro.BandHelper.1]

(Default) = "BandHelper Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinPro.SideBand\CurVer]

(Default) = "WinPro.SideBand.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinPro.SideBand\CLSID]

(Default) = "{F543A3E8-AC7D-4A6E-86A8-5916DC31256D}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinPro.SideBand]

(Default) = "SideBand Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinPro.SideBand.1\CLSID]

(Default) = "{F543A3E8-AC7D-4A6E-86A8-5916DC31256D}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinPro.SideBand.1]

(Default) = "SideBand Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

WinPro = "%ProgramFiles%\winpro\winpro.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinPro]

DisplayName = "WinPro"
UninstallString = "%ProgramFiles%\WinPro\Uninstall.exe"
NoModify = 0x00000001
NoRepair = 0x00000001

[HKEY_CURRENT_USER\Software\WinPro]

version = ""

Other details

Analysis of the file resources indicate the following possible country of origin:

Republic of Korea

To mark the presence in the system, the following Mutex object was created:

WinPro

The following Host Name was requested from a host database:

winpro.sideon.co.kr

The following HTTP URLs were started reading:

http://winpro.sideon.co.kr/update.asp?version=&id=&mac=1&oldversion=&iever=6
http://www.naver.com
http://naver.com
http://www.naver.com/
http://naver.com/
http://www.daum.net
http://daum.net
http://www.daum.net/
http://daum.net/
http://www.nate.com
http://nate.com
http://www.nate.com/
http://nate.com/
http://www.joinsmsn.com
http://joinsmsn.com
http://www.joinsmsn.com/
http://joinsmsn.com/
http://kr.yahoo.com
http://yahoo.com
http://kr.yahoo.com/
http://yahoo.com/

The data identified by the following URLs was then requested from the remote web server:

http://winpro.sideon.co.kr/update//WinPro.ini
http://winpro.sideon.co.kr/ex.dat
http://winpro.sideon.co.kr/except.dat

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.