ThreatExpert Report

Submission Summary:

Submission details:

Submission received: 14 July 2011, 14:41:09
Processing time: 8 min 52 sec
Submitted sample:

File MD5: 0xAF6CC99D717C0DAEF65A9DAFD6C45DB7
File SHA-1: 0x00446CA668608E2EFBB82408236F356545295EDB
Filesize: 1,109,234 bytes

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.
Registers a 32-bit in-process server DLL.
Registers a Browser Helper Object (Microsoft's Internet Explorer plugin module).

Technical Details:

The new window was created, as shown below:

NOTICE: The content shown in the above window is captured automatically and is not controlled or endorsed by ThreatExpert.
Please contact us on this link should any material be offensive or inappropriate and we will ensure any such content is blocked from future viewers of the report.

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash
1	%ProgramFiles%\WebEnhancements\BrowserEnhancements.crx	5,522 bytes	MD5: 0xE26C1AAC4AA7AFDC875D5775688C72CF SHA-1: 0x390F8B03229E35F72E61D4FB38BDAE150E5322DD
2	%ProgramFiles%\WebEnhancements\BrowserEnhancements.dll	234,496 bytes	MD5: 0xF69BAD7269A428776F437BBE56ED9586 SHA-1: 0x721D35B6DE6A87C7542AF627699A6B9FD50CD213
3	%ProgramFiles%\WebEnhancements\BrowserEnhancements.safariextz	5,662 bytes	MD5: 0x6A120091691A31F84E18B37C1A01A0B0 SHA-1: 0x1C423C5B78B2169A10BC005855D0592375EB4498
4	%ProgramFiles%\WebEnhancements\BrowserEnhancements.xpi	2,022 bytes	MD5: 0xA35BD2F5D430B5F724AFF7EA67CDC2DD SHA-1: 0xB87E2AC2A635980E14CB59B911A744526C360A3D
5	%ProgramFiles%\WebEnhancements\uninst.exe	49,140 bytes	MD5: 0xB8A5A0389485ED16F6E9650668BF4AD3 SHA-1: 0x167DE9299343B055FDB12352343EDCE240326994
6	[file and pathname of the sample #1]	1,109,234 bytes	MD5: 0xAF6CC99D717C0DAEF65A9DAFD6C45DB7 SHA-1: 0x00446CA668608E2EFBB82408236F356545295EDB
7	c:\Xvid.exe	940,987 bytes	MD5: 0x1CD510D18340ED8326739066B19AB664 SHA-1: 0xA6503D76996035DB79F7005FD14F306AEEF7D089

Note:

%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

The following directory was created:

%ProgramFiles%\WebEnhancements

Memory Modifications

There was a new process created in the system:

Process Name	Process Filename	Main Module Size
Xvid.tmp	%Temp%\is-0C737.tmp\Xvid.tmp	1,273,856 bytes

Notes:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{04F3C4CF-8DCD-4D80-92B5-6A016E316869}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{04F3C4CF-8DCD-4D80-92B5-6A016E316869}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{04F3C4CF-8DCD-4D80-92B5-6A016E316869}\ProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{04F3C4CF-8DCD-4D80-92B5-6A016E316869}\Programmable
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{04F3C4CF-8DCD-4D80-92B5-6A016E316869}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{04F3C4CF-8DCD-4D80-92B5-6A016E316869}\VersionIndependentProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D1D10417-6A22-46D4-826A-078C0383F6E7}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D1D10417-6A22-46D4-826A-078C0383F6E7}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D1D10417-6A22-46D4-826A-078C0383F6E7}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D1D10417-6A22-46D4-826A-078C0383F6E7}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{B7A0F64A-9EA6-4FE4-9BD3-B9F0025B4930}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{B7A0F64A-9EA6-4FE4-9BD3-B9F0025B4930}\1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{B7A0F64A-9EA6-4FE4-9BD3-B9F0025B4930}\1.0\0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{B7A0F64A-9EA6-4FE4-9BD3-B9F0025B4930}\1.0\0\win32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{B7A0F64A-9EA6-4FE4-9BD3-B9F0025B4930}\1.0\FLAGS
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{B7A0F64A-9EA6-4FE4-9BD3-B9F0025B4930}\1.0\HELPDIR
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BrowserEnhancements.StockBar
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BrowserEnhancements.StockBar\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BrowserEnhancements.StockBar\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BrowserEnhancements.StockBar.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BrowserEnhancements.StockBar.1\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{04F3C4CF-8DCD-4D80-92B5-6A016E316869}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebEnhancements_1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MediaResources\icm
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\icm

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{04F3C4CF-8DCD-4D80-92B5-6A016E316869}\VersionIndependentProgID]

(Default) = "BrowserEnhancements.StockBar"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{04F3C4CF-8DCD-4D80-92B5-6A016E316869}\TypeLib]

(Default) = "{B7A0F64A-9EA6-4FE4-9BD3-B9F0025B4930}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{04F3C4CF-8DCD-4D80-92B5-6A016E316869}\ProgID]

(Default) = "BrowserEnhancements.StockBar.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{04F3C4CF-8DCD-4D80-92B5-6A016E316869}\InprocServer32]

(Default) = "%ProgramFiles%\WebEnhancements\BrowserEnhancements.dll"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{04F3C4CF-8DCD-4D80-92B5-6A016E316869}]

(Default) = "Browser Enhancements"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D1D10417-6A22-46D4-826A-078C0383F6E7}\TypeLib]

(Default) = "{B7A0F64A-9EA6-4FE4-9BD3-B9F0025B4930}"
Version = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D1D10417-6A22-46D4-826A-078C0383F6E7}\ProxyStubClsid32]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D1D10417-6A22-46D4-826A-078C0383F6E7}\ProxyStubClsid]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D1D10417-6A22-46D4-826A-078C0383F6E7}]

(Default) = "IStockBar"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{B7A0F64A-9EA6-4FE4-9BD3-B9F0025B4930}\1.0\0\win32]

(Default) = "%ProgramFiles%\WebEnhancements\BrowserEnhancements.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{B7A0F64A-9EA6-4FE4-9BD3-B9F0025B4930}\1.0\HELPDIR]

(Default) = "%ProgramFiles%\WebEnhancements"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{B7A0F64A-9EA6-4FE4-9BD3-B9F0025B4930}\1.0\FLAGS]

(Default) = "0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{B7A0F64A-9EA6-4FE4-9BD3-B9F0025B4930}\1.0]

(Default) = "BrowserEnhancements 1.0 Type Library"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BrowserEnhancements.StockBar\CurVer]

(Default) = "BrowserEnhancements.StockBar.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BrowserEnhancements.StockBar\CLSID]

(Default) = "{04F3C4CF-8DCD-4D80-92B5-6A016E316869}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BrowserEnhancements.StockBar]

(Default) = "Browser Enhancements"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BrowserEnhancements.StockBar.1\CLSID]

(Default) = "{04F3C4CF-8DCD-4D80-92B5-6A016E316869}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BrowserEnhancements.StockBar.1]

(Default) = "Browser Enhancements"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{04F3C4CF-8DCD-4D80-92B5-6A016E316869}]

(Default) = "Browser Enhancements Plugin"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebEnhancements_1]

DisplayName = "WebEnhancements"
Publisher = "WebEnhancements INC"
UninstallString = "%ProgramFiles%\WebEnhancements\uninst.exe"
NoModify = 0x00000001
NoRepair = 0x00000001

Other details

There were registered attempts to establish connection with the remote hosts. The connection details are:

Remote Host	Port Number
168.75.207.20	80
199.21.148.123	80
204.0.5.40	80
204.0.5.59	80
207.188.5.44	80
209.167.6.220	80
216.34.207.59	80
216.34.207.62	80
50.18.52.17	80
50.28.11.40	80

The data identified by the following URLs was then requested from the remote web server:

http://this.content.served.by.adshuffle.com/p/kl/46/799/r/12/4/8/t/3369/track.html
http://this.content.served.by.adshuffle.com/p/kl/46/799/r/12/4/8/ast0k3n/fDUpnvB7pWqgEHcSFtSE3_wDP6azjGA6Q_EpFTSimRI=/track.html
http://www.myroitracking.com/newServing/roitrack.php?script=1&type=Lead&value=1.00&seo=0&adsid=37784&nid=1&para=clicksor_opt
http://cache-download.real.com/free/windows/installer/stubinst/stub/rp14/R61PCJ1/RealPlayer.exe
http://ak.imgfarm.com/images/vicinio/dsp-images/100000415/background/1304518587385.jpg
http://ak.imgfarm.com/images/vicinio/dsp-images/100000415/asset1/1304521635987.swf
http://ak.imgfarm.com/images/vicinio/dsp-images/100000415/asset2/1277307864357.png
http://ak.imgfarm.com/images/vicinio/dsp-images/default/1276635176180.png
http://ak.imgfarm.com/images/vicinio/100000415/tb_1277912337834.png
http://www.real.com/realplayer/download/cj1?pcode=cj&cpath=aff&rsrc=4187617_10772376_121h6WIn
http://x.azjmp.com/c.php?o=10580&a=42854&t=2&p=1&azauxurl=70473&sub=ap2
http://x.azjmp.com/4c2Xx?sub=
http://www.apmebf.com/2c111shqp7/hot/65CC78CB/96DCB6C/5/5/5?b=kZPK%3D898oDdPu<<o00w%3A%2F%2F333.qkvxvj5.jvt%3AF7%2Fjspjr-B8FED8E-87EE9AED<<N<<
http://www.jdoqocy.com/click-4187617-10772376?SID=121h6WIn
http://www.emjcd.com/cc111y1A9U/18D/RQXXSTXW/URYXWRX/Q/RFUSN8IPRXVTWXSUVRPRTRQWXSUZTTTYPK9/UXVT3-TX-3VRRR3QYQ34QQST-344QW13?i=hpfa%3DOPO4TtfA<z6B!FBMB-GR01PMT9<4GGC%3A%2F%2FJJJ.60BDBzL.zB9%3AVN%2Fz85z7-ROVUTOU-ONUUPQUT<<d<<
http://director.real.com/realplayer?type=rpsp_us&rppr=cj1&src=null&pcode=cj&rsrc=4187617_10772376_121h6WIn&cpath=aff
http://50.28.11.40/tracking202/redirect/dl.php?t202id=562&t202kw=
http://webenhancements.me/play/success.php
http://www.searchdock.me/plugin/sources/searchdock.js
http://clickapps.net/plugin/jquery-1.3.2_nd.js
http://clickapps.net/plugin/myscript.js
http://www.statcounter.com/counter/counter.js
http://log.realone.com/rpinst/log.txt?prod=stub&closedbrowser=none&opt1=&opt2=&opt3=&opt4=&action=acceptedoffer&value=none&version=3.6.0.24&payload=RealPlayer&li=en&distcode=R61PCJ1&os=5.1.2600|SP2|en&ie=6.00.2900.2180&loc=none&origcode=&overcode=&xml_id=&pkg_id=
http://log.realone.com/rpinst/log.txt?prod=stub&action=error&value=low_disk_space&version=3.6.0.24&payload=RealPlayer&li=en&distcode=R61PCJ1&os=5.1.2600|SP2|en&ie=6.00.2900.2180&loc=none&origcode=&overcode=&xml_id=&pkg_id=
http://log.realone.com/rpinst/log.txt?prod=stub&closedbrowser=none&opt1=&opt2=&opt3=&opt4=&action=displayedoffer&value=none&version=3.6.0.24&payload=RealPlayer&li=en&distcode=R61PCJ1&os=5.1.2600|SP2|en&ie=6.00.2900.2180&loc=none&origcode=&overcode=&xml_id=&pkg_id=
http://ad.yieldmanager.com/pixel?id=1369485&t=2
http://ad.yieldmanager.com/pixel?id=1376401&t=2
http://ad.yieldmanager.com/pixel?id=1376400&t=2
http://ad.yieldmanager.com/pixel?id=1379638&t=2
http://c.statcounter.com/t.php?sc_project=7006513&resolution=640&h=480&camefrom=&u=http%3A//webenhancements.me/play/success.php&t=Success&java=1&security=dee56ad1&sc_random=0.2084103351462575&sc_snum=1&invisible=1
http://stats.adbrite.com/stats/stats.gif?_uid=672286&_pid=2
http://download.televisionfanatic.com/index.jhtml?partner=XPxdm015&spu=true&sub_id=42854
http://www.google-analytics.com/ga.js

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.