ThreatExpert Report: SecurityRisk.AdShortcuts, AdShortcuts, TrojanClicker:Win32/Yabector.A

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 9 December 2009, 04:48:39
Processing time: 7 min 34 sec
Submitted sample:

File MD5: 0xD1BA8373DF4F53E95CE984FE4CEC3D15
File SHA-1: 0x2C12F08BC7B2E3E3A6E343CDFEA2260A9EACD576
Filesize: 261,295 bytes
Alias:

SecurityRisk.AdShortcuts [PCTools]
AdShortcuts [Symantec]

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.
Creates a startup registry entry.
Registers a 32-bit in-process server DLL.

Technical Details:

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%AppData%\Desktopicon\eBayShortcuts.exe	89,088 bytes	MD5: 0x18137BD9666492C3BB21E964666877E5 SHA-1: 0x4B45816B7F6079519DAA542D698CB7E90E7C0F4B	SecurityRisk.AdShortcuts [PCTools] AdShortcuts [Symantec] TrojanClicker:Win32/Yabector.A [Microsoft]
2	%DesktopDir%\eBay.lnk	1,023 bytes	MD5: 0x19580E05EE5D0A0E8B7505798D0823DE SHA-1: 0x59FA556984FC0F9DFEEAB868C688197D5C97874C	(not available)
3	%Temp%\nsv3.tmp\eBay_shortcuts_1016_Unlocker.exe	79,028 bytes	MD5: 0xA8898A863D21468430E41AA59CCE5698 SHA-1: 0xAFCB72ED00E6E5AC0C6E8F99AE2879DDE6CD7683	SecurityRisk.AdShortcuts [PCTools] AdShortcuts [Symantec]
4	%StartMenu%\eBay.lnk	1,023 bytes	MD5: 0xBD0F47A1121B01DB31084936C7822C62 SHA-1: 0x7139BBF2D9C52258D0E2BFDF7B2CDC6401094EE0	(not available)
5	%Programs%\Unlocker\README.lnk	682 bytes	MD5: 0x8B5FDDE5C48E00B788FB2D9BB5ABDEA2 SHA-1: 0x38ED816DDD04127B469F4240F4909DFAA9332AA4	(not available)
6	%Programs%\Unlocker\Start Unlocker Assistant.lnk	739 bytes	MD5: 0x195C5D94B981D8768C0450CDBA6690B2 SHA-1: 0x9B9C1E8D1FCE674E3362ED741B59F584B38274A1	(not available)
7	%Programs%\Unlocker\Uninstall.lnk	507 bytes	MD5: 0x341B99BA3640736E376278F704FDB96D SHA-1: 0xE3AC9C7B6D7F5C1B340648991E8D8C33A44EBC37	(not available)
8	%Programs%\Unlocker\Website.lnk	694 bytes	MD5: 0x55209F574AC489D9BE41EB96B46C85F8 SHA-1: 0xC18CE68293E7390D3AF9F0A19D27F7575B16A43B	(not available)
9	%ProgramFiles%\Unlocker\README.TXT	1,646 bytes	MD5: 0x1E4F56310340D972501B8931B5AB43E3 SHA-1: 0x04336A4EB4A258BB02479AB9DC2E90C330CFF257	(not available)
10	%ProgramFiles%\Unlocker\uninst.exe	92,245 bytes	MD5: 0x311F9F834A38F6079B85016C04C12972 SHA-1: 0x20ADB82B02DE1D9A706F6EC8C331A222FBF31729	(not available)
11	%ProgramFiles%\Unlocker\Unlocker.exe	87,552 bytes	MD5: 0xAEB7861BF49F5D0B1834E3571BCA1803 SHA-1: 0xDFC9AF417868A6D5023D2FD6B487D3139D781F3F	(not available)
12	%ProgramFiles%\Unlocker\Unlocker.url	59 bytes	MD5: 0xD8843CE8A17012C12BA8FD35DE88379E SHA-1: 0xF11FD6407BAE44B19C37C4CE60EF3F094F8711CA	(not available)
13	%ProgramFiles%\Unlocker\UnlockerAssistant.exe	15,872 bytes	MD5: 0x403E928BA217E38485009636C793F3C9 SHA-1: 0x2DB1A193F60139FB7DA1C21B9A6558D75694F996	(not available)
14	%ProgramFiles%\Unlocker\UnlockerCOM.dll	10,240 bytes	MD5: 0xDA66CEAF1DEF4DA337F1542E0308483D SHA-1: 0xCC62FCE6BD958292064127A723BD936B95960EDD	(not available)
15	%ProgramFiles%\Unlocker\UnlockerDriver5.sys	4,096 bytes	MD5: 0x4847639D852763EE39415C929470F672 SHA-1: 0xBA5BF16F30378754DD06F0610A8E833421CF43EA	(not available)
16	%ProgramFiles%\Unlocker\UnlockerHook.dll	4,608 bytes	MD5: 0x78D62115F51B641A9F12AFDF50A352FC SHA-1: 0xB801BFA7200BD378C53056E3B330DD4D2BFC622A	(not available)
17	[file and pathname of the sample #1]	261,295 bytes	MD5: 0xD1BA8373DF4F53E95CE984FE4CEC3D15 SHA-1: 0x2C12F08BC7B2E3E3A6E343CDFEA2260A9EACD576	SecurityRisk.AdShortcuts [PCTools] AdShortcuts [Symantec]

Notes:

%AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.
%DesktopDir% is a variable that refers to the file system directory used to physically store file objects on the desktop. A typical path is C:\Documents and Settings\[UserName]\Desktop.
%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
%StartMenu% is a variable that refers to the file system directory containing Start menu items. A typical path is C:\Documents and Settings\[UserName]\Start Menu.
%Programs% is a variable that refers to the file system directory that contains the user's program groups. A typical path is C:\Documents and Settings\[UserName]\Start Menu\Programs.
%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

The following directories were created:

%AppData%\Desktopicon
%Temp%\nsv3.tmp
%Programs%\Unlocker
%ProgramFiles%\Unlocker

Memory Modifications

There was a new process created in the system:

Process Name	Process Filename	Main Module Size
UnlockerAssistant.exe	%ProgramFiles%\Unlocker\UnlockerAssistant.exe	24,576 bytes

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\UnlockerShellExtension
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\UnlockerShellExtension
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\UnlockerShellExtension
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Unlocker
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UnlockerDriver5
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UnlockerDriver5

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\UnlockerShellExtension]

(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\UnlockerShellExtension]

(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}\InProcServer32]

(Default) = "%ProgramFiles%\Unlocker\UnlockerCOM.dll"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}]

(Default) = "UnlockerShellExtension"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\UnlockerShellExtension]

(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

UnlockerAssistant = ""%ProgramFiles%\Unlocker\UnlockerAssistant.exe""

so that UnlockerAssistant.exe runs every time Windows starts

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83} = "UnlockerShellExtension"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Unlocker]

Language = "1033"
OnlineVersion = "1.8.7"
DisplayName = "Unlocker 1.8.7"
UninstallString = "%ProgramFiles%\Unlocker\uninst.exe"
DisplayIcon = "%ProgramFiles%\Unlocker\Unlocker.exe"
DisplayVersion = "1.8.7"
URLInfoAbout = "http://ccollomb.free.fr/unlocker/"
Publisher = "Cedrick Collomb"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UnlockerDriver5]

ImagePath = "\??\%ProgramFiles%\Unlocker\UnlockerDriver5.sys"
Type = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UnlockerDriver5]

ImagePath = "\??\%ProgramFiles%\Unlocker\UnlockerDriver5.sys"
Type = 0x00000001

The following Registry Value was modified:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]

1601 =

Other details

Analysis of the file resources indicate the following possible country of origin:

United Kingdom

There were registered attempts to establish connection with the remote hosts. The connection details are:

Remote Host	Port Number
204.0.5.24	80
204.0.5.33	80
204.0.5.9	80
66.135.202.211	80
66.211.160.10	80
66.211.180.40	80
66.211.181.11	80
89.202.135.151	80
92.51.132.59	80

The data identified by the following URLs was then requested from the remote web server:

http://pics.ebaystatic.com/aw/pics/logos/logoEbay_x45.gif
http://pics.ebaystatic.com/aw/pics/homepage/xmas2009/globalhdr_holiday2009_tile.gif
http://pics.ebaystatic.com/aw/pics/homepage/xmas2009/globalhdr_holiday2009_lft.gif
http://pics.ebaystatic.com/aw/pics/homepage/xmas2009/globalhdr_holiday2009_rht.gif
http://pics.ebaystatic.com/aw/pics/globalHeader/imgHdrDropDownIcon.gif
http://pics.ebaystatic.com/aw/pics/cmp/ui/sprglobalheader_100pxw.png
http://pics.ebaystatic.com/aw/pics/icons/iconAutofillDown_12x10.gif
http://pics.ebaystatic.com/aw/pics/globalAssets/imgCCHPMeBAAGSignedOut.gif
http://pics.ebaystatic.com/aw/pics/s.gif
http://pics.ebaystatic.com/aw/pics/homepage/xmas2009/imghphdrrhtblue.gif
http://pics.ebaystatic.com/aw/pics/homepage/xmas2009/imgHPHdrLftBlue.gif
http://pics.ebaystatic.com/aw/pics/homepage/xmas2009/cchp_598x31.gif
http://pics.ebaystatic.com/aw/pics/globalAssets/imgPanelLRGrey.gif
http://pics.ebaystatic.com/aw/pics/globalAssets/imgPanelLLGrey.gif
http://pics.ebaystatic.com/aw/pics/globalAssets/imgPanelBGGreyGrad.gif
http://pics.ebaystatic.com/aw/pics/globalAssets/imgPanelLRGreyGrad.gif
http://pics.ebaystatic.com/aw/pics/globalAssets/imgPanelLLGreyGrad.gif
http://pics.ebaystatic.com/aw/pics/globalAssets/imgAutofillLLGrey.gif
http://pics.ebaystatic.com/aw/pics/globalAssets/imgAutofillLRGrey.gif
http://pics.ebaystatic.com/aw/pics/icons/iconAutofillUp_12x10.gif
http://rtm.ebaystatic.com/0/RTMS/Image/Merc-widget_books-Q409-275x73.gif
http://rtm.ebaystatic.com/0/RTMS/Image/BRND-MaxMara-DDAlertBar-Q409-930x35.jpg
http://rtm.ebaystatic.com/0/RTMS/Image/MERC-HolidayFreeShipping_Q409-GreatGifts_DooneyBourke-613x290.gif
http://rtm.ebaystatic.com/0/RTMS/Image/Merc-widget_zhuzhu-Q409-275x73.gif
http://rtm.ebaystatic.com/0/RTMS/Image/PROD-StockingStufferMM-Q409-298x270.jpg
http://rtm.ebaystatic.com/0/RTMS/Image/CHAR-MollySimsV2-Q409-298x270.jpg
http://rtm.ebaystatic.com/0/RTMS/Image/BRND-MaxMara-Q409-300x310.jpg
http://rtm.ebaystatic.com/0/RTMS/Image/ADVT-SCHeaderNonTB_Q407-112x22.gif
http://rtm.ebaystatic.com/0/RTMS/Image/BRND-vault_RTM-Q409-135x24.gif
http://include.ebaystatic.com/v4css/en_US/e639/CCHP_HomepageV4_SLDR_e63910185443_en_US.css
http://include.ebaystatic.com/v4css/en_US/e643/GH-LIGER_Ebay_e64310272617_en_US.css
http://include.ebaystatic.com/v4js/en_US/e643/SYS-LIGER_vjo_e64310333892_1_en_US.js
http://include.ebaystatic.com/v4js/en_US/e643/GH-LIGER_Ebay_e64310272616_1_en_US.js
http://include.ebaystatic.com/v4js/en_US/e639/CCHP_HomepageV4_SLDR_e63910185442_6_en_US.js
http://include.ebaystatic.com/v4css/en_US/e643/Finding_AllDomains_e64310272617_en_US.css
http://include.ebaystatic.com/v4js/en_US/e643/Finding_Common_e64310279810_6b_en_US.js
http://include.ebaystatic.com/v4js/en_US/e637/Finding_AllDomains_e63710121519_6_en_US.js
http://rover.ebay.com/idmap/0?footer&cb=vjo.dsf.assembly.VjClientAssembler._callback1&_vrdm=1260363036252
http://rover.ebay.com/rover/1/711-53200-19255-0/1?type=1&campid=5335816973&toolid=10001&customid=
http://shop.ebay.com/?_from=R40&_trksid=p3907.m38.l1313&_nkw=&_sacat=See-All-Categories
http://shop.ebay.com/allcategories/all-categories
http://srx.main.ebayrtm.com/rtm?RtmCmd&a=json&g=&ord=1260356207563&p=433:876:912&z=0&bw=485&cg=731576d01250a0e203102b90fd3df3a0&enc=UTF-8&v=4&cb=vjo.dsf.assembly.VjClientAssembler._callback0&_vrdm=1260363038267
http://www.ebay.com/
http://adon-demand.de/red/2375/
http://www.adon-demand.de/red/2302/?s=United%20States&c=1
http://www.callidae.biz/cgi-bin/redirect.cgi?t=0
http://www.callidae.biz/en/1004138/samsung-sgh-c417-1.html
http://www.callidae.biz/js/lib.js
http://www.callidae.biz/js/track.js?1004138
http://www.callidae.biz/cgi-bin/ext.cgi?t=26

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.