ThreatExpert Report: not-a-virus:AdWare.Win32.WinAgir.ds, not-a-virus:AdWare.Win32.WinAgir..

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 24 September 2012, 03:26:02
Processing time: 8 min 21 sec
Submitted sample:

File MD5: 0xEFF52187C3D67218A52E50C7216DEEC0
File SHA-1: 0xE54EAB2590028D0D936C94F341B0ACB4DF11D4C5
Filesize: 452,694 bytes
Alias:

not-a-virus:AdWare.Win32.WinAgir.ds [Kaspersky Lab]
not-a-virus:AdWare.Win32.WinAgir [Ikarus]

Technical Details:

Possible Security Risk

Attention! The following threat categories were identified:

Threat Category	Description
	A potentially unwanted adware program designed to deliver various advertisements to the users' systems
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%Temp%\nsu2.tmp\nsProcess.dll	4,608 bytes	MD5: 0x8F4AC52CB2F7143F29F114ADD12452AD SHA-1: 0x29DC25F5D69BF129D608B83821C8EC8AB8C8EDB3	(not available)
2	%Temp%\nsu2.tmp\nsProcEx.dll	24,576 bytes	MD5: 0xC22123994784BDFD0D6E11CADD89E39A SHA-1: 0x70F52BD94E681571FFC0E3E11A4FD7806B2B0C92	not-a-virus:AdWare.Win32.WinAgir [Ikarus]
3	%Temp%\nsu2.tmp\SelfDel.dll	4,608 bytes	MD5: 0x7CFF7FE2CAEA5184D98C147E7E263132 SHA-1: 0x21F39D3D0DD5F7198D67EF30E95D10AE3460093E	packed with UPX [Kaspersky Lab]
4	%Temp%\nsu2.tmp\wizenis.dll %ProgramFiles%\Wizeni\wizenis.dll	274,432 bytes	MD5: 0xC002F6F228A1B8FB5E53C6A3D824E1F9 SHA-1: 0x2ADC1EAF9B52CD8969FFAC13D7F0FBF1DD4A7274	Adware.Adpopup [Symantec] Trojan.Win32.Sasfis [Ikarus]
5	%ProgramFiles%\Wizeni\uninst.exe	191,674 bytes	MD5: 0x88869A8EA22A96525C917511A634DA22 SHA-1: 0x189C51BC45AE2B6D6109EB87083D067C90F604BE	not-a-virus:AdWare.Win32.WinAgir [Ikarus]
6	%ProgramFiles%\Wizeni\wizenib.dll	77,824 bytes	MD5: 0x42D959453E28D688C2D63CCD78C143B8 SHA-1: 0xFAA2A6F77BBC811A19759AD1D198EC62637B52D7	Adware.Adpopup [Symantec] Trojan.Win32.Sasfis.dhbj [Kaspersky Lab] Trojan.Win32.Sasfis [Ikarus]
7	%ProgramFiles%\Wizeni\wizenir.exe	45,056 bytes	MD5: 0x66799FE2A079730390F75AD386C397DB SHA-1: 0xC557AB0059A5AF6F779A36350339D9434C0FA2E8	Adware.Adpopup [Symantec] not-a-virus:AdWare.Win32.WinAgir.dw [Kaspersky Lab] not-a-virus:AdWare.Win32.WinAgir [Ikarus]
8	[file and pathname of the sample #1]	452,694 bytes	MD5: 0xEFF52187C3D67218A52E50C7216DEEC0 SHA-1: 0xE54EAB2590028D0D936C94F341B0ACB4DF11D4C5	not-a-virus:AdWare.Win32.WinAgir.ds [Kaspersky Lab] not-a-virus:AdWare.Win32.WinAgir [Ikarus]
9	%System%\svcwin.exe	94,208 bytes	MD5: 0xBF5F56050E051BACFC88B4E91FDE63AF SHA-1: 0xA0D8BF183052F2CC13BE2033A4AD8C2C8591327B	not-a-virus:AdWare.Win32.WinAgir.du [Kaspersky Lab] not-a-virus:AdWare.Win32.WinAgir [Ikarus]

Notes:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

The following directories were created:

%AppData%\Wizeni
%Temp%\nsu2.tmp
%ProgramFiles%\Wizeni

Notes:

%AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
svcwin.exe	%System%\svcwin.exe	102,400 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	241,664 bytes
svcwin.da.exe	%System%\svcwin.da.exe	102,400 bytes

Attention! The following processes were intentionally hidden from the user:

Process Name	Main Module Size
svcwin.exeexe	102,400 bytes
svcwin.exeexe	102,400 bytes

There was a new service created in the system:

Service Name	Display Name	Status	Service Filename
Wizeni Service	Wizeni Service	"Running"	%System%\svcwin.exe

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B0C52541-4520-44e3-B3D6-5512CF31B89E}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B0C52541-4520-44e3-B3D6-5512CF31B89E}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B0C52541-4520-44e3-B3D6-5512CF31B89E}\ProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B0C52541-4520-44e3-B3D6-5512CF31B89E}\Programmable
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B0C52541-4520-44e3-B3D6-5512CF31B89E}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B0C52541-4520-44e3-B3D6-5512CF31B89E}\VersionIndependentProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{5A3D8D48-493B-49E8-85E4-7C58F91412CB}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{5A3D8D48-493B-49E8-85E4-7C58F91412CB}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{5A3D8D48-493B-49E8-85E4-7C58F91412CB}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{5A3D8D48-493B-49E8-85E4-7C58F91412CB}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{5C64953E-D568-4AF1-B20B-15EF5B37C94D}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{5C64953E-D568-4AF1-B20B-15EF5B37C94D}\1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{5C64953E-D568-4AF1-B20B-15EF5B37C94D}\1.0\0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{5C64953E-D568-4AF1-B20B-15EF5B37C94D}\1.0\0\win32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{5C64953E-D568-4AF1-B20B-15EF5B37C94D}\1.0\FLAGS
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{5C64953E-D568-4AF1-B20B-15EF5B37C94D}\1.0\HELPDIR
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WizBHO.WizAPI
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WizBHO.WizAPI\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WizBHO.WizAPI\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WizBHO.WizAPI.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WizBHO.WizAPI.1\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Wizeni App
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B0C52541-4520-44e3-B3D6-5512CF31B89E}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wizeni App
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WZCSVC\Status
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WIZENI_SERVICE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WIZENI_SERVICE\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WIZENI_SERVICE\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Wizeni Service
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Wizeni Service\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Wizeni Service\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WIZENI_SERVICE
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WIZENI_SERVICE\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WIZENI_SERVICE\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wizeni Service
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wizeni Service\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wizeni Service\Enum
HKEY_CURRENT_USER\Software\Microsoft\WZCSVC
HKEY_CURRENT_USER\Software\Microsoft\WZCSVC\Status

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B0C52541-4520-44e3-B3D6-5512CF31B89E}\VersionIndependentProgID]

(Default) = "WizBHO.WizAPI"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B0C52541-4520-44e3-B3D6-5512CF31B89E}\TypeLib]

(Default) = "{5C64953E-D568-4af1-B20B-15EF5B37C94D}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B0C52541-4520-44e3-B3D6-5512CF31B89E}\ProgID]

(Default) = "WizBHO.WizAPI.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B0C52541-4520-44e3-B3D6-5512CF31B89E}\InprocServer32]

(Default) = "%ProgramFiles%\Wizeni\wizenib.dll"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B0C52541-4520-44e3-B3D6-5512CF31B89E}]

(Default) = "Wizeni"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{5A3D8D48-493B-49E8-85E4-7C58F91412CB}\TypeLib]

(Default) = "{5C64953E-D568-4AF1-B20B-15EF5B37C94D}"
Version = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{5A3D8D48-493B-49E8-85E4-7C58F91412CB}\ProxyStubClsid32]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{5A3D8D48-493B-49E8-85E4-7C58F91412CB}\ProxyStubClsid]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{5A3D8D48-493B-49E8-85E4-7C58F91412CB}]

(Default) = "IWizeniAPI"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{5C64953E-D568-4AF1-B20B-15EF5B37C94D}\1.0\0\win32]

(Default) = "%ProgramFiles%\Wizeni\wizenib.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{5C64953E-D568-4AF1-B20B-15EF5B37C94D}\1.0\HELPDIR]

(Default) = "%ProgramFiles%\Wizeni\"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{5C64953E-D568-4AF1-B20B-15EF5B37C94D}\1.0\FLAGS]

(Default) = "0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{5C64953E-D568-4AF1-B20B-15EF5B37C94D}\1.0]

(Default) = "WizeniAPIClass 1.0 Type Library"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WizBHO.WizAPI\CurVer]

(Default) = "WizBHO.WizAPI.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WizBHO.WizAPI\CLSID]

(Default) = "{B0C52541-4520-44e3-B3D6-5512CF31B89E}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WizBHO.WizAPI]

(Default) = "WizClass"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WizBHO.WizAPI.1\CLSID]

(Default) = "{B0C52541-4520-44e3-B3D6-5512CF31B89E}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WizBHO.WizAPI.1]

(Default) = "WizClass"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Wizeni App]

Changed = 0x00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B0C52541-4520-44e3-B3D6-5512CF31B89E}]

(Default) = "WizHelper"
(Default) = " "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

Wizeni = "%ProgramFiles%\Wizeni\wizenir.exe"

so that wizenir.exe runs every time Windows starts

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wizeni App]

DisplayName = "Wizeni"
InstallLocation = "%ProgramFiles%\Wizeni"
UninstallString = "%ProgramFiles%\Wizeni\uninst.exe"
Publisher = "Wizeni"
HelpLink = "http://www.wizeniapp.com"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WZCSVC]

dist = ""
mid = "XX1C5AE90565"
ts_shift2 = "18693"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WZCSVC\Status]

last_patch = "2012/09/24 03:26:06"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WIZENI_SERVICE\0000\Control]

*NewlyCreated* = 0x00000000
ActiveService = "Wizeni Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WIZENI_SERVICE\0000]

Service = "Wizeni Service"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "Wizeni Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WIZENI_SERVICE]

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Wizeni Service\Enum]

0 = "Root\LEGACY_WIZENI_SERVICE\0000"
Count = 0x00000001
NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Wizeni Service\Security]

Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Wizeni Service]

Type = 0x00000010
Start = 0x00000002
ErrorControl = 0x00000001
ImagePath = "%System%\svcwin.exe"
DisplayName = "Wizeni Service"
ObjectName = "LocalSystem"
Description = " "

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WIZENI_SERVICE\0000\Control]

*NewlyCreated* = 0x00000000
ActiveService = "Wizeni Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WIZENI_SERVICE\0000]

Service = "Wizeni Service"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "Wizeni Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WIZENI_SERVICE]

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wizeni Service\Enum]

0 = "Root\LEGACY_WIZENI_SERVICE\0000"
Count = 0x00000001
NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wizeni Service\Security]

Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wizeni Service]

Type = 0x00000010
Start = 0x00000002
ErrorControl = 0x00000001
ImagePath = "%System%\svcwin.exe"
DisplayName = "Wizeni Service"
ObjectName = "LocalSystem"
Description = " "

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]

Enable Browser Extensions = "yes"

[HKEY_CURRENT_USER\Software\Microsoft\WZCSVC]

bn = "2012/09/24 03:26:07"

The following Registry Values were modified:

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent]

(Default) =

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent]

(Default) =

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]

Cookies =
History =

Other details

Analysis of the file resources indicate the following possible countries of origin:

	United Kingdom
	Republic of Korea

The following Host Names were requested from a host database:

192.5.5.241
www.ddnswzplus.com
www_wz.ddnsfree.net

The following Internet Connection was established:

Server Name	Server Port	Connect as User	Connection Password
www.wizeniapp.com	80	(null)	(null)

The data identified by the following URLs was then requested from the remote web server:

http://www.wizeniapp.com/runs/do.php?_pi=b9cbdda6ee001c33495e66748f9f6cb3d1e1&a=bec7e3f812214d40574770799cb7c2d0ec041a78435a71
http://www.wizeniapp.com/apps/act.php?_pi=b9cbdda6ee001c33495e66748f9f6cb3d1e1&a=bec5ea03112f466c607869939dc1dde9f8152e45a47088a0
http://www.wizeniapp.com/apps/act.php?_pi=bacde0db061ce32c3f5c747a999fb28ee1eb0d&a=bec5ea03112f466c607869939dc1dde9f8152e45a47088a0
http://www.wizeniapp.com/apps/act.php?_pi=b9cbdda6ee001c33495e66748f9f6cb3d1e1&a=c0e1f8072c605a786f9fafd9fb0d22456481e6b8d6f45e354c6dd6ae1230
http://www.wizeniapp.com/apps/act.php?_pi=b9cbdda6ee001c33495e66748f9f6cb3d1e1&a=c2d701112a5085809f97c8d904273a507494b218eb0a29946c84a610e94e6d

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.