ThreatExpert Report

Submission Summary:

Submission details:

Submission received: 28 January 2008, 01:28:02
Processing time: 3 min 42 sec
Submitted sample:

File MD5: 0x650206B91F4A754C9E8FC06DADA9FB00
Filesize: 1,409,800 bytes

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.
Creates a startup registry entry.
Registers a Browser Helper Object (Microsoft's Internet Explorer plugin module).
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! Characteristics of the following security risks were identified in the system:

Security Risk	Description
Hijacker.InstaFinder	Instafinder is a Internet Explorer Browser search hijacker. It installs a file called instafin.dll which is used for hijacking.
Adware.TheSearchMall	This is an adware which adds an IE BHO and displays pop-up ads
Adware.Agent.BN	Adware.Agent.BN is an adware program that displays pop-up advertisements and adds a runkey to run at startup, and also modifies Windows system configuration in order to download more malwares on to infected computer.

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash
1	%DesktopDir%\SpyKillerPro.lnk	774 bytes	MD5: 0xAFBB44D8BA77DC494E93F9434F9B5D3E
2	%Programs%\SpyKillerPro\SpyKillerPro.lnk	1,668 bytes	MD5: 0x53DE4B4B8706F097026D239F51D6E85C
3	%Programs%\SpyKillerPro\Uninstall.lnk	1,647 bytes	MD5: 0x6CB44F9CF4B7FBFC287040F16139AA8E
4	%ProgramFiles%\SpyKillerPro\backup.lst	117 bytes	MD5: 0x65EB73249B3AF1367A42D5CE5BC4801B
5	%ProgramFiles%\SpyKillerPro\helper.sys	9,728 bytes	MD5: 0x9A0FB32466522B5DEFE242201448EDB5
6	%ProgramFiles%\SpyKillerPro\icon.ico	11,502 bytes	MD5: 0x5C0D8223F9838733253F9F3289068173
7	%ProgramFiles%\SpyKillerPro\license.txt	1,725 bytes	MD5: 0xD37D277995900A0478CB52AA229D9AEC
8	%ProgramFiles%\SpyKillerPro\pn.cfg	12 bytes	MD5: 0x58BACD287E1C760B4BF8B62A5751C6CB
9	%ProgramFiles%\SpyKillerPro\SpyKillerPro.exe	4,833,792 bytes	MD5: 0xD63E310E9720FD24D80B749C519F0EC1
10	%ProgramFiles%\SpyKillerPro\SpyKillerProUpdate.exe	2,349,568 bytes	MD5: 0x052153E69EF8094A7CA03028B166B6AD
11	%ProgramFiles%\SpyKillerPro\SpyKillerPro_log.txt	308 bytes	MD5: 0x93044A87FDBE8F2E42E84ED86C1CA04C
12	%ProgramFiles%\SpyKillerPro\spyware.dat	307,187 bytes	MD5: 0x8DA969D21F2B65BA85ECD4091B6B5609
13	%ProgramFiles%\SpyKillerPro\uninstall.exe	32,616 bytes	MD5: 0xD092D99A99191ADFDD5D7D783D15ABAB
14	%ProgramFiles%\SpyKillerPro\ver.dat	9 bytes	MD5: 0xAFA401B18C24A8D00CFF2EA6FC03885A
15	%ProgramFiles%\SpyKillerPro\whitelist.cfg	0 bytes	MD5: 0xD41D8CD98F00B204E9800998ECF8427E
16	[file and pathname of the sample #1]	1,409,800 bytes	MD5: 0x650206B91F4A754C9E8FC06DADA9FB00

Notes:

%DesktopDir% is a variable that refers to the file system directory used to physically store file objects on the desktop. A typical path is C:\Documents and Settings\[UserName]\Desktop.
%Programs% is a variable that refers to the file system directory that contains the user's program groups. A typical path is C:\Documents and Settings\[UserName]\Start Menu\Programs.
%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

The following directories were created:

%Programs%\SpyKillerPro
%ProgramFiles%\SpyKillerPro
%ProgramFiles%\SpyKillerPro\Quarantine

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
SpyKillerPro.exe	%ProgramFiles%\spykillerpro\spykillerpro.exe	4,878,336 bytes
SpyKillerProUpdate.exe	%ProgramFiles%\SpyKillerPro\SpyKillerProUpdate.exe	2,392,064 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	184,320 bytes

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4e7bd74f-2b8d-469e-dcf7-f96da086b434}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6C6B8C69-9285-4D94-8492-9E920C8C2B65}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{74f25a2c-22b3-4023-8f1a-ca616c30a8b5}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9a19966f-ae0e-4699-8cce-9b6f5f1c352c}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ABCDECF0-4B15-11D1-ABED-709549C10000}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D714A94F-123A-45CC-8F03-040BCAF82AD6}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpyKillerPro
HKEY_LOCAL_MACHINE\SOFTWARE\SpyKillerPro
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SpyKillerProFilter
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SpyKillerProFilter\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SpyKillerProFilter\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SpyKillerProFilter
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SpyKillerProFilter\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SpyKillerProFilter\Enum
HKEY_CURRENT_USER\Software\SpyKillerPro
HKEY_CURRENT_USER\Software\SpyKillerPro\FirstRun
HKEY_CURRENT_USER\Software\SpyKillerPro\Options
HKEY_CURRENT_USER\Software\SpyKillerPro\Register

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D714A94F-123A-45CC-8F03-040BCAF82AD6}]

(Default) = ""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ABCDECF0-4B15-11D1-ABED-709549C10000}]

(Default) = ""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9a19966f-ae0e-4699-8cce-9b6f5f1c352c}]

(Default) = ""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{74f25a2c-22b3-4023-8f1a-ca616c30a8b5}]

(Default) = ""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6C6B8C69-9285-4D94-8492-9E920C8C2B65}]

(Default) = ""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4e7bd74f-2b8d-469e-dcf7-f96da086b434}]

(Default) = ""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

System = "%Windir%\krln32.exe"
Windows Framework = "%System%\scvh0st.exe"
mmnext06 = "%Windir%\trjdwnl.dll"
shellbn = "%Windir%\shlext32.exe"
Tapicfg.exe = "tapicfg.exe"
bantool = "bantool.exe"
winavx = "%System%\WinAvXX.exe"
anti_troj = "%System%\anti_troj.exe"
vmlib = "vmlib.exe"
cssrss.exe = "cssrss.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpyKillerPro]

DisplayName = "SpyKillerPro"
UninstallString = ""%ProgramFiles%\SpyKillerPro\uninstall.exe""
NoModify = 0x00000001
NoRepair = 0x00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\SpyKillerPro]

Install_Dir = "%ProgramFiles%\SpyKillerPro"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SpyKillerProFilter\Enum]

Count = 0x00000000
NextInstance = 0x00000000
INITSTARTFAILED = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SpyKillerProFilter\Security]

Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SpyKillerProFilter]

Type = 0x00000001
Start = 0x00000003
ErrorControl = 0x00000001
ImagePath = "\??\%ProgramFiles%\SpyKillerPro\SSS.sys"
DisplayName = "1/7/20083:15:04 PM"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SpyKillerProFilter\Enum]

Count = 0x00000000
NextInstance = 0x00000000
INITSTARTFAILED = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SpyKillerProFilter\Security]

Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SpyKillerProFilter]

Type = 0x00000001
Start = 0x00000003
ErrorControl = 0x00000001
ImagePath = "\??\%ProgramFiles%\SpyKillerPro\SSS.sys"
DisplayName = "1/7/20083:15:04 PM"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

SpyKillerPro = "%ProgramFiles%\SpyKillerPro\SpyKillerPro.exe"
quartz = "%System%\quartz.exe"
dmime = "%System%\dmime.exe"
Outerinfo = "%Windir%\Outerinfo.exe"
winavx = "%System%\WinAvXX.exe"
anti_troj = "%System%\anti_troj.exe"
windows update loader = "%Windir%\xpupdate.exe"

so that SpyKillerPro.exe runs every time Windows starts

[HKEY_CURRENT_USER\Software\SpyKillerPro\Options]

AutoScanOnStartup = "1"
AutoUpdate = "0"
StartWithWindows = "1"
StartMinimized = "0"
MinimizeToTray = "1"
FirstRunMinimize = "0"
ProgramVersion = "SpyKillerPro 1.0.1"
HelpUrl = "http://mastertools.us/faq.php"
RegisterUrl = "http://mastertools.us/purchase.php?AffiliateID=1003&code="
VersionUrl = "http://mastertools.us/ver.dat"
UpdateUrl = "http://mastertools.us/spyware.dat"
OffsiteUrl = "http://mastertools.us"
LabelUrl = "http://mastertools.us"
UpdateExeUrl = "http://mastertools.us/SpyKillerPro.exe"
BillingUrl = "https://secure.sweeptransact.com/Billing/API/CheckLicense.aspx?Email=%email%&TransactionKey=%transactionkey%&AffiliateID=%aff%"
BillingUrlApproved = "https://secure.sweeptransact.com/Billing/API/CheckLicense.aspx?Email=%email%&TransactionKey=%transactionkey%&AffiliateID=%aff%&RegistrationCompleted=1"
TransactionKey = "HWKNAETGSGWELngO"
Aff = "2"
ExeVersion = "1.0.1"

Other details

Analysis of the file resources indicate the following possible country of origin:

Russian Federation

To mark the presence in the system, the following Mutex object was created:

SpyKillerPro_running

The following Internet download was started (the retrieved bits are saved into the local file):

URL to be downloaded	Filename for the downloaded bits
http://mastertools.us/ver.dat	%ProgramFiles%\SpyKillerPro\ver.txt

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.