
SoftwareBundler:Win32/Besofter


First posted on 26 June 2013.
Source: Microsoft

Aliases:

SoftwareBundler:Win32/Besofter is also known as Backdoor.Win32.Clack.pkn (Kaspersky), winpe/InstalleRex.H (Norman), Trojan.DownLoader8.16612 (Dr.Web), Riskware/BetterSoftAgent (other).

Explanation:

Installation

SoftwareBundler:Win32/Besofter can be bundled and installed with other software. We have seen it bundled with BetterSoftAgent.

When run, SoftwareBundler:Win32/Besofter installs the following files:

  • %ALLUSERPROFILE%\application data\bettersoft\agent\agent.exe._tm
  • %ALLUSERPROFILE%\application data\bettersoft\agent\agent.exe
  • %ALLUSERPROFILE%\application data\bettersoft\agent\577855134.dll


The software modifies the following registry entries to make sure the file 577855134.dll is run as a browser helper object in Internet Explorer:

In subkey: HKLM\SOFTWARE\Classes\CLSID\{14F35FFC-522A-4DD1-A07E-6B8B65C6891E}
Sets value: "(default)"
With data: "runtime class"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{14F35FFC-522A-4DD1-A07E-6B8B65C6891E}\InprocServer32
Sets value: "(default)"
With data: "%ALLUSERPROFILE%\application data\bettersoft\agent\577855134.dll"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{14F35FFC-522A-4DD1-A07E-6B8B65C6891E}\TypeLib
Sets value: "(default)"
With data: "{ac329328-7ec4-4c34-b672-0a2b90cb9b00}"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{14F35FFC-522A-4DD1-A07E-6B8B65C6891E}\Version
Sets value: "(default)"
With data: "1.0"

In subkey: HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{14F35FFC-522A-4DD1-A07E-6B8B65C6891E}
Sets value: "Compatibility Flags"
With data: "1024"

In subkey: HKLM\SOFTWARE\Classes\TypeLib\{AC329328-7EC4-4C34-B672-0A2B90CB9B00}\1.0
Sets value: "(default)"
With data: "runtimelib"

In subkey: HKLM\SOFTWARE\Classes\TypeLib\{AC329328-7EC4-4C34-B672-0A2B90CB9B00}\1.0\FLAGS
Sets value: "(default)"
With data: "0"

In subkey: HKLM\SOFTWARE\Classes\TypeLib\{AC329328-7EC4-4C34-B672-0A2B90CB9B00}\1.0\0\win32
Sets value: "(default)"
With data: "%ALLUSERPROFILE%\application data\bettersoft\agent\577855134.dll"

In subkey: HKLM\SOFTWARE\Classes\TypeLib\{AC329328-7EC4-4C34-B672-0A2B90CB9B00}\1.0\HELPDIR
Sets value: "(default)"
With data: "%ALLUSERPROFILE%\application data\bettersoft\agent"

In subkey: HKLM\SOFTWARE\Classes\Interface\{19DF2320-6A8A-4942-AC4C-C449949DFC27}\TypeLib
Sets value: "(default)"
With data: "{ac329328-7ec4-4c34-b672-0a2b90cb9b00}"

In subkey: HKLM\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4325}\TypeLib
Sets value: "(default)"
With data: "{ac329328-7ec4-4c34-b672-0a2b90cb9b00}"

In subkey: HKLM\SOFTWARE\Classes\Interface\{5B113BE7-98FF-4DA7-8441-D3AAE3836AE4}\TypeLib
Sets value: "(default)"
With data: "{ac329328-7ec4-4c34-b672-0a2b90cb9b00}"

In subkey: HKLM\SOFTWARE\Classes\Interface\{662CA6E1-37D8-4C12-8586-3AC64DF96187}\TypeLib
Sets value: "(default)"
With data: "{ac329328-7ec4-4c34-b672-0a2b90cb9b00}"

In subkey: HKLM\SOFTWARE\Classes\Interface\{8A2DAA70-D6C9-4BAA-B9CA-DE8A9F49CA12}\TypeLib
Sets value: "(default)"
With data: "{ac329328-7ec4-4c34-b672-0a2b90cb9b00}"

In subkey: HKLM\SOFTWARE\Classes\Interface\{19DF2320-6A8A-4942-AC4C-C449949DFC27}
Sets value: "(default)"
With data: "idownloadjob"

In subkey: HKLM\SOFTWARE\Classes\Interface\{19DF2320-6A8A-4942-AC4C-C449949DFC27}\ProxyStubClsid
Sets value: "(default)"
With data: "{00020424-0000-0000-c000-000000000046}"

In subkey: HKLM\SOFTWARE\Classes\Interface\{19DF2320-6A8A-4942-AC4C-C449949DFC27}\ProxyStubClsid32
Sets value: "(default)"
With data: "{00020424-0000-0000-c000-000000000046}"

In subkey: HKLM\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4325}
Sets value: "(default)"
With data: "iruntime"

In subkey: HKLM\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4325}\ProxyStubClsid
Sets value: "(default)"
With data: "{00020424-0000-0000-c000-000000000046}"

In subkey: HKLM\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4325}\ProxyStubClsid32
Sets value: "(default)"
With data: "{00020424-0000-0000-c000-000000000046}"

In subkey: HKLM\SOFTWARE\Classes\Interface\{5B113BE7-98FF-4DA7-8441-D3AAE3836AE4}
Sets value: "(default)"
With data: "irunningprocess"

In subkey: HKLM\SOFTWARE\Classes\Interface\{5B113BE7-98FF-4DA7-8441-D3AAE3836AE4}\ProxyStubClsid
Sets value: "(default)"
With data: "{00020424-0000-0000-c000-000000000046}"

In subkey: HKLM\SOFTWARE\Classes\Interface\{5B113BE7-98FF-4DA7-8441-D3AAE3836AE4}\ProxyStubClsid32
Sets value: "(default)"
With data: "{00020424-0000-0000-c000-000000000046}"

In subkey: HKLM\SOFTWARE\Classes\Interface\{662CA6E1-37D8-4C12-8586-3AC64DF96187}
Sets value: "(default)"
With data: "iwaitabletask"

In subkey: HKLM\SOFTWARE\Classes\Interface\{662CA6E1-37D8-4C12-8586-3AC64DF96187}\ProxyStubClsid
Sets value: "(default)"
With data: "{00020424-0000-0000-c000-000000000046}"

In subkey: HKLM\SOFTWARE\Classes\Interface\{662CA6E1-37D8-4C12-8586-3AC64DF96187}\ProxyStubClsid32
Sets value: "(default)"
With data: "{00020424-0000-0000-c000-000000000046}"

In subkey: HKLM\SOFTWARE\Classes\Interface\{8A2DAA70-D6C9-4BAA-B9CA-DE8A9F49CA12}
Sets value: "(default)"
With data: "idownloaderror"

In subkey: HKLM\SOFTWARE\Classes\Interface\{8A2DAA70-D6C9-4BAA-B9CA-DE8A9F49CA12}\ProxyStubClsid
Sets value: "(default)"
With data: "{00020424-0000-0000-c000-000000000046}"

In subkey: HKLM\SOFTWARE\Classes\Interface\{8A2DAA70-D6C9-4BAA-B9CA-DE8A9F49CA12}\ProxyStubClsid32
Sets value: "(default)"
With data: "{00020424-0000-0000-c000-000000000046}"

It also modifies the following registry entry to change Internet Explorer security settings:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
Sets value: "ProxyBypass"
With data: "1"
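The file and registry artifacts listed above can be turned into a read-only host triage check. The PowerShell script below is an added example, not part of the Microsoft write-up and not code from the software it describes: it looks for the dropped files, the CLSID, TypeLib and Interface registrations that bind 577855134.dll as a browser helper object, and the ZoneMap change, and prints what it finds without modifying anything. It assumes that the write-up's %ALLUSERPROFILE% corresponds to the $env:ALLUSERSPROFILE variable on the host.

```powershell
# Added example (not from the Microsoft write-up): read-only triage check for the
# SoftwareBundler:Win32/Besofter artifacts listed in the description.
# It reads the registry and file system and reports findings; it changes nothing.
# Assumption: the write-up's %ALLUSERPROFILE% corresponds to $env:ALLUSERSPROFILE.

$clsid   = '{14F35FFC-522A-4DD1-A07E-6B8B65C6891E}'
$typeLib = '{AC329328-7EC4-4C34-B672-0A2B90CB9B00}'
# Interface IIDs and the names the installer registers for them (from the write-up)
$interfaces = @{
    '{19DF2320-6A8A-4942-AC4C-C449949DFC27}' = 'idownloadjob'
    '{3B3F3AAD-FB97-49FF-BFEE-D22869AC4325}' = 'iruntime'
    '{5B113BE7-98FF-4DA7-8441-D3AAE3836AE4}' = 'irunningprocess'
    '{662CA6E1-37D8-4C12-8586-3AC64DF96187}' = 'iwaitabletask'
    '{8A2DAA70-D6C9-4BAA-B9CA-DE8A9F49CA12}' = 'idownloaderror'
}
$agentDir = Join-Path $env:ALLUSERSPROFILE 'application data\bettersoft\agent'

$findings = [System.Collections.Generic.List[string]]::new()

# Reads one registry value (use '(default)' for the unnamed value); returns $null if absent.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# 1. COM registration of the BHO DLL under the CLSID from the write-up
$inproc = Get-RegValue "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32" '(default)'
if ($inproc) { $findings.Add("CLSID $clsid InprocServer32 -> $inproc") }
if ((Get-RegValue "HKLM:\SOFTWARE\Classes\CLSID\$clsid\TypeLib" '(default)') -ieq $typeLib) {
    $findings.Add("CLSID $clsid is bound to TypeLib $typeLib")
}
$flags = Get-RegValue "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid" 'Compatibility Flags'
if ($null -ne $flags) { $findings.Add("ActiveX Compatibility flags for $clsid = $flags") }

# 2. Type library entry pointing at the dropped DLL
$tlbWin32 = Get-RegValue "HKLM:\SOFTWARE\Classes\TypeLib\$typeLib\1.0\0\win32" '(default)'
if ($tlbWin32) { $findings.Add("TypeLib $typeLib 1.0 win32 -> $tlbWin32") }

# 3. Interfaces registered against the same type library
foreach ($iid in $interfaces.Keys) {
    $tl = Get-RegValue "HKLM:\SOFTWARE\Classes\Interface\$iid\TypeLib" '(default)'
    if ($tl -ieq $typeLib) {
        $name = Get-RegValue "HKLM:\SOFTWARE\Classes\Interface\$iid" '(default)'
        $findings.Add("Interface $iid ('$name', expected '$($interfaces[$iid])') -> TypeLib $typeLib")
    }
}

# 4. Dropped files; hash them so the result can be cross-checked against other sources
foreach ($f in 'agent.exe._tm', 'agent.exe', '577855134.dll') {
    $p = Join-Path $agentDir $f
    if (Test-Path -LiteralPath $p) {
        $h = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        $findings.Add("File present: $p (SHA256 $h)")
    }
}

# 5. IE zone-map change. ProxyBypass=1 also occurs on clean systems, so it is only
#    corroborating evidence and is reported only alongside other findings.
$bypass = Get-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap' 'ProxyBypass'
if ($bypass -eq 1 -and $findings.Count -gt 0) {
    $findings.Add('ZoneMap ProxyBypass = 1 (corroborating only)')
}

if ($findings.Count -eq 0) {
    Write-Output 'No SoftwareBundler:Win32/Besofter artifacts found.'
} else {
    Write-Output "Found $($findings.Count) artifact(s):"
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Run it in an elevated session so that the HKLM keys are readable regardless of ACLs; the checks under HKCU reflect only the current user's hive, so repeat them for other profiles if needed. Because the CLSID and TypeLib GUIDs are specific to this sample, absence of these keys does not rule out a repackaged variant; treat the script as a quick confirmation of the indicators above, not as a general detection.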

Execution

The software may try to download files, including possible malware, from virtuallyreality.info.

Analysis by Hyun Choi

Last update 26 June 2013
