Win32/Xadupi
First posted on 14 September 2016.
Source: Microsoft
Aliases:
There are no other names known for Win32/Xadupi.
Explanation:
Installation
This trojan is often installed silently by BrowserModifier:Win32/Sasquor or BrowserModifier:Win32/SupTab. It is often installed under the name "WinZipper", "QKSee", or both.
When this threat's installer is executed, it creates one or both of the following folders under %ProgramFiles% (for this 32-bit installer on 64-bit Windows that resolves to C:\Program Files (x86), as in the listings below):
- %ProgramFiles%\qksee\
- %ProgramFiles%\WinZipper\
It then writes a large number of files into those folders. The following listings are examples of what each variant drops; the executables, DLLs and service binaries at the end of each list are the components that matter, the rest are UI skins, layouts and language resources.
QKSee examples:
C:\Program Files (x86)\qksee\skin\oiview\image\default\action_line.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\btn_back.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\btn_screen_close.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\button_l.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\button_r.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\delete_logo.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\fileinfo_bound.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\guide_arrow.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\guide_catalogue.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\guide_catalogue1.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\icon_arrow.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\ico_auto.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\ico_catalogue.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\ico_enlarge.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\ico_files.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\ico_install_close.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\ico_more.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\ico_narrow.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\ico_next.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\ico_normal.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\ico_prev.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\ico_rotation_tl.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\ico_rotation_tr.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\ico_update.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\ico_upward.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\ico_view_close.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\ico_view_max.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\ico_view_min.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\ico_view_res.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\ico_warning.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\ico_zoom.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\input_catalogue.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\input_catalogue_single.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\install_button2.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\install_complete.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\invalid.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\logo_16x16.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\msg_bk.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\OIview_v1_33.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\OIview_v1_66.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\pic-error.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\picfolder_thum_bg.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\pic_back.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\pic_folder.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\pic_thum_bg.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\pic_thum_bg3.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\product\oivu_icon.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\product\thumbnail.ico
C:\Program Files (x86)\qksee\skin\oiview\image\default\product\top_logo.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\qMenu_bg.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\qMenu_over_bg.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\resource.xml
C:\Program Files (x86)\qksee\skin\oiview\image\default\screen_block.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\screen_thum.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\uninstall_bg.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\view_bg.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\vscroll.png
C:\Program Files (x86)\qksee\skin\oiview\image\default\warning_bg.png
C:\Program Files (x86)\qksee\skin\oiview\layout\default\fullscreendlg.xml
C:\Program Files (x86)\qksee\skin\oiview\layout\default\iviewmaindlg.xml
C:\Program Files (x86)\qksee\skin\oiview\layout\default\messageboxdlg.xml
C:\Program Files (x86)\qksee\skin\oiview\layout\default\movewnd.xml
C:\Program Files (x86)\qksee\skin\oiview\layout\default\msgbox.xml
C:\Program Files (x86)\qksee\skin\oiview\layout\default\my_pc_menu.xml
C:\Program Files (x86)\qksee\skin\oiview\layout\default\oiviewtoolsdlg.xml
C:\Program Files (x86)\qksee\skin\oiview\style\style.xml
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\bk_b.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\btn_close.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\btn_goon.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\button_delete.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\button_selected.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\checkbox_cancel.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\checkbox_default.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\cover_bk.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\delete_logo.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\edit_skin.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\header_bk.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\icon_edit_pg.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\ico_files.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\ico_install_close.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\ico_uninstall_close.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\ico_update.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\ico_view_close.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\ico_view_max.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\ico_view_min.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\installbut.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\install_bg.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\install_button2.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\install_button3.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\install_check_checked.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\install_check_intermediate.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\install_check_uncheck.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\install_complete.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\install_progress_bk.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\install_progress_indicator.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\install_resource.xml
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\massagebox_bkg .png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\menuitem_selbk.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\menu_bkg.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\menu_item_over.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\messagebox_btn.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\OIview_v1_66.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\open_dir0.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\pic-error(2).png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\pic-error.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\pic-info.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\pic-question.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\pic-warning.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\product\app_icon.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\product\logo_install.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\product\logo_uninstall.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\product\picexa.ico
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\progressbar_anim.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\progress_bg.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\progress_install.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\progress_install_glow.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\progress_uninstall.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\progress_uninstall2.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\resource.xml
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\search_button.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\uninstall_bg.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\view_action_bg.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\image\default\view_bg.png
C:\Program Files (x86)\qksee\skin\oi_uninstall\layout\default\msgbox.xml
C:\Program Files (x86)\qksee\skin\oi_uninstall\layout\default\oiviewcoverdlg.xml
C:\Program Files (x86)\qksee\skin\oi_uninstall\layout\default\oiviewInstall.xml
C:\Program Files (x86)\qksee\skin\oi_uninstall\layout\default\oiviewunInstall.xml
C:\Program Files (x86)\qksee\skin\oi_uninstall\layout\default\oiviewupgrade.xml
C:\Program Files (x86)\qksee\skin\oi_uninstall\style\install_style.xml
C:\Program Files (x86)\qksee\skin\oi_uninstall\style\style.xml
C:\Program Files (x86)\qksee\lang\oiviewinstall_lang.xml
C:\Program Files (x86)\qksee\lang\oiview_lang.xml
C:\Program Files (x86)\qksee\main
C:\Program Files (x86)\qksee\zlib1.dll
C:\Program Files (x86)\qksee\curlpp.dll
C:\Program Files (x86)\qksee\libcurl.dll
C:\Program Files (x86)\qksee\libeay32.dll
C:\Program Files (x86)\qksee\ssleay32.dll
C:\Program Files (x86)\qksee\msvcp110.dll
C:\Program Files (x86)\qksee\msvcr110.dll
C:\Program Files (x86)\qksee\msuser.dll
C:\Program Files (x86)\qksee\qksee.exe
C:\Program Files (x86)\qksee\uninstall.exe
C:\Program Files (x86)\qksee\qkseeSvc.exe
C:\Program Files (x86)\qksee\qkdup.exe
C:\Program Files (x86)\qksee\qkdl.exe
C:\Program Files (x86)\qksee\myuser.exe
C:\Program Files (x86)\qksee\oi_uninstall.inst
WinZipper examples:
C:\Program Files (x86)\WinZipper\image
C:\Program Files (x86)\WinZipper\language
C:\Program Files (x86)\WinZipper\layout
C:\Program Files (x86)\WinZipper\log
C:\Program Files (x86)\WinZipper\style
C:\Program Files (x86)\WinZipper\uninstaller
C:\Program Files (x86)\WinZipper\7z.dll
C:\Program Files (x86)\WinZipper\curlpp.dll
C:\Program Files (x86)\WinZipper\libcurl.dll
C:\Program Files (x86)\WinZipper\libeay32.dll
C:\Program Files (x86)\WinZipper\main
C:\Program Files (x86)\WinZipper\msvcp110.dll
C:\Program Files (x86)\WinZipper\msvcr110.dll
C:\Program Files (x86)\WinZipper\segoeui.ttf
C:\Program Files (x86)\WinZipper\segoeuib.ttf
C:\Program Files (x86)\WinZipper\ssleay32.dll
C:\Program Files (x86)\WinZipper\winziper.exe
C:\Program Files (x86)\WinZipper\winzipersvc.exe
C:\Program Files (x86)\WinZipper\wzdl.exe
C:\Program Files (x86)\WinZipper\wzShellctx64.dll
C:\Program Files (x86)\WinZipper\wzUninstall.exe
C:\Program Files (x86)\WinZipper\wzUpg.exe
C:\Program Files (x86)\WinZipper\wz_settings.ini
C:\Program Files (x86)\WinZipper\zlib1.dll
C:\Program Files (x86)\WinZipper\image\default
C:\Program Files (x86)\WinZipper\image\default\additem.png
C:\Program Files (x86)\WinZipper\image\default\app_icon.png
C:\Program Files (x86)\WinZipper\image\default\back.png
C:\Program Files (x86)\WinZipper\image\default\Background_Main.png
C:\Program Files (x86)\WinZipper\image\default\Background_Small_2.png
C:\Program Files (x86)\WinZipper\image\default\browse_button.png
C:\Program Files (x86)\WinZipper\image\default\checkbox_blank.png
C:\Program Files (x86)\WinZipper\image\default\checkbox_select.png
C:\Program Files (x86)\WinZipper\image\default\combo.png
C:\Program Files (x86)\WinZipper\image\default\combo_skin.png
C:\Program Files (x86)\WinZipper\image\default\deleteitem.png
C:\Program Files (x86)\WinZipper\image\default\deskbtnbk.png
C:\Program Files (x86)\WinZipper\image\default\edit_skin.png
C:\Program Files (x86)\WinZipper\image\default\extractto.png
C:\Program Files (x86)\WinZipper\image\default\folder.png
C:\Program Files (x86)\WinZipper\image\default\footerbg.png
C:\Program Files (x86)\WinZipper\image\default\install_back.png
C:\Program Files (x86)\WinZipper\image\default\install_button_skin.png
C:\Program Files (x86)\WinZipper\image\default\install_check_checked.png
C:\Program Files (x86)\WinZipper\image\default\install_check_intermediate.png
C:\Program Files (x86)\WinZipper\image\default\install_check_uncheck.png
C:\Program Files (x86)\WinZipper\image\default\install_logo.png
C:\Program Files (x86)\WinZipper\image\default\install_new_button_skin.png
C:\Program Files (x86)\WinZipper\image\default\install_resource.xml
C:\Program Files (x86)\WinZipper\image\default\listctrl_header_bk.png
C:\Program Files (x86)\WinZipper\image\default\listview_report.png
C:\Program Files (x86)\WinZipper\image\default\listview_thumb.png
C:\Program Files (x86)\WinZipper\image\default\menubg.png
C:\Program Files (x86)\WinZipper\image\default\menu_bkg.png
C:\Program Files (x86)\WinZipper\image\default\menu_item_over.png
C:\Program Files (x86)\WinZipper\image\default\onekeyextract.png
C:\Program Files (x86)\WinZipper\image\default\patch_file_icon.png
C:\Program Files (x86)\WinZipper\image\default\pic-error.png
C:\Program Files (x86)\WinZipper\image\default\pic-info.png
C:\Program Files (x86)\WinZipper\image\default\pic-question.png
C:\Program Files (x86)\WinZipper\image\default\pic-warning.png
C:\Program Files (x86)\WinZipper\image\default\popup_dialog_bk.png
C:\Program Files (x86)\WinZipper\image\default\progressbar_bk.png
C:\Program Files (x86)\WinZipper\image\default\progressbar_image.png
C:\Program Files (x86)\WinZipper\image\default\progress_bk.png
C:\Program Files (x86)\WinZipper\image\default\progress_meter.png
C:\Program Files (x86)\WinZipper\image\default\pwd_lock.png
C:\Program Files (x86)\WinZipper\image\default\pwd_unlock.png
C:\Program Files (x86)\WinZipper\image\default\radio_normal.png
C:\Program Files (x86)\WinZipper\image\default\radio_selected.png
C:\Program Files (x86)\WinZipper\image\default\resource.xml
C:\Program Files (x86)\WinZipper\image\default\settingbkg.png
C:\Program Files (x86)\WinZipper\image\default\settingtab.png
C:\Program Files (x86)\WinZipper\image\default\sys_button_close.png
C:\Program Files (x86)\WinZipper\image\default\sys_button_max.PNG
C:\Program Files (x86)\WinZipper\image\default\sys_button_min.PNG
C:\Program Files (x86)\WinZipper\image\default\sys_button_restore.PNG
C:\Program Files (x86)\WinZipper\image\default\sys_close.png
C:\Program Files (x86)\WinZipper\image\default\tobutton1.png
C:\Program Files (x86)\WinZipper\image\default\vscroll.png
C:\Program Files (x86)\WinZipper\language\en_us
C:\Program Files (x86)\WinZipper\language\es_es
C:\Program Files (x86)\WinZipper\language\pt_br
C:\Program Files (x86)\WinZipper\language\tr_tr
C:\Program Files (x86)\WinZipper\language\zh_cn
C:\Program Files (x86)\WinZipper\language\zh_tw
C:\Program Files (x86)\WinZipper\language\en_us\eCompress_lang.ini
C:\Program Files (x86)\WinZipper\language\en_us\install_lang.ini
C:\Program Files (x86)\WinZipper\language\es_es\eCompress_lang.ini
C:\Program Files (x86)\WinZipper\language\es_es\install_lang.ini
C:\Program Files (x86)\WinZipper\language\pt_br\eCompress_lang.ini
C:\Program Files (x86)\WinZipper\language\pt_br\install_lang.ini
C:\Program Files (x86)\WinZipper\language\tr_tr\eCompress_lang.ini
C:\Program Files (x86)\WinZipper\language\tr_tr\install_lang.ini
C:\Program Files (x86)\WinZipper\layout\default
C:\Program Files (x86)\WinZipper\layout\default\about.xml
C:\Program Files (x86)\WinZipper\layout\default\brower.xml
C:\Program Files (x86)\WinZipper\layout\default\compresspath.xml
C:\Program Files (x86)\WinZipper\layout\default\compresspwd.xml
C:\Program Files (x86)\WinZipper\layout\default\error.xml
C:\Program Files (x86)\WinZipper\layout\default\extractpath.xml
C:\Program Files (x86)\WinZipper\layout\default\install_msgbox.xml
C:\Program Files (x86)\WinZipper\layout\default\languageSelect.xml
C:\Program Files (x86)\WinZipper\layout\default\msgbox.xml
C:\Program Files (x86)\WinZipper\layout\default\OmigaZipInstall.xml
C:\Program Files (x86)\WinZipper\layout\default\overwrite.xml
C:\Program Files (x86)\WinZipper\layout\default\password.xml
C:\Program Files (x86)\WinZipper\layout\default\progress.xml
C:\Program Files (x86)\WinZipper\layout\default\rename.xml
C:\Program Files (x86)\WinZipper\layout\default\setting.xml
C:\Program Files (x86)\WinZipper\layout\default\uninstOmigaZip.xml
C:\Program Files (x86)\WinZipper\log\winzipersvc.log
C:\Program Files (x86)\WinZipper\style\install_style.xml
C:\Program Files (x86)\WinZipper\style\style.xml
C:\Program Files (x86)\WinZipper\uninstaller\OmigaZip.inst
It also usually installs a new folder in the Start Menu with two shortcuts, for example:
- %startmenu%\Programs\qksee\uninstall.lnk
- %startmenu%\Programs\qksee\qksee.lnk
Launching the "qksee" shortcut opens the QKSee interface.
This trojan also installs one of its files as a service to launch each time Windows starts.
QKSee example:
Service Name: qkseeService
Display Name: qkseeService
Description: qkseeService
Image Path: C:\Program Files (x86)\qksee\qkseeSvc.exe
Startup type: Automatic
WinZipper example:
Service Name: winzipersvc
Display Name: WinZiper service
Description: WinZipper service
Image Path: C:\Program Files (x86)\WinZipper\winzipersvc.exe
Startup type: Automatic
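The folders, service names, binaries and shortcuts above are all that is needed to check a host for this installation. The following script is an added example and not part of the Microsoft write-up: it searches a Windows host for those artifacts. The service names, folder names, file names and shortcut paths are taken from the write-up; the indicator table layout, the Authenticode check and the output format are this script's own.

```powershell
# Added example, not part of the Microsoft write-up: hunt a Windows host for the
# Win32/Xadupi installation artifacts described above. Service names, folder
# names, binary names and shortcut paths are taken from the write-up; the
# indicator table layout and the output format are this script's own.
# Run from an elevated PowerShell prompt.

$Indicators = @{
    # service name => service executable named in the write-up
    Services  = @{ 'qkseeService' = 'qkseeSvc.exe'; 'winzipersvc' = 'winzipersvc.exe' }
    # install folder => executables and DLLs the write-up lists inside it
    Folders   = @{
        'qksee'     = @('qksee.exe', 'qkseeSvc.exe', 'qkdup.exe', 'qkdl.exe', 'myuser.exe', 'msuser.dll', 'uninstall.exe')
        'WinZipper' = @('winziper.exe', 'winzipersvc.exe', 'wzdl.exe', 'wzUpg.exe', 'wzShellctx64.dll', 'wzUninstall.exe')
    }
    # Start Menu shortcuts, relative to the per-user and all-users Start Menu
    Shortcuts = @('Programs\qksee\qksee.lnk', 'Programs\qksee\uninstall.lnk')
}

function Find-XadupiArtifacts {
    $findings = New-Object System.Collections.Generic.List[object]

    # 1. Services: match on the service name, and also on the image path so a
    #    renamed service that still points at a known binary is not missed.
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $byName = $Indicators.Services.ContainsKey($svc.Name)
        $byPath = [bool]($Indicators.Services.Values | Where-Object { $svc.PathName -like "*\$_*" })
        if ($byName -or $byPath) {
            $findings.Add([pscustomobject]@{
                Type   = 'Service'
                Item   = $svc.Name
                Detail = "State=$($svc.State) StartMode=$($svc.StartMode) Image=$($svc.PathName)"
            })
        }
    }

    # 2. Install folders under both Program Files roots (the 32-bit installer
    #    lands in "Program Files (x86)" on 64-bit Windows). For each known file
    #    that is present, record its Authenticode signature status as well.
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    foreach ($root in $roots) {
        foreach ($dir in $Indicators.Folders.Keys) {
            $folder = Join-Path $root $dir
            if (-not (Test-Path -LiteralPath $folder)) { continue }
            $present = foreach ($file in $Indicators.Folders[$dir]) {
                $full = Join-Path $folder $file
                if (Test-Path -LiteralPath $full) {
                    "$file [$((Get-AuthenticodeSignature -FilePath $full).Status)]"
                }
            }
            $findings.Add([pscustomobject]@{
                Type   = 'Folder'
                Item   = $folder
                Detail = 'Known files: ' + ($present -join ', ')
            })
        }
    }

    # 3. Start Menu shortcuts for the current user and for all users.
    $menus = @([Environment]::GetFolderPath('StartMenu'), [Environment]::GetFolderPath('CommonStartMenu'))
    foreach ($menu in $menus) {
        foreach ($lnk in $Indicators.Shortcuts) {
            $full = Join-Path $menu $lnk
            if (Test-Path -LiteralPath $full) {
                $findings.Add([pscustomobject]@{ Type = 'Shortcut'; Item = $full; Detail = '' })
            }
        }
    }
    return $findings
}

$results = @(Find-XadupiArtifacts)
if ($results.Count -eq 0) { Write-Host 'No Win32/Xadupi artifacts found.' }
else { $results | Format-Table -AutoSize -Wrap }
```

Matching the service by image path as well as by name is deliberate: the write-up documents one name per variant, and a service entry is trivial to rename, while the binary it points at is what actually runs at boot. A folder hit with every binary reported as NotSigned, combined with an Automatic-start service, is the combination to treat as a positive rather than any single indicator on its own.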
Payload
Modifies registry entries
The "WinZipper" variant of this trojan silently makes the following registry changes, without your consent, to associate itself with several archive file extensions, such as .zip and .rar. It registers its own ProgIDs (WinZippers.zip, WinZippers.rar) and points each extension at them, so that opening an archive launches winziper.exe instead of the previous handler. For example:
In subkey: HKCR\.zip
Sets value: "(Default)"
With data: "WinZippers.zip"
In subkey: HKCR\WinZippers.zip
Sets value: "(Default)"
With data: "WinZip"
In subkey: HKCR\WinZippers.zip\DefaultIcon
Sets value: "(Default)"
With data: "C:\Program Files (x86)\WinZipper\winziper.exe"
In subkey: HKCR\WinZippers.zip\shell\open\command
Sets value: "(Default)"
With data: ""C:\Program Files (x86)\WinZipper\winziper.exe" "o" "%1""
In subkey: HKCR\WinZippers.zip\shellex\DropHandler
Sets value: "(Default)"
With data: "{DC638EEA-2BA2-4459-9C46-85A2F0BE6040}"
In subkey: HKCR\.rar
Sets value: "(Default)"
With data: "WinZippers.rar"
In subkey: HKCR\WinZippers.rar
Sets value: "(Default)"
With data: "WinZip"
In subkey: HKCR\WinZippers.rar\DefaultIcon
Sets value: "(Default)"
With data: "C:\Program Files (x86)\WinZipper\winziper.exe,0"
In subkey: HKCR\WinZippers.rar\shell\open\command
Sets value: "(Default)"
With data: ""C:\Program Files (x86)\WinZipper\winziper.exe" "o" "%1""
Opening one of the above archive files launches the WinZipper interface.
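The registry entries above can be checked directly, and the same check shows whatever else has taken over the archive extensions. The following script is an added example, not part of the Microsoft write-up: it reports which ProgID currently owns .zip and .rar, what command it launches, and flags the WinZippers.* ProgIDs and any handler living under a WinZipper folder. The ProgID and path patterns come from the write-up; the extension list, the "Suspicious" rule and the restore function are this script's own, and the .7z entry is included only as an extra extension to inspect.

```powershell
# Added example, not part of the Microsoft write-up: inspect the file
# associations for archive extensions and flag the WinZipper hijack described
# above. Reads HKEY_CLASSES_ROOT through the Registry provider; the "Suspicious"
# rule (ProgID starts with "WinZippers." or the handler lives under a WinZipper
# folder) is this script's own.

function Get-ArchiveAssociation {
    param([string[]]$Extensions = @('.zip', '.rar', '.7z'))

    foreach ($ext in $Extensions) {
        $progId = $null; $command = $null; $icon = $null; $exe = $null

        # HKCR\<ext> (Default) names the ProgID that owns the extension.
        $extKey = "Registry::HKEY_CLASSES_ROOT\$ext"
        if (Test-Path -LiteralPath $extKey) {
            $progId = (Get-Item -LiteralPath $extKey).GetValue('')
        }
        if ($progId) {
            # HKCR\<ProgID>\shell\open\command (Default) is what Explorer runs.
            $cmdKey  = "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
            $iconKey = "Registry::HKEY_CLASSES_ROOT\$progId\DefaultIcon"
            if (Test-Path -LiteralPath $cmdKey)  { $command = (Get-Item -LiteralPath $cmdKey).GetValue('') }
            if (Test-Path -LiteralPath $iconKey) { $icon    = (Get-Item -LiteralPath $iconKey).GetValue('') }
        }
        if ($command) {
            # The executable is the first double-quoted token, or the first
            # whitespace-delimited token when the command line is unquoted.
            $exe = if ($command -match '^\s*"([^"]+)"') { $Matches[1] } else { ($command -split '\s+')[0] }
        }
        $suspicious = ($progId -like 'WinZippers.*') -or ($exe -and $exe -like '*\WinZipper\*')

        [pscustomobject]@{
            Extension  = $ext
            ProgId     = $progId
            Command    = $command
            Executable = $exe
            ExeExists  = if ($exe) { Test-Path -LiteralPath $exe } else { $false }
            Icon       = $icon
            Suspicious = $suspicious
        }
    }
}

function Restore-ZipAssociation {
    # Point .zip back at Windows' built-in Compressed Folders handler
    # (ProgID "CompressedFolder"). There is no built-in .rar handler, so the
    # .rar association is left for the user to reassign. Requires elevation.
    Set-ItemProperty -LiteralPath 'Registry::HKEY_CLASSES_ROOT\.zip' -Name '(default)' -Value 'CompressedFolder'
}

Get-ArchiveAssociation | Format-Table -AutoSize -Wrap
```

Two caveats apply when reading the output. HKCR is a merged view of HKLM\Software\Classes and HKCU\Software\Classes, so a per-user hijack under HKCU shows up here but is not removed by cleaning HKLM alone. On Windows 8 and later, Explorer also consults the per-user UserChoice key under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\<ext> before the HKCR ProgID, so a clean HKCR result does not by itself prove that double-clicking an archive runs the expected program. Call Restore-ZipAssociation only after the WinZipper files and service have been removed; otherwise the next check-in can simply reapply the association.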
Downloads and executes additional malware
The service that this trojan installs periodically connects to a remote server over HTTP to check for instructions. The server can instruct the service to silently download and run additional files. We have seen Xadupi's service download the following malware:
- BrowserModifier:Win32/Sasquor
- BrowserModifier:Win32/SupTab
- Trojan:Win32/Ghokswa
- Trojan:Win32/Sussab
- Trojan:Win32/Chuckenit.A
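On a live host, the behaviour just described shows up as outbound connections from the service process and as child processes it spawns. The following script is an added example, not part of the Microsoft write-up: it samples the two service processes named above for a short period and collects the remote endpoints they talk to and the processes they launch. The process names come from the write-up; the sampling loop, its default interval and the output format are this script's own, and the write-up gives no server addresses, so every endpoint it reports has to be evaluated separately.

```powershell
# Added example, not part of the Microsoft write-up: watch the two Xadupi service
# processes for the behaviour the write-up describes, periodic HTTP check-ins and
# the launching of downloaded files. The process names come from the write-up;
# the sampling loop and output format are this script's own.
# Run elevated; Get-NetTCPConnection needs Windows 8 / Server 2012 or later.

function Watch-XadupiService {
    param(
        [string[]]$ServiceExes = @('qkseeSvc.exe', 'winzipersvc.exe'),
        [int]$Samples = 6,            # how many snapshots to take
        [int]$IntervalSeconds = 10    # pause between snapshots
    )
    $seenConns    = @{}   # "pid|remote:port" => time first seen
    $seenChildren = @{}   # "pid|childpid"    => description
    $targets      = @()

    for ($i = 0; $i -lt $Samples; $i++) {
        $procs   = Get-CimInstance -ClassName Win32_Process
        $targets = @($procs | Where-Object { $ServiceExes -contains $_.Name })
        if ($targets.Count -gt 0) {
            # Ignore listening/bound sockets; the check-in is an outbound connection.
            $conns = Get-NetTCPConnection -ErrorAction SilentlyContinue |
                     Where-Object { $_.State -ne 'Listen' -and $_.State -ne 'Bound' }
            foreach ($t in $targets) {
                foreach ($c in ($conns | Where-Object { $_.OwningProcess -eq $t.ProcessId })) {
                    $key = "$($t.ProcessId)|$($c.RemoteAddress):$($c.RemotePort)"
                    if (-not $seenConns.ContainsKey($key)) { $seenConns[$key] = Get-Date }
                }
                # Anything the service starts is a candidate downloaded payload.
                foreach ($child in ($procs | Where-Object { $_.ParentProcessId -eq $t.ProcessId })) {
                    $key = "$($t.ProcessId)|$($child.ProcessId)"
                    if (-not $seenChildren.ContainsKey($key)) {
                        $seenChildren[$key] = "$($child.Name) [pid $($child.ProcessId)] <- $($t.Name) : $($child.CommandLine)"
                    }
                }
            }
        }
        if ($i -lt $Samples - 1) { Start-Sleep -Seconds $IntervalSeconds }
    }

    [pscustomobject]@{
        ServiceProcesses = @($targets | ForEach-Object { "$($_.Name) pid $($_.ProcessId) ($($_.ExecutablePath))" })
        RemoteEndpoints  = @($seenConns.Keys | Sort-Object)
        ChildProcesses   = @($seenChildren.Values)
    }
}

Watch-XadupiService | Format-List
```

The check-in interval is not documented, so a single snapshot can easily miss it; raise -Samples or -IntervalSeconds until the service has had time to poll at least once. Parent/child matching by process ID is only reliable while the parent is still running, since Windows reuses process IDs, and a short-lived downloaded executable can exit between snapshots. Where Sysmon or another process-creation log is available, the same question (what did qkseeSvc.exe or winzipersvc.exe start, and what did it connect to) is better answered from that log than from polling.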
Analysis by Hamish O'Dea
Last update 14 September 2016