SecurityHome.eu BrowserModifier:Win32/Shopperz

Home / malware PDF

BrowserModifier:Win32/Shopperz

First posted on 06 May 2016.
Source: Microsoft
Aliases :
There are no other names known for BrowserModifier:Win32/Shopperz.
Explanation :
Installation
This browser modifier often arrives on your PC as part of a software bundler. The software bundler usually offers free software from a third-party, and during the installation it offers to install other programs. During installation, you might see the following messages: Clicking Disagree exits the installation. Clicking Agree & Continue installs the program: This threat can create the following files on your PC:

%SystemDrive% user.js

%ProgramFiles% \shopperz\csrcc.exe

%ProgramFiles% \shopperz\Firefox\chrome\content\libraries\DataExchangeScript.js

%ProgramFiles% \shopperz\Firefox\chrome\content\main.js

%ProgramFiles% \shopperz\Firefox\chrome\content\main.xul

%ProgramFiles% \shopperz\Firefox\chrome\content\resources\LocalScript.js

%ProgramFiles% \shopperz\Firefox\chrome\locale\en-US\overlay.dtd

%ProgramFiles% \shopperz\Firefox\chrome\skin\overlay.css

%ProgramFiles% \shopperz\Firefox\chrome.manifest

%ProgramFiles% \shopperz\Firefox\defaults\preferences\defaults.js

%ProgramFiles% \shopperz\Firefox\icon.png

%ProgramFiles% \shopperz\Firefox\install.rdf

%ProgramFiles% \shopperz\Firefox\{5081D2D4-1637-404c-B74F-50526718257D}.xpi

%ProgramFiles% \shopperz\garrus.dll

%ProgramFiles% \shopperz\grunt.exe

%ProgramFiles% \shopperz\kasumi32.dll

%ProgramFiles% \shopperz\kasumi64.dll

%ProgramFiles% \shopperz\krios.dll

%ProgramFiles% \shopperz\krios64.dll

%ProgramFiles% \shopperz\liara.dll

%ProgramFiles% \shopperz\liara64.dll

%ProgramFiles% \shopperz\libraries\DataExchangeScript.js

%ProgramFiles% \shopperz\mseff32.dll

%ProgramFiles% \shopperz\nfregdrv32.exe

%ProgramFiles% \shopperz\nseven.exe

%ProgramFiles% \shopperz\resources\LocalScript.js

%ProgramFiles% \shopperz\tree.js

%ProgramFiles% \shopperz\tsoni.dll

%ProgramFiles% \shopperz\tsoni64.dll

%ProgramFiles% \shopperz\unins000.dat

%ProgramFiles% \shopperz\unins000.exe

%ProgramFiles% \shopperz\wrex.exe

%ProgramFiles% \shopperz\wrex64.exe

%ProgramFiles% \shopperz\zaeed.bat

%APPDATA% \LocalLow\Company\Product\1.0\localStorageIE.txt

%APPDATA% \LocalLow\Company\Product\1.0\localStorageIE_backup.txt

%APPDATA% \LocalLow\{D2020D47-707D-4E26-B4D9-739C4F4C2E9A}\{FBC0652C-7B29-4FB6-8ADA-91F54B267AD4}\1.5\config.js

%APPDATA% \LocalLow\{D2020D47-707D-4E26-B4D9-739C4F4C2E9A}\{FBC0652C-7B29-4FB6-8ADA-91F54B267AD4}\1.5\sts.js

%APPDATA% \LocalLow\{D2020D47-707D-4E26-B4D9-739C4F4C2E9A}\{FBC0652C-7B29-4FB6-8ADA-91F54B267AD4}\1.5\tree.js

%APPDATA% \LocalLow\{D2020D47-707D-4E26-B4D9-739C4F4C2E9A}\{FBC0652C-7B29-4FB6-8ADA-91F54B267AD4}\1.5\wlist.js

%SystemDrive% \drivers\cherimoya.sys

It creates the following registry entries:

HKEY_CLASSES_ROOT\Extension.jshep

HKEY_CLASSES_ROOT\Extension.jshep.1

HKEY_CLASSES_ROOT\AppID\mseff32.DLL

HKEY_CLASSES_ROOT\AppID\{425F4ABF-B8E4-402D-9E49-06E494EB8DBF}

HKEY_CLASSES_ROOT\AppID\{4AC9981D-592D-4044-8C0A-8F6FE843D683}

HKEY_CLASSES_ROOT\AppID\{94CB6BE7-AE1A-4751-AE74-1EDD6B567264}

HKEY_CLASSES_ROOT\CLSID\{3CF50C82-4C4B-43e9-B1B2-15CB1BD0C193}

HKEY_CLASSES_ROOT\CLSID\{5081D2D4-1637-404c-B74F-50526718257D}

HKEY_CLASSES_ROOT\CLSID\{7D8DAE88-BC05-4578-8C29-E541FFBA5757}

HKEY_CLASSES_ROOT\Interface\{A9582D7B-F24A-441D-9D26-450D58F3CD17}

HKEY_CLASSES_ROOT\Interface\{D1661A59-E9D3-4603-8822-2FBEADA5E097}

HKEY_CLASSES_ROOT\Interface\{E309D526-009C-490B-9BB1-CF9D525F6854}

HKEY_CLASSES_ROOT\Interface\{E4C3E50F-5761-4BF8-95A0-939A819DF1C3}

HKEY_CLASSES_ROOT\Interface\{EE0D8859-2ED4-4B0D-9812-16865B9AFD65}

HKEY_CLASSES_ROOT\SOFTWARE\{4E7638A1-6962-4e44-A6B9-F40E84FD6D09}

HKEY_CLASSES_ROOT\TypeLib\{14EF423E-3EE8-44AE-9337-07AC3F27B744}

HKEY_CLASSES_ROOT\TypeLib\{9AE7A6AE-162E-44C4-9A2B-A6B4EF19909D}

HKEY_CLASSES_ROOT\TypeLib\{B5C4833B-847B-49CD-8EBE-CDD9B43C882F}

HKEY_CURRENT_USER\Software\{4E7638A1-6962-4e44-A6B9-F40E84FD6D09}

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-4083753433-3687147761-1040319118-1001\Software\shopperz

HKEY_CURRENT_USER\Software\Classes\Software\{4E7638A1-6962-4e44-A6B9-F40E84FD6D09}

HKEY_LOCAL_MACHINE\SOFTWARE\shopperz

HKEY_LOCAL_MACHINE\SOFTWARE\shopperz\Options

HKEY_LOCAL_MACHINE\SOFTWARE\shopperz\Options\Procs

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\shopperz

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\shopperz\Options

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\shopperz\Options\Procs

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Extension.jshep

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Extension.jshep.1

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\mseff32.DLL

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{425F4ABF-B8E4-402D-9E49-06E494EB8DBF}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{4AC9981D-592D-4044-8C0A-8F6FE843D683}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{94CB6BE7-AE1A-4751-AE74-1EDD6B567264}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3CF50C82-4C4B-43e9-B1B2-15CB1BD0C193}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5081D2D4-1637-404c-B74F-50526718257D}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7D8DAE88-BC05-4578-8C29-E541FFBA5757}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A9582D7B-F24A-441D-9D26-450D58F3CD17}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D1661A59-E9D3-4603-8822-2FBEADA5E097}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E309D526-009C-490B-9BB1-CF9D525F6854}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E4C3E50F-5761-4BF8-95A0-939A819DF1C3}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EE0D8859-2ED4-4B0D-9812-16865B9AFD65}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{14EF423E-3EE8-44AE-9337-07AC3F27B744}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{9AE7A6AE-162E-44C4-9A2B-A6B4EF19909D}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{B5C4833B-847B-49CD-8EBE-CDD9B43C882F}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5081D2D4-1637-404c-B74F-50526718257D}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5081D2D4-1637-404c-B74F-50526718257D}_is1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{random CLSID}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{random CLSID}

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\70F4EEDB-1367-4b4f-8247-3133551A7415

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\cherimoya

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\csrcc

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\shopperz Updater

HKEY_USERS\.DEFAULT\Software\{4E7638A1-6962-4e44-A6B9-F40E84FD6D09}

HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-18\Software\shopperz

It creates the following autostart registry entries:

In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value:"shopperz"
With data: "%Program Files%\shopperz\wrex.exe"

In subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\70F4EEDB-1367-4b4f-8247-3133551A7415
Sets value:"ImagePath"
With data: ""%Program Files%\shopperz\grunt.exe""

In subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\csrcc
Sets value: "ImagePath"
With data: ""%Program Files%\shopperz\csrcc.exe""

In subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\shopperz Updater
Sets value: "ImagePath"
With data:"%Program Files%\shopperz\nseven.exe"

It creates the following registry entries:

In subkey: HKEY_CLASSES_ROOT\CLSID\{3CF50C82-4C4B-43e9-B1B2-15CB1BD0C193}\LocalServer32
Sets value:"(default)"
With data: "%Program Files%\shopperz\grunt.exe"

In subkey: HKEY_CLASSES_ROOT\CLSID\{5081D2D4-1637-404c-B74F-50526718257D}\InprocServer32
Sets value:"(default)"
With data: "%Program Files%\shopperz\mseff32.dll"

In subkey: HKEY_CLASSES_ROOT\CLSID\{7D8DAE88-BC05-4578-8C29-E541FFBA5757}\LocalServer32
Sets value:"(default)"
With data: "%Program Files%\shopperz\csrcc.exe"

In subkey: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Approved Extensions
Sets value:"(default)"
With data: "{5081D2D4-1637-404c-B74F-50526718257D}"

In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Firefox\Extensions
Sets value:"{5081D2D4-1637-404c-B74F-50526718257D}"
With data: "%Program Files%\shopperz\Firefox"

In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5081D2D4-1637-404c-B74F-50526718257D}
Sets value:"(default)"
With data: "shopperz Helper"

In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions
Sets value:"{5081D2D4-1637-404c-B74F-50526718257D}"
With data: "%Program Files%\shopperz\Firefox"

In subkey: HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Approved Extensions
Sets value:"(default)"
With data: "{5081D2D4-1637-404c-B74F-50526718257D}"

It creates the following scheduled task:

It also adds a BHO without prompt:

Threat behavior

This threat installs a browser extension to Internet Explorer, Mozilla Firefox, and Chrome without prompt. The following images are examples of the installed browser extensions:

No warnings are displayed when opening a new browser window or tab. It can display ads such as the following:

Opening a new top or window will always display the following warning:

If you click Show all content, ads are displayed:

Analysis by Kathleen Mae Notario
Last update 06 May 2016

TOP

Malware :

Last 20