
Adware:Win32/Adposhel


First posted on 21 April 2016.
Source: Microsoft

Aliases:

There are no other names known for Adware:Win32/Adposhel.

Explanation:

Installation
This threat can create files on your PC, including:

  • %ProgramData%\db219601\ffc52abc.dll
  • %ProgramFiles%\dns unlocker\consoleapplication1.dll
  • %ProgramFiles%\dns unlocker\unins000.dat
  • %ProgramFiles%\dns unlocker\unins000.exe
  • %TEMP%\is-r1q9h.tmp\_isetup\_shfoldr.dll
  • %TEMP%\is-r1q9h.tmp\consoleapplication1.dll
  • %TEMP%\13336722.t.exe


It can make various registry changes during its installation, including:

In subkey: HKLM\SOFTWARE\5da059a482fd494db3f252126fbc3d5b

Sets value: "DP"
With data: "55"

Sets value: "FX"
With data: "1"

Sets value: "SDP1"
With data: "00001"

Sets value: "SDP2"
With data: "00001"

Sets value: "UID"
With data: "84d027b1203d4c6bb6887723b4b99afc"

In subkey: HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{E1527582-8509-4011-B922-29E3FB548882}_is1

Sets value: "InstallDate"
With data: "20150915"

The malware uses code injection to make it harder to detect and remove. It can inject code into running processes.

Payload
Displays ads that you can't control

This program can show you extra ads. These ads can appear:
  • In your web browser: such as search helpers, hover links, and banner ads.
  • Outside of your web browser: such as pop ups, balloon ads, and toast notifications.


These advertisements would not be shown if this program wasn't installed on your PC.

Connects to a remote host

We have seen this threat connect to a remote host, including:
  • dnsqa-m03.c644a3e76e438794c399ea1ccdb9206b.me using port 80
  • bubblesetter.info using port 80
  • www.hostgator.com using port 80
  • dynamaven.info using port 53
  • listcool.net using port 53
  • big4u.org using port 53
  • riyah.net using port 80
  • dyn.com using port 80
Malware can connect to a remote host to do any of the following:
  • Check for an Internet connection
  • Download and run files (including updates or other malware)
  • Report a new infection to its author
  • Receive configuration or other data
  • Receive instructions from a malicious hacker
  • Search for your PC location
  • Upload information taken from your PC
  • Validate a digital certificate


Creates an uninstaller

This threat can create an uninstaller by modifying the registry. For example:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{db219601}

Sets value: "0"
With data: "cs5wvtuei6xoywhtikq07ceip_nxzpka2f0vwxaxsftrwtdrlqwtcmvyq8ooexwcsxhyfrfa4q"

Sets value: "1"
With data: "0x56e05a00"

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{E1527582-8509-4011-B922-29E3FB548882}_is1

Sets value: "DisplayName"
With data: "dns unlocker version 1.4"

Sets value: "DisplayVersion"
With data: "1.4"

Sets value: "EstimatedSize"
With data: "0x00000bab"

Sets value: "Inno Setup: App Path"
With data: "%ProgramFiles%\dns unlocker"

Sets value: "Inno Setup: Icon Group"
With data: "dns unlocker"

Sets value: "Inno Setup: Language"
With data: "english"

Sets value: "Inno Setup: Setup Version"
With data: "5.5.5 (a)"

Sets value: "Inno Setup: User"
With data: "administrator"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E1527582-8509-4011-B922-29E3FB548882}_is1

Sets value: "InstallDate"
With data: "20150915"

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{E1527582-8509-4011-B922-29E3FB548882}_is1

Sets value: "InstallDate"
With data: "20160309"

Sets value: "InstallLocation"
With data: "%ProgramFiles%\dns unlocker\"

Sets value: "MajorVersion"
With data: "0x00000001"

Sets value: "MinorVersion"
With data: "0x00000004"

Sets value: "NoModify"
With data: "0x00000001"

Sets value: "NoRepair"
With data: "0x00000001"

Sets value: "Publisher"
With data: "www.dnsunlocker.com"

Sets value: "QuietUninstallString"
With data: ""%ProgramFiles%\dns unlocker\unins000.exe" /silent"

Sets value: "UninstallString"
With data: ""%ProgramFiles%\dns unlocker\unins000.exe""

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\11598763487076930564

Sets value: "0"
With data: "0x00000001"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\6e9e32b9a6539227

Sets value: "0"
With data: "m8nespl_eg7h94q4u_cp-9atphabtycrzi87b0gicrk_3j17rfwlgncr26cheieuoywu8us76rouo3x3jjxnseiofknzllqjvwz5ci-u8dhnpnyc_isa5_8hwvbps0wps27rohzh5wo6gm8cp7t2qh3wikyqko_sbyfo92kwu5nwndvjvqwus_he3o1pjbfdu2o4fonzoeoh2i7nhie2ehbjnxj5vwuocneiuh613uxmoglxwmjgkdgax4tjoo02xwxkfrlltcgnkojkl6zwy9cw43dd8j76ex1pgonet20o1c3hfkkrqkxkrvz3qyozgaidleadyeoh2nyoljk2fbbjqpmt6kkxhadzpr6fhm-rqkon1nseyxztakv5adrgrzycbsh8pnpizjo_1w9ek8p5wrr3j2ex-l_mzuizg3hyyes3ykeqjpwk6d7cgxi2fb"

Sets value: "1"
With data: "dhvlx___efocwaxasgphyuvs0dip"

Additional information

Creates a mutex

This threat can create one or more mutexes on your PC. For example:
  • RstrMgr3887CAB8-533F-4C85-B0DC-3E5639F8D511
  • RstrMgr-3887CAB8-533F-4C85-B0DC-3E5639F8D511-Session0000


It might use these mutexes as infection markers to prevent more than one copy of the threat from running on your PC.

This malware description was published using automated analysis of file SHA1 dd161b1ce04e1ecb8ce1a3724e3543ea80371c29.

Last update 21 April 2016
