
Trojan:MSIL/ProfileStylez


First posted on 06 September 2011.
Source: SecurityHome

Aliases:

There are no other names known for Trojan:MSIL/ProfileStylez.

Explanation:

Trojan:MSIL/ProfileStylez is a trojan that steals Yahoo email credentials and may display advertisements.



Installation

Trojan:MSIL/ProfileStylez may be present on the computer as "FreeCodec.exe".

During Trojan:MSIL/ProfileStylez's installation process, it may display a dialog window such as those shown below:





Trojan:MSIL/ProfileStylez may create the following files:

  • %ProgramFiles%\profilestyleapp\extension_2_5_1.crx – detected as Trojan:JS/ProfileStylez.A
  • %ProgramFiles%\profilestyleapp\interop.shdocvw.dll
  • %ProgramFiles%\profilestyleapp\microsoft.mshtml.dll
  • %ProgramFiles%\profilestyleapp\profilestyleapp.dll – detected as Trojan:MSIL/ProfileStylez.A
  • %ProgramFiles%\profilestyleapp\profilestyleapp_Uninstall.exe
  • %ProgramFiles%\profilestyleapp\profilestyleapp\chrome.manifest
  • %ProgramFiles%\profilestyleapp\profilestyleapp\install.rdf – detected as Trojan:JS/ProfileStylez.A
  • %ProgramFiles%\profilestyleapp\profilestyleapp\content\f56a30b23729a84e.js – detected as Trojan:MSIL/ProfileStylez.A
  • %ProgramFiles%\profilestyleapp\profilestyleapp\content\firefoxOverlay.xul
  • %ProgramFiles%\profilestyleapp\profilestyleapp\content\overlay.js – detected as Trojan:MSIL/ProfileStylez.A
  • %ProgramFiles%\profilestyleapp\content\placeholder.js – detected as Trojan:MSIL/ProfileStylez.A
  • %ProgramFiles%\ProfileStylez\extension_2_5_1.crx – detected as Trojan:JS/ProfileStylez.A
  • %ProgramFiles%\ProfileStylez\Interop.SHDocVw.dll
  • %ProgramFiles%\ProfileStylez\Microsoft.mshtml.dll
  • %ProgramFiles%\ProfileStylez\ProfileStylez.dll – detected as Trojan:MSIL/ProfileStylez.A
  • %ProgramFiles%\ProfileStylez\ProfileStylez_Uninstall.exe
  • %ProgramFiles%\ProfileStylez\profilestylez\build.sh
  • %ProgramFiles%\ProfileStylez\profilestylez\chrome.manifest
  • %ProgramFiles%\ProfileStylez\profilestylez\config_build.sh
  • %ProgramFiles%\ProfileStylez\profilestylez\install.rdf – detected as Trojan:JS/ProfileStylez.B
  • %ProgramFiles%\ProfileStylez\profilestylez\readme.txt
  • %ProgramFiles%\ProfileStylez\profilestylez\content\.DS_Store
  • %ProgramFiles%\ProfileStylez\profilestylez\content\firefoxOverlay.xul
  • %ProgramFiles%\ProfileStylez\profilestylez\content\installid.js
  • %ProgramFiles%\ProfileStylez\profilestylez\content\overlay.js
  • %ProgramFiles%\ProfileStylez\profilestylez\content\sudoku.js – detected as Trojan:JS/ProfileStylez.B
  • %ProgramFiles%\ProfileStylez\profilestylez\defaults\.DS_Store
  • %ProgramFiles%\ProfileStylez\profilestylez\defaults\preferences\sudoku.js
  • %ProgramFiles%\ProfileStylez\profilestylez\locale\.DS_Store
  • %ProgramFiles%\ProfileStylez\profilestylez\locale\en-US\.DS_Storee
  • %ProgramFiles%\ProfileStylez\profilestylez\locale\en-US\sudoku.dtd
  • %ProgramFiles%\ProfileStylez\profilestylez\locale\en-US\sudoku.properties
  • %ProgramFiles%\ProfileStylez\profilestylez\skin\overlay.css


Internet Explorer

Trojan:MSIL/ProfileStylez can install itself as a Browser Helper Object (BHO) in Internet Explorer, and may make the following changes to the registry:

Creates the following subkeys:

  • HKLM\SOFTWARE\Classes\CLSID\{85BEADF3-D91B-3A3A-A4D3-22CCBD07663D}
  • HKLM\SOFTWARE\Classes\CLSID\{AA6AA15D-FEB4-3C0D-B711-8ABB63F3F406}
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{85beadf3-d91b-3a3a-a4d3-22ccbd07663d}
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{aa6aa15d-feb4-3c0d-b711-8abb63f3f406}
  • HKLM\SOFTWARE\Classes\BHO_HelloWorld.BHO


In subkey: HKLM\SOFTWARE\Classes\BHO_HelloWorld.BHO
Sets value: <default>
With data: "BHO_HelloWorld.BHO"

And, depending on the variant, may make one or many of the following changes to the registry:

In subkey: HKLM\SOFTWARE\Classes\BHO_HelloWorld.BHO\CLSID
Sets value: <default>
With data: "{85BEADF3-D91B-3A3A-A4D3-22CCBD07663D}"

In subkey: HKLM\SOFTWARE\Classes\BHO_HelloWorld.BHO\CLSID
Sets value: <default>
With data: "{AA6AA15D-FEB4-3C0D-B711-8ABB63F3F406}"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{85beadf3-d91b-3a3a-a4d3-22ccbd07663d}
Sets value: "NoExplorer"
With data: "dword:00000001"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{aa6aa15d-feb4-3c0d-b711-8abb63f3f406}
Sets value: "NoExplorer"
With data: "dword:00000001"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{85BEADF3-D91B-3A3A-A4D3-22CCBD07663D}
Sets value: <default>
With data: "BHO_HelloWorld.BHO"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{AA6AA15D-FEB4-3C0D-B711-8ABB63F3F406}
Sets value: <default>
With data: "BHO_HelloWorld.BHO"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{85BEADF3-D91B-3A3A-A4D3-22CCBD07663D}\Implemented Categories
Sets value: <default>
With data: "hex(0):,00"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{AA6AA15D-FEB4-3C0D-B711-8ABB63F3F406}\Implemented Categories
Sets value: <default>
With data: "hex(0):,00"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{85BEADF3-D91B-3A3A-A4D3-22CCBD07663D}\Implemented Categories\{62C8FE65-4EBB-45e7-B440-6E39B2CDBF29}
Sets value: <default>
With data: "hex(0):,00"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{AA6AA15D-FEB4-3C0D-B711-8ABB63F3F406}\Implemented Categories\{62C8FE65-4EBB-45e7-B440-6E39B2CDBF29}
Sets value: <default>
With data: "hex(0):,00"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{85BEADF3-D91B-3A3A-A4D3-22CCBD07663D}\InprocServer32
Sets value: <default>
With data: "mscoree.dll"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{AA6AA15D-FEB4-3C0D-B711-8ABB63F3F406}\InprocServer32
Sets value: <default>
With data: "mscoree.dll"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{85BEADF3-D91B-3A3A-A4D3-22CCBD07663D}\InprocServer32\1.0.0.0
Sets value: "Assembly"
With data: "profilestyleapp, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"
Sets value: "Class"
With data: "BHO_HelloWorld.BHO"
Sets value: "CodeBase"
With data: "file:///C:/Program Files/profilestyleapp/profilestyleapp.DLL"
Sets value: "RuntimeVersion"
With data: "v2.0.50727"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{AA6AA15D-FEB4-3C0D-B711-8ABB63F3F406}\InprocServer32\2.2.4.3
Sets value: "Assembly"
With data: "ProfileStylez, Version=2.2.4.3, Culture=neutral, PublicKeyToken=null"
Sets value: "Class"
With data: "BHO_HelloWorld.BHO"
Sets value: "CodeBase"
With data: "file:///C:/Program Files/ProfileStylez/ProfileStylez.DLL"
Sets value: "RuntimeVersion"
With data: "v2.0.50727"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{85BEADF3-D91B-3A3A-A4D3-22CCBD07663D}\InprocServer32
Sets value: "Assembly"
With data: "profilestyleapp, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"
Sets value: "Class"
With data: "BHO_HelloWorld.BHO"
Sets value: "CodeBase"
With data: "file:///C:/Program Files/profilestyleapp/profilestyleapp.DLL"
Sets value: "RuntimeVersion"
With data: "v2.0.50727"
Sets value: "ThreadingModel "
With data: "Both"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{AA6AA15D-FEB4-3C0D-B711-8ABB63F3F406}\InprocServer32
Sets value: "Assembly"
With data: "ProfileStylez, Version=2.2.4.3, Culture=neutral, PublicKeyToken=null"
Sets value: "Class"
With data: "BHO_HelloWorld.BHO"
Sets value: "CodeBase"
With data: "file:///C:/Program Files/ProfileStylez/ProfileStylez.DLL"
Sets value: "RuntimeVersion"
With data: "v2.0.50727"
Sets value: "ThreadingModel "
With data: "Both"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{85BEADF3-D91B-3A3A-A4D3-22CCBD07663D}\ProgId
Sets value: <default>
With data: "BHO_HelloWorld.BHO"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{AA6AA15D-FEB4-3C0D-B711-8ABB63F3F406}\ProgId
Sets value: <default>
With data: "BHO_HelloWorld.BHO"

Once installed in Internet Explorer, the trojan's presence can be seen in the 'Manage Add-ons' window that can be accessed from the Tools menu. The image below displays a 'Manage Add-ons' window with the trojan listed as 'BHO_HelloWorld.BHO'.



Google Chrome

Trojan:MSIL/ProfileStylez can also install itself as a Google Chrome extension by making one or many of the following changes to the registry:

Creates a subkey, for example:

HKLM\SOFTWARE\Google\Chrome\Extensions\adfcngjjaokkbbagaablppejfmacdaao
HKLM\SOFTWARE\Google\Chrome\Extensions\bkleoojholhbbbpfmfaefpohnhhhjeap

In subkey: HKLM\SOFTWARE\Google\Chrome\Extensions\adfcngjjaokkbbagaablppejfmacdaao
Sets value: "path"
With data: "C:\\Program Files\\profilestyleapp\\extension_2_5_1.crx"
Sets value: "version"
With data: "2.5.1"

In subkey: HKLM\SOFTWARE\Google\Chrome\Extensions\bkleoojholhbbbpfmfaefpohnhhhjeap
Sets value: "path"
With data: "C:\\Program Files\\ProfileStylez\\extension_2_5_1.crx"
Sets value: "version"
With data: "2.5.1"

Mozilla Firefox

Trojan:MSIL/ProfileStylez can also install itself as a Firefox extension by making one of the following changes to the registry:

In subkey: HKCU\Software\Mozilla\Firefox\Extensions
Sets value: "{EB132DB0-A4CA-11DF-9732-0E29E0D72085}"
With data: "C:\\Program Files\\profilestyleapp\\profilestyleapp"

In subkey: HKCU\Software\Mozilla\Firefox\Extensions
Sets value: "{EB132DB0-A4CA-11DF-9732-0E29E0D72085}"
With data: "C:\\Program Files\\ProfileStylez\\ProfileStylez"

Once installed in Firefox, the trojan's presence can be seen in the 'Add-ons' window. The image below displays a 'Manage Add-ons' window with the trojan listed as 'profilestyleapp – Change your layout!'.



The trojan may make some of the following changes in order to install its own uninstaller:

Creates the following subkeys:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProfileApp
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Profile Stylez

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProfileApp
Sets value: "DisplayIcon"
With data: "C:\\Program Files\\profilestyleapp\\profilestyleapp.dll"
Sets value: "DisplayName"
With data: "ProfileApp "
Sets value: "DisplayVersion"
With data: ""
Sets value: "Publisher"
With data: "profilestyleapp"
Sets value: "URLInfoAbout"
With data: "hxxp://www.profilestyleapp.com"
Sets value: "UninstallString"
With data: "C:\\Program Files\\profilestyleapp\\profilestyleapp_Uninstall.exe"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Profile Stylez
Sets value: "DisplayIcon"
With data: "C:\\Program Files\\ProfileStylez\\ProfileStylez.dll"
Sets value: "DisplayName"
With data: "Profile Stylez"
Sets value: "DisplayVersion"
With data: ""
Sets value: "Publisher"
With data: "Profile Stylez"
Sets value: "URLInfoAbout"
With data: "hxxp://www.ProfileStylez.com"
Sets value: "UninstallString"
With data: "C:\\Program Files\\ProfileStylez\\ProfileStylez_Uninstall.exe"
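The registry keys and directories listed in the Installation, Internet Explorer, Google Chrome, Mozilla Firefox and uninstaller sections above can be checked on a host in one pass. The following PowerShell script is an added example written for this page, not part of the original analysis; it only reads the registry and file system and reports which of the published indicators are present.

```powershell
# Added example (not from the original analysis): read-only check for the
# Trojan:MSIL/ProfileStylez registry keys and install directories listed above.
# Run in an elevated PowerShell session on the suspect host.
$bhoClsids = @('{85BEADF3-D91B-3A3A-A4D3-22CCBD07663D}',
               '{AA6AA15D-FEB4-3C0D-B711-8ABB63F3F406}')
$chromeIds = @('adfcngjjaokkbbagaablppejfmacdaao',
               'bkleoojholhbbbpfmfaefpohnhhhjeap')
$firefoxId = '{EB132DB0-A4CA-11DF-9732-0E29E0D72085}'
$uninstall = @('ProfileApp', 'Profile Stylez')
$dirs      = @('profilestyleapp', 'ProfileStylez')
$findings  = @()

# Internet Explorer: BHO class and Browser Helper Objects registration
foreach ($c in $bhoClsids) {
    $paths = @("HKLM:\SOFTWARE\Classes\CLSID\$c",
               "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$c")
    foreach ($p in $paths) { if (Test-Path $p) { $findings += "Registry: $p" } }
}
if (Test-Path 'HKLM:\SOFTWARE\Classes\BHO_HelloWorld.BHO') {
    $findings += 'Registry: HKLM\SOFTWARE\Classes\BHO_HelloWorld.BHO (ProgId)'
}

# Google Chrome: external extension registration keys
foreach ($id in $chromeIds) {
    $p = "HKLM:\SOFTWARE\Google\Chrome\Extensions\$id"
    if (Test-Path $p) { $findings += "Registry: $p" }
}

# Mozilla Firefox: extension pointer in the current user's hive
$ff = 'HKCU:\Software\Mozilla\Firefox\Extensions'
if (Test-Path $ff) {
    $v = Get-ItemProperty -Path $ff
    if ($v.PSObject.Properties[$firefoxId]) {
        $findings += "Registry: $ff\$firefoxId -> $($v.$firefoxId)"
    }
}

# Add/Remove Programs entries and the install directories
foreach ($u in $uninstall) {
    $p = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$u"
    if (Test-Path $p) { $findings += "Registry: $p" }
}
foreach ($d in $dirs) {
    $p = Join-Path $env:ProgramFiles $d
    if (Test-Path $p) { $findings += "Directory: $p" }
}

if ($findings.Count -eq 0) { 'No ProfileStylez indicators found.' }
else { $findings | ForEach-Object { "FOUND $_" } }
```

On 64-bit Windows a 32-bit installer's HKLM keys are redirected under SOFTWARE\Wow6432Node, so that branch should be checked as well. The Firefox check covers only the current user's HKCU hive; other user profiles need to be loaded and inspected separately.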



Payload

Steals user credentials from Yahoo!Mail

If the user logs into a Yahoo!Mail account, Trojan:MSIL/ProfileStylez may:

  • Add a new contact to the user's contacts list with the following credentials:

    Contact name: "news letter"
    Email: "mindex at mymedialinez.com"
  • Steal the following information about the affected user, and send the details to its own remote server:

    User name
    Email address
    List of all contacts
    Nickname
    YahooID
    OtherID
    Phone details
    Job title
    Company
    Notes
    Link
    Custom
    Full name
    Address
    Birthday and anniversary






Inserts advertisements into iFrames

Trojan:MSIL/ProfileStylez looks for webpages that use iFrames, and that do not have any of the following strings in the URL:

  • Facebook
  • Youporn
  • Youjizz
  • 4tube
  • Hamster
  • Redtube
  • Xxx
  • Sex
  • Porn
  • Yahoo
  • Ymail


If a website meeting the aforementioned criteria is found, Trojan:MSIL/ProfileStylez checks iFrame sizes and inserts its own advertisements into these iFrames.

The following image displays a webpage affected by Trojan:MSIL/ProfileStylez:





Displays advertisements on YouTube

If Trojan:MSIL/ProfileStylez is installed and a user visits YouTube, the trojan will display advertisements before listing search results.

The following image is an example of YouTube search results affected by Trojan:MSIL/ProfileStylez:





Displays advertisements on Facebook

If Trojan:MSIL/ProfileStylez is installed and a user visits Facebook, the trojan will display advertisements on the user's page.

The following image is an example of a Facebook page affected by Trojan:MSIL/ProfileStylez:



At the time of writing, Trojan:MSIL/ProfileStylez was equipped with functionality to post links to a user's Facebook profile; however, this functionality was not operational at the time of analysis.


Displays desktop shortcut

Trojan:MSIL/ProfileStylez may display an icon, such as the one below:





Analysis by Michael Johnson

Last update 06 September 2011
