
Adware:Win32/Brya


First posted on 28 April 2015.
Source: Microsoft

Aliases:

There are no other names known for Adware:Win32/Brya.

Explanation:

Threat behavior

Installation

This adware is dropped by an installer with the SHA1: 0794996d44dbf7620837cb0088dd4ac575841cfe.

It opens a browser page to hxxp://www.arabyonline.com//PPUP.php?src=CHOMP. It then redirects you to another advertisement site, hxxp://trendtradingpartner.com//suspendedpage.cgi?engsec=15.

Because it has no user interface, it cannot easily be uninstalled. After installation, the installer deletes itself.

This adware is installed in the following path, and then runs Chomp.exe in the background:

  • %USERPROFILE%\Application Data\Popper\diag\Chomp.exe

This threat can also create files on your PC, including:

  • %USERPROFILE%\Application Data\Popper\ChompUpd.exe

It adds the following registry entry so that it runs each time you start your PC:

In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: Eei
With data: C:\Users\rdp\AppData\Local\diag\Chomp.exe

This adware also adds the following registry entries as part of its installation routine:

In subkey: HKEY_CURRENT_USER\Software\Popper\Data
Sets value: "CurrentVersion"
With data: "1"

In subkey: HKEY_CURRENT_USER\Software\Popper\Data
Sets value: "UpdateURL"
With data: "https://s3.amazonaws.com//ver.txt"

In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Adsfree
Sets value: "Id"
With data: "{9E85F0AC-3100-4D38-91CC-C6E3489244AF}"

In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Popper
Sets value: "Id"
With data: "{C3D72B52-F6AA-4E18-8C5C-B76C012571E3}"

The URL hxxps://s3.amazonaws.com//ver.txt contains the following code (the text content of the update manifest as reproduced in the writeup):

  silent
  https://s3.amazonaws.com//Chomper.exe
  Win7
  New version is available
  SHA-512

Chomper.exe appears to be an updated version of the adware, but it is no longer accessible.

Payload

Adds scheduled tasks in your PC

This adware adds the following two scheduled tasks, which run at user logon:

  • Adsfree - %USERPROFILE%\Application Data\Popper\ChompUpd.exe
  • Popper - %USERPROFILE%\Application Data\Popper\diag\Chomp.exe

New variants come under the following task names and paths:

  • 9A5A8340-6B15 - %USERPROFILE%\Application Data\Roaming\ARHome\Updater.exe
  • Java Update - C:\Program Files\Java\Java.exe
  • Office - C:\Program Files\Office\Office.exe

Symptoms

The following can indicate that you have this threat on your PC:

  • You see these files in the following directories:
    • %USERPROFILE%\Application Data\Popper\diag\Chomp.exe
    • %USERPROFILE%\Application Data\Popper\ChompUpd.exe
  • You see registry modifications such as:
    • In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
      Sets value: Eei
      With data: C:\Users\rdp\AppData\Local\diag\Chomp.exe
    • In subkey: HKEY_CURRENT_USER\Software\Popper\Data
      Sets value: "CurrentVersion"
      With data: "1"
    • In subkey: HKEY_CURRENT_USER\Software\Popper\Data
      Sets value: "UpdateURL"
      With data: https://s3.amazonaws.com//ver.txt
    • In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Adsfree
      Sets value: "Id"
      With data: "{9E85F0AC-3100-4D38-91CC-C6E3489244AF}"
    • In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Popper
      Sets value: "Id"
      With data: "{C3D72B52-F6AA-4E18-8C5C-B76C012571E3}"
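The following read-only PowerShell check is an added example and is not part of the Microsoft writeup; it looks for the file, registry and scheduled-task indicators listed above. It assumes a current Windows build where the legacy "%USERPROFILE%\Application Data" location maps to $env:APPDATA and where the Get-ScheduledTask cmdlet is available, and it matches the Run value on the Chomp.exe file name rather than on the full path, since the "C:\Users\rdp\..." path in the writeup reflects the analysis machine.

```powershell
# Added example: read-only indicator checks for Adware:Win32/Brya.
# Assumption: %USERPROFILE%\Application Data == $env:APPDATA on this host.
$findings = @()

# 1. Dropped files named in the writeup
$files = @(
    (Join-Path $env:APPDATA 'Popper\diag\Chomp.exe'),
    (Join-Path $env:APPDATA 'Popper\ChompUpd.exe')
)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings += "File present: $f" }
}

# 2. Run-key persistence: value "Eei" whose data points at Chomp.exe
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -Name 'Eei' -ErrorAction SilentlyContinue
if ($run -and $run.Eei -match 'Chomp\.exe') {
    $findings += "Run value Eei -> $($run.Eei)"
}

# 3. Configuration key written during installation (CurrentVersion, UpdateURL)
$dataKey = 'HKCU:\Software\Popper\Data'
if (Test-Path $dataKey) {
    $data = Get-ItemProperty -Path $dataKey
    $findings += "Popper\Data present: CurrentVersion=$($data.CurrentVersion) UpdateURL=$($data.UpdateURL)"
}

# 4. Scheduled tasks named in the writeup, with the executable each one runs
foreach ($name in 'Adsfree', 'Popper') {
    $task = Get-ScheduledTask -TaskName $name -ErrorAction SilentlyContinue
    if ($task) {
        $exe = ($task.Actions | ForEach-Object { $_.Execute }) -join ';'
        $findings += "Scheduled task ${name}: $exe"
    }
}

if ($findings.Count -eq 0) {
    'No Adware:Win32/Brya indicators found.'
} else {
    $findings
}
```

Run it in the context of the user profile being checked; the HKCU values and $env:APPDATA are per user, so a machine with several profiles needs one pass per logged-on user.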

Last update 28 April 2015
