Počet zobrazení stránky

čtvrtek 26. dubna 2012

not-a-virus:AdWare.Win32.WhiteSmoke.a


Technical Details

This program downloads various malware from the Internet and installs it without the user's knowledge. It is a Windows application (PE EXE file). It is 129 288 bytes in size. It is packed using UPX. The unpacked file is approximately 404 KB in size. It is written in C++.

Payload

Once launched, the Trojan checks for current user's administrator privileges and if they are missing, displays the following message:
It performs the following actions:
  • When launched, it displays the following window:
  • When the program runs, it creates the following unique identifiers:
    {FF4E366C-EB6E-4387-968D-B97175E24D5A}
Global\WST2010_Feature_<rnd>
Global\WST2010_{58343C24-CB4B-4a57-9B4D-E3DD88463B62}_INITIALIZE
    where <rnd> is a random sequence of numbers.
  • It creates the following system registry keys:
    [HKCU\Environment]
"WS_TARGET_DIR"="%Program Files%\\WhiteSmoke Translator"

[HKLM\Software\WhiteSmokeTranslator]
"InstallOption"=dword:0000000e
"DistID"=dword:0000138a
  • In the current user's temporary directory it creates the following directory:
    %Temp%\~nsu.tmp\
    Where the program places the following files:
    %Temp%\~nsu.tmp\wsget.exe
    The file is 61 952 bytes in size.
    MD5: CB40B57461F84E92BA68DD6A77B0675D
    SHA1: FF5C21B8753BF9BA3402059CD98AC3A32F19E82F
    %Temp%\~nsu.tmp\boost.ico
    The file is 13 942 bytes in size.
    MD5: 576AE10DD9F5521A3285163D31EBD277
    SHA1: 4D88D461ED307F6949FE51F4698C35767FEF8D84
    The Trojan also creates the following files (where <user> is the name of the current user account):
    %Documents and Settings%\All Users\Start Menu\Programs\Startup\WhiteSmoke Translator.lnk
%Documents and Settings%\<user>\Desktop\WhiteSmoke (continue installation).lnk

%Documents and Settings%\<user>\Desktop\Improve Your PC.lnk
    The file is 1102 bytes in size.
    MD5: 1A2F8DD3F951A4BDBA6E8F7683675E46
    SHA1: 3D1ACB0DF365B2A422FEE42890A92A30CB7978FD
    When this file is launched, the following links open in the default browser:
    http://www.re***ster.com/L10n/geo-ws-597-di.php
    At the time of writing, this link was inactive.
  • It launches the following file for execution:
    %Temp%\~nsu.tmp\wsget.exe
    It sends the following string to this file as a parameter:
    "%Program Files%\WhiteSmoke Translator"
    The launched file downloads and launches files from the following URL addresses:
    http://get.w***moke.com/TranslatorTools/whitesmoke-silent.exe
    The file is 251 200 bytes in size.
    MD5: B2C1ECBB4E673505E9248A25DFC286B0
    SHA1: DD472F78C5E8591AD7C57435C67B46CFABAFAFCF
    http://get.w***moke.com/TranslatorTools/WhiteSmokeTranslator_rev1.exe
    The file is 5 076 816 bytes in size.
    MD5: 12C6D991CAE48AEE5A14F1175D2543DA
    SHA1: 57859915C688EF98718C57500116DE2483ADEFCF
    The files are saved under the following names, respectively:
    %Temp%\~nsu.tmp\whitesmoke-silent.exe
%Temp%\~nsu.tmp\WhiteSmokeTranslator_rev1.exe

Removal instructions

If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:
  1. Delete the original Trojan file (its location will depend on how the program originally penetrated the infected computer).
  2. Delete the following files:
    %Temp%\~nsu.tmp\wsget.exe
%Temp%\~nsu.tmp\boost.ico
%Documents and Settings%\All Users\Start Menu\Programs\Startup\WhiteSmoke Translator.lnk
%Documents and Settings%\<user>\Desktop\WhiteSmoke (continue installation).lnk
%Documents and Settings%\<user>\Desktop\Improve Your PC.lnk
%Temp%\~nsu.tmp\whitesmoke-silent.exe
%Temp%\~nsu.tmp\WhiteSmokeTranslator_rev1.exe
  3. Delete the following system registry keys:
    [HKCU\Environment]
"WS_TARGET_DIR"="%Program Files%\\WhiteSmoke Translator"

[HKLM\Software\WhiteSmokeTranslator]
"InstallOption"=dword:0000000e
"DistID"=dword:0000138a
Vystavil v
Štítky:

Žádné komentáře:

Okomentovat

Přihlásit se k odběru: Komentáře k příspěvku (Atom)