Friday, 24 February 2012

Adware:Win32/Gabpath


Encyclopedia entry
Updated: Dec 02, 2011  |  Published: Jul 16, 2010

Aliases
  • Trojan-Downloader.Win32.Agent.dwxx (Kaspersky)
  • Adware Generic4.AIUQ (AVG)
  • TR/Dldr.Agent.dwxx (Avira)
  • Trojan-Dropper.Agent (Ikarus)

Alert Level
Moderate

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection last updated:
Definition: 1.121.332.0
Released: Feb 24, 2012
Detection initially created:
Definition: 1.85.1270.0
Released: Jul 02, 2010

Summary

Adware:Win32/Gabpath is a family of potentially unwanted programs that deliver pop-up style notifications based on the user's browsing habits.

Symptoms

System changes
The following system changes may indicate the presence of Adware:Win32/Gabpath:
  • The presence of the following files:

    %AppData%\Blammi\Blammi.exe
    %AppData%\Blammi\BMUninstall.exe
    %AppData%\Blammi\config.cfg
    %AppData%\Flipopia\config.cfg
    %AppData%\Flipopia\Flipopia.exe
    %AppData%\Flipopia\FPUninstall.exe
    %AppData%\GabPath\config.cfg
    %AppData%\GabPath\GabPath.exe
    %AppData%\GabPath\GPUninstall.exe
    %AppData%\Microsoft\Windows\<random characters>.exe
    %AppData%\Minoral\config.cfg
    %AppData%\Minoral\Minoral.exe
    %AppData%\nbt\config.cfg
    %AppData%\nbt\nbt.exe
    %AppData%\oncues\config.cfg
    %AppData%\oncues\OCUninstall.exe
    %AppData%\oncues\oncues.exe
    %AppData%\updchecker.exe
    %AppData%\Minoral\MNUninstall.exe
    %ProgramFiles%\Mozilla Firefox\components\bmff.dll
    %ProgramFiles%\Mozilla Firefox\components\fpff.dll
    %ProgramFiles%\Mozilla Firefox\components\gpff.dll
    %ProgramFiles%\Mozilla Firefox\components\mnff.dll
    %ProgramFiles%\Mozilla Firefox\components\ocff.dll

  • The presence of the following registry subkeys:

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: "NBT"
    With data: "%AppData%\NBT\nbt.exe"
    In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: "NBT"
    With data: "%AppData%\NBT\nbt.exe"
    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\nbt
    Sets value: "DisplayName"
    With data: "NBT"
    Sets value: "UninstallString"
    With data: "explorer.exe http://newbrandtest.com/data/<removed>/uninstaller/NBTUninstall.exe"
    In subkey: HKCU\Software\NBT
    Sets value: "ComputeKey"
    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: "Minoral"
    With data: "%AppData%\Minoral\Minoral.exe"
    Sets value: "updchecker"
    With data: "%AppData%\updchecker.exe"
    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Minoral
    Sets value: "DisplayName"
    With data: "Minoral.exe"
    Sets value: "UninstallString"
    With data: "%AppData%\Minoral\MNUninstall.exe"
    In subkey: HKCU\Software\Minoral
    In subkey: HKCU\Software\UpdChecker
    Sets value: "UpdUrl"
    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: "Flipopia"
    With data: "%AppData%\Flipopia\flipopia.exe"
    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Flipopia
    Sets value: "DisplayName"
    With data: "Flipopia.com"
    Sets value: "UninstallString"
    With data: "%AppData%\Flipopia\FPUninstall.exe"
    In subkey: HKCU\Software\Flipopia
    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: "Blammi"
    With data: "%AppData%\Blammi\blammi.exe"
    Sets value: "updchecker"
    With data: "%AppData%\updchecker.exe"
    In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: "Blammi"
    With data: "%AppData%\Blammi\blammi.exe"
    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Blammi
    Sets value: "DisplayName"
    With data: "Blammi"
    Sets value: "UninstallString"
    With data: "%AppData%\Blammi\BMUninstall.exe"
    In subkey: HKCU\Software\Blammi
    In subkey: HKCU\Software\UpdChecker
    Sets value: "UpdUrl"
    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: "Oncues"
    With data: "%AppData%\oncues\oncues.exe"
    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Oncues
    Sets value: "DisplayName"
    With data: "Oncues"
    Sets value: "UninstallString"
    With data: "%AppData%\Oncues\OCUninstall.exe"
    Sets value: "HelpLink"
    With data: "http://<removed>.oncues.com"
    Sets value: "Publisher"
    With data: "Oncues"
    Sets value: "UrlInfoAbout"
    With data: "http://<removed>.oncues.com"
    In subkey: HKCU\Software\Oncues
    In subkey: HKCU\Software\Classes\CLSID\{CF28D5DD-ABB4-4B68-9E4F-801B0A971DD6}
    In subkey: HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\{CF28D5DD-ABB4-4B68-9E4F-801B0A971DD6}
    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: "GabPath"
    With data: "%AppData%\GabPath\GabPath.exe"
    Sets value: "gpupdate"
    With data: "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\GPUpdate.exe"
    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\GabPath
    Sets value: "DisplayName"
    With data: "GabPath.com"
    Sets value: "UninstallString"
    With data: "%AppData%\GabPath\GPUninstall.exe"
    In subkey: HKCU\Software\GabPath

Technical Information (Analysis)

Adware:Win32/Gabpath is a family of potentially unwanted programs that deliver pop-up style notifications based on the user's browsing habits.
Installation
Adware:Win32/Gabpath may be bundled by SoftwareBundler:Win32/MPAccess and distributed as a media player, or downloaded from adult content sites.
Adware:Win32/Gabpath may create the following files on the user's computer:
  • %AppData%\Blammi\Blammi.exe
  • %AppData%\Blammi\BMUninstall.exe
  • %AppData%\Blammi\config.cfg
  • %AppData%\Flipopia\config.cfg
  • %AppData%\Flipopia\Flipopia.exe
  • %AppData%\Flipopia\FPUninstall.exe
  • %AppData%\GabPath\config.cfg
  • %AppData%\GabPath\GabPath.exe
  • %AppData%\GabPath\GPUninstall.exe
  • %AppData%\Microsoft\Windows\<random characters>.exe
  • %AppData%\Minoral\config.cfg
  • %AppData%\Minoral\Minoral.exe
  • %AppData%\nbt\config.cfg
  • %AppData%\nbt\nbt.exe
  • %AppData%\oncues\config.cfg
  • %AppData%\oncues\OCUninstall.exe
  • %AppData%\oncues\oncues.exe
  • %AppData%\updchecker.exe
  • %AppData%\Minoral\MNUninstall.exe
  • %ProgramFiles%\Mozilla Firefox\components\bmff.dll
  • %ProgramFiles%\Mozilla Firefox\components\fpff.dll
  • %ProgramFiles%\Mozilla Firefox\components\gpff.dll
  • %ProgramFiles%\Mozilla Firefox\components\mnff.dll
  • %ProgramFiles%\Mozilla Firefox\components\ocff.dll
As part of its installation process, Adware:Win32/Gabpath may create the following registry entries:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "NBT"
With data: "%AppData%\NBT\nbt.exe"
Sets value: <random characters>
With data: <location of updater> (for example, "%AppData%\Microsoft\Windows\nsl6.exe")
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "NBT"
With data: "%AppData%\NBT\nbt.exe"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\nbt
Sets value: "DisplayName"
With data: "NBT"
Sets value: "UninstallString"
With data: "explorer.exe http://newbrandtest.com/data/<removed>/uninstaller/NBTUninstall.exe"
In subkey: HKCU\Software\NBT
Sets value: "ComputeKey"
With data: <decryption key> (for example, "hex:54,5a,32,42,42,42,78,59,6a,4d,77,59,6a,4e,6c,4e,6a,4d,77,55,44,4e,6b,52,54,4f,31,45,6a,4e,68,68,54,5a,31,59,6d,59,6b,5a,54,4f,3d,41")
Sets value: <encrypted information> (for example "aeftgthrtfew")
With data: <encrypted information> (for example hex:41,4d,3d,3d)
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Minoral"
With data: "%AppData%\Minoral\Minoral.exe"
Sets value: <random characters> (for example, "SfKg6wIPuS")
With data: <location of updater> (for example, "%AppData%\Microsoft\Windows\inkywil.exe")
Sets value: "updchecker"
With data: "%AppData%\updchecker.exe"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Minoral
Sets value: "DisplayName"
With data: "Minoral.exe"
Sets value: "UninstallString"
With data: "%AppData%\Minoral\MNUninstall.exe"
In subkey: HKCU\Software\Minoral
Sets value: <encrypted information> (for example "bdgjhdtcfgrldthdfhd")
With data: <encrypted information> (for example hex:2b,65,56,1d,63,c7,7f)
In subkey: HKCU\Software\UpdChecker
Sets value: "UpdUrl"
With data: <encrypted information> (for example "kVSVTP2EDMwACMTZWdJJDZ10DMmY1T9M2VulGZ39ycO...")
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Flipopia"
With data: "%AppData%\Flipopia\flipopia.exe"
Sets value: <random characters> (for example, "SfKg6wIPuS")
With data: <location of updater> (for example, "%AppData%\Microsoft\Windows\imholn.exe")
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Flipopia
Sets value: "DisplayName"
With data: "Flipopia.com"
Sets value: "UninstallString"
With data: "%AppData%\Flipopia\FPUninstall.exe"
In subkey: HKCU\Software\Flipopia
Sets value: <encrypted information> (for example "aeftgthrtfew")
With data: <encrypted information> (for example hex:41,4d,3d,3d)
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Blammi"
With data: "%AppData%\Blammi\blammi.exe"
Sets value: <random characters> (for example, "knrMkg37R8S")
With data: <location of updater> (for example, "%AppData%\Microsoft\Windows\nsa21.exe")
Sets value: "updchecker"
With data: "%AppData%\updchecker.exe"
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Blammi"
With data: "%AppData%\Blammi\blammi.exe"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Blammi
Sets value: "DisplayName"
With data: "Blammi"
Sets value: "UninstallString"
With data: "%AppData%\Blammi\BMUninstall.exe"
In subkey: HKCU\Software\Blammi
Sets value: <encrypted information> (for example, "aeftgthrtfew")
With data: <encrypted information> (for example, hex:41,4d,3d,3d)
In subkey: HKCU\Software\UpdChecker
Sets value: "UpdUrl"
With data: <encrypted information> (for example, "kVSVTP3EDMwACMTZWdJJDZ10DMmc1T9M2VulGZ39ycOBCVXB3brJ3chRGdvlib1AjLgEnQpVGbuRWdi1XZgIiOgAjMwYCMTBXZ2JWalNFIhB2YgsiMtZWY9MjNhlTNjlTOzcGMxQTNyYTO3ITYllzNwkWNwMTMxgGN=I")
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Oncues"
With data: "%AppData%\oncues\oncues.exe"
Sets value: <random characters> (for example, "GxN7cLLBifFCp3brIXH")
With data: <location of updater> (for example, "%AppData%\Microsoft\Windows\koiqnp.exe")
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Oncues
Sets value: "DisplayName"
With data: "Oncues"
Sets value: "UninstallString"
With data: "%AppData%\Oncues\OCUninstall.exe"
Sets value: "HelpLink"
With data: "http://<removed>.oncues.com"
Sets value: "Publisher"
With data: "Oncues"
Sets value: "UrlInfoAbout"
With data: "http://<removed>.oncues.com"
In subkey: HKCU\Software\Oncues
Sets value: <encrypted information> (for example, "fsctsbccdtnfg")
With data: <encrypted information> (for example, hex:fd,a5)
In subkey: HKCU\Software\Classes\CLSID\{CF28D5DD-ABB4-4B68-9E4F-801B0A971DD6}
In subkey: HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\{CF28D5DD-ABB4-4B68-9E4F-801B0A971DD6}
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "GabPath"
With data: "%AppData%\GabPath\GabPath.exe"
Sets value: <random characters> (for example, "Y86KHmGbmYBHV4wEyKVpUSuG3D1")
With data: <location of updater> (for example, "%AppData%\Microsoft\Windows\wnmgmh.exe")
Sets value: "gpupdate"
With data: "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\GPUpdate.exe"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\GabPath
Sets value: "DisplayName"
With data: "GabPath.com"
Sets value: "UninstallString"
With data: "%AppData%\GabPath\GPUninstall.exe"
In subkey: HKCU\Software\GabPath
Sets value: <encrypted information> (for example, "bdgjhdtcfgrldthdfhd")
With data: <encrypted information> (for example, hex:2b,65,56,1d,60,c2,71,83,94,5b)
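The file and registry indicators in the Symptoms section and in the Installation section above are the same set. The following read-only PowerShell check is an added example, not code from the Microsoft encyclopedia entry or from the adware: it turns those indicators into a host check that reports which of the listed files, Run values, per-product keys and Uninstall entries are present. It assumes %AppData% maps to $env:APPDATA and %ProgramFiles% to $env:ProgramFiles; the product names, value names, CLSID and key paths come from the entry itself, and the random-named updater is handled by listing every EXE in the directory the entry names rather than guessing its name.

```powershell
# Added example, not part of the Microsoft encyclopedia entry: a read-only
# PowerShell check for the Adware:Win32/Gabpath indicators listed above.
# Run it in the user profile you want to inspect. %AppData% is taken from
# $env:APPDATA; the Run-value names, product directories, CLSID and Uninstall
# subkeys come from the entry itself.
$findings = New-Object 'System.Collections.Generic.List[object]'
function Add-Finding([string]$Type, [string]$Indicator, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Type = $Type; Indicator = $Indicator; Detail = $Detail })
}

# Product directory -> two-letter prefix of its uninstaller and Firefox component
# (BMUninstall.exe / bmff.dll, ...). nbt has neither in the entry, hence $null.
$products = [ordered]@{ Blammi = 'BM'; Flipopia = 'FP'; GabPath = 'GP'; Minoral = 'MN'; oncues = 'OC'; nbt = $null }

# 1. Files: derive the list given in the entry from the product table.
$filePaths = @("$env:APPDATA\updchecker.exe")
foreach ($name in $products.Keys) {
    $filePaths += "$env:APPDATA\$name\$name.exe"
    $filePaths += "$env:APPDATA\$name\config.cfg"
    if ($products[$name]) {
        $filePaths += "$env:APPDATA\$name\$($products[$name])Uninstall.exe"
        $filePaths += "$env:ProgramFiles\Mozilla Firefox\components\$($products[$name].ToLower())ff.dll"
    }
}
foreach ($p in $filePaths) {
    if (Test-Path -LiteralPath $p -PathType Leaf) { Add-Finding 'File' $p '' }
}
# The updater dropped under %AppData%\Microsoft\Windows\ has a random name, so
# any EXE in that directory is reported for manual review rather than matched.
Get-ChildItem -LiteralPath "$env:APPDATA\Microsoft\Windows" -Filter '*.exe' -File -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'File (review)' $_.FullName 'EXE in %AppData%\Microsoft\Windows' }

# 2. Autostart values in the HKCU and HKLM Run keys.
$runNames  = @('NBT', 'Minoral', 'updchecker', 'Flipopia', 'Blammi', 'Oncues', 'GabPath', 'gpupdate')
$metaProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')  # provider metadata, not registry values
foreach ($hive in 'HKCU', 'HKLM') {
    $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key
    foreach ($prop in $props.PSObject.Properties) {
        if ($prop.Name -in $metaProps) { continue }
        $data = [string]$prop.Value
        if ($runNames -contains $prop.Name) {
            Add-Finding 'Run value' "$key\$($prop.Name)" $data
        }
        elseif ($data -like "*$env:APPDATA\Microsoft\Windows\*.exe*" -or $data -like '*%AppData%\Microsoft\Windows\*.exe*') {
            # Random-named value whose data points at the updater location named in the entry.
            Add-Finding 'Run value (random name)' "$key\$($prop.Name)" $data
        }
    }
}

# 3. Per-product configuration keys, Uninstall entries and the Explorer Bar CLSID.
$uninstall = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall'
$otherKeys = @(
    'HKCU:\Software\UpdChecker',
    'HKCU:\Software\Classes\CLSID\{CF28D5DD-ABB4-4B68-9E4F-801B0A971DD6}',
    'HKCU:\Software\Microsoft\Internet Explorer\Explorer Bars\{CF28D5DD-ABB4-4B68-9E4F-801B0A971DD6}'
)
foreach ($name in $products.Keys) {
    $otherKeys += "HKCU:\Software\$name"
    $otherKeys += "$uninstall\$name"
}
foreach ($k in $otherKeys) {
    if (Test-Path -LiteralPath $k) {
        $u = (Get-ItemProperty -LiteralPath $k -ErrorAction SilentlyContinue).UninstallString
        $detail = if ($u) { "UninstallString=$u" } else { '' }
        Add-Finding 'Registry key' $k $detail
    }
}

if ($findings.Count -eq 0) { 'No Adware:Win32/Gabpath indicators found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

Save it as a .ps1 and run it with `powershell -ExecutionPolicy Bypass -File` in the affected user's session (the HKCU paths are per user). The script only reads; it deliberately reports UninstallString values instead of running them, because the NBT entry above points that value at explorer.exe with a remote URL. Remediation should go through the antimalware definitions referenced at the top of the entry, and a hit on the "File (review)" or "Run value (random name)" rows needs a look at the binary itself, since a legitimate program could also place an EXE under that directory.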
Additional information
The parent company responsible for Gabpath is NetNucleus, a company that specializes in online and search advertising:
Variants of Adware:Win32/Gabpath have been known to use the following interfaces and product names:
Adware:Win32/Gabpath may be bundled with the following programs:
The adware may store the user's browser history in order to tailor the advertisements it serves. The advertisements it displays vary; however, the adware's product name may appear in the browser header:
Analysis by Michael Johnson
