Installation
It drops itself onto your PC as the file %APPDATA%\version.dll. It renames itself as HpM3Util.exe and places itself into the <startup folder> so that it starts every time Windows starts.
It creates certain registry values to store its configuration data. We have seen it modify the following registry entries:
In subkey: HKCU\SOFTWARE\Adobe\Adobe ARM\1.0\ARM
Sets value: "tLast_ReadedSpec"
With data: "<encrypted configuration>"
In subkey: HKCU\SOFTWARE\Adobe\Adobe ARM\1.0\ARM
Sets value: "tLastCollab_doc"
With data: "<encrypted configuration>"
In subkey: HKCU\SOFTWARE\Adobe\Acrobat Reader\10.0\IPM
Sets value: "iTestPropulsion"
With data: "<encrypted configuration>"
In subkey: HKCU\SOFTWARE\Adobe\Acrobat Reader\10.0\IPM
Sets value: "iTestShears"
With data: "<encrypted configuration>"
Payload
Disables features of security software
The threat runs one of the following files and injects the version.dll file into them:
This threat injects the version.dll copy into all running 32-bit processes and then tries to unload these DLL files:
These files are used by certain security software, so if this threat is successful in unloading these files, your security software won't run properly.
Connects to a server
This threat tries to collect the following information about your PC:
- What operating system version you're running
- If it's running in a virtual environment
- What version of Adobe Flash is installed on your PC
- How many processors you have in your PC
- Your PC's GUID
It then tries to send the information to a server with a name generated using a domain generation algorithm that it gets from its configuration information. We have seen the following used:
- ceigqweqwaywiqgu.org
- kuyuacgsiowawsqa.org
Depending on commands from the server, it might also do the following on your PC:
- Update itself
- Update its configuration (including the URL it uses for click-fraud and the algorithm it uses to create the server it sends information to)
- Load modules
Performs click-fraud
It performs click-fraud by generating fake clicks on ads on a server it obtains from its configuration information. We have observed it using the following servers:
- 95.211.193.11 (with referrer starmina.net)
- searchlitter.com
- searchwander.com
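The server names above and the DGA domains listed under "Connects to a server" are what a defender can look for in outbound traffic. The following is an added example (not part of the original analysis) that scans a web-proxy log for them: the two observed C2 domains, the click-fraud hosts, and requests carrying the starmina.net referrer. The log lines and their field layout are constructed, and the "looks like this DGA" check (a 16-letter lowercase label directly under .org) is an assumption generalised from the two observed names; the write-up does not describe the algorithm itself.

```python
"""Scan a web-proxy log for the servers named in this write-up: the DGA-style
C2 domains and the click-fraud hosts/referrer. Added example, not part of the
original analysis. The log lines are constructed, and the DGA_LIKE pattern is
an assumption drawn from the two observed domains, not the real algorithm."""
import re
from urllib.parse import urlsplit

# Indicators taken from the write-up.
KNOWN_C2_DOMAINS = {"ceigqweqwaywiqgu.org", "kuyuacgsiowawsqa.org"}
KNOWN_CLICKFRAUD_HOSTS = {"95.211.193.11", "searchlitter.com", "searchwander.com"}
CLICKFRAUD_REFERRER = "starmina.net"
# Assumption: generalises the two observed names; tune or drop for your environment.
DGA_LIKE = re.compile(r"^[a-z]{16}\.org$")


def classify(host, referrer):
    """Return a verdict string for one request, or None if nothing matched."""
    h = host.lower().rstrip(".")
    if h in KNOWN_C2_DOMAINS:
        return "known-c2"
    if h in KNOWN_CLICKFRAUD_HOSTS:
        return "known-clickfraud-host"
    ref_host = urlsplit(referrer).hostname if referrer != "-" else None
    if ref_host and ref_host.lower() == CLICKFRAUD_REFERRER:
        return "clickfraud-referrer"
    if DGA_LIKE.match(h):
        return "dga-like"
    return None


def scan_proxy_log(lines):
    """Fields (constructed format): time client method host path referrer status."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 7:
            continue
        ts, client, _method, host, _path, referrer, _status = parts[:7]
        verdict = classify(host, referrer)
        if verdict:
            hits.append({"time": ts, "client": client, "host": host, "verdict": verdict})
    return hits


# Constructed sample: four indicator hits, one referrer-only hit, one benign line.
SAMPLE_LOG = """
2014-03-05T10:01:02Z 10.0.0.23 GET ceigqweqwaywiqgu.org / - 200
2014-03-05T10:01:05Z 10.0.0.23 GET www.microsoft.com / - 200
2014-03-05T10:01:09Z 10.0.0.41 GET 95.211.193.11 / http://starmina.net/ 200
2014-03-05T10:01:11Z 10.0.0.23 GET xqzplmwnvbtrkdgh.org / - 200
2014-03-05T10:01:15Z 10.0.0.7 GET searchwander.com / - 200
2014-03-05T10:01:18Z 10.0.0.7 GET example.net / http://starmina.net/ 200
"""

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG.strip().splitlines()):
        print(hit)
```

The DGA heuristic is deliberately kept separate from the known-indicator sets so it can be dropped or tightened without losing the exact matches; on a real log, treat "dga-like" hits as leads to confirm, not as verdicts.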
It also hooks these APIs to hide its click-fraud activities:
- CoCreateInstance
- DialogBoxIndirectParamAorW
- GetCursorPos
- waveOutOpen
- waveOutSetVolume
Depending on how many processors you have in your PC, this threat might start one or multiple instances of these files, into which it injects itself for its click-fraud activities:
It also creates these registry values to make the browser that performs the click-fraud operate in Internet Explorer 9 mode:
In subkey: HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION
Sets value: "twunk_32.exe"
With data: "9000"
Sets value: "winhlp32.exe"
With data: "9000"
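The registry locations listed under "Installation" and the FEATURE_BROWSER_EMULATION entries above are the on-disk artefacts a responder can check for. The following is an added example (not part of the original analysis) that matches a text registry export, in the format written by `reg.exe export`, against those locations. Because the configuration data is encrypted, it matches on subkey and value name rather than on content; for the emulation key it also decodes the DWORD so the reported 9000 (IE9 mode) can be confirmed. The export text is constructed and includes benign neighbouring values that must not be flagged.

```python
"""Match a text registry export (reg.exe export format) against the registry
locations in this write-up: the encrypted-configuration values under the Adobe
keys and the FEATURE_BROWSER_EMULATION entries for the click-fraud host
processes. Added example, not part of the original analysis; the export below
is constructed so that it contains both hits and benign neighbours."""
import re

# Indicators from the write-up. The data is encrypted configuration, so match
# on (subkey, value name) rather than on content. Registry names are
# case-insensitive, so everything is compared lower-cased.
CONFIG_VALUES = {
    (r"HKCU\SOFTWARE\Adobe\Adobe ARM\1.0\ARM", "tLast_ReadedSpec"),
    (r"HKCU\SOFTWARE\Adobe\Adobe ARM\1.0\ARM", "tLastCollab_doc"),
    (r"HKCU\SOFTWARE\Adobe\Acrobat Reader\10.0\IPM", "iTestPropulsion"),
    (r"HKCU\SOFTWARE\Adobe\Acrobat Reader\10.0\IPM", "iTestShears"),
}
CONFIG_LOOKUP = {(k.lower(), v.lower()) for k, v in CONFIG_VALUES}

EMULATION_KEY = (r"HKCU\SOFTWARE\Microsoft\Internet Explorer\Main"
                 r"\FeatureControl\FEATURE_BROWSER_EMULATION").lower()
EMULATION_HOSTS = {"twunk_32.exe", "winhlp32.exe"}  # Windows binaries abused as hosts
IE9_MODE = 9000  # value data the write-up reports

HIVE_ALIASES = {"HKEY_CURRENT_USER": "HKCU", "HKEY_LOCAL_MACHINE": "HKLM"}
VALUE_LINE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_export(text):
    """Yield (subkey, value name, raw data) triples from reg.exe export text."""
    subkey = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            hive, sep, rest = line[1:-1].partition("\\")
            subkey = HIVE_ALIASES.get(hive, hive) + sep + rest
            continue
        m = VALUE_LINE.match(line)
        if m and subkey is not None:
            yield subkey, m.group(1), m.group(2)


def dword(data):
    """Decode a 'dword:xxxxxxxx' export field; None for other value types."""
    return int(data[6:], 16) if data.lower().startswith("dword:") else None


def find_indicators(text):
    """Return a list of findings for every indicator present in the export."""
    findings = []
    for subkey, name, data in parse_reg_export(text):
        sk, nm = subkey.lower(), name.lower()
        if (sk, nm) in CONFIG_LOOKUP:
            findings.append({"kind": "encrypted-config", "subkey": subkey, "value": name})
        elif sk == EMULATION_KEY and nm in EMULATION_HOSTS:
            findings.append({"kind": "ie9-emulation-host", "subkey": subkey,
                             "value": name, "mode": dword(data)})
    return findings


# Constructed export: three of the four config values, one abused host entry,
# and two benign neighbours (iDisableCheckEula, iexplore.exe) that must not be flagged.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe ARM\1.0\ARM]
"tLast_ReadedSpec"=hex:1f,8b,08,00,4a,1a,7c
"tLastCollab_doc"=hex:9c,3e,77,01
"iDisableCheckEula"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Adobe\Acrobat Reader\10.0\IPM]
"iTestPropulsion"=hex:41,42,43

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"twunk_32.exe"=dword:00002328
"iexplore.exe"=dword:00002af8
"""

if __name__ == "__main__":
    for finding in find_indicators(SAMPLE_EXPORT):
        print(finding)
```

To run this against a real machine, export the three parent keys with `reg.exe export` and feed the resulting text to `find_indicators`; a FEATURE_BROWSER_EMULATION entry for twunk_32.exe or winhlp32.exe has no legitimate reason to exist, so that finding alone is worth investigating even without the Adobe-key values.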
Analysis by Shawn Wang