This threat gets onto your PC through a Nullsoft Scriptable Install System (NSIS) compiled installer. It is usually installed with the file name %APPDATA%\okitspace\protect\pluginprotect.exe without your consent.
It then registers itself as a service named srvPlgProtect (display name "Protect your browser's extensions") by creating these registry entries:
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\srvPlgProtect
Sets value: "Type"
With data: "dword:00000010"
Sets value: "Start"
With data: "dword:00000002"
Sets value: "ErrorControl"
With data: "dword:00000001"
Sets value: "ImagePath"
With data: "%AppData%\okitspace\protect\PluginProtect.exe"
Sets value: "DisplayName"
With data: "Protect your browser's extensions"
Sets value: "ObjectName"
With data: "LocalSystem"
Taken together, these values define a Win32 own-process service (Type 0x10) that starts automatically at boot (Start 2) and runs as LocalSystem, while its binary sits in a user-writable directory under %AppData%. A service whose ImagePath points into a user profile is itself a strong indicator of this kind of persistence.
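The check a responder would run for this persistence pattern, as an added example that is not part of the original analysis: enumerate the Services key and flag any service whose ImagePath lies in a user-writable location, annotating whether it auto-starts and runs as LocalSystem. The sample data is constructed from the registry values listed above (plus a benign entry for contrast); on a Windows host the script reads the live registry instead.

```python
"""Triage Windows services whose ImagePath points into a user-writable
profile directory, the pattern the srvPlgProtect service above follows.
Added example; the sample data below is constructed from the page, not
collected from an infected machine."""
import sys

# Service start type and service type constants from the Windows SDK.
SERVICE_AUTO_START = 2
SERVICE_WIN32_OWN_PROCESS = 0x10

# Directory prefixes an unprivileged user can write to. A service binary
# living here, yet running as LocalSystem, is a classic persistence pattern.
USER_WRITABLE_PREFIXES = (
    "%appdata%", "%localappdata%", "%temp%", "%tmp%", "%userprofile%",
    "c:\\users\\", "c:\\programdata\\",
)


def normalize_image_path(image_path: str) -> str:
    """Strip quotes and service arguments so only the binary path remains."""
    path = image_path.strip()
    if path.startswith('"'):
        path = path[1:].split('"', 1)[0]   # quoted path: keep the quoted part
    else:
        path = path.split(" ", 1)[0]       # unquoted: keep the first token
    return path.lower().replace("/", "\\")


def is_user_writable(path: str) -> bool:
    return any(path.startswith(prefix) for prefix in USER_WRITABLE_PREFIXES)


def flag_suspicious_services(services: dict) -> list:
    """services maps service key name -> dict of its registry values.
    Returns (name, reasons) for every service whose binary is user-writable."""
    findings = []
    for name, values in services.items():
        image = normalize_image_path(str(values.get("ImagePath", "")))
        if not is_user_writable(image):
            continue
        reasons = [f"binary in user-writable path: {image}"]
        if values.get("Start") == SERVICE_AUTO_START:
            reasons.append("auto-start at boot")
        if str(values.get("ObjectName", "")).lower() == "localsystem":
            reasons.append("runs as LocalSystem")
        findings.append((name, reasons))
    return findings


def collect_services_winreg() -> dict:
    """Read HKLM\\SYSTEM\\CurrentControlSet\\Services on a live Windows host.
    ImagePath comes back unexpanded (REG_EXPAND_SZ), which is what we want:
    the %AppData% prefix is the indicator."""
    import winreg  # Windows only; imported here so the triage logic runs anywhere
    services = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SYSTEM\CurrentControlSet\Services") as hkey:
        for i in range(winreg.QueryInfoKey(hkey)[0]):
            name = winreg.EnumKey(hkey, i)
            values = {}
            with winreg.OpenKey(hkey, name) as sub:
                for value_name in ("ImagePath", "Start", "Type",
                                   "ObjectName", "DisplayName"):
                    try:
                        values[value_name] = winreg.QueryValueEx(sub, value_name)[0]
                    except FileNotFoundError:
                        pass
            services[name] = values
    return services


# Constructed sample: the first entry mirrors the registry values on this page,
# the second is a benign-looking entry for contrast.
SAMPLE_SERVICES = {
    "srvPlgProtect": {
        "Type": SERVICE_WIN32_OWN_PROCESS, "Start": SERVICE_AUTO_START,
        "ErrorControl": 1,
        "ImagePath": r"%AppData%\okitspace\protect\PluginProtect.exe",
        "DisplayName": "Protect your browser's extensions",
        "ObjectName": "LocalSystem",
    },
    "Spooler": {
        "Type": SERVICE_WIN32_OWN_PROCESS, "Start": SERVICE_AUTO_START,
        "ImagePath": r"%SystemRoot%\System32\spoolsv.exe",
        "ObjectName": "LocalSystem",
    },
}

if __name__ == "__main__":
    data = collect_services_winreg() if sys.platform == "win32" else SAMPLE_SERVICES
    for svc, reasons in flag_suspicious_services(data):
        print(f"{svc}: " + "; ".join(reasons))
```

The prefix list is deliberately broad (ProgramData is included because many installers leave it world-writable); treat a hit as a lead to inspect the binary and its signer, not as a verdict on its own.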
It might also create the following registry subkey as part of its installation routine:
Steals your information
After the threat is registered as a service, it gets the following information about your PC:
- Current date
- Default browser
- Installed antivirus program
- Installed browsers
- Operating system and version
- User ID
It sends this information to a remote server.
We've seen it connecting to the following servers to send information and download files:
Installs plugins and displays ads in your browser
This threat downloads a .zip file called plugin.zip, which contains the plugins it installs.
Sample contents of plugin.zip are:
crxID - Text file holding the Chrome extension ID
OKitSpace.crx - Chrome extension to be installed
OKitSpace.crx.zip - Chrome extension to be installed
OKitSpace.pem - PEM key file belonging to the Chrome extension (Chrome derives the extension ID from the public half of this key)
OKitSpace.dll - Browser Helper Object (BHO) DLL to be installed in Internet Explorer
OKitSpace.xpi - Firefox extension (XPI) to be installed
version - Text file holding the plugin version
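When triaging a bundle like plugin.zip it is useful to confirm that the ID recorded in crxID really belongs to the shipped .crx. The following added example (not code from the original analysis) parses a CRX container in format version 2, pulls out the embedded public key, and derives the extension ID the way Chrome does: the first 128 bits of SHA-256 over the DER public key, hex-encoded with the digits 0-f remapped to a-p. The .crx used here is constructed in the script around a placeholder key and signature, so it exercises the parsing and ID derivation only; Chrome would reject its signature.

```python
"""Parse a Chrome CRX (format version 2) and derive the extension ID from its
embedded public key, so the ID in a dropper's crxID file can be checked
against the .crx it ships. Added example; the sample CRX is constructed here."""
import hashlib
import io
import struct
import zipfile

CRX_MAGIC = b"Cr24"


def parse_crx2(data: bytes) -> dict:
    """Split a CRX2 file into header fields, public key, signature and ZIP payload.
    Layout: magic(4) | version(u32 LE) | key_len(u32 LE) | sig_len(u32 LE) | key | sig | zip."""
    if data[:4] != CRX_MAGIC:
        raise ValueError("not a CRX file (bad magic)")
    version, key_len, sig_len = struct.unpack_from("<III", data, 4)
    if version != 2:
        raise ValueError(f"unsupported CRX version {version}; this parser handles CRX2 only")
    key_start = 16
    sig_start = key_start + key_len
    zip_start = sig_start + sig_len
    if zip_start > len(data):
        raise ValueError("truncated CRX header")
    return {
        "version": version,
        "public_key": data[key_start:sig_start],
        "signature": data[sig_start:zip_start],
        "zip": data[zip_start:],
    }


def extension_id(public_key_der: bytes) -> str:
    """Chrome extension ID: first 32 hex digits of SHA-256(DER public key),
    each hex digit 0-f remapped to the letters a-p."""
    digest = hashlib.sha256(public_key_der).hexdigest()[:32]
    return digest.translate(str.maketrans("0123456789abcdef", "abcdefghijklmnop"))


def list_crx_files(crx_zip: bytes) -> list:
    """Names of the files packed inside the CRX's ZIP payload."""
    with zipfile.ZipFile(io.BytesIO(crx_zip)) as zf:
        return zf.namelist()


def check_dropper_bundle(crx_bytes: bytes, crx_id_text: str) -> bool:
    """Does the ID a dropper stores in its crxID file match the .crx it ships?"""
    return extension_id(parse_crx2(crx_bytes)["public_key"]) == crx_id_text.strip()


def build_crx2(public_key: bytes, signature: bytes, files: dict) -> bytes:
    """Assemble a CRX2 container around the given files (used only to build the sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    header = CRX_MAGIC + struct.pack("<III", 2, len(public_key), len(signature))
    return header + public_key + signature + buf.getvalue()


# Constructed sample standing in for OKitSpace.crx: a placeholder "public key"
# (not a valid DER SubjectPublicKeyInfo), a zeroed signature and a minimal manifest.
SAMPLE_KEY = bytes(range(162))
SAMPLE_CRX = build_crx2(
    SAMPLE_KEY, b"\x00" * 128,
    {"manifest.json": '{"name": "sample", "version": "1.0", "manifest_version": 2}'},
)

if __name__ == "__main__":
    parsed = parse_crx2(SAMPLE_CRX)
    print("extension id:", extension_id(parsed["public_key"]))
    print("files:", list_crx_files(parsed["zip"]))
    print("crxID matches:", check_dropper_bundle(SAMPLE_CRX, extension_id(SAMPLE_KEY)))
```

With a real bundle, feed the bytes of OKitSpace.crx and the text of crxID to check_dropper_bundle; a mismatch means the ID file and the extension were not produced from the same key. Newer CRX3 files carry a protobuf header after the version field and need a different parser.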
Once installed, these plugins can display unwanted pop-up ads in Internet Explorer, Firefox, and Chrome.
[Screenshots: the ads displayed by these plugins in Internet Explorer, in Firefox, and in Chrome]
The threat monitors every plugin it installs: if a plugin is disabled, it immediately re-enables it, and if a plugin is removed, it downloads and installs another copy. Removing the browser plugins alone therefore does not clean the machine; the srvPlgProtect service and its binary have to be removed as well.
Analysis by Ricardo Robielos