Trojan:Win32/AproposMedia


Trojan:Win32/AproposMedia is a software suite that is installed by a third-party application, which may bundle AproposMedia as a toolbar. It may also be installed via drive-by downloads or through pop-up advertisements.

Trojan:Win32/AproposMedia displays pop-up advertisements in Internet Explorer and tracks and reports user habits. It may update itself or download and execute other files from the Internet without the user's knowledge or consent. Some variants of AproposMedia also use a system driver to make detection and removal more difficult. A user may experience a decrease in Internet speed if AproposMedia is installed on the computer.


What to do now

Use Microsoft Windows Defender, Microsoft Security Essentials, the Microsoft Safety Scanner, or another up-to-date scanning and removal tool to detect and remove this threat and other unwanted software from your computer. For more information on Microsoft security products, see http://www.microsoft.com/protect/products/computer/default.mspx.

Threat behavior

Installation
The Trojan:Win32/AproposMedia installer may arrive on the computer with the file name "install_ct.exe". When this installer is run, it creates the following files and folders:
 
%temp%\~apropos0\
%temp%\~apropos0\atla.dll
%temp%\~apropos0\atlw.dll
%temp%\~apropos0\CxtPls.exe
%temp%\~apropos0\ph.exe
%temp%\~apropos0\pm.exe
%temp%\~apropos0\setup.inf
 
%ProgramFiles%\CxtPls\
%ProgramFiles%\CxtPls\ace.dll
%ProgramFiles%\CxtPls\atl.dll
%ProgramFiles%\CxtPls\AI_<date>.log
%ProgramFiles%\CxtPls\CxtPls.dll
%ProgramFiles%\CxtPls\CxtPls.exe
%ProgramFiles%\CxtPls\data.bin
%ProgramFiles%\CxtPls\libexpat.dll
%ProgramFiles%\CxtPls\ProxyStub.dll
%ProgramFiles%\CxtPls\uninstaller.exe
%ProgramFiles%\CxtPls\WinGenerics.dll
 
It may also drop the following files in the Windows system folder:
 
jgdatcha.exe
shltedit.exe
sxlntr.exe
 
It may also download the following files as part of its installation routine:
 
AutoUpdater.exe
HookDll.dll
install_ct.exe
npf.sys
SysAI.exe
uninstaller.exe
 
Trojan:Win32/AproposMedia modifies the system registry so that its dropped files automatically run every time Windows starts, for example:
 
Adds value: "5stg3tX"
With data: "shltedit.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
 
Adds value: "hdloker"
With data: "<system folder>\sxlntr.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
 
Adds value: "AutoLoaderAproposClient"
With data: "<system folder>\Cxtpls_loader.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
 
Adds value: "hdloker"
With data: "<system folder>\sxlntr.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
 
Adds value: "load"
With data: "<system folder>\sxlntr.exe"
To subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows
 
Modifies value: "shell"
From data: "explorer.exe"
To data: "explorer.exe <system folder>\sxlntr.exe"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
 
It also registers its dropped DLL files by creating some or all of the following subkeys:
 
HKCR\CLSID\{016235BE-59D4-4CEB-ADD5-E2378282A1D9}
HKCR\CLSID\{6200BDDD-11D4-07C0-1A8F-500A15C9973}
HKCR\CLSID\{B5AB638F-D76C-415B-A8F2-F3CEAC502212}
HKCR\CLSID\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA}
HKCR\Interface\{B548B7D8-3D03-4AED-A6A1-4251FAD00C10}
HKCR\Interface\{B99A727F-0782-4A71-BCC2-6E1E66414904}
HKCR\Interface\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA}
HKLM\SOFTWARE\Classes\CLSID\{6200BDDD-11D4-07C0-1A8F-500A15C9973}
HKLM\SOFTWARE\Classes\CLSID\{65D557EB-146A-2B46-36A7-8D6CB48FF4F}
HKLM\SOFTWARE\Classes\CLSID\{B5AB638F-D76C-415B-A8F2-F3CEAC502212}
HKLM\SOFTWARE\Classes\Interface\{B548B7D8-3D03-4AED-A6A1-4251FAD00C10}
HKLM\SOFTWARE\Classes\Interface\{B99A727F-0782-4A71-BCC2-6E1E66414904}
HKLM\SOFTWARE\Classes\Interface\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{016235BE-59D4-4CEB-ADD5-E2378282A1D9}
 
It may also create the following registry subkeys and entries as part of its installation routine:
 
Adds value: "ClientName"
With data: "%ProgramFiles%\CxtPls\CxtPls.exe"
Adds value: "Plugin"
With data: "%ProgramFiles%\CxtPls\cxtpls.dll"
Adds value: "ProxyStub"
With data: "%ProgramFiles%\CxtPls\proxystub.dll"
Adds value: "ServerAddress"
With data: "adchannel.contextplus.net"
To subkey: HKLM\SOFTWARE\Apropos\Client
 
Adds subkeys:
HKLM\SOFTWARE\Envolo\AutoUpdate
HKLM\SOFTWARE\AutoLoader\5F261ZKKdbac
 
It also creates an uninstall entry for itself:
 
Adds value: "DisplayName"
With data: "CtxPls"
Adds value: "UninstallString"
With data: "%ProgramFiles%\CxtPls\uninstaller.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AproposClient
 
Trojan:Win32/AproposMedia may also create mutexes using any of the following names:
 
_AutoLoaderSession_AproposLoaderSessionIsStarted
ALActive_CtxPlus
AproposClient
CompoundInstallerIsRunning
Global_POB_C__WINDOWS_p2J2d

Payload

Downloads other components

Trojan:Win32/AproposMedia may create the following registry entries:
 
Adds value: "LoadUrl"
With data: "http:// download.contextplus.net/apropos/client/<version>/wb.pop/<try>/aproposclientinstaller.exe"
To subkey: HKLM\SOFTWARE\AutoLoader\AproposClient
 
where <version> and <try> are versions of the updated component.
 
It also specifies a server to connect to by creating a registry entry, for example:
 
Adds value: "SU"
With data: "http://au.contextplus.net/services/auserver"
To subkey: HKLM\SOFTWARE\C2ij6AzFKfqm\AU2
 
It may also connect to other pages within the Web site "contextplus.net" to download other files. These files may then be installed on the computer without the user's knowledge or consent.
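Added triage helper, not part of this entry or of any Microsoft tool: it parses a text .reg export of the keys listed above and flags the Run/RunOnce value names, an altered Winlogon "shell" value and the Browser Helper Objects CLSID from this entry. The sample export is constructed, and the Windows paths in it are assumed; the shell check is deliberately broader than the page's single case and reports any change from "explorer.exe".

```python
import re

# Indicators copied from this entry (value names, dropped files, BHO CLSID), compared lowercase
RUN_VALUE_NAMES = {"5stg3tx", "hdloker", "autoloaderaproposclient"}
DROPPED_EXES = {"shltedit.exe", "sxlntr.exe", "cxtpls_loader.exe"}
BHO_CLSID = "{016235be-59d4-4ceb-add5-e2378282a1d9}"
RUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")
WINLOGON_KEY = "\\windows nt\\currentversion\\winlogon"
BHO_KEY = "\\explorer\\browser helper objects\\"
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<data>.*)"$')

def parse_reg(text):
    """Collect REG_SZ values from a .reg export as {key: {name: data}}, lowercasing keys and names."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and (m := VALUE_RE.match(line)):
            # .reg exports escape backslashes and double quotes inside string data
            data = m.group("data").replace('\\"', '"').replace("\\\\", "\\")
            keys[current][m.group("name").lower()] = data
    return keys

def find_indicators(text):
    """Return (key, value_name, reason) for every entry matching the page's indicators."""
    hits = []
    for key, values in parse_reg(text).items():
        if key.endswith(RUN_KEYS):
            for name, data in values.items():
                if name in RUN_VALUE_NAMES or data.split("\\")[-1].lower() in DROPPED_EXES:
                    hits.append((key, name, "AproposMedia autorun entry"))
        elif key.endswith(WINLOGON_KEY):
            # Any addition to the Winlogon shell, not only sxlntr.exe, deserves a look
            shell = values.get("shell", "explorer.exe").strip().lower()
            if shell != "explorer.exe":
                hits.append((key, "shell", "Winlogon shell altered: " + shell))
        elif BHO_KEY in key and key.rsplit("\\", 1)[-1] == BHO_CLSID:
            hits.append((key, "", "AproposMedia browser helper object registered"))
    return hits

# Constructed sample export: one benign Run entry plus three modifications from the page
SAMPLE_REG = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"hdloker"="C:\\Windows\\system32\\sxlntr.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe C:\\Windows\\system32\\sxlntr.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{016235BE-59D4-4CEB-ADD5-E2378282A1D9}]
"""
```

Run `find_indicators(SAMPLE_REG)` to list the three hits; a real export must be converted from UTF-16 to text before it is passed in, since only REG_SZ lines are parsed.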
 
Analysis by Patrik Vicol

Symptoms

System changes
The following system changes may indicate the presence of this malware:
  • The presence of the following files:
    %temp%\~apropos0\
    %temp%\~apropos0\atla.dll
    %temp%\~apropos0\atlw.dll
    %temp%\~apropos0\CxtPls.exe
    %temp%\~apropos0\ph.exe
    %temp%\~apropos0\pm.exe
    %temp%\~apropos0\setup.inf
    %ProgramFiles%\CxtPls\
    %ProgramFiles%\CxtPls\ace.dll
    %ProgramFiles%\CxtPls\atl.dll
    %ProgramFiles%\CxtPls\AI_<date>.log
    %ProgramFiles%\CxtPls\CxtPls.dll
    %ProgramFiles%\CxtPls\CxtPls.exe
    %ProgramFiles%\CxtPls\data.bin
    %ProgramFiles%\CxtPls\libexpat.dll
    %ProgramFiles%\CxtPls\ProxyStub.dll
    %ProgramFiles%\CxtPls\uninstaller.exe
    %ProgramFiles%\CxtPls\WinGenerics.dll
    <system folder>\jgdatcha.exe
    <system folder>\shltedit.exe
    <system folder>\sxlntr.exe
    AutoUpdater.exe
    HookDll.dll
    install_ct.exe
    npf.sys
    SysAI.exe
    uninstaller.exe
  • The presence of the following registry modifications:
    Adds value: "5stg3tX"
    With data: "shltedit.exe"
    To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
     
    Adds value: "hdloker"
    With data: "<system folder>\sxlntr.exe"
    To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
     
    Adds value: "AutoLoaderAproposClient"
    With data: "<system folder>\Cxtpls_loader.exe"
    To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
     
    Adds value: "hdloker"
    With data: "<system folder>\sxlntr.exe"
    To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
     
    Adds value: "load"
    With data: "<system folder>\sxlntr.exe"
    To subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows
     
    Modifies value: "shell"
    From data: "explorer.exe"
    To data: "explorer.exe <system folder>\sxlntr.exe"
    In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  • The presence of the following subkeys:
    HKCR\CLSID\{016235BE-59D4-4CEB-ADD5-E2378282A1D9}
    HKCR\CLSID\{6200BDDD-11D4-07C0-1A8F-500A15C9973}
    HKCR\CLSID\{B5AB638F-D76C-415B-A8F2-F3CEAC502212}
    HKCR\CLSID\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA}
    HKCR\Interface\{B548B7D8-3D03-4AED-A6A1-4251FAD00C10}
    HKCR\Interface\{B99A727F-0782-4A71-BCC2-6E1E66414904}
    HKCR\Interface\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA}
    HKLM\SOFTWARE\Classes\CLSID\{6200BDDD-11D4-07C0-1A8F-500A15C9973}
    HKLM\SOFTWARE\Classes\CLSID\{65D557EB-146A-2B46-36A7-8D6CB48FF4F}
    HKLM\SOFTWARE\Classes\CLSID\{B5AB638F-D76C-415B-A8F2-F3CEAC502212}
    HKLM\SOFTWARE\Classes\Interface\{B548B7D8-3D03-4AED-A6A1-4251FAD00C10}
    HKLM\SOFTWARE\Classes\Interface\{B99A727F-0782-4A71-BCC2-6E1E66414904}
    HKLM\SOFTWARE\Classes\Interface\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA}
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{016235BE-59D4-4CEB-ADD5-E2378282A1D9}
    HKLM\SOFTWARE\Apropos\Client
    HKLM\SOFTWARE\Envolo\AutoUpdate
    HKLM\SOFTWARE\AutoLoader\5F261ZKKdbac
  • When surfing the Internet, your computer becomes very slow.

Alert level: Severe
First detected by definition: 1.61.226.0
Latest detected by definition: 1.185.3495.0 and higher
First detected on: Jun 23, 2009
This entry was first published on: Feb 18, 2010
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • Win-Trojan/Apropo.192512 (AhnLab)
  • W32/Apropo.R@dl (Command)
  • Trojan-Downloader.Win32.Apropo.ab (Kaspersky)
  • Trojan.DL.Apropo.L (VirusBuster)
  • TR/Dldr.Apropo.AB (Avira)
  • Trojan.AproposAd (Dr.Web)
  • Win32/TrojanDownloader.Apropo.AB (ESET)
  • W32/Apropo.R@dl (Frisk (F-Prot))
  • Virus.Win32.Porad.a (Ikarus)
  • Win32.Troj.Apropo.ab.40950 (Kingsoft)
  • Adware-Apropos (McAfee)
  • Spyware/Apropos (Panda)
  • Trojan.Win32.Apropo (Sunbelt Software)
  • Spyware.Apropos (Symantec)
  • ADW_APROPOS.O (Trend Micro)