Threat behavior
Dialer:Win32/MoneyTree is the detection for software that searches local disks for adult content. The software may also install programs that display pop-up advertisements, and may install other unwanted software, including a BHO (Browser Helper Object).
Dialer:Win32/MoneyTree may be installed without the user's consent, and may create registry entries that cause programs to run automatically each time Windows starts.
Installation
Dialer:Win32/MoneyTree may arrive on the system as a DLL file bundled inside a CAB file.
Once executed, it adds the following registry keys and entries for its BHO component:
Adds value: "@"
With data: "MultiDist"
To subkeys:
- HKCR\MULTIDIST.MultiDistCtrl.1
- HKLM\SOFTWARE\Classes\MULTIDIST.MultiDistCtrl.1
Adds value: "@"
With data: "{FC87A650-207D-4392-A6A1-82ADBC56FA64}"
To subkeys:
- HKCR\MULTIDIST.MultiDistCtrl.1\CLSID
- HKLM\SOFTWARE\Classes\MULTIDIST.MultiDistCtrl.1\CLSID
Adds subkeys:
- HKCR\CLSID\{BF279130-3F58-4E26-8043-CD5688A4D4C9}
- HKCR\CLSID\{FC87A650-207D-4392-A6A1-82ADBC56FA64}
- HKCR\Interface\{563E5DF0-2C1C-4513-BBF5-D380536BB8FC}
- HKCR\Interface\{F332D106-2EF3-45C4-BAF2-0F739D76B26A}
- HKCR\TypeLib\{11B6F65D-7B8D-43CB-9AAE-17234A1DB33A}\1.0
- HKLM\SOFTWARE\Classes\CLSID\{BF279130-3F58-4E26-8043-CD5688A4D4C9}
- HKLM\SOFTWARE\Classes\CLSID\{FC87A650-207D-4392-A6A1-82ADBC56FA64}
- HKLM\SOFTWARE\Classes\Interface\{563E5DF0-2C1C-4513-BBF5-D380536BB8FC}
- HKLM\SOFTWARE\Classes\Interface\{F332D106-2EF3-45C4-BAF2-0F739D76B26A}
- HKLM\SOFTWARE\Classes\TypeLib\{11B6F65D-7B8D-43CB-9AAE-17234A1DB33A}\1.0
It may also create the following registry key:
HKLM\Software\FCI\DyFuCA
Connects to Web sites
Dialer:Win32/MoneyTree may connect to the following Web sites, presumably to retrieve the advertisements it displays or to download other unwanted programs:
- cab.avenuemedia.com
- xbs.cocktailcash.com
- xbs.climaxbucks.com
- xbs.mtree.com
- xbs.nyc.mtree.com
- xbs.pao.mtree.com
- xbs.mtreexxx.nl
It may attempt to locate adult content on local disks by searching for the following strings:
- *.sextracker.com
- *.mtree.com
- *.active-alert-server.com
- *.internet-optimizer.com
- *.avenuemedia.com
- *.cocktailcash.com
- *.climaxbucks.com
If any of the above strings is present, it may download other components, saved as the file 'stmtdlr.exe' in the following path:
%ProgramFiles%\Dialers\<dialer name>
where <dialer name> is a name specified by Dialer:Win32/MoneyTree.
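The registry keys, GUIDs, domains and drop path listed in the Installation and Connects to Web sites sections can be checked on a suspect host in one pass. The following PowerShell triage script is an added example, not Microsoft's code and not part of this entry. The indicators it tests come from the entry; the Browser Helper Objects registration key, the Run-key autostart check and the DNS client cache check are assumptions added here (the entry says a BHO and autostart entries are installed but does not name those keys). Run it from an elevated prompt.

```powershell
# Added example: triage a host for the Dialer:Win32/MoneyTree indicators in this entry.
# Not Microsoft's code. Indicators marked "assumed" are not listed in the entry.

$clsids = @(
    '{BF279130-3F58-4E26-8043-CD5688A4D4C9}',
    '{FC87A650-207D-4392-A6A1-82ADBC56FA64}'
)
$interfaces = @(
    '{563E5DF0-2C1C-4513-BBF5-D380536BB8FC}',
    '{F332D106-2EF3-45C4-BAF2-0F739D76B26A}'
)
$typelib = '{11B6F65D-7B8D-43CB-9AAE-17234A1DB33A}'
$domains = @(
    'cab.avenuemedia.com', 'xbs.cocktailcash.com', 'xbs.climaxbucks.com',
    'xbs.mtree.com', 'xbs.nyc.mtree.com', 'xbs.pao.mtree.com', 'xbs.mtreexxx.nl'
)

# Registry paths the entry says the dialer creates (HKCR and the HKLM\Classes mirror).
$regPaths = @(
    'Registry::HKEY_CLASSES_ROOT\MULTIDIST.MultiDistCtrl.1',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MULTIDIST.MultiDistCtrl.1',
    'Registry::HKEY_LOCAL_MACHINE\Software\FCI\DyFuCA'
)
foreach ($root in 'HKEY_CLASSES_ROOT', 'HKEY_LOCAL_MACHINE\SOFTWARE\Classes') {
    foreach ($c in $clsids)     { $regPaths += "Registry::$root\CLSID\$c" }
    foreach ($i in $interfaces) { $regPaths += "Registry::$root\Interface\$i" }
    $regPaths += "Registry::$root\TypeLib\$typelib\1.0"
}
# Assumed: a BHO is normally registered under this key; the entry does not list it.
foreach ($c in $clsids) {
    $regPaths += "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$c"
}

$findings = @()
foreach ($p in $regPaths) {
    if (Test-Path -LiteralPath $p) {
        $findings += [pscustomobject]@{ Type = 'Registry'; Indicator = $p }
    }
}

# Confirm the ProgID's CLSID subkey carries the value the entry lists, not just that it exists.
$progId = 'Registry::HKEY_CLASSES_ROOT\MULTIDIST.MultiDistCtrl.1'
if (Test-Path -LiteralPath "$progId\CLSID") {
    $val = (Get-ItemProperty -LiteralPath "$progId\CLSID").'(default)'
    if ($val -eq '{FC87A650-207D-4392-A6A1-82ADBC56FA64}') {
        $findings += [pscustomobject]@{ Type = 'ProgID->CLSID'; Indicator = "$progId\CLSID = $val" }
    }
}

# Dropped component: %ProgramFiles%\Dialers\<dialer name>\stmtdlr.exe. The folder name is
# chosen by the dialer, so search recursively and hash anything found for later matching.
$dialerRoot = Join-Path $env:ProgramFiles 'Dialers'
if (Test-Path -LiteralPath $dialerRoot) {
    Get-ChildItem -Path $dialerRoot -Recurse -Filter 'stmtdlr.exe' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $h = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            $findings += [pscustomobject]@{ Type = 'File'; Indicator = "$($_.FullName) sha256=$h" }
        }
}

# Assumed: the autostart entries the entry mentions are not named, so flag any
# Run value that points into the Dialers folder.
foreach ($run in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
    if (Test-Path -LiteralPath $run) {
        (Get-ItemProperty -LiteralPath $run).PSObject.Properties |
            Where-Object { $_.Value -is [string] -and $_.Value -like '*\Dialers\*' } |
            ForEach-Object {
                $findings += [pscustomobject]@{ Type = 'Autostart'; Indicator = "$run\$($_.Name) = $($_.Value)" }
            }
    }
}

# Assumed: recent resolutions of the listed domains still in the DNS client cache
# (Get-DnsClientCache is available on Windows 8 / Server 2012 and later).
if (Get-Command Get-DnsClientCache -ErrorAction SilentlyContinue) {
    Get-DnsClientCache -ErrorAction SilentlyContinue |
        Where-Object { $domains -contains $_.Entry.ToLower() } |
        ForEach-Object {
            $findings += [pscustomobject]@{ Type = 'DNS'; Indicator = $_.Entry }
        }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Dialer:Win32/MoneyTree indicators found.'
} else {
    $findings | Format-Table -AutoSize
}
```

The DNS cache check only catches lookups that have not yet expired, so on a long-running host pair it with proxy or DNS server logs for the same seven names. A hit on the registry or file indicators alone is enough to treat the host as infected; the ProgID-to-CLSID value check guards against a false positive from an unrelated component that happens to reuse the MULTIDIST ProgID name.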
Analysis by Francis Allan Tan Seng
Prevention