Trojan:Win32/MotePro may display advertisement pop-ups and download programs from predefined Web sites. When installed, Win32/MotePro runs as a Web Browser Helper Object (BHO). Win32/MotePro may be installed by other programs.
Installation
When installed, Win32/MotePro may exist as the following file:
<system folder>\promote.dll
The registry is modified to run Win32/MotePro at each Windows start.
Adds value: @
With data: "Promote Class"
To subkey: HKEY_CLASSES_ROOT\PromoteDemo.Promote
Adds value: @
With data: "{0FA24E3E-422C-4D94-A125-104F32352C90}"
To subkey: HKEY_CLASSES_ROOT\PromoteDemo.Promote\CLSID
Adds value: @
With data: "PromoteDemo.Promote.1"
To subkey: HKEY_CLASSES_ROOT\PromoteDemo.Promote\CurVer
Adds value: @
With data: "Promote Class"
To subkey: HKEY_CLASSES_ROOT\PromoteDemo.Promote.1
Adds value: @
With data: "{0FA24E3E-422C-4D94-A125-104F32352C90}"
To subkey: HKEY_CLASSES_ROOT\PromoteDemo.Promote.1\CLSID
Adds value: @
With data: "Promote Class"
To subkey: HKEY_CLASSES_ROOT\CLSID\{0FA24E3E-422C-4D94-A125-104F32352C90}
Adds value: @
With data: promote.dll
To subkey: HKEY_CLASSES_ROOT\CLSID\{0FA24E3E-422C-4D94-A125-104F32352C90}\InprocServer32
Adds value: @
With data: "PromoteDemo.Promote.1"
To subkey: HKEY_CLASSES_ROOT\CLSID\{0FA24E3E-422C-4D94-A125-104F32352C90}\ProgID
Adds value: @
With data: "{24DBFE5E-3A0D-4891-998C-FB99832D46EE}"
To subkey: HKEY_CLASSES_ROOT\CLSID\{0FA24E3E-422C-4D94-A125-104F32352C90}\TypeLib
Adds value: @
With data: "PromoteDemo.Promote"
To subkey: HKEY_CLASSES_ROOT\CLSID\{0FA24E3E-422C-4D94-A125-104F32352C90}\VersionIndependentProgID
Adds value: @
With data: "IPromote"
To subkey: HKEY_CLASSES_ROOT\Interface\{39A0428F-85F6-4295-85CB-9F6E129F26B5}
Adds value: @
With data: "{00020424-0000-0000-C000-000000000046}"
To subkey: HKEY_CLASSES_ROOT\Interface\{39A0428F-85F6-4295-85CB-9F6E129F26B5}\ProxyStubClsid
Adds value: @
With data: "{00020424-0000-0000-C000-000000000046}"
To subkey: HKEY_CLASSES_ROOT\Interface\{39A0428F-85F6-4295-85CB-9F6E129F26B5}\ProxyStubClsid32
Adds value: @
With data: "{24DBFE5E-3A0D-4891-998C-FB99832D46EE}"
To subkey: HKEY_CLASSES_ROOT\Interface\{39A0428F-85F6-4295-85CB-9F6E129F26B5}\TypeLib
Adds value: Version
With data: "1.0"
To subkey: HKEY_CLASSES_ROOT\Interface\{39A0428F-85F6-4295-85CB-9F6E129F26B5}\TypeLib
Adds value: @
With data: "PromoteDemo 1.0 Type Library"
To subkey: HKEY_CLASSES_ROOT\TypeLib\{24DBFE5E-3A0D-4891-998C-FB99832D46EE}\1.0
Adds value: @
With data: promote.dll
To subkey: HKEY_CLASSES_ROOT\TypeLib\{24DBFE5E-3A0D-4891-998C-FB99832D46EE}\1.0\0\win32
Adds value: @
With data: "0"
To subkey: HKEY_CLASSES_ROOT\TypeLib\{24DBFE5E-3A0D-4891-998C-FB99832D46EE}\1.0\FLAGS
Adds value: @
With data: <system folder>
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PromoteDemo.Promote
Adds value: @
With data: "Promote Class"
To subkey: HKEY_CLASSES_ROOT\TypeLib\{24DBFE5E-3A0D-4891-998C-FB99832D46EE}\1.0\HELPDIR
Adds value: @
With data: "{0FA24E3E-422C-4D94-A125-104F32352C90}"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PromoteDemo.Promote\CLSID
Adds value: @
With data: "PromoteDemo.Promote.1"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PromoteDemo.Promote\CurVer
Adds value: @
With data: "Promote Class"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PromoteDemo.Promote.1
Adds value: @
With data: "{0FA24E3E-422C-4D94-A125-104F32352C90}"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PromoteDemo.Promote.1\CLSID
Adds value: @
With data: "Promote Class"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0FA24E3E-422C-4D94-A125-104F32352C90}
Adds value: @
With data: promote.dll
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0FA24E3E-422C-4D94-A125-104F32352C90}\InprocServer32
Adds value: @
With data: "PromoteDemo.Promote.1"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0FA24E3E-422C-4D94-A125-104F32352C90}\ProgID
Adds value: @
With data: "{24DBFE5E-3A0D-4891-998C-FB99832D46EE}"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0FA24E3E-422C-4D94-A125-104F32352C90}\TypeLib
Adds value: @
With data: "PromoteDemo.Promote"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0FA24E3E-422C-4D94-A125-104F32352C90}\VersionIndependentProgID
Adds value: @
With data: "IPromote"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{39A0428F-85F6-4295-85CB-9F6E129F26B5}
Adds value: @
With data: "{00020424-0000-0000-C000-000000000046}"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{39A0428F-85F6-4295-85CB-9F6E129F26B5}\ProxyStubClsid
Adds value: @
With data: "{00020424-0000-0000-C000-000000000046}"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{39A0428F-85F6-4295-85CB-9F6E129F26B5}\ProxyStubClsid32
Adds value: @
With data: "{24DBFE5E-3A0D-4891-998C-FB99832D46EE}"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{39A0428F-85F6-4295-85CB-9F6E129F26B5}\TypeLib
Adds value: Version
With data: "1.0"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{39A0428F-85F6-4295-85CB-9F6E129F26B5}\TypeLib
Adds value: @
With data: "PromoteDemo 1.0 Type Library"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{24DBFE5E-3A0D-4891-998C-FB99832D46EE}\1.0
Adds value: @
With data: promote.dll
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{24DBFE5E-3A0D-4891-998C-FB99832D46EE}\1.0\0\win32
Adds value: @
With data: "0"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{24DBFE5E-3A0D-4891-998C-FB99832D46EE}\1.0\FLAGS
Adds value: @
With data: "<system folder>"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{24DBFE5E-3A0D-4891-998C-FB99832D46EE}\1.0\HELPDIR
Adds value: {0FA24E3E-422C-4D94-A125-104F32352C90}
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
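The BHO registration above is what Internet Explorer consults to load the DLL, so a triage check is to enumerate the Browser Helper Objects key, resolve each CLSID through its InprocServer32 registration, and compare the result against the CLSID and file name listed here. The Python below does this over a `.reg` export; it is an added example, not part of the Microsoft entry, and the sample export text, the DLL path and the second BHO CLSID are constructed.

```python
# Added example (not from the Microsoft entry): parse a .reg export and audit BHOs.
KNOWN_CLSID = "{0FA24E3E-422C-4D94-A125-104F32352C90}"   # CLSID listed in the entry
KNOWN_DLL = "promote.dll"                                 # file name listed in the entry
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
CLSID_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID"

# Constructed sample of a `reg export` dump; the DLL path and the second BHO are assumptions.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0FA24E3E-422C-4D94-A125-104F32352C90}]
@="Promote Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0FA24E3E-422C-4D94-A125-104F32352C90}\InprocServer32]
@="C:\\Windows\\System32\\promote.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0FA24E3E-422C-4D94-A125-104F32352C90}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAAAAAA-0000-0000-0000-000000000001}]
'''

def parse_reg(text):
    """Map each key path (lower-cased) in a .reg export to its default (@) value, or None."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            entries.setdefault(current, None)
        elif current is not None and line.startswith('@="') and line.endswith('"'):
            entries[current] = line[3:-1].replace("\\\\", "\\")  # undo .reg backslash escaping
    return entries

def audit_bhos(entries):
    """Resolve each registered BHO to its InprocServer32 DLL and flag the MotePro indicators."""
    prefix = BHO_KEY.lower() + "\\"
    findings = []
    for key in entries:
        if not key.startswith(prefix):
            continue
        clsid = key[len(prefix):].upper()
        dll = entries.get(f"{CLSID_ROOT.lower()}\\{clsid.lower()}\\inprocserver32")
        findings.append({
            "clsid": clsid,
            "dll": dll,
            "orphan": dll is None,  # BHO listed but no COM server: stale or tampered registration
            "suspect": clsid == KNOWN_CLSID or (dll or "").lower().endswith(KNOWN_DLL),
        })
    return findings

if __name__ == "__main__":
    for finding in audit_bhos(parse_reg(SAMPLE_REG)):
        print(finding)
```

On a live system the same logic applies to an export taken with `reg export HKLM hklm.reg`; the export is UTF-16 with CRLF line endings, so open it with that encoding before passing the text in.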
Payload
Displays Pop-Up Advertisements
Win32/MotePro may display pop-up advertisements while browsing Internet Web pages.
Downloads and Executes Arbitrary Files
Win32/MotePro may attempt to download files from other sites, such as the following:
<Web site.com>/internet/index.php
<Web site.com>/bbs/inter/test.php
Analysis by Francis Allan Tan Seng