Installation
This threat can create the following files on your PC:
The <application name> is usually related to discounts, sales, or advertisement blocking. For example, we have seen this threat use the following application names:
- AllSaver
- CutThePrice
- PriceChop
- SaverExtension
- UniSales
- YouTubeAdBlocker
It can also use misspelled versions of the above names, for example AlllSSavEr or SaverExtEonsiioon. We have also seen random application names, or names that imitate legitimate applications, such as:
- 8y1ONHho1IokJE
- Attachment Icons for Gmail
- dnwbF9wuEopox8
- Enforceware
- LiveWire
- WebTop Quick login tool
We have seen this threat create the following registry entries:
In subkey: HKCU\Software\WebApp\Styles
Sets value: MaxScriptStatements
With data: dword:ffffffff
In subkey: HKCU\Software\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}
Sets value: (Default)
With data: "ITinyJSObject"
In subkey: HKCU\Software\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ProxyStubClsid32
Sets value: (Default)
With data: "{00020424-0000-0000-C000-000000000046}"
In subkey: HKCU\Software\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib
Sets value: (Default)
With data: "{157B1AA6-3E5C-404A-9118-C1D91F537040}"
In subkey: HKCU\Software\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib
Sets value: Version
With data: "1.0"
In subkey: HKCU\Software\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0
Sets value: (Default)
With data: "JSIELib"
In subkey: HKCU\Software\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\0\win32
Sets value: (Default)
With data: "%TEMP%\<random name>\temp\<malware name>.exe", for example "%TEMP%\E8aC3A04e199\temp\sound forge Audio studio 10.0 keygen.exe"
In subkey: HKCU\Software\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\FLAGS
Sets value: (Default)
With data: "0"
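As an added example (not part of this threat description), the following Python script scans an exported HKCU registry file for the footprint listed above: the ITinyJSObject interface GUID, the JSIELib type library GUID (and whether its win32 entry points into a Temp directory), and the MaxScriptStatements value. It assumes the input is the text produced by "reg export HKCU"; the embedded sample export is constructed, with the Temp path following the example given in the entry.

```python
# Indicators taken from the registry entries listed above.
INTERFACE_GUID = "{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}"
TYPELIB_GUID = "{157B1AA6-3E5C-404A-9118-C1D91F537040}"
# Constructed sample of a "reg export HKCU" file; the Temp path follows the
# example given in the entry. Only the last key is benign.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\WebApp\Styles]
"MaxScriptStatements"=dword:ffffffff
[HKEY_CURRENT_USER\Software\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}]
@="ITinyJSObject"
[HKEY_CURRENT_USER\Software\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\0\win32]
@="C:\\Users\\user\\AppData\\Local\\Temp\\E8aC3A04e199\\temp\\sound forge Audio studio 10.0 keygen.exe"
[HKEY_CURRENT_USER\Software\Example\Benign]
"Setting"="1"
"""

def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: data}} (no hex(...) continuation lines)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line and not line.startswith(";"):
            name, data = line.split("=", 1)
            name = "(Default)" if name == "@" else name.strip('"')
            keys[current][name] = data.strip('"').replace("\\\\", "\\")  # un-escape \\ in strings
    return keys

def find_indicators(keys):
    """Return (key, reason) pairs matching the registry footprint described above."""
    hits = []
    for key, values in keys.items():
        low = key.lower()
        if INTERFACE_GUID.lower() in low:
            hits.append((key, "ITinyJSObject interface registration"))
        elif TYPELIB_GUID.lower() in low:
            hits.append((key, "JSIELib type library registration"))
            # The ...\1.0\0\win32 default value names the dropped executable under %TEMP%.
            if low.endswith(r"\0\win32") and "\\temp\\" in values.get("(Default)", "").lower():
                hits.append((key, "type library served from a Temp directory"))
        elif low.endswith(r"software\webapp\styles") and \
                values.get("MaxScriptStatements", "").lower() == "dword:ffffffff":
            hits.append((key, "MaxScriptStatements set to 0xffffffff"))
    return hits

def scan_reg_export(text):
    return find_indicators(parse_reg_export(text))
```

Run it against a real export with `scan_reg_export(open("hkcu.reg", encoding="utf-16").read())`; regedit writes exports as UTF-16.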
It creates the following scheduled task to run a copy of the malware:
Alternatively, it can add the following startup link:
Behavior
Shows you online advertisements
This threat can inject additional advertisements into your web search results, for example:
In Bing:
In Google:
It can also show you extra advertisements as you browse the web, for example: