
Audit: PUA.Downloader Activity 5

Severity: Low

This attack poses a minor threat. Corrective action may not be possible or is not required.

Description

This signature detects network traffic generated by WinterSoftInstaller, which could lead to further infection of the affected system.

Additional Information

When the program is installed, it creates the following files:
%ProgramFiles%\EZDownloader\EZDownloader.Core.dll
%ProgramFiles%\EZDownloader\EZDownloader.exe
%ProgramFiles%\EZDownloader\EZDownloader.exe.config
%ProgramFiles%\EZDownloader\EZDownloader.Extension.dll
%ProgramFiles%\EZDownloader\EZDownloader.Spider.dll
%ProgramFiles%\EZDownloader\ICSharpCode.SharpZipLib.dll
%ProgramFiles%\EZDownloader\Interop.SHDocVw.dll
%ProgramFiles%\EZDownloader\TabStrip.dll
%ProgramFiles%\EZDownloader\unins000.dat
%ProgramFiles%\EZDownloader\unins000.exe
%ProgramFiles%\SearchNewTab\GqrqgA4zqE.dat
%ProgramFiles%\SearchNewTab\GqrqgA4zqE.dll
%ProgramFiles%\SearchNewTab\GqrqgA4zqE.tlb
%ProgramFiles%\SearchNewTab\GqrqgA4zqE.x64.dll
%ProgramFiles%\Sk-Enhancer\psupport.dll
%ProgramFiles%\Sk-Enhancer\uninstall.exe
%ProgramFiles%\surf aand! keep\kbHO1t.dat
%ProgramFiles%\surf aand! keep\kbHO1t.dll
%ProgramFiles%\surf aand! keep\kbHO1t.tlb
%ProgramFiles%\surf aand! keep\kbHO1t.x64.dll
%ProgramFiles%\WebSearch\sprotector.dll
%ProgramFiles%\WebSearch\uninstall.exe
%ProgramFiles%\YoutubeAdblocker\mU.dat
%ProgramFiles%\YoutubeAdblocker\mU.dll
%ProgramFiles%\YoutubeAdblocker\mU.tlb
%ProgramFiles%\YoutubeAdblocker\mU.x64.dll

The program creates the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\and!
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Kueepp
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Kueepp\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Kueepp\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Kueepp.2.19
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Kueepp.2.19\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Kueepp.sourff
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SearchNewTab.SearchNewTab
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SearchNewTab.SearchNewTab\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SearchNewTab.SearchNewTab\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SearchNewTab.SearchNewTab.1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SearchNewTab.SearchNewTab.1.0\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\sourff
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker.1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker.1.0\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1458DCF5-1B5F-66D7-95A3-E3D6D06D9023}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4BFC4F9E-AE60-6098-6AD8-44F45107A1C0}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ECDEC2C8-F1B1-80C6-0D5A-64BA9C37FC13}
HKEY_LOCAL_MACHINE\SOFTWARE\Sk-Enhancer
HKEY_LOCAL_MACHINE\SOFTWARE\Sk-Enhancer\1943217956
HKEY_LOCAL_MACHINE\SOFTWARE\Sk-Enhancer\1943217956\NP6yu5+tnZZH0OQIKE1/gD3hJMqT/
HKEY_LOCAL_MACHINE\SOFTWARE\SP Global
HKEY_LOCAL_MACHINE\SOFTWARE\SProtector
HKEY_LOCAL_MACHINE\SOFTWARE\SProtector\info
HKEY_LOCAL_MACHINE\SOFTWARE\SProtector\_b0285714
HKEY_LOCAL_MACHINE\SOFTWARE\SProtector\_b0285714\0caebbe2
HKEY_LOCAL_MACHINE\SOFTWARE\SProtector\_b0285714\2038a74d
HKEY_LOCAL_MACHINE\SOFTWARE\SProtector\_b0285714\7fe0f877
HKEY_LOCAL_MACHINE\SOFTWARE\SProtector\_b0285714\eae10f9d
HKEY_LOCAL_MACHINE\SOFTWARE\SProtector\_d5615630
HKEY_LOCAL_MACHINE\SOFTWARE\SProtector\_d5615630\eae10f9d
HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\Software\Microsoft\Internet Explorer\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}
HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration
HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{ECDEC2C8-F1B1-80C6-0D5A-64BA9C37FC13}
HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\0\3\0\1\0\0
HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\Software\Microsoft\Windows\ShellNoRoam\Bags\18
HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\Software\Microsoft\Windows\ShellNoRoam\Bags\18\Shell
HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\Software\AppDataLow
HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\Software\AppDataLow\SProtector
HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\Software\AppDataLow\SProtector\_b0285714
HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\Software\AppDataLow\SProtector\_b0285714\0caebbe2
HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\Software\AppDataLow\SProtector\_b0285714\2038a74d
HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\Software\AppDataLow\SProtector\_b0285714\7fe0f877
HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\Software\AppDataLow\SProtector\_b0285714\eae10f9d
HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\Software\AppDataLow\SProtector\_d5615630
HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\Software\AppDataLow\SProtector\_d5615630\eae10f9d

The program modifies the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page:
http://websearch.search-guide.info/?pid=711

The program then installs software without full user consent, including the following:
EZDownloader
SearchNewTab
SeUrf and keePa
SK-Enhancer
WebSearch
YoutubeAdblocker
SProtector

There is no visible presence of the programs after installation is complete.

After installation, the browser homepage and default search engine may be changed.
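The file paths, registry keys and Start Page value listed above can be turned into a host triage check. The following PowerShell script is an added example, not Symantec's code or any tool described on the page; it tests a Windows host for the program directories, the Classes/SProtector/Sk-Enhancer keys, the three Browser Helper Object CLSIDs, the SearchScopes GUID and the modified Internet Explorer Start Page. Two assumptions are not stated on the page and are marked as such in the code: 32-bit installers may also land under "Program Files (x86)" and register BHOs under Wow6432Node, and HKCU is used in place of the sandbox-specific user SID (S-1-5-21-...-500) that appears in the registry list.

```powershell
# Added host-triage script (not Symantec's code). Run from an elevated PowerShell
# prompt; it reports which PUA.Downloader artifacts from the signature page exist.

# Program directories listed on the page (under %ProgramFiles%).
$programDirNames = @(
    'EZDownloader', 'SearchNewTab', 'Sk-Enhancer',
    'surf aand! keep', 'WebSearch', 'YoutubeAdblocker'
)

# Assumption (not on the page): on 64-bit Windows a 32-bit installer usually
# writes to "Program Files (x86)", so both roots are checked.
$programRoots = @($env:ProgramFiles)
if (${env:ProgramFiles(x86)}) { $programRoots += ${env:ProgramFiles(x86)} }

# BHO CLSIDs and SearchScopes GUID copied from the registry list on the page.
$bhoClsids = @(
    '{1458DCF5-1B5F-66D7-95A3-E3D6D06D9023}',
    '{4BFC4F9E-AE60-6098-6AD8-44F45107A1C0}',
    '{ECDEC2C8-F1B1-80C6-0D5A-64BA9C37FC13}'
)
$searchScope = '{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}'

$registryArtifacts = @(
    'HKLM:\SOFTWARE\Classes\and!',
    'HKLM:\SOFTWARE\Classes\Kueepp',
    'HKLM:\SOFTWARE\Classes\sourff',
    'HKLM:\SOFTWARE\Classes\SearchNewTab.SearchNewTab',
    'HKLM:\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker',
    'HKLM:\SOFTWARE\Sk-Enhancer',
    'HKLM:\SOFTWARE\SP Global',
    'HKLM:\SOFTWARE\SProtector',
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\$searchScope",
    # The page lists the per-user keys under a sandbox-specific SID; HKCU
    # covers the logged-on user on a real host (assumption).
    'HKCU:\Software\AppDataLow\SProtector',
    "HKCU:\Software\Microsoft\Internet Explorer\SearchScopes\$searchScope",
    'HKCU:\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{ECDEC2C8-F1B1-80C6-0D5A-64BA9C37FC13}'
)
foreach ($clsid in $bhoClsids) {
    $registryArtifacts += "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$clsid"
    # Assumption (not on the page): 32-bit BHOs on 64-bit Windows register under Wow6432Node.
    $registryArtifacts += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$clsid"
}

function Find-PuaDownloaderArtifacts {
    $hits = @()

    # Program directories: -LiteralPath so "surf aand! keep" is not parsed as a wildcard.
    foreach ($root in $programRoots) {
        foreach ($name in $programDirNames) {
            $dir = Join-Path $root $name
            if (Test-Path -LiteralPath $dir) {
                $hits += [pscustomobject]@{ Type = 'Directory'; Artifact = $dir }
            }
        }
    }

    # Registry keys created by the installer.
    foreach ($key in $registryArtifacts) {
        if (Test-Path -LiteralPath $key) {
            $hits += [pscustomobject]@{ Type = 'RegistryKey'; Artifact = $key }
        }
    }

    # Start Page modification: the page states it is set to
    # http://websearch.search-guide.info/?pid=711 under HKLM; HKCU is checked as well.
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $mainKey = "$hive\SOFTWARE\Microsoft\Internet Explorer\Main"
        $startPage = (Get-ItemProperty -LiteralPath $mainKey -Name 'Start Page' -ErrorAction SilentlyContinue).'Start Page'
        if ($startPage -and $startPage -match 'search-guide\.info') {
            $hits += [pscustomobject]@{ Type = 'StartPage'; Artifact = "$mainKey\Start Page = $startPage" }
        }
    }

    return $hits
}

$results = @(Find-PuaDownloaderArtifacts)
if ($results.Count -eq 0) {
    Write-Output 'No PUA.Downloader artifacts from the signature page were found on this host.'
} else {
    $results | Format-Table -AutoSize
}
```

A hit on any directory or registry key is a strong indicator the bundle ran, since the names are unusual; the Start Page check on its own is weaker because the same search-guide.info value could be set by other bundlers, so treat it as corroborating evidence rather than a standalone detection.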

Affected

  • Windows
  • Twitter
  • Facebook
  • LinkedIn
  • Google+
  • YouTube