Adware.Pinball Corporation

by Atlantis on April 17th, 2012 in Malware Descriptions.

Detect: Adware.Pinball Corporation
Platform: Win32
Type: Adware
Size: 207544 bytes
Packer: UPX
Unpacked size: 449 KB
Language: C++
md5: 8C09805A8EB78C9917BDDEDCF7F45D62
sha1: 21ABC57D515487595CA17E63CCD98C096D86C52F

Summary

This is advertising software designed to redirect the user's web requests to other web resources.


Technical Details

Installation


The malicious program is a loader for a legitimate software installer, the Xvid codec pack (http://www.xvid.org/). However, it does not merely download the Xvid installer: it also installs components that track the search queries the user enters in the browser address bar.

Once launched, the malicious software gathers the following information about the infected system:

  • IP address
  • Windows Product ID, read from the following registry value:

[HKLM\Software\Microsoft\Windows\CurrentVersion]

"ProductId"

  • Hard disk serial number
  • Computer name
  • User name
  • OS version

The gathered information is then sent to one of the following servers:

cfgi.clickpotato.tv

tei.clickpotato.tv

Afterwards, an updated version of the malicious software is downloaded from the server and saved in the current user's temporary folder as:

%Temp%\upg<random 2 digit number>.tmp

At the time this description was written, the downloaded file was 247992 bytes in size:

MD5: 0A178810DA75AD313CA1BA580BD0E8EC, SHA1: 7EB1BCDADC076600D87E3A1C9C08A799135EBC42.

Once the file is successfully downloaded, it is launched for execution. The downloaded file extracts the following file from its body:

%Temp%\_te<number>.exe (94208 bytes)

That file in turn extracts the VBScript

%Temp%\stb<number>.tmp\stub.vbe (6018 bytes)

and launches it for execution using the "wscript.exe" Windows process.

The launched script downloads a file from the URL:

http://livefix.beatboxtriangle.com/install.aspx?b=basicscan&d=livefix

and saves it as:

%Temp%\stb<number>.tmp\setup.exe

At the time this description was written, the downloaded file was 1021851 bytes in size:

MD5: 4FFFDB83E1D4A7B47FF0BF7B7CC74B78, SHA1: 557962B90B8BC60D6E8F470864AFAAFAAC973084.

Then the script launches the downloaded file.

Once launched, "setup.exe" extracts from its body the components that implement the basic functions of the malicious program:

%Program Files%\BasicScan\basicscan.dll (888832 bytes)

%Program Files%\BasicScan\basicscan.exe (23040 bytes)

%Program Files%\BasicScan\uninstall.exe (80700 bytes)

%Temp%\nsc<number>.tmp\System.dll (10240 bytes)

%Temp%\nsx<number>.tmp\basicscan.dll (888832 bytes)

%Temp%\nsx<number>.tmp\uninstall.exe (80700 bytes)

%Temp%\nsx<number>.tmp\basicscan.exe (23040 bytes)

%APPDATA%\BasicScan\basicscan<random 3 digit number>.exe (23040 bytes)

The following registry keys are added:

[HKLM\Software\BasicScan]

"TempInstallDir" = "%Program Files%\BasicScan"

"Primary" = "13017"

"DllPath" = "%Program Files%\BasicScan\basicscan.dll"

"Version" = "65550"

"Cid" = "7912dcecb5094c979b2fea8524a265d9"

"Partner" = "BscscnPB"

"Src" = "basicscan"

"Initial" = "1"

"ShowToolbarButton" = "0"

"ShowBarSign" = "0"

"FXInstalled" = "1"

 

[HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\BasicScan]

"DisplayName" = "BasicScan 1.0 build 114"

"UninstallString" = "%Program Files%\BasicScan\uninstall.exe _?=%Program Files%\BasicScan"

 

To register a new search provider in Internet Explorer, the following registry key and values are added:

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{33524C00-63FB-43DB-A6BF-0A4E14B24649}]

"DisplayName" = "BasicScan"

"URL" = "http://www.basicscan.com/?prt=BscscnPB&keywords={searchTerms}"

In addition, the malicious software is installed as a Mozilla Firefox extension.

 

For this purpose, the following files are created:

%Program Files%\Mozilla Firefox\extensions\{6AA54174-C9E8-4B07-95A0-0FBC19CBE64C}\install.rdf (1106 bytes)

%Program Files%\Mozilla Firefox\extensions\{6AA54174-C9E8-4B07-95A0-0FBC19CBE64C}\chrome.manifest (302 bytes)

%Program Files%\Mozilla Firefox\extensions\{6AA54174-C9E8-4B07-95A0-0FBC19CBE64C}\chrome\basicscan.jar (6436 bytes)

%Program Files%\Mozilla Firefox\extensions\{6AA54174-C9E8-4B07-95A0-0FBC19CBE64C}\defaults\preferences\prefs.js (135 bytes)

%APPDATA%\Mozilla\Firefox\Profiles\juqoitgu.default\extensions.sqlite-journal (167936 bytes)

%Program Files%\Mozilla Firefox\extensions\{6AA54174-C9E8-4B07-95A0-0FBC19CBE64C}\defaults\preferences\prefs.js (137 bytes)

During the installation process, the following windows appear (installer screenshots not reproduced here):

Once the installation process is complete, the malicious software launches the previously extracted files for execution:

%Program Files%\BasicScan\basicscan.exe

%APPDATA%\BasicScan\basicscan<random 3 digit number>.exe

In addition, the malicious software downloads the Xvid codec pack installer and saves it as:

%Temp%\_te<random number>.exe

At the time this description was written, the downloaded file was 9639400 bytes in size:

MD5: 8E4ADF256FCA604F1143443ACBB359C6, SHA1: 05E6B82F688D119A1463F95177EE2B6424814523.

Once the file is successfully downloaded, the installer is launched for execution. The installer dialog box is as follows (screenshot not reproduced here):

Payload

The malicious program injects the following library:

%Program Files%\BasicScan\basicscan.dll

into the address space of the browser process started by the user. This allows the malicious program to track the search queries the user types in the address bar and to return a list of URLs obtained from the server:

www.basicscan.com

In addition, the malicious software can update its components by downloading updates from the intruder's server.

Removal Recommendations

If your computer is not protected by an antivirus program and it has been infected with this malicious program, follow the steps listed below to remove it:

  1. Using Task Manager ("How to End a Process with the Task Manager"), terminate the following processes:

    basicscan.exe

    basicscan<random 3 digit number>.exe

  2. Close all open browsers.
  3. Delete the registry keys ("How to Work with System Registry"):

    [HKLM\Software\BasicScan]

    "TempInstallDir" = "%Program Files%\BasicScan"

    "Primary" = "13017"

    "DllPath" = "%Program Files%\BasicScan\basicscan.dll"

    "Version" = "65550"

    "Cid" = "7912dcecb5094c979b2fea8524a265d9"

    "Partner" = "BscscnPB"

    "Src" = "basicscan"

    "Initial" = "1"

    "ShowToolbarButton" = "0"

    "ShowBarSign" = "0"

    "FXInstalled" = "1"

    [HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\BasicScan]

    "DisplayName" = "BasicScan 1.0 build 114"

    "UninstallString" = "%Program Files%\BasicScan\uninstall.exe _?=%Program Files%\BasicScan"

    [HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{33524C00-63FB-43DB-A6BF-0A4E14B24649}]

    "DisplayName" = "BasicScan"

    "URL" = "http://www.basicscan.com/?prt=BscscnPB&keywords={searchTerms}"

  4. Delete the following files:

    %Temp%\upg<random 2 digit number>.tmp

    %Temp%\_te<number>.exe

    %Program Files%\BasicScan\basicscan.dll

    %Program Files%\BasicScan\basicscan.exe

    %Program Files%\BasicScan\uninstall.exe

    %Temp%\nsc<number>.tmp\System.dll

    %Temp%\nsx<number>.tmp\basicscan.dll

    %Temp%\nsx<number>.tmp\uninstall.exe

    %Temp%\nsx<number>.tmp\basicscan.exe

    %APPDATA%\BasicScan\basicscan<random 3 digit number>.exe

    %Program Files%\Mozilla Firefox\extensions\{6AA54174-C9E8-4B07-95A0-0FBC19CBE64C}\install.rdf

    %Program Files%\Mozilla Firefox\extensions\{6AA54174-C9E8-4B07-95A0-0FBC19CBE64C}\chrome.manifest

    %Program Files%\Mozilla Firefox\extensions\{6AA54174-C9E8-4B07-95A0-0FBC19CBE64C}\chrome\basicscan.jar

    %Program Files%\Mozilla Firefox\extensions\{6AA54174-C9E8-4B07-95A0-0FBC19CBE64C}\defaults\preferences\prefs.js

    %APPDATA%\Mozilla\Firefox\Profiles\juqoitgu.default\extensions.sqlite-journal

  5. Delete the original malicious software file (its name and location depend on how the Trojan originally reached the user's computer).
  6. Clean the Temporary Internet Files folder, which contains infected files ("How to clean Temporary Internet Files folder").
  7. Run a full scan of your computer using an antivirus program with an up-to-date definition database (Download Ad-Aware Free).
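The following PowerShell script is an added example, not part of the original description or of any vendor tool. It turns the artifacts listed in the Technical Details section (processes, the injected basicscan.dll, registry keys, files and the Firefox extension directory) into an audit that reports what is present on a host, and performs the manual removal steps above only when run with -Remove. Assumptions not stated on the page: the session is elevated; on 64-bit Windows a 32-bit installer is redirected to "Program Files (x86)" and HKLM\Software\Wow6432Node, so both views are checked; the Firefox profile name (juqoitgu.default on the analysis machine) and every "<number>" placeholder are matched with wildcards, so the report should be reviewed before removal, since the nsc/nsx temp folders are generic NSIS names.

```powershell
<#
  Added example (not from the original description): audit a host for the
  BasicScan artifacts listed in the description and, only with -Remove,
  delete them in the same order as the manual steps.
  Assumptions: elevated session; WOW64 locations checked in addition to the
  native ones; "<number>" placeholders and the Firefox profile name are
  wildcards and may match unrelated items, so review the report first.
#>
param([switch]$Remove)

# Both Program Files roots exist on 64-bit Windows; the (x86) one is $null on 32-bit.
$programDirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$ffGuid = '{6AA54174-C9E8-4B07-95A0-0FBC19CBE64C}'   # Firefox extension id from the description
$ieGuid = '{33524C00-63FB-43DB-A6BF-0A4E14B24649}'   # IE search scope id from the description

# Registry keys created by the installer, plus their WOW64-redirected view (assumption).
$regKeys = @(
    'HKLM:\Software\BasicScan',
    'HKLM:\Software\Wow6432Node\BasicScan',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\BasicScan',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\BasicScan',
    "HKCU:\Software\Microsoft\Internet Explorer\SearchScopes\$ieGuid"
)

# Files and directories from the description; <number> placeholders become wildcards.
$paths = @(
    "$env:TEMP\upg??.tmp",
    "$env:TEMP\_te*.exe",
    "$env:TEMP\stb*.tmp",                 # holds stub.vbe and setup.exe
    "$env:TEMP\nsc*.tmp\System.dll",
    "$env:TEMP\nsx*.tmp",                 # holds the extracted basicscan.* copies
    "$env:APPDATA\BasicScan",
    "$env:APPDATA\Mozilla\Firefox\Profiles\*.default\extensions.sqlite-journal"
)
foreach ($pf in $programDirs) {
    $paths += "$pf\BasicScan"
    $paths += "$pf\Mozilla Firefox\extensions\$ffGuid"
}

$findings = @()

# 1. Running basicscan.exe / basicscan<nnn>.exe (Get-Process -Name takes wildcards).
$procs = @(Get-Process -Name 'basicscan*' -ErrorAction SilentlyContinue)
foreach ($p in $procs) { $findings += "process  $($p.Name) (PID $($p.Id))" }

# 2. Any process with basicscan.dll loaded: the browser injection described in Payload.
foreach ($p in Get-Process -ErrorAction SilentlyContinue) {
    try {
        if ($p.Modules | Where-Object { $_.ModuleName -ieq 'basicscan.dll' }) {
            $findings += "injected basicscan.dll in $($p.Name) (PID $($p.Id))"
        }
    } catch { }   # access denied / bitness mismatch on some processes is expected
}

# 3. Registry keys and 4. files or directories that exist on this host.
$regHits  = @($regKeys | Where-Object { Test-Path -LiteralPath $_ })
$fileHits = @(foreach ($pat in $paths) { Get-Item -Path $pat -Force -ErrorAction SilentlyContinue })
$findings += @($regHits  | ForEach-Object { "registry $_" })
$findings += @($fileHits | ForEach-Object { "file     $($_.FullName)" })

if (-not $findings) { Write-Output 'No BasicScan artifacts found.'; return }
$findings | ForEach-Object { Write-Output "FOUND: $_" }

if ($Remove) {
    # Same order as the manual steps: stop the processes (close browsers yourself first,
    # so the injected DLL is unloaded), then remove keys, then files.
    if ($procs)    { $procs | Stop-Process -Force -ErrorAction SilentlyContinue }
    $regHits  | ForEach-Object { Remove-Item -LiteralPath $_ -Recurse -Force }
    $fileHits | ForEach-Object { Remove-Item -LiteralPath $_.FullName -Recurse -Force }
    Write-Output 'Artifacts removed; finish with a full scan using up-to-date antivirus definitions.'
}
```

Run it without arguments first to see the report; the module check in step 2 is the one that confirms the Payload behaviour (basicscan.dll inside a browser process), while the registry and file checks correspond to the Installation section. The script deliberately does not terminate browsers, matching the manual step that asks the user to close them.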