Hello, I am reporting the third part of the spyware list covering programs that could damage your software. The programs I would like to introduce in this part are Torrent101, BitGrabber and BitRoll.
The report from Symantec is as follows:
Updated: July 3, 2007 2:15:40 PM
Type: Potentially Unwanted App
Name: Torrent101; BitGrabber; BitRoll
Version: 3.2.0.0
Publisher: WakeNet
Risk Impact: Medium
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows NT, Windows Server 2003, Windows 2000
When the program is executed, it creates the following folders:
%UserProfile%\Application Data\BitGrabber
%UserProfile%\Application Data\BitGrabber\Data
%UserProfile%\Application Data\BitRoll
%UserProfile%\Application Data\BitRoll\Data
%UserProfile%\Application Data\[RANDOM FOLDER NAME]
%UserProfile%\Application Data\Torrent101
%UserProfile%\Application Data\Torrent101\Data
%UserProfile%\Favorites\Online Gaming
C:\Documents and Settings\All Users\Application Data\[RANDOM FOLDER NAME]
C:\Documents and Settings\All Users\Start Menu\Programs\BitGrabber
C:\Documents and Settings\All Users\Start Menu\Programs\BitRoll
C:\Documents and Settings\All Users\Start Menu\Programs\Torrent101
%ProgramFiles%\BitGrabber
%ProgramFiles%\BitGrabber\Skins
%ProgramFiles%\BitGrabber\Support
%ProgramFiles%\BitRoll
%ProgramFiles%\BitRoll\Skins
%ProgramFiles%\BitRoll\Support
%ProgramFiles%\[RANDOM FOLDER NAME]
%ProgramFiles%\Torrent101
%ProgramFiles%\Torrent101\Skins
%ProgramFiles%\Torrent101\Support
%SystemDrive%\My Downloads
Next, the program drops the following files:
%UserProfile%\Application Data\BitGrabber\Data\downloads.dat
%UserProfile%\Application Data\BitGrabber\Data\downloads.dat.bkp
%UserProfile%\Application Data\BitGrabber\Data\metadata.dat
%UserProfile%\Application Data\BitGrabber\Data\metadata.dat.bkp
%UserProfile%\Application Data\BitRoll\Data\downloads.dat
%UserProfile%\Application Data\BitRoll\Data\downloads.dat.bkp
%UserProfile%\Application Data\BitRoll\Data\metadata.dat
%UserProfile%\Application Data\BitRoll\Data\metadata.dat.bkp
%UserProfile%\Application Data\[RANDOM FOLDER NAME]\[RANDOM FILE NAME]
%UserProfile%\Application Data\[RANDOM FOLDER NAME]\Dart Rect Creative.exe
%UserProfile%\Application Data\[RANDOM FOLDER NAME]\[RANDOM FILE NAME ONE].exe
%UserProfile%\Application Data\[RANDOM FOLDER NAME]\[RANDOM FILE NAME TWO].exe
%UserProfile%\Application Data\[RANDOM FOLDER NAME]\[RANDOM FILE NAME THREE].exe
%UserProfile%\Application Data\[RANDOM FOLDER NAME]\readmename.exe
%UserProfile%\Application Data\Torrent101\Data\downloads.dat
%UserProfile%\Application Data\Torrent101\Data\downloads.dat.bkp
%UserProfile%\Application Data\Torrent101\Data\metadata.dat
%UserProfile%\Application Data\Torrent101\Data\metadata.dat.bkp
C:\Documents and Settings\[CURRENT USER]\Cookies\[USER NAME]@ad.yieldmanager[ONE RANDOM NUMBER].txt
C:\Documents and Settings\[CURRENT USER]\Cookies\[USER NAME]@ayb.netbios-wait[ONE RANDOM NUMBER].txt
C:\Documents and Settings\[CURRENT USER]\Cookies\[USER NAME]@inside.bitroll[ONE RANDOM NUMBER].txt
C:\Documents and Settings\[CURRENT USER]\Cookies\[USER NAME]@inside.torrent101[ONE RANDOM NUMBER].txt
%UserProfile%\Desktop\BitGrabber.lnk
%UserProfile%\Desktop\BitRoll.lnk
%UserProfile%\Desktop\Torrent101.lnk
%UserProfile%\Local Settings\Temp\bis[ONE RANDOM CHARACTER FILE NAME ONE].exe
%UserProfile%\Local Settings\Temp\bis[ONE RANDOM CHARACTER FILE NAME TWO].exe
%UserProfile%\Local Settings\Temp\bis[ONE RANDOM CHARACTER FILE NAME THREE].exe
C:\Documents and Settings\All Users\Application Data\[RANDOM FOLDER NAME]\[RANDOM FILE NAME]
C:\Documents and Settings\All Users\Application Data\[RANDOM FOLDER NAME]\[RANDOM FILE NAME ONE].exe
C:\Documents and Settings\All Users\Application Data\[RANDOM FOLDER NAME]\[RANDOM FILE NAME TWO].exe
C:\Documents and Settings\All Users\Application Data\[RANDOM FOLDER NAME]\[RANDOM FILE NAME THREE].exe
C:\Documents and Settings\All Users\Start Menu\Programs\BitGrabber\BitGrabber.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\BitGrabber\Uninstall BitGrabber.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\BitRoll\BitRoll.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\BitRoll\Uninstall BitRoll.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Torrent101\Torrent101.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Torrent101\Uninstall Torrent101.lnk
%ProgramFiles%\BitGrabber\BitGrabber.exe
%ProgramFiles%\BitGrabber\BitGrabber.TRC
%ProgramFiles%\BitGrabber\minime.exe
%ProgramFiles%\BitGrabber\settings.ini
%ProgramFiles%\BitGrabber\settings.stp
%ProgramFiles%\BitGrabber\SkinCrafterDll.dll
%ProgramFiles%\BitGrabber\Skins\Quadro.skf
%ProgramFiles%\BitGrabber\Support\connecting.gif
%ProgramFiles%\BitGrabber\Support\default.htm
%ProgramFiles%\BitGrabber\Support\dots.gif
%ProgramFiles%\BitGrabber\Support\logo.jpg
%ProgramFiles%\BitGrabber\Support\porttest_error.htm
%ProgramFiles%\BitGrabber\Support\porttest_start.htm
%ProgramFiles%\BitGrabber\TorrentManager.dll
%ProgramFiles%\BitGrabber\unins000.dat
%ProgramFiles%\BitGrabber\unins000.exe
%ProgramFiles%\BitRoll\BitRoll.exe
%ProgramFiles%\BitRoll\BitRoll.TRC
%ProgramFiles%\BitRoll\minime.exe
%ProgramFiles%\BitRoll\settings.ini
%ProgramFiles%\BitRoll\settings.stp
%ProgramFiles%\BitRoll\SkinCrafterDll.dll
%ProgramFiles%\BitRoll\Skins\Flexi.skf
%ProgramFiles%\BitRoll\Support\connecting.gif
%ProgramFiles%\BitRoll\Support\default.htm
%ProgramFiles%\BitRoll\Support\dots.gif
%ProgramFiles%\BitRoll\Support\logo.jpg
%ProgramFiles%\BitRoll\Support\porttest_error.htm
%ProgramFiles%\BitRoll\Support\porttest_start.htm
%ProgramFiles%\BitRoll\TorrentManager.dll
%ProgramFiles%\BitRoll\unins000.dat
%ProgramFiles%\BitRoll\unins000.exe
%ProgramFiles%\Torrent101\minime.exe
%ProgramFiles%\Torrent101\settings.ini
%ProgramFiles%\Torrent101\settings.stp
%ProgramFiles%\Torrent101\SkinCrafterDll.dll
%ProgramFiles%\Torrent101\Skins\Zorg.skf
%ProgramFiles%\Torrent101\Support\connecting.gif
%ProgramFiles%\Torrent101\Support\default.htm
%ProgramFiles%\Torrent101\Support\dots.gif
%ProgramFiles%\Torrent101\Support\logo.jpg
%ProgramFiles%\Torrent101\Support\porttest_error.htm
%ProgramFiles%\Torrent101\Support\porttest_start.htm
%ProgramFiles%\Torrent101\Torrent101.exe
%ProgramFiles%\Torrent101\Torrent101.TRC
%ProgramFiles%\Torrent101\TorrentManager.dll
%ProgramFiles%\Torrent101\unins000.dat
%ProgramFiles%\Torrent101\unins000.exe
%Windir%\Tasks\[RANDOM FILE NAME].job
It then creates the following registry entry so that it executes whenever Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"army logo" = "%UserProfile%\Application Data\[RANDOM FOLDER NAME]\readmename.exe"
The program then creates the following registry subkeys:
HKEY_CURRENT_USER\Software\BookDriveBat
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Setup Once Inside
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\keep inside loud
HKEY_CURRENT_USER\Software\WakeNet
HKEY_CLASSES_ROOT\.torrent
HKEY_CLASSES_ROOT\BitGrabber
HKEY_CLASSES_ROOT\BitRoll
HKEY_CLASSES_ROOT\CLSID\{D5792AA9-D373-4039-8670-2CDAB6A71F15}
HKEY_CLASSES_ROOT\Interface\{3FFBBD07-EB2D-4305-982B-21DA43DED39C}
HKEY_CLASSES_ROOT\Torrent101
HKEY_CLASSES_ROOT\TorrentManager.WebManager
HKEY_CLASSES_ROOT\TorrentManager.WebManager.1
HKEY_CLASSES_ROOT\TypeLib\{970CC246-0D83-4FFA-9832-62F19B4505CB}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D5792AA9-D373-4039-8670-2CDAB6A71F15}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D5792AA9-D373-4039-8670-2CDAB6A71F15}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BitGrabber_is1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BitRoll_is1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Torrent101_is1
It also creates the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\"DownloadUI" = "{D5792AA9-D373-4039-8670-2CDAB6A71F15}"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows\Allow\"netbios-wait.com" = ""
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows\Allow\"netsearchsoft.com" = ""
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows\Allow\"www.netbios-wait.com" = ""
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows\Allow\"www.netsearchsoft.com" = ""
The program can then be used as a Torrent client application.
It creates two hidden Internet Explorer processes that stay resident after the application is closed.
The program downloads a copy of Adware.Lop onto the computer.
It also installs a Browser Helper Object and displays advertisements in Internet Explorer.
Another program from this family is TorrentQ; it is the same type of application and does all the things mentioned above.
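As an added, read-only triage check (my own script, not part of the Symantec writeup), the following PowerShell looks for the fixed-name artefacts listed above: the "army logo" Run value, the BHO and IE DownloadUI registration under CLSID {D5792AA9-D373-4039-8670-2CDAB6A71F15}, the pop-up allow-list entries, and the uninstall keys, install folders and TorrentManager.dll for the three product names. It assumes `$env:APPDATA` and `$env:ProgramFiles` resolve to the same locations the report writes as `%UserProfile%\Application Data` and `%ProgramFiles%`; randomly named items from the report are only surfaced as a listing of `.job` files, not matched.

```powershell
# Added triage check, not from the Symantec writeup. Read-only: reports findings, changes nothing.
$clsid = '{D5792AA9-D373-4039-8670-2CDAB6A71F15}'
$findings = @()

# Persistence: Run value named "army logo" pointing at readmename.exe
$run = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['army logo']) {
    $findings += "Run value 'army logo' -> $($run.'army logo')"
}

# Browser Helper Object and IE DownloadUI registration sharing the same CLSID
if (Test-Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$clsid") {
    $findings += "BHO registered: $clsid"
}
$ie = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' -ErrorAction SilentlyContinue
if ($ie -and $ie.DownloadUI -eq $clsid) { $findings += "IE DownloadUI = $clsid" }
if (Test-Path 'Registry::HKEY_CLASSES_ROOT\TorrentManager.WebManager') {
    $findings += 'COM class TorrentManager.WebManager registered'
}

# Pop-up allow-list entries for the advertising domains named in the report
$allow = 'HKCU:\Software\Microsoft\Internet Explorer\New Windows\Allow'
foreach ($d in 'netbios-wait.com', 'www.netbios-wait.com', 'netsearchsoft.com', 'www.netsearchsoft.com') {
    if (Get-ItemProperty $allow -Name $d -ErrorAction SilentlyContinue) { $findings += "Pop-up allow entry: $d" }
}

# Uninstall keys, install folders and the torrent engine DLL for each product name
foreach ($name in 'Torrent101', 'BitGrabber', 'BitRoll') {
    if (Test-Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\${name}_is1") {
        $findings += "Uninstall key: ${name}_is1"
    }
    foreach ($dir in (Join-Path $env:ProgramFiles $name), (Join-Path $env:APPDATA $name)) {
        if (Test-Path $dir) { $findings += "Folder present: $dir" }
    }
    if (Test-Path (Join-Path $env:ProgramFiles "$name\TorrentManager.dll")) {
        $findings += "TorrentManager.dll present under $name"
    }
}

# The scheduled task has a random name, so just list legacy .job files for manual review
Get-ChildItem (Join-Path $env:windir 'Tasks') -Filter '*.job' -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "Legacy task file to review: $($_.Name)" }

if ($findings.Count -eq 0) { 'No Torrent101/BitGrabber/BitRoll artefacts found.' }
else { $findings | ForEach-Object { "FOUND: $_" } }
```

Run it from an elevated prompt so the HKLM and %ProgramFiles% checks are not limited by permissions; a hit on the Run value or the BHO CLSID is the strongest signal, since the product folders alone could belong to a legitimately installed copy.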