Lavasoft's Adware new defs

Thread starter: plun

SE1R51 21.06.2005


New defs:

Win32.Trojan.Agent.em
Win32.TrojanDownloader.Lastad.h

========================
Updated defs:

BargainBuddy +2
Claria +2
MagicControl
SahAgent +6
Win32.Backdoor.Rbot.gen
========================


No abetterinternet.......... ;(
 
(e-mail address removed) was thinking very hard:
What I am saying is that if you have a sample of if and
you want it to be detected as soon as possible send it in
to:
http://www.lavasofthelp.com/submit/index2.shtml

Hi

Well, this is already defined if Lavasoft reads webhelper4u; maybe
MS can also do it............ ;)

Nevertheless I submitted this information to Lavasoft.

Latest transponder, Aurora.
http://www.webhelper4u.com/tnewswritigs/bolger_aurora.html

File Locations:
download.abetterinternet.com/download/UAC/Bolger.dll
download.abetterinternet.com/download/UAC/aurora.exe
download.abetterinternet.com/download/UAC/Poller.exe
download.abetterinternet.com/download/UAC/uacupg.exe
download.abetterinternet.com/download/UAC/Nail.exe
download.abetterinternet.com/download/UAC/thnall1ac.html
download.abetterinternet.com/download/UAC/DrPMon.dll
download.abetterinternet.com/download/UAC/svcproc.exe



Bolger.dll
Size: 172032
Version: 0.12.4.96
CRC-32: C8D089EF
MD5: 67DA1E869864F3B17DBD66E58A3D29C5
File version: 0, 12, 4, 96
Company name: Bolger
Internal name: bolger
Comments: www.abetterinternet.com
Legal copyright: Copyright © 2005
Legal trademarks:
Original filename: bolger.dll
Product name: bolger
Product version: 0, 12, 4, 96
File description: www.abetterinternet.com

HKCR
{
    BolgerDll.BolgerDllObj.1 = s 'BolgerObj Class'
    {
        CLSID = s '{302A3240-4805-4a34-97D7-1645A0B08410}'
    }
    BolgerDll.BolgerDllObj = s 'Bolger Functional Class'
    {
        CLSID = s '{302A3240-4805-4a34-97D7-1645A0B08410}'
        CurVer = s 'BolgerDll.BolgerDllObj.1'
    }
    NoRemove CLSID
    {
        ForceRemove {302A3240-4805-4a34-97D7-1645A0B08410} = s 'BolgerObj Class'
        {
            ProgID = s 'Bolger.BolgerObj.1'
            VersionIndependentProgID = s 'Bolger.BolgerObj'
            ForceRemove 'Programmable'
            InprocServer32 = s '%MODULE%'
            {
                val ThreadingModel = s 'Apartment'
            }
            'TypeLib' = s '{92daf5c1-2135-4e0c-b7a0-259abfcd3904}'
        }
    }
}

HKLM
{
    NoRemove SOFTWARE
    {
        NoRemove Microsoft
        {
            NoRemove Windows
            {
                NoRemove CurrentVersion
                {
                    NoRemove Explorer
                    {
                        NoRemove 'Browser Helper Objects'
                        {
                            ForceRemove {302A3240-4805-4a34-97D7-1645A0B08410}

Registry Entry:
[HKEY_CURRENT_USER\Software\Bolger]
"BLI9d1OfSInst"="{466BE6F9-0824-47F6-99C9-E08F8491AC67}"
"BLC9n1trMsgSDisp"=dword:00000000
"BLT9o1pListSPos"=dword:00000000
"BLs9t1icky1S"="0"
"BLs9t1icky2S"="0"
"BLs9t1icky3S"="0"
"BLs9t1icky4S"="0"
"BLC1o9d1eOfSFinalAd"="0"
"BLT9i1m4eOfSFinalAd"="0"
"BLD9s1tSSEnd"="??-?ÀÀÍ?´?Ì?´????Á??-À?Ý???ܽ?½"
"BL9N1a4tionSCode"="XX"
"BLP9D1om"="µ??-? ??????¾?Ì??¾"
"BLT9h1rshSCheckSIn"=dword:0000002d
"BLT9h1rshSMots"=dword:00000007
"BLM9o1deSSync"=dword:00000001
"BLI9n1ProgSCab"=dword:00000000
"BLI9n1ProgSEx"=dword:00000000
"BLI9n1ProgSLstest"=dword:00000000
"BLL9a1stMotsSDay"=dword:00000012
"BLL9a1stSSChckin"=dword:000009f4
"BLC9n1tFyl"=dword:00000004
"BLE9v1nt"="1"

Aurora.exe - This is their replacement for their buddy.exe, which was
created by the ceres.dll and speer.dll files.

CRC-32: 01726162
MD5: 1F5CB7887DE415347034735CC05480BE

[HKEY_CURRENT_USER\Software\aurora]
"AUI3d5OfSDist"="139|1|0|0|THIN-139-1-X-X.EXE"
"AUI3d5OfSInst"="{C1D0B59A-0C94-4D44-BDCA-3A4E5BAA26D0}"
"AUC3n5trMsgSDisp"=dword:00000001
"AUT3o5pListSPos"=dword:00000000
"AUs3t5icky1S"="capdate%3D2723%26capdatedy%3D0427%26lupgtry%3D1%26lupgid%3D225%26lupgdt%3D1114655164068%26lflshdt%3D1114655164%26lstkywd%3Dsdtzddejg%26lstlogdt%3D20050427%26cntp%3D%260%3D%26capcntdy%3D4%26capcnt%3D3%26"
"AUs3t5icky2S"="rtmr%3D117%26fstcidt%3D1114655164068%260%3D%26rcntr%3D1%26"
"AUs3t5icky3S"="1-1114657827-3867:1035785:6381:28650:9343:172446:7003:5184000-35919:2592000:44538:172446"
"AUs3t5icky4S"="1-6813:1:117.453-6542:1:117.463-19316:1:117.461"
"AUC1o3d5eOfSFinalAd"="1"
"AUT3i5m7eOfSFinalAd"="1114657827|0|1114657677|0|0|0|0|1114657473|0|"
"AUD3s5tSSEnd"="??-?ÀÀÍ?´?Ì?´????Á??-À?Ý???ܽ?½"
"AU3N5a7tionSCode"="US"
"AUP3D5om"="???-?¤??????¾?Ì??¾"
"AUT3h5rshSCheckSIn"=dword:0000002d
"AUT3h5rshSMots"=dword:00000064
"AUM3o5deSSync"=dword:0000000b
"AUI3n5ProgSCab"=dword:00000000
"AUI3n5ProgSEx"=dword:00000000
"AUI3n5ProgSLstest"=dword:00000000
"AUB3D5om"="????´¦?????¤?¦-Ü?¤?´?????Á?¤?"
"AUE3v5nt"="0"
"AUT3h5rshSBath"=dword:00002710
"AUT3h5rshSysSInf"=dword:000007d0
"AUL3n5Title"=dword:0000001e
"AUC3u5rrentSMode"=dword:00000001
"AUC3n5tFyl"=dword:00000000
"AUI3g5noreS"="????

There will be more updates to this page as I get more data on each of the
files listed above.

Nail.exe will generate a randomly named *.exe file of around 74 KB in the
%windows% or %system% folder; if it is not removed at the same time as
Nail.exe and bolger.dll, re-infestation can occur.
Also, if any transponder variants and their component files were
installed from bundled installers like isearch.com, CPM 2ndthought,
etc., the bundle installer group has to be removed first, as it will
reinstall any 3rd-party adware it finds missing when it runs a transmit
or the computer is rebooted.
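To make the indicators in the post above usable on a collected image, here is an added example of mine (not code from the post, from Lavasoft or from webhelper4u): it hashes the files under a directory against the two MD5s listed, flags the other named components and any *.exe of roughly the size the post attributes to the Nail.exe dropper, and parses a `reg export` style text dump for the BHO CLSID registration, its InprocServer32 path and the HKCU\Software\Bolger / HKCU\Software\aurora keys. Assumptions: the 70-78 KiB size window is my tolerance around "around 74kb", not something the post states; the sample directory and registry dump in demo() are constructed, and the DLL path in SAMPLE_REG is invented (the post only shows %MODULE%).

```python
import hashlib
import os
import re
import tempfile

# Indicators copied from the post above, lower-cased for comparison.
KNOWN_MD5 = {
    "bolger.dll": "67da1e869864f3b17dbd66e58a3d29c5",
    "aurora.exe": "1f5cb7887de415347034735cc05480be",
}
NAMED_COMPONENTS = {"poller.exe", "uacupg.exe", "nail.exe", "drpmon.dll", "svcproc.exe"}
BHO_CLSID = "{302a3240-4805-4a34-97d7-1645a0b08410}"
BHO_KEY = (r"hkey_local_machine\software\microsoft\windows\currentversion"
           r"\explorer\browser helper objects")
PERSISTENCE_KEYS = (r"hkey_current_user\software\bolger",
                    r"hkey_current_user\software\aurora")
# Assumption: the "random named *.exe around 74kb" dropped by Nail.exe can only
# be flagged by size; the 70-78 KiB window is my guess, not from the post.
DROPPER_SIZE_RANGE = (70 * 1024, 78 * 1024)


def md5_of(path, chunk=65536):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_files(root):
    """Walk `root` and return (path, verdict) pairs for files matching the IOCs."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path, lname = os.path.join(dirpath, name), name.lower()
            if lname in KNOWN_MD5:
                same = md5_of(path) == KNOWN_MD5[lname]
                findings.append((path, "md5_match" if same else "name_match_md5_differs"))
            elif lname in NAMED_COMPONENTS:
                findings.append((path, "name_match"))
            elif lname.endswith(".exe") and \
                    DROPPER_SIZE_RANGE[0] <= os.path.getsize(path) <= DROPPER_SIZE_RANGE[1]:
                findings.append((path, "possible_nail_dropper_by_size"))
    return findings


def parse_reg_export(text):
    """Parse `reg export` text into {key: {value_name: raw_data}}; joins the
    trailing-backslash continuation lines reg.exe emits for long hex values."""
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # value continues on the next line
            pending = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if m and current is not None:
            keys[current][m.group(1).strip('"').lower()] = m.group(2)
    return keys


def registry_findings(reg_text):
    """Report the BHO registration, its server DLL and the per-user keys."""
    keys = parse_reg_export(reg_text)
    hits = []
    if BHO_KEY + "\\" + BHO_CLSID in keys:
        hits.append("bho_registered:" + BHO_CLSID)
    inproc = keys.get(r"hkey_classes_root\clsid\%s\inprocserver32" % BHO_CLSID)
    if inproc is not None:
        hits.append("inprocserver32:" + inproc.get("@", "?"))
    hits += ["persistence_key:" + k for k in PERSISTENCE_KEYS if k in keys]
    return hits


# Constructed registry dump; the DLL path is invented for the sample.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{302A3240-4805-4a34-97D7-1645A0B08410}\InprocServer32]
@="C:\\WINDOWS\\system32\\Bolger.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{302A3240-4805-4a34-97D7-1645A0B08410}]

[HKEY_CURRENT_USER\Software\Bolger]
"BLI9d1OfSInst"="{466BE6F9-0824-47F6-99C9-E08F8491AC67}"
"BLD9s1tSSEnd"=hex:3f,3f,2d,3f,\
  c0,c0,cd,3f
"""


def demo():
    """Constructed directory: a stand-in Bolger.dll and a 74 KiB random-named exe."""
    root = tempfile.mkdtemp(prefix="aurora_ioc_")
    with open(os.path.join(root, "Bolger.dll"), "wb") as f:
        f.write(b"constructed stand-in, not the real sample")
    with open(os.path.join(root, "xq7ra.exe"), "wb") as f:
        f.write(b"\0" * (74 * 1024))
    return scan_files(root), registry_findings(SAMPLE_REG)


if __name__ == "__main__":
    files, regs = demo()
    for path, verdict in files:
        print(verdict, path)
    print(*regs, sep="\n")
```

On a real box you would point scan_files() at the Windows and System32 folders and feed registry_findings() the output of `reg export HKCU\Software` and `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer`; a "name_match_md5_differs" verdict means a newer build of the component, which is exactly what the post is asking people to submit to Lavasoft.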