New Times, New Threats: Adware.Amonetize investigation

Lately, our team has been dealing with complaints about the Adware.Amonetize virus. It hits most European countries, and the largest number of infections is in China, Azerbaijan, Iran, Italy, Turkey, Saudi Arabia and Indonesia. No matter whether you use Internet Explorer, Firefox, Google Chrome, Safari or another browser: you will see ads anyway. We investigated this virus and found that it spreads via a method we call bundling. It means that adware.amonetize sneaks into your system alongside free software.

How does adware.amonetize work?

So what are the main symptoms of this adware? Ads, ads and once more ads. You will see disturbing pop-ups, annoying banners and redirects in your browser. It is no secret that every virus is created to make a profit, and adware.amonetize is one of them. It earns pay-per-click revenue, which is why you see so many ads. Every click and every redirect to a sponsored website is a coin in the money box. What is more interesting, we noticed that adware.amonetize collects the personal information of its victims! Browsing history, e-mails, messengers, name, locations and even banking credentials can fall into the hands of hackers.

Where is it installed?

Our analyst team found that Adware.Amonetize is stored in %programfiles%, in a folder with a random 10-character name made of English letters and digits.
Examples:
%programfiles%\04gcs4ypv6\04gcs4ypv.exe (check on VirusTotal)
%programfiles%\0gp81q2mg5\d5wn9p9nf.exe (check on VirusTotal)
%programfiles%\39rossub2g\39rossub2.exe (check on VirusTotal)


These files are unsigned and add themselves to the startup list under random value names:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\UPCABJZUFTF7J48 >> "%programfiles%\04gcs4ypv6\04gcs4ypv.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\9A00GNV8DAW655S >> "%programfiles%\39rossub2g\39rossub2.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ZXFX5IAHM64HROQ >> "%programfiles%\e0in79xcut\e0in79xcu.exe"

Adware.amonetize is very tricky, as you may have already noticed. To hide its files on the disk it uses NirCmd, a tool by Nir Sofer (check on VirusTotal).

An executable named chipset.exe sits in a folder with a random name of letters and digits under %appdata%, %localappdata%, %commonappdata% or %temp%, and is registered in scheduled tasks named GoogleUpdateSecurityTaskMachine_XX and Optimize Start Menu Cache Files-S-XX (XX stands for any uppercase characters).

For example:
Task: %system%\Tasks\GoogleUpdateSecurityTaskMachine_NL >> "%localappdata%\Temp\02e22efae9e744b3a1fa6dae595a32e1\chipset.exe exec hide GBCWKWPKVU.cmd"

Task: %system%\Tasks\GoogleUpdateSecurityTaskMachine_OO >> "%commonappdata%\5cd66b2d442541229cdaf3947384919f\chipset.exe exec hide EIUHMIJWVC.cmd"

Task: %system%\Tasks\Optimize Start Menu Cache Files-S-GZ >> "%appdata%\92dcc1e5f2854a97b66db725d3492ecf\chipset.exe exec hide IDGSTZEJUB.cmd"
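As an added example (not code from the original post or from Gridinsoft), here is a read-only PowerShell triage script for the persistence described above: Run values pointing into a random 10-character folder under %programfiles%, their signature status, and scheduled tasks with the two lookalike names whose action launches chipset.exe with NirCmd's "exec hide <name>.cmd". The regular expressions are my reading of the examples above, not strings taken from the sample.

```powershell
# Added example, not from the original post: read-only triage for the persistence described above.
# Patterns follow the write-up: Run values -> %programfiles%\<10 alnum>\<alnum>.exe (unsigned),
# tasks GoogleUpdateSecurityTaskMachine_XX / Optimize Start Menu Cache Files-S-XX -> chipset.exe exec hide *.cmd
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$pf = [regex]::Escape($env:ProgramFiles)
# accept either the expanded path or a literal %programfiles%, with or without surrounding quotes
$runPattern = "^`"?(?:$pf|%programfiles%)\\[a-z0-9]{10}\\[a-z0-9]+\.exe`"?$"
$taskPattern = '^(GoogleUpdateSecurityTaskMachine_[A-Z]{2}|Optimize Start Menu Cache Files-S-[A-Z]{2})$'
$findings = @()

# 1. Run entries under HKCU whose data points into a random 10-character folder
$props = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($props) {
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }              # PowerShell adds PSPath etc.; skip them
        $data = [string]$p.Value
        if ($data -notmatch $runPattern) { continue }
        $exe = [Environment]::ExpandEnvironmentVariables($data.Trim('"'))
        $status = 'FileMissing'
        if (Test-Path -LiteralPath $exe) { $status = (Get-AuthenticodeSignature -FilePath $exe).Status }
        $findings += [pscustomobject]@{ Type = 'RunKey'; Name = $p.Name; Target = $exe; Signature = $status }
    }
}

# 2. Scheduled tasks with the lookalike names whose action launches chipset.exe with "exec hide"
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    if ($task.TaskName -notmatch $taskPattern) { continue }
    foreach ($a in $task.Actions) {
        if (-not $a.Execute) { continue }                   # only exec actions carry a command line
        $exe = [Environment]::ExpandEnvironmentVariables($a.Execute.Trim('"'))
        $cmd = "$exe $($a.Arguments)"
        if ($cmd -notmatch 'chipset\.exe\s+exec\s+hide\s+\S+\.cmd') { continue }
        $status = 'FileMissing'
        if (Test-Path -LiteralPath $exe) { $status = (Get-AuthenticodeSignature -FilePath $exe).Status }
        $findings += [pscustomobject]@{ Type = 'ScheduledTask'; Name = $task.TaskName; Target = $cmd; Signature = $status }
    }
}

# On a clean host this prints nothing; a 'NotSigned' row under %programfiles%\<random>\ matches the write-up
$findings | Format-Table -AutoSize
```

The script only reports; removal of the files, Run values and tasks it lists is left to the analyst after confirming them.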

Why is adware.amonetize dangerous?

As we already said, it collects your personal information. That reason alone should be enough to delete adware.amonetize ASAP. It also attracts other viruses to your pitiful system: malware, trojans, adware, etc.

A closer look at Adware.Amonetize

This is what 255335e18ca3b54c7872f31603de52d527da69c93b485c5aa1e70f2052192ac5.exe (Sx3qqqq.exe) looks like.

Loads the specified manifest resource from this assembly.

Let's take a look at this command in more detail.
// Decrypt the resource with TripleDES (key and IV stored as base64 strings in the gr8AA class),
// treat the plaintext as a base64 string, decode it and load the result as a .NET assembly.
Assembly assembly = Assembly.Load(
    Convert.FromBase64String(
        Encoding.Default.GetString(
            new TripleDESCryptoServiceProvider()
                .CreateDecryptor(Convert.FromBase64String(gr8AA.vferv58rv85rvrvrvergv),
                                 Convert.FromBase64String(gr8AA.scsce8f7er))
                .TransformFinalBlock(inputBuffer, 0, inputBuffer.Length))));

To make it easier to understand, let's break it into parts.


string st = Encoding.Default.GetString(
    new TripleDESCryptoServiceProvider()
        .CreateDecryptor(KEY, IV)
        .TransformFinalBlock(inputBuffer, 0, inputBuffer.Length));

It creates a symmetric TripleDES decryption object with the specified key (Key) and initialization vector (IV). With the help of TransformFinalBlock it converts the block of data previously read from the manifest resource. Finally, it converts everything into a string. The result is an executable file.
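As an added example (neither the sample's code nor Gridinsoft's tooling), the same decryption chain replayed in PowerShell so an analyst can write the embedded assembly to disk for inspection instead of executing it through Assembly.Load. It assumes the encrypted resource bytes and the two base64 strings used as key and IV have already been extracted from the sample; the file names and the `<...>` values are placeholders.

```powershell
# Added example, not from the original post: statically replay the loader's decryption chain
# and save the decoded assembly instead of loading it. Placeholders must be filled from the sample.
param(
    [string]$ResourcePath = 'resource.bin',                   # raw bytes of the manifest resource
    [string]$KeyBase64    = '<base64 key string from sample>', # what the loader passes as Key
    [string]$IvBase64     = '<base64 IV string from sample>',  # what the loader passes as IV
    [string]$OutPath      = 'recovered.dll'
)

$inputBuffer = [IO.File]::ReadAllBytes($ResourcePath)
$key = [Convert]::FromBase64String($KeyBase64)   # TripleDES expects a 16- or 24-byte key
$iv  = [Convert]::FromBase64String($IvBase64)    # 8-byte IV; CBC + PKCS7 are the provider defaults

# Step 1: TripleDES decryption with the same provider and defaults the loader uses
$tdes = New-Object System.Security.Cryptography.TripleDESCryptoServiceProvider
$decryptor = $tdes.CreateDecryptor($key, $iv)
$plain = $decryptor.TransformFinalBlock($inputBuffer, 0, $inputBuffer.Length)

# Step 2: bytes -> string, as Encoding.Default.GetString does (the plaintext should be pure ASCII base64,
# so the ANSI-vs-UTF8 difference between .NET Framework and .NET Core does not matter here)
$st = [System.Text.Encoding]::Default.GetString($plain)

# Step 3: the string is itself base64; decoding it yields the assembly image
$assemblyBytes = [Convert]::FromBase64String($st)

# Sanity check before writing: a PE image starts with the "MZ" signature
if ($assemblyBytes.Length -lt 2 -or $assemblyBytes[0] -ne 0x4D -or $assemblyBytes[1] -ne 0x5A) {
    throw 'Decoded data does not start with MZ; check the key, IV or resource extraction'
}
[IO.File]::WriteAllBytes((Join-Path $PWD $OutPath), $assemblyBytes)
Write-Host "Wrote $($assemblyBytes.Length) bytes to $OutPath"
```

The written file can then be opened in a .NET decompiler or scanned, without the decrypted payload ever being executed.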

How did adware.amonetize slip into your system?

As we already said, the most popular way of spreading it is installation alongside free software. We recommend being careful and reading the Terms of Agreement before clicking the "Next" button in a hurry.

By Vladislav Baglay

I have been working as Malware Research Director at Gridinsoft for many years and am passionate about learning new virus schemes.
