{"id":1317,"date":"2017-10-13T15:38:51","date_gmt":"2017-10-13T15:38:51","guid":{"rendered":"https:\/\/blog.gridinsoft.com\/?p=1317"},"modified":"2021-12-06T08:08:56","modified_gmt":"2021-12-06T08:08:56","slug":"new-times-new-threats-adware-amonetize-investigation","status":"publish","type":"post","link":"https:\/\/gridinsoft.com\/blogs\/new-times-new-threats-adware-amonetize-investigation\/","title":{"rendered":"New Times, New Threats: Adware.Amonetize investigation"},"content":{"rendered":"

Lately, our Team faced with complaints about Adware.amonetize virus. It hits most of the countries of Europe, the biggest quantity of infections is in China, Azerbaijan, Iran, Italy, Turkey, Saudi Arabia and Indonesia. It doesn’t matter Internet Explorer, Firefox, Google Chrome, Safari or other browsers do you use: you will see ads anyway. We investigated this virus and found that it spreads via a method we call bundling. It means that adware.amonetize sneaks into your system alongside with free software.<\/em><\/p>\n

How adware.amonetize works?<\/h2>\n

So what are main symptoms of this adware? Ads, ads and once more ads. You will see disturbing pop-ups, annoying banners, redirects in your browser. It is not a secret that every virus was created to gain profit, adware.amonetize is one of them. It gets pay-per-click revenue, so that is why you see so many ads. Every click and redirects on the sponsored website are coins in the money box. What is more interesting, we’ve noticed that adware.amonetize collects personal information of its victims! Browsing history, emails, messengers, name, locations and even banking credentials can fall into the hands of hackers.<\/p>\n

Where it is installed?<\/h2>\n

Our Analysts Team found out that Adware.Amonetize stored in %programfiles%, in a folder with a random name that contains 10 characters of the English alphabet + digits.
\nExamples:
\n% programfiles% \\ 04gcs4ypv6 \\ 04gcs4ypv.exe (check on Virus Total<\/a>)
\n% programfiles% \\ 0gp81q2mg5 \\ d5wn9p9nf.exe (check on Virus Total<\/a>)
\n% programfiles% \\ 39rossub2g \\ 39rossub2.exe (check on Virus Total<\/a>)<\/em><\/p>\n

\"Where
Where it is installed?<\/figcaption><\/figure>\n

These files are without a signature and add themselves to the startup list with random names:<\/p>\n

“HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\UPCABJZUFTF7J48<\/strong>” >> “”%programfiles%\\04gcs4ypv6\\04gcs4ypv.exe””<\/em><\/p>\n

“HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\9A00GNV8DAW655S<\/strong>” >> “”%programfiles%\\39rossub2g\\39rossub2.exe””<\/em><\/p>\n

“HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ZXFX5IAHM64HROQ<\/strong>” >> “”%programfiles%\\e0in79xcut\\e0in79xcu.exe””<\/em><\/p>\n

Adware.amonetize is a very tricky, as you may already notice. To hide files on the disc it use software from Nir Sofer – NirCmd (check on Virus Total<\/a>).<\/p>\n

Exe file under the name chipset.exe is in the folder with a random name from the letters + numbers in %appdata%, %localappdata%, %commonappdata% or %temp% and is written in the titles with the name GoogleUpdateSecurityTaskMachine_XX and Optimize Start Menu Cache Files-S-XX (XX stands for any uppercase character).<\/p>\n

For example:
\nTask: “%system%\\Tasks\\GoogleUpdateSecurityTaskMachine_NL<\/strong>” >> “%localappdata%\\Temp\\02e22efae9e744b3a1fa6dae595a32e1\\chipset.exe exec hide GBCWKWPKVU.cmd ” <\/em><\/p>\n

Task: “%system%\\Tasks\\GoogleUpdateSecurityTaskMachine_OO<\/strong>” >> “%commonappdata%\\5cd66b2d442541229cdaf3947384919f\\chipset.exe exec hide EIUHMIJWVC.cmd “<\/em><\/p>\n

Task: “%system%\\Tasks\\Optimize Start Menu Cache Files-S-GZ<\/strong>” >> “%appdata%\\92dcc1e5f2854a97b66db725d3492ecf\\chipset.exe exec hide IDGSTZEJUB.cmd “<\/em><\/p>\n

Why is adware.amonetize dangerous?<\/h2>\n

As we already said, it collects your personal information. This reason should be enough to delete adware.amonetize ASAP. Also, it attracts other viruses to your pitiful system: malware, trojans, adware etc.<\/p>\n

Get Adware.Amonetize closer<\/h2>\n

This is what 255335e18ca3b54c7872f31603de52d527da69c93b485c5aa1e70f2052192ac5.exe (Sx3qqqq.exe) looks like.<\/p>\n

\"\"<\/p>\n

Loads the specified manifest resource from this assembly.
\n\"\"
\n\"\"<\/p>\n

Take a look at this command more detailed.
\nAssembly assembly = Assembly.Load(Convert.FromBase64String(Encoding.Default.GetString(new TripleDESCryptoServiceProvider(). CreateDecryptor(Convert.FromBase64String(gr8AA.vferv58rv85rvrvrvergv),
\n Convert.FromBase64String(gr8AA.scsce8f7er)).TransformFinalBlock(inputBuffer, 0, inputBuffer.Length))));<\/em><\/p>\n

To make understanding more easy lets disassemble in parts.
\n\"\"
\n\"\"
\nstring st = Encoding.Default.GetString(new TripleDESCryptoServiceProvider().CreateDecryptor(KEY, IV).TransformFinalBlock(inputBuffer, 0, inputBuffer.Length));<\/p>\n

It creates a symmetric TripleDES decryption object with the specified key (Key)<\/em> and the initialization vector (IV)<\/em>. With the help of TransformFinalBlock <\/em> it converts the previously read block of data from the manifest. At the end, it converts everything into a string. The result is an executable file.<\/p>\n

How adware.amonetize slipped into your system?<\/h2>\n

As we already said the most popular way of spreading it is installing alongside with free software. We recommend to be careful and read Terms of Agreement before clicking on “Next” button in a hurry.<\/p>\n[contact-form][contact-field label=”Name” type=”name” required=”true” \/][contact-field label=”Email” type=”email” required=”true” \/][contact-field label=”Website” type=”url” \/][contact-field label=”Message” type=”textarea” \/][\/contact-form]\n","protected":false},"excerpt":{"rendered":"

Lately, our Team faced with complaints about Adware.amonetize virus. It hits most of the countries of Europe, the biggest quantity of infections is in China, Azerbaijan, Iran, Italy, Turkey, Saudi Arabia and Indonesia. It doesn’t matter Internet Explorer, Firefox, Google Chrome, Safari or other browsers do you use: you will see ads anyway. We investigated […]<\/p>\n","protected":false},"author":2,"featured_media":1332,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","_sitemap_exclude":false,"_sitemap_priority":"","_sitemap_frequency":"","footnotes":""},"categories":[17],"tags":[32,21],"class_list":{"0":"post-1317","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-labs","8":"tag-adware","9":"tag-virus"},"featured_image_src":"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2017\/10\/Picture12-1.png","author_info":{"display_name":"Vladislav Baglay","author_link":"https:\/\/gridinsoft.com\/blogs\/author\/baglay\/"},"_links":{"self":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/1317","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/comments?post=1317"}],"version-history":[{"count":1,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/1317\/revisions"}],"predecessor-version":[{"id":6566,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/1317\/revisions\/6566"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/media\/1332"}],"wp:attachment":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/media?parent=1317"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/categories?post=1317"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/tags?post=1317"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}