Win32/Adware.MultiPlug [Threat Name]

Win32/Adware.MultiPlug.DJ [Threat Variant Name]

Category adware
Detection created Nov 01, 2014
Detection database version 10656
Aliases Win32/AdWare.MultiPlug.BN (Eset)
Short description

Win32/Adware.MultiPlug.DJ is adware used for the delivery of unsolicited advertisements.

Installation

The adware is a malicious extension/plugin for Google Chrome, Mozilla Firefox, Microsoft Internet Explorer, Chromatic Browser, Comodo Dragon, Google Chrome Canary and Torch.


When executed, the adware creates the following files:

  • %temp%\%randomhexnumber%\%googlechromeextensionid%\background.html
  • %temp%\%randomhexnumber%\%googlechromeextensionid%\content.js
  • %temp%\%randomhexnumber%\%googlechromeextensionid%\%variable1%.js (JS/Kryptik.ATB)
  • %temp%\%randomhexnumber%\%googlechromeextensionid%\lsdb.js
  • %temp%\%randomhexnumber%\%googlechromeextensionid%\manifest.json
  • %temp%\%randomhexnumber%\%mozillafirefoxextensionid%\bootstrap.js
  • %temp%\%randomhexnumber%\%mozillafirefoxextensionid%\chrome.manifest
  • %temp%\%randomhexnumber%\%mozillafirefoxextensionid%\install.rdf
  • %temp%\%randomhexnumber%\%mozillafirefoxextensionid%\content\bg.js (JS/Kryptik.ATB)
  • %temp%\%randomhexnumber%\%variable2%.dat
  • %temp%\%randomhexnumber%\%variable3%.dll (Win32/Adware.MultiPlug.EG)
  • %temp%\%randomhexnumber%\%variable3%.tlb
  • %temp%\%randomhexnumber%\%variable3%.x64.dll (Win32/Adware.MultiPlug.E)

Selected files are copied into the following folders:

  • %appdata%\Local\Google\Google\Chrome\User Data\Default\Extensions\%googlechromeextensionid%\
  • %appdata%\Local\Comodo\Dragon\User Data\Default\Extensions\%googlechromeextensionid%\
  • %appdata%\Local\Google\Chrome SxS\User Data\Default\Extensions\%googlechromeextensionid%\
  • %appdata%\Local\Torch\User Data\Default\Extensions\%googlechromeextensionid%\
  • %appdata%\Local\Chromatic Browser\User Data\Default\Extensions\%googlechromeextensionid%\
  • %appdata%\Roaming\Mozilla\Firefox\Profiles\%variable%.default\extensions\staged\%mozillafirefoxextensionid%\
  • %programfiles%\%internetexplorerextensionname%\

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\%GUID%\InprocServer32]
    • "(Default)" = "%programfiles%\%internetexplorerextensionname%\%variable3%.dll"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\%guid%]
    • "(Default)" = "%internetexplorerextensionname%"

The adware can modify the following files:

  • %appdata%\Local\Google\Chrome\User Data\Default\Preferences
  • %programfiles%\Google\Chrome\Application\%version%\chrome.dll

The adware may create the following files:

  • %system%\GroupPolicy\gpt.ini
  • %system%\GroupPolicy\Machine\Registry.pol

A string with variable content is used in place of %randomhexnumber%, %guid% and %variable1-3%.
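A read-only triage script that enumerates the persistence locations listed above (BHO registrations, the Chromium-based and Firefox extension folders, and the local Group Policy files) so an analyst can review what is present. It is an added example, not part of the ESET entry; the mapping of the entry's %appdata%\Local, %appdata%\Roaming and %system% to $env:LOCALAPPDATA, $env:APPDATA and System32, and the "Review" flag heuristic, are assumptions.

```powershell
# Added triage script; it is not part of the ESET entry. Read-only: it lists what
# is present in the locations the entry names so an analyst can review them.
# Assumes Windows PowerShell 5+; the entry's %appdata%\Local and %appdata%\Roaming
# are taken as $env:LOCALAPPDATA and $env:APPDATA, and %system% as System32.
$findings = @()
$programDirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

# Browser Helper Objects, in both registry views (32-bit IE uses Wow6432Node).
foreach ($hive in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node') {
    $bhoKey = "$hive\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
    foreach ($k in Get-ChildItem $bhoKey -ErrorAction SilentlyContinue) {
        $clsid = $k.PSChildName
        $dll = (Get-ItemProperty "$hive\Classes\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        $sig = if ($dll -and (Test-Path $dll)) { (Get-AuthenticodeSignature $dll).Status.ToString() } else { 'missing' }
        # Heuristic only: the entry drops its DLL one folder below %programfiles%,
        # so an unsigned DLL at exactly that depth is worth a closer look.
        $shallow = [bool]($programDirs | Where-Object { $dll -like "$_\*\*.dll" -and $dll -notlike "$_\*\*\*" })
        $findings += [pscustomobject]@{ Type='BHO'; Id=$clsid; Path=$dll; Signature=$sig; Review=($shallow -and $sig -ne 'Valid') }
    }
}

# Chromium-based profiles named in the entry: each extension id with its manifest name.
foreach ($browser in 'Google\Chrome', 'Comodo\Dragon', 'Google\Chrome SxS', 'Torch', 'Chromatic Browser') {
    $dir = "$env:LOCALAPPDATA\$browser\User Data\Default\Extensions"
    if (-not (Test-Path $dir)) { continue }
    foreach ($ext in Get-ChildItem $dir -Directory) {
        $manifest = Get-ChildItem $ext.FullName -Recurse -Filter manifest.json | Select-Object -First 1
        $name = if ($manifest) { (Get-Content $manifest.FullName -Raw | ConvertFrom-Json).name } else { '?' }
        $findings += [pscustomobject]@{ Type='ChromiumExt'; Id=$ext.Name; Path=$ext.FullName; Name=$name }
    }
}

# Firefox: add-ons staged for installation in any *.default profile.
foreach ($a in Get-ChildItem "$env:APPDATA\Mozilla\Firefox\Profiles\*.default\extensions\staged" -ErrorAction SilentlyContinue) {
    $findings += [pscustomobject]@{ Type='FirefoxStaged'; Id=$a.Name; Path=$a.FullName }
}

# Local Group Policy files the entry says may be created; report presence and write time.
foreach ($f in "$env:SystemRoot\System32\GroupPolicy\gpt.ini", "$env:SystemRoot\System32\GroupPolicy\Machine\Registry.pol") {
    if (Test-Path $f) { $findings += [pscustomobject]@{ Type='GroupPolicy'; Path=$f; Modified=(Get-Item $f).LastWriteTime } }
}

$findings | Format-List
```

Run it from an elevated prompt so both registry views and every profile folder are readable; an entry with Review=True is a candidate for closer inspection, not a verdict.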


Information stealing

The adware collects sensitive information when the user browses certain web sites.


The following information is collected:

  • URLs visited
  • keywords entered into search engines

The adware attempts to send gathered information to a remote machine.

Other information

The adware acquires data and commands from a remote computer or the Internet.


The adware contains a list of (9) URLs. The HTTP protocol is used in the communication.


The adware injects JavaScript code into web pages visited by the user.


The adware displays dialogs within the Internet browser with various advertisements.


Some examples follow.

The adware may redirect the user to specific web sites.
