Tuesday, March 24, 2009

tube-funs-world-com Spyware (Privacy Components)

tube-funs-world.com - Rogue.AntiSpyware.Sysguard "Privacy components"

Privacy Components is another rogue antispyware that displays fake security alerts. This program is known to be installed on computers without the user's approval, dropped by a trojan or through other malicious techniques.

Analysis:

Fake PornTube website:

hxxp://tube-funs-world.com/promo2/?aid=561&vname=free_dvd_rip
hxxp://tube-funs-world.com/promo2/?aid=561&vname=stream_player_plugin

hxxp://tube-funs-world.com/promo2/2.php?aid=561&vname=stream_player_plugin
stream_player_plugin.exe

Fake scanner with the look of Windows Explorer:

hxxp://tube-funs-world.com/promo3/
hxxp://tube-funs-world.com/promo3/get.php?aid=0&vname=protect
protect.exe (same file)

Some JavaScript:

hxxp://tube-funs-world.com/promo4/
hxxp://tube-funs-world.com/promo4/get.php?aid=0&vname=stream_player_plugin
stream_player_plugin.exe (same file)

Another fake PornTube website with the SexTube logo:

hxxp://tube-funs-world.com/promo5/
hxxp://tube-funs-world.com/promo5/get.php?aid=0&vname=setup
setup.exe (same file)
 
 
File info: stream_player_plugin.exe

File size: 3159829 bytes
MD5: 5cf2fcaaac2863b850aabd96f85c5ed8

Anubis: Report for protect.exe (same file)

Anubis: Report
ThreatExpert: Report
VirusTotal: Report

First received: 03.24.2009 02:07:47 (CET)
Results: 4/39 (10.26%)

Alias: Win32.SPRFraud.PrivC
       Sus/Behav-113
       Privacy components
       Adware/Agent.gen

Domains sharing an IP with tube-funs-world.com [194.165.4.39]:

inetnum: 194.165.4.0 - 194.165.5.255
netname: NTCOLO
descr: Plitochnik Lux LTD
descr: CO-LOCATION IN UA-IX
route: 194.165.4.0/23
AS: AS48669 NTCOLO-AS NTCOLO

privacy-tools-pack.com
privacyupdate445.com
privacyupdate446.com
privacyupdate447.com
tube-funs-world.com
turbo-tube-uploaderz.com
  
Privacy Center "Privacy components" removal information
 
- Kill processes: agent.exe, openvpn.exe, pc.exe, tapinstall.exe, uninstall.exe
- Unregister DLLs (regsvr32 /u [dll_name]): sp.dll, spbho.dll

- Delete registry keys:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\
    {D032570A-5F63-4812-A094-87D007C23012}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\spbho.TIEAdvBHO
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
    Explorer\Browser Helper Objects\{D032570A-5F63-4812-A094-87D007C23012}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
    Uninstall\Privacy center
- Delete registry values:
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

    agent.exe = "%ProgramFiles%\Privacy center\agent.exe"

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]

    Shell = "%ProgramFiles%\Privacy center\pc.exe"

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\
    {D032570A-5F63-4812-A094-87D007C23012}\ProgID]

    (Default) = "spbho.TIEBHO"

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\
    {D032570A-5F63-4812-A094-87D007C23012}\InprocServer32]

    (Default) = "C:\PROGRA~1\PRIVAC~1\tools\sp\spbho.dll"
    ThreadingModel = "Apartment"

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\spbho.TIEBHO\Clsid]

    (Default) = "{D032570A-5F63-4812-A094-87D007C23012}"

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\spbho.TIEBHO]

    (Default) = ""

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
    Explorer\Browser Helper Objects\{D032570A-5F63-4812-A094-87D007C23012}]

    (Default) = ""

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
    Uninstall\Privacy center]

    DisplayName = "Privacy center"
    UninstallString = "%ProgramFiles%\Privacy center\uninstall.exe"
    NoModify = 0x00000001
    NoRepair = 0x00000001
- Delete files and folders:

  • %AppData%\Privacy center\
  • %Programs%\Privacy center\
  • %ProgramFiles%\Privacy center\
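As an added example (not part of the original post), the following PowerShell script checks a host for the artifacts listed in the removal steps above without deleting anything: it reports the listed processes, the BHO CLSID and uninstall registry keys, the Run and Winlogon Shell values and the dropped folders. Indicator values are those given in the post; comparing the per-user Winlogon Shell value against its default of explorer.exe is my own addition, so that any replacement shell is flagged, not only pc.exe.

```powershell
# Added example: read-only check for the "Privacy center" artifacts
# listed in the removal section. Indicator values are taken from the post.
$Clsid = '{D032570A-5F63-4812-A094-87D007C23012}'
$Findings = @()

# 1. Running processes named in the removal list
$ProcNames = 'agent', 'openvpn', 'pc', 'tapinstall', 'uninstall'
foreach ($p in Get-Process -Name $ProcNames -ErrorAction SilentlyContinue) {
    $Findings += "process: $($p.ProcessName).exe (PID $($p.Id)) $($p.Path)"
}

# 2. Registry keys that should not exist on a clean host
$Keys = @(
    "HKLM:\SOFTWARE\Classes\CLSID\$Clsid",
    'HKLM:\SOFTWARE\Classes\spbho.TIEBHO',
    'HKLM:\SOFTWARE\Classes\spbho.TIEAdvBHO',
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$Clsid",
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Privacy center'
)
foreach ($k in $Keys) {
    if (Test-Path -LiteralPath $k) { $Findings += "registry key: $k" }
}

# 3. Persistence values: the Run entry and the per-user Winlogon Shell override.
#    A Shell value other than explorer.exe is flagged, whatever path it points to.
$Run = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($Run -and $Run.PSObject.Properties['agent.exe']) {
    $Findings += "Run value: agent.exe = $($Run.'agent.exe')"
}
$Winlogon = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue
if ($Winlogon -and $Winlogon.Shell -and $Winlogon.Shell -ne 'explorer.exe') {
    $Findings += "Winlogon Shell hijack: Shell = $($Winlogon.Shell)"
}

# 4. Dropped folders (%Programs% is the user's Start Menu\Programs folder)
$Folders = @(
    (Join-Path $env:APPDATA 'Privacy center'),
    (Join-Path ([Environment]::GetFolderPath('Programs')) 'Privacy center'),
    (Join-Path $env:ProgramFiles 'Privacy center')
)
foreach ($f in $Folders) {
    if (Test-Path -LiteralPath $f) { $Findings += "folder: $f" }
}

if ($Findings.Count -eq 0) { 'No Privacy center artifacts found.' }
else { $Findings | ForEach-Object { "FOUND $_" } }
```

Run it from an elevated prompt so the HKLM keys and Program Files are readable; once the findings match the list above, apply the removal steps in the order given.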