Malwarebytes

PrivacyRedeemer


#1
SpySentinel

PrivacyRedeemer

hxxp://privacyredeemer.com/


The program connects to www.PrivacyRedeemer.com, which prompts the user to pay for a full license of the application in order to remove the errors.



Installation
When the program is executed, it creates the following files:

* %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Privacy Redeemer.lnk
* %UserProfile%\Application Data\Privacy Redeemer\BugReport.html.tpl
* %UserProfile%\Application Data\Privacy Redeemer\comdlg32.ocx
* %UserProfile%\Application Data\Privacy Redeemer\copy.gif
* %UserProfile%\Application Data\Privacy Redeemer\Debug.log
* %UserProfile%\Application Data\Privacy Redeemer\IEHistoryClear.cmd
* %UserProfile%\Application Data\Privacy Redeemer\left_bg.jpg
* %UserProfile%\Application Data\Privacy Redeemer\left_bg1.gif
* %UserProfile%\Application Data\Privacy Redeemer\logo1.jpg
* %UserProfile%\Application Data\Privacy Redeemer\msvbvm60.dll
* %UserProfile%\Application Data\Privacy Redeemer\openlocation.exe
* %UserProfile%\Application Data\Privacy Redeemer\PrivacyRedeemer.exe
* %UserProfile%\Application Data\Privacy Redeemer\PrivacyRedeemer.exe.manifest
* %UserProfile%\Application Data\Privacy Redeemer\PrivacyRedeemerMonitor.exe
* %UserProfile%\Application Data\Privacy Redeemer\right_bg.jpg
* %UserProfile%\Application Data\Privacy Redeemer\right_bg1.gif
* %UserProfile%\Application Data\Privacy Redeemer\snd.wav
* %UserProfile%\Application Data\Privacy Redeemer\style.css
* %UserProfile%\Application Data\Privacy Redeemer\title1_bg.gif
* %UserProfile%\Application Data\Privacy Redeemer\top.jpg
* %UserProfile%\Application Data\Privacy Redeemer\unins000.dat
* %UserProfile%\Application Data\Privacy Redeemer\unins000.exe
* %UserProfile%\Application Data\Privacy Redeemer\winhttp.dll
* %UserProfile%\Application Data\Privacy Redeemer\wmsrc.exe
* %UserProfile%\Application Data\Privacy Redeemer\mscomctl.ocx
* %UserProfile%\Desktop\Privacy Redeemer.lnk
* %UserProfile%\Local Settings\Temp\[RANDOM FILE NAME].tmp
* C:\Documents and Settings\All Users\Start Menu\Programs\Privacy Redeemer\Privacy Redeemer.lnk


The program creates the following registry entry so that it runs when Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"wmsrc.exe" = "C:\Documents and Settings\Administrator\Application Data\Privacy Redeemer\wmsrc.exe"

Next, the program creates the following registry entries:

* HKEY_ALL_USERS\Software\PrivacyRedeemer\PrivacyRedeemer\"SaveMyAss"
* HKEY_ALL_USERS\Software\PrivacyRedeemer\PrivacyRedeemer\"WindowsVersion" = "Major:5 Minor:1 Build:2600 ServicePack:2.0"
* HKEY_ALL_USERS\Software\PrivacyRedeemer\PrivacyRedeemer\"AffiliateID" = "100"
* HKEY_ALL_USERS\Software\PrivacyRedeemer\PrivacyRedeemer\"RegisterURL" = "http://privacyredeemer.com/order.php"
* HKEY_ALL_USERS\Software\PrivacyRedeemer\PrivacyRedeemer\"CheckLicenseURL" = "https://secure.sweeptransact.com/Billing/API/CheckLicense.aspx"
* HKEY_ALL_USERS\Software\PrivacyRedeemer\PrivacyRedeemer\"FirstLaunchURL" = ""
* HKEY_ALL_USERS\Software\PrivacyRedeemer\PrivacyRedeemer\"ActivationSuccessURL" = "http://privacyredeemer.com/activate-ok.php"
* HKEY_ALL_USERS\Software\PrivacyRedeemer\PrivacyRedeemer\"FeedbackURL" = "http://privacyredeemer.com/bug-report.php"
* HKEY_ALL_USERS\Software\PrivacyRedeemer\PrivacyRedeemer\"BuildVersion" = "8z s titlom"
* HKEY_ALL_USERS\Software\PrivacyRedeemer\PrivacyRedeemer\"isApplicationRunning" = "true"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Privacy RedeemerRedeemer_is1\"Inno Setup: Setup Version" = "5.1.14"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Privacy RedeemerRedeemer_is1\"Inno Setup: App Path" = "C:\Documents and Settings\Administrator\Application Data\Privacy Redeemer"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Privacy RedeemerRedeemer_is1\"InstallLocation" = "C:\Documents and Settings\Administrator\Application Data\Privacy Redeemer\"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Privacy RedeemerRedeemer_is1\"Inno Setup: Icon Group" = "Privacy Redeemer"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Privacy RedeemerRedeemer_is1\"Inno Setup: User" = "Administrator"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Privacy RedeemerRedeemer_is1\"DisplayName" = "Privacy Redeemer"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Privacy RedeemerRedeemer_is1\"UninstallString" = ""C:\Documents and Settings\Administrator\Application Data\Privacy Redeemer\unins000.exe""
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Privacy RedeemerRedeemer_is1\"QuietUninstallString" = ""C:\Documents and Settings\Administrator\Application Data\Privacy Redeemer\unins000.exe" /SILENT"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Privacy RedeemerRedeemer_is1\"NoModify" = 0x00000001
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Privacy RedeemerRedeemer_is1\"NoRepair" = 0x00000001
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Privacy RedeemerRedeemer_is1\"InstallDate" = "20080310"


It also creates the following registry subkeys:

* HKEY_ALL_USERS\Software\PrivacyRedeemer
* HKEY_ALL_USERS\Software\PrivacyRedeemer\PrivacyRedeemer
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Privacy Redeemer_is1

It also modifies registry entries under the following subkeys:

* HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1EFB6596-857C-11D1-B16A-00C0F0283628}
* HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2C247F23-8591-11D1-B16A-00C0F0283628}
* HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{35053A22-8589-11D1-B16A-00C0F0283628}
* HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3C4F3BE3-47EB-101B-A3C9-08002B2F49FB}
* HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{66833FE6-8583-11D1-B16A-00C0F0283628}
* HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7629CFA2-3FE5-101B-A3C9-08002B2F49FB}
* HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8E3867A3-8586-11D1-B16A-00C0F0283628}
* HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BDD1F04B-858B-11D1-B16A-00C0F0283628}
* HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C27CCE32-8596-11D1-B16A-00C0F0283628}
* HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C74190B6-8589-11D1-B16A-00C0F0283628}
* HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DD9DA666-8594-11D1-B16A-00C0F0283628}
* HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F08DF954-8592-11D1-B16A-00C0F0283628}
* HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}
* HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{2334D2B1-713E-11CF-8AE5-00AA00C00905}
* HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSComDlg.CommonDialog
* HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}
* HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}
Matt Russo
Social Media Specialist

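A triage check for the persistence described in the post above, added here as an example and not part of the original post: it parses a `reg export` of the Run keys and flags the `wmsrc.exe` autorun that points into the `Privacy Redeemer` application-data directory. The sample export below is constructed for the example; the value name and directory come from the post.

```python
"""Added example: flag the Privacy Redeemer autorun in a `reg export` dump."""
import re

# Indicators taken from the post: the autorun value name and the
# install directory the value points into (matched case-insensitively).
RUN_VALUE_NAME = "wmsrc.exe"
INSTALL_DIR_FRAGMENT = "\\privacy redeemer\\"
RUN_KEYS = (
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
)

# Constructed sample in the format `reg export` writes (backslashes doubled).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"wmsrc.exe"="C:\\Documents and Settings\\Administrator\\Application Data\\Privacy Redeemer\\wmsrc.exe"
"""


def parse_reg_export(text):
    """Parse `reg export` output into {key_path: {value_name: data}}.
    Only REG_SZ values ("name"="data") are handled, which is all a Run key
    normally holds; dword and binary lines are skipped."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
            if m:
                name = m.group(1).replace("\\\\", "\\").replace('\\"', '"')
                data = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
                keys[current][name] = data
    return keys


def find_privacy_redeemer_autorun(text):
    """Return [(key, value_name, data)] for each Run entry that matches."""
    hits = []
    for key, values in parse_reg_export(text).items():
        if key.lower() not in RUN_KEYS:
            continue
        for name, data in values.items():
            if name.lower() == RUN_VALUE_NAME or INSTALL_DIR_FRAGMENT in data.lower():
                hits.append((key, name, data))
    return hits


if __name__ == "__main__":
    for key, name, data in find_privacy_redeemer_autorun(SAMPLE_EXPORT):
        print(f"suspicious autorun: {key}\\{name} = {data}")
```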

#2
SwampDiner

Added to blacklist, but if this doesn't become an immediate threat we will not add it to the database at this time.
