New Times, New Threats: Adware.Amonetize investigation

Lately, our Team faced with complaints about Adware.amonetize virus. It hits most of the countries of Europe, the biggest quantity of infections is in China, Azerbaijan, Iran, Italy, Turkey, Saudi Arabia and Indonesia. It doesn’t matter Internet Explorer, Firefox, Google Chrome, Safari or other browsers do you use: you will see ads anyway. We investigated this virus and found that it spreads via a method we call bundling. It means that adware.amonetize sneaks into your system alongside with free software.

How adware.amonetize works?

So what are main symptoms of this adware? Ads, ads and once more ads. You will see disturbing pop-ups, annoying banners, redirects in your browser. It is not a secret that every virus was created to gain profit, adware.amonetize is one of them. It gets pay-per-click revenue, so that is why you see so many ads. Every click and redirects on the sponsored website are coins in the money box. What is more interesting, we’ve noticed that adware.amonetize collects personal information of its victims! Browsing history, emails, messengers, name, locations and even banking credentials can fall into the hands of hackers.

Where it is installed?

Our Analysts Team found out that Adware.Amonetize stored in %programfiles%, in a folder with a random name that contains 10 characters of the English alphabet + digits.
% programfiles% \ 04gcs4ypv6 \ 04gcs4ypv.exe (check on Virus Total)
% programfiles% \ 0gp81q2mg5 \ d5wn9p9nf.exe (check on Virus Total)
% programfiles% \ 39rossub2g \ 39rossub2.exe (check on Virus Total)

Where it is installed?

Where it is installed?

These files are without a signature and add themselves to the startup list with random names:

“HKCU\Software\Microsoft\Windows\CurrentVersion\Run\UPCABJZUFTF7J48” >> “”%programfiles%\04gcs4ypv6\04gcs4ypv.exe””

“HKCU\Software\Microsoft\Windows\CurrentVersion\Run\9A00GNV8DAW655S” >> “”%programfiles%\39rossub2g\39rossub2.exe””

“HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ZXFX5IAHM64HROQ” >> “”%programfiles%\e0in79xcut\e0in79xcu.exe””

Adware.amonetize is a very tricky, as you may already notice. To hide files on the disc it use software from Nir Sofer – NirCmd (check on Virus Total).

Exe file under the name chipset.exe is in the folder with a random name from the letters + numbers in %appdata%, %localappdata%, %commonappdata% or %temp% and is written in the titles with the name GoogleUpdateSecurityTaskMachine_XX and Optimize Start Menu Cache Files-S-XX (XX stands for any uppercase character).

For example:
Task: “%system%\Tasks\GoogleUpdateSecurityTaskMachine_NL” >> “%localappdata%\Temp\02e22efae9e744b3a1fa6dae595a32e1\chipset.exe exec hide GBCWKWPKVU.cmd ”

Task: “%system%\Tasks\GoogleUpdateSecurityTaskMachine_OO” >> “%commonappdata%\5cd66b2d442541229cdaf3947384919f\chipset.exe exec hide EIUHMIJWVC.cmd “

Task: “%system%\Tasks\Optimize Start Menu Cache Files-S-GZ” >> “%appdata%\92dcc1e5f2854a97b66db725d3492ecf\chipset.exe exec hide IDGSTZEJUB.cmd “

Why is adware.amonetize dangerous?

As we already said, it collects your personal information. This reason should be enough to delete adware.amonetize ASAP. Also, it attracts other viruses to your pitiful system: malware, trojans, adware etc.

Get Adware.Amonetize closer

This is what 255335e18ca3b54c7872f31603de52d527da69c93b485c5aa1e70f2052192ac5.exe (Sx3qqqq.exe) looks like.

Loads the specified manifest resource from this assembly.

Take a look at this command more detailed.
Assembly assembly = Assembly.Load(Convert.FromBase64String(Encoding.Default.GetString(new TripleDESCryptoServiceProvider(). CreateDecryptor(Convert.FromBase64String(gr8AA.vferv58rv85rvrvrvergv),
Convert.FromBase64String(gr8AA.scsce8f7er)).TransformFinalBlock(inputBuffer, 0, inputBuffer.Length))));

To make understanding more easy lets disassemble in parts.

string st = Encoding.Default.GetString(new TripleDESCryptoServiceProvider().CreateDecryptor(KEY, IV).TransformFinalBlock(inputBuffer, 0, inputBuffer.Length));

It creates a symmetric TripleDES decryption object with the specified key (Key) and the initialization vector (IV). With the help of TransformFinalBlock it converts the previously read block of data from the manifest. At the end, it converts everything into a string. The result is an executable file.

How adware.amonetize slipped into your system?

As we already said the most popular way of spreading it is installing alongside with free software. We recommend to be careful and read Terms of Agreement before clicking on “Next” button in a hurry.

Related Post

Why Free Browser Extensions Can Be Dangerous On a daily basis we make use of different browsers to surf the internet using our PCs and these browsers develop adds up new features especially exten...
Age restriction of popular sites and platforms tha... The world is moving forward with information and technology. The Internet is also available as well. Now everything is happening within reach of peopl...
Adware Everywhere: Who Knows What Is Happening? Perhaps you’ve heard the familiar whirlwind that no harm can ever hit your pricey gadget, maybe because everything from official App Stores is 100% cl...
5 REASONS TO START CLEANING YOUR PC RIGHT NOW It's a tradition already trying to start a new life and making new habits on New Year. So as you GridinSoft Team sums up the results of the previou...