New Times, New Threats: Adware.Amonetize investigation

Lately, our Team faced with complaints about Adware.amonetize virus. It hits most of the countries of Europe, the biggest quantity of infections is in China, Azerbaijan, Iran, Italy, Turkey, Saudi Arabia and Indonesia. It doesn’t matter Internet Explorer, Firefox, Google Chrome, Safari or other browsers do you use: you will see ads anyway. We investigated this virus and found that it spreads via a method we call bundling. It means that adware.amonetize sneaks into your system alongside with free software.

How adware.amonetize works?

So what are main symptoms of this adware? Ads, ads and once more ads. You will see disturbing pop-ups, annoying banners, redirects in your browser. It is not a secret that every virus was created to gain profit, adware.amonetize is one of them. It gets pay-per-click revenue, so that is why you see so many ads. Every click and redirects on the sponsored website are coins in the money box. What is more interesting, we’ve noticed that adware.amonetize collects personal information of its victims! Browsing history, emails, messengers, name, locations and even banking credentials can fall into the hands of hackers.

Where it is installed?

Our Analysts Team found out that Adware.Amonetize stored in %programfiles%, in a folder with a random name that contains 10 characters of the English alphabet + digits.
% programfiles% \ 04gcs4ypv6 \ 04gcs4ypv.exe (check on Virus Total)
% programfiles% \ 0gp81q2mg5 \ d5wn9p9nf.exe (check on Virus Total)
% programfiles% \ 39rossub2g \ 39rossub2.exe (check on Virus Total)

Where it is installed?

Where it is installed?

These files are without a signature and add themselves to the startup list with random names:

“HKCU\Software\Microsoft\Windows\CurrentVersion\Run\UPCABJZUFTF7J48” >> “”%programfiles%\04gcs4ypv6\04gcs4ypv.exe””

“HKCU\Software\Microsoft\Windows\CurrentVersion\Run\9A00GNV8DAW655S” >> “”%programfiles%\39rossub2g\39rossub2.exe””

“HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ZXFX5IAHM64HROQ” >> “”%programfiles%\e0in79xcut\e0in79xcu.exe””

Adware.amonetize is a very tricky, as you may already notice. To hide files on the disc it use software from Nir Sofer – NirCmd (check on Virus Total).

Exe file under the name chipset.exe is in the folder with a random name from the letters + numbers in %appdata%, %localappdata%, %commonappdata% or %temp% and is written in the titles with the name GoogleUpdateSecurityTaskMachine_XX and Optimize Start Menu Cache Files-S-XX (XX stands for any uppercase character).

For example:
Task: “%system%\Tasks\GoogleUpdateSecurityTaskMachine_NL” >> “%localappdata%\Temp\02e22efae9e744b3a1fa6dae595a32e1\chipset.exe exec hide GBCWKWPKVU.cmd ”

Task: “%system%\Tasks\GoogleUpdateSecurityTaskMachine_OO” >> “%commonappdata%\5cd66b2d442541229cdaf3947384919f\chipset.exe exec hide EIUHMIJWVC.cmd “

Task: “%system%\Tasks\Optimize Start Menu Cache Files-S-GZ” >> “%appdata%\92dcc1e5f2854a97b66db725d3492ecf\chipset.exe exec hide IDGSTZEJUB.cmd “

Why is adware.amonetize dangerous?

As we already said, it collects your personal information. This reason should be enough to delete adware.amonetize ASAP. Also, it attracts other viruses to your pitiful system: malware, trojans, adware etc.

Get Adware.Amonetize closer

This is what 255335e18ca3b54c7872f31603de52d527da69c93b485c5aa1e70f2052192ac5.exe (Sx3qqqq.exe) looks like.

Loads the specified manifest resource from this assembly.

Take a look at this command more detailed.
Assembly assembly = Assembly.Load(Convert.FromBase64String(Encoding.Default.GetString(new TripleDESCryptoServiceProvider(). CreateDecryptor(Convert.FromBase64String(gr8AA.vferv58rv85rvrvrvergv),
Convert.FromBase64String(gr8AA.scsce8f7er)).TransformFinalBlock(inputBuffer, 0, inputBuffer.Length))));

To make understanding more easy lets disassemble in parts.

string st = Encoding.Default.GetString(new TripleDESCryptoServiceProvider().CreateDecryptor(KEY, IV).TransformFinalBlock(inputBuffer, 0, inputBuffer.Length));

It creates a symmetric TripleDES decryption object with the specified key (Key) and the initialization vector (IV). With the help of TransformFinalBlock it converts the previously read block of data from the manifest. At the end, it converts everything into a string. The result is an executable file.

How adware.amonetize slipped into your system?

As we already said the most popular way of spreading it is installing alongside with free software. We recommend to be careful and read Terms of Agreement before clicking on “Next” button in a hurry.

Related Post

5 REASONS TO START CLEANING YOUR PC RIGHT NOW It's a tradition already trying to start a new life and making new habits on New Year. So as you GridinSoft Team sums up the results of the previou...
Age restriction of popular sites and platforms tha... The world is moving forward with information and technology. The Internet is also available as well. Now everything is happening within reach of peopl...
6 Terrifying Samples How Marketers Use Adware While Spyware and Adware are arguably the fastest growing malicious threats to computers, proponents of these software programs are quite an intellige...
Unknown Google tricks for better searching Google Chrome is considered to be one of the most used browsers on the internet. It was introduced by Google in 2008, and it has grown to become the m...