Adware.PPRich

Friday, June 27 2008

Updated: October 4, 2006 7:15:31 AM
Type: Adware
Risk Impact: Medium
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows NT, Windows 2000

SUMMARY

Behavior

Adware.PPRich is a program that displays Internet advertisements in Chinese on the compromised computer.

Protection

  • Initial Rapid Release version September 14, 2006
  • Latest Rapid Release version June 24, 2008 revision 049
  • Initial Daily Certified version September 14, 2006
  • Latest Daily Certified version June 25, 2008 revision 003
  • Initial Weekly Certified release date September 20, 2006

TECHNICAL DETAILS

Adware.PPRich is a program that displays Internet advertisements in Chinese on the compromised computer.

Once executed, the risk creates the following files:
%ProgramFiles%\SystemInspect\config.ini
%ProgramFiles%\SystemInspect\iexplore.exe
%ProgramFiles%\SystemInspect\SerInf.ini
%ProgramFiles%\SystemInspect\SVCHAST.exe
%ProgramFiles%\SystemInspect\SystemInspect1.dll
%ProgramFiles%\SystemInspect\download\iexplore.exe
%ProgramFiles%\SystemInspect\download\SVCHAST.exe
%ProgramFiles%\SystemInspect\download\SystemInspect.dll
%ProgramFiles%\SystemInspect\Log\[EXECUTION DATE].Log
%ProgramFiles%\PPRich\Logo.swf
%ProgramFiles%\PPRich\MiniPPGou.dll
%ProgramFiles%\PPRich\MiniPPGou.exe
%ProgramFiles%\PPRich\MiniPPGou2Core.dll
%ProgramFiles%\PPRich\PPRich.ocx
%ProgramFiles%\PPRich\PPRichFileSource.ax
%ProgramFiles%\PPRich\PPSConfig.bin
%ProgramFiles%\PPRich\sysOption.fsc
%ProgramFiles%\PPRich\MiniData\CurrentDownFileList.blb
%ProgramFiles%\PPRich\MiniData\CurrentDownFileList.dat
%ProgramFiles%\PPRich\MiniData\CurrentDownFileList.idx
%ProgramFiles%\PPRich\MiniData\ShareFileList.dat
%ProgramFiles%\PPRich\MiniData\ShareFileList.idx
%ProgramFiles%\PPRich\MiniData\Users.dat
%ProgramFiles%\PPRich\MiniData\Users.idx
%ProgramFiles%\PPRich\Temp\Logo.swf
%ProgramFiles%\PPRich\Temp\MiniPPGou.dll
%ProgramFiles%\PPRich\Temp\MiniPPGou.exe
%ProgramFiles%\PPRich\Temp\PPRich.ocx
%ProgramFiles%\PPRich\Temp\PPRichFileSource.ax
%ProgramFiles%\PPRich\Temp\sysOption.fsc
%Windir%\SysPPMultThd.dll
%Windir%\SysPPHash.dll

The risk creates the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance\{4CCBC79C-7F0D-4BE0-94D7-E69E236488CF}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4CCBC79C-7F0D-4BE0-94D7-E69E236488CF}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9D966685-3D58-4170-B008-05BD7C1628B0}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A4CA69A9-5CA7-4110-9922-62DFDD902A07}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{57523ABF-6C26-4FB9-B6EA-6CECFC403764}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6B32AA76-2071-4B16-AE16-D206FC99EA5A}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{780BB4CB-F55B-4965-8CEC-86834D7A14D8}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{45E3D498-DA44-40D2-8F3B-59B34426FFAB}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{819B7E0D-3ED5-4217-9FD6-5E8241AE6A25}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MiniPPGou.CoMiniPPGou
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MiniPPGou.CoMiniPPGou\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PPRich.Player
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PPRich.Player\Clsid

The risk then modifies the following registry entry:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Start Page" = "http://www.9991.com/indexjim.htm"

Next, the risk creates a service with the following properties:
Service Name: SystemInspect
Display Name: SVCHAST
Image Path: %ProgramFiles%\SystemInspect\SVCHAST.exe

The risk then downloads the latest version of itself if it is available.

The risk changes the home page of Internet Explorer to "http://www.9991.com/indexjim.htm".

The risk then displays advertisements on Internet Explorer periodically.
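
The following read-only PowerShell check looks for the files, service, ProgID keys and start page value listed above. It is an added example, not part of the original write-up; the function name, the output fields and the extra "Program Files (x86)" lookup are assumptions of this example.

```powershell
# Added example: read-only check for the indicators listed in this write-up.
# Test-PPRichIndicators and its output fields are names chosen for this example.
function Test-PPRichIndicators {
    $hits = @()

    # Assumption: on 64-bit Windows a 32-bit installer would use "Program Files (x86)".
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ } | Select-Object -Unique

    # Install directories, plus the two DLLs dropped into %Windir%.
    $paths = @(foreach ($r in $roots) {
        foreach ($d in 'SystemInspect', 'PPRich') { Join-Path $r $d }
    })
    $paths += foreach ($f in 'SysPPMultThd.dll', 'SysPPHash.dll') { Join-Path $env:windir $f }
    foreach ($p in $paths) {
        if (Test-Path -LiteralPath $p) {
            $hits += [pscustomobject]@{ Kind = 'File'; Indicator = $p }
        }
    }

    # Service: match on any one of the three listed properties.
    $services = Get-CimInstance -ClassName Win32_Service | Where-Object {
        $_.Name -eq 'SystemInspect' -or $_.DisplayName -eq 'SVCHAST' -or
        $_.PathName -like '*\SystemInspect\SVCHAST.exe*'
    }
    foreach ($s in $services) {
        $hits += [pscustomobject]@{ Kind = 'Service'; Indicator = "$($s.Name) -> $($s.PathName)" }
    }

    # COM ProgIDs registered under HKLM\SOFTWARE\Classes.
    foreach ($id in 'MiniPPGou.CoMiniPPGou', 'PPRich.Player') {
        $key = "HKLM:\SOFTWARE\Classes\$id"
        if (Test-Path -LiteralPath $key) {
            $hits += [pscustomobject]@{ Kind = 'Registry'; Indicator = $key }
        }
    }

    # Internet Explorer start page; HKCU covers only the user running the check.
    $ie = Get-ItemProperty -LiteralPath 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
    if ($ie -and $ie.'Start Page' -eq 'http://www.9991.com/indexjim.htm') {
        $hits += [pscustomobject]@{ Kind = 'StartPage'; Indicator = $ie.'Start Page' }
    }

    $hits
}

Test-PPRichIndicators | Format-Table -AutoSize
```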