Virus

Riskware/SoftPulse

Analysis
  • The application attempts to connect to the following sites (among others):
    • 9zqvef8333{Removed}.tyo8hbshm6.com
    • www.xgaz7{Removed}.com
    • www.congratulat{Removed}.com
    • app.tyo8hb{Removed}.com
    • revive.adsultima{Removed}.com
    • www.wordpro{Removed}.com
    • gp387a.saz{Removed}.com

  • The application downloads and installs other applications onto the user's computer. Some examples of installed applications include:
    • Word Proser
    • Cloud Guard
    • Desktop Dock
    • Shopperz
    • TV Wizard
    • Games Desktop
    • Pro PC Cleaner
    • Data Remarketer
    • Media Player

  • The application drops files related to the bundled applications. Some examples of dropped files include:
    • %Temp%\[Alphanumeric Character]tmp\games desktop.exe
    • %Temp%\[Alphanumeric Character]tmp\setspz.exe
    • %Temp%\[Alphanumeric Character]tmp\launcher_11002.exe
    • %Temp%\[Alphanumeric Character]tmp\vopackage.exe
    • %Temp%\[Alphanumeric Character]tmp\setup.exe
    • %Temp%\[Alphanumeric Character]tmp\cloudscout.exe
    • %Temp%\[Alphanumeric Character]tmp\propccleaner.exe
    • %Temp%\[Alphanumeric Character]tmp\wordproser-setup-1.10.0.2.exe
    • %Temp%\[Alphanumeric Character]tmp\savepass_20141120.exe
    • %AppData%\VOPackage\VOPackage.exe
    • %AppData%\gmsd_ca_11\upgmsd_ca_11.exe

  • Registry modifications such as the following are applied:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
      • shopperzXP = C:\Program Files\shopperz\custer.bat
      • shopperz = C:\Program Files\shopperz\unity.exe
      • gmsd_ca_11 = C:\Program Files\gmsd_ca_11\gmsd_ca_11.exe
      • upgmsd_ca_11 = %AppData%\gmsd_ca_11\upgmsd_ca_11.exe -runhelper -addpck
      These Run entries cause the dropped files to execute automatically every time a user logs on to the computer.

Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.