
Trojan:Win32/Speesipro.A


First posted on 05 September 2017.
Source: Microsoft

Aliases:

There are no other names known for Trojan:Win32/Speesipro.A.

Explanation:

Arrival and installation

This threat may be downloaded from the web, for example:

  • hxxp://cdn[.]pcspeeduppro[.]net/pcspnet/c2/securedl/pcspsetupsite[.]exe


It may be installed as any of the following software:
  • Advance PC Care
  • Advanced-PCFixer
  • Advance System Care
  • CC Cleaner
  • Easy File Opener
  • File Opener Windows
  • PC-Speedup-Pro
  • Smart System Care
  • US System Care


It can add a scheduled task so that it runs every time you sign in, for example:



This threat is software that scans your PC for issues and possible unwanted threats, for example:

After scanning, this software displays a summary of issues it finds:



If you click "Start Repair", it loads a page that asks for payment for activation.

Payload

Installs malware

During installation, this threat also installs a program called "Windows File Opener" without your consent.

It creates the folder %APPDATA%\FileOpenerWindows for {HostName} and adds the following files:
  • %APPDATA%\FileOpenerWindows for {HostName}\files.txt
  • %APPDATA%\FileOpenerWindows for {HostName}\langswfo.db
  • %APPDATA%\FileOpenerWindows for {HostName}\System.Data.SQLite.DLL
  • %APPDATA%\FileOpenerWindows for {HostName}\wfo.exe
  • %APPDATA%\FileOpenerWindows for {HostName}\wfo.exe.config
  • %APPDATA%\FileOpenerWindows for {HostName}\x64\SQLite.Interop.dll
  • %APPDATA%\FileOpenerWindows for {HostName}\x86\SQLite.Interop.dll


Some versions can create any of the following folders instead:
  • %APPDATA%\EasyFileOpener
  • %APPDATA%\efo
  • %APPDATA%\FileOpenerWindows
  • %APPDATA%\WindowsFileOpener
  • %APPDATA%\winfo


It creates the following registry entries:

In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\shell\openas\command
Sets value: "@"
With data: "%APPDATA%\FileOpenerWindows for {HostName}\wfo.exe "%1""

In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\shell\openas\command
Sets value: "windowsfileopener.Dat"
With data: "C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,OpenAs_RunDLL %1"

In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\shell\opendlg\command
Sets value: "@"
With data: "%APPDATA%\FileOpenerWindows for {HostName}\wfo.exe "%1""

In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\shell\opendlg\command
Sets value: "windowsfileopener.Dat"
With data: "C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,OpenAs_RunDLL %1"

Note that this program does not have uninstall registry entries. Even if you uninstall the primary software (for example, PC-Speedup-Pro), the program "Windows File Opener" and all its related files and registry entries remain intact.
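The folder names, registry values and scheduled task listed above are enough to triage a host without running the sample. The following PowerShell script is an added example and is not part of the Microsoft write-up; it only reads the registry, the file system and the task scheduler and changes nothing. It assumes that the legitimate default for both `openas\command` and `opendlg\command` is the shell32 `OpenAs_RunDLL` handler (the same command the installer stashes in the `windowsfileopener.Dat` value), that the `FileOpenerWindows for {HostName}` folder can be matched with a wildcard because the host name is embedded in it, and that user profiles live under the system drive's `Users` directory.

```powershell
# Added example (not from the Microsoft entry): read-only triage for the
# Speesipro / "Windows File Opener" artifacts. Run from an elevated prompt.

$findings = @()

# 1. The two "unknown file type" command keys the entry says are rewritten.
#    The stock handler is rundll32 calling shell32's OpenAs_RunDLL; any other
#    default value means the "open with" dialog has been hijacked.
$commandKeys = @(
    'HKLM:\SOFTWARE\Classes\Unknown\shell\openas\command',
    'HKLM:\SOFTWARE\Classes\Unknown\shell\opendlg\command'
)
foreach ($key in $commandKeys) {
    if (-not (Test-Path $key)) { continue }
    $props   = Get-ItemProperty -Path $key
    $default = [string]$props.'(default)'
    if ($default -and $default -notmatch 'OpenAs_RunDLL') {
        $findings += [pscustomobject]@{ Type = 'RegistryHijack'; Where = $key; Detail = "(default) = $default" }
    }
    # The installer keeps a copy of the original command under this value name.
    if ($props.PSObject.Properties.Name -contains 'windowsfileopener.Dat') {
        $saved = [string]$props.'windowsfileopener.Dat'
        $findings += [pscustomobject]@{ Type = 'RegistryMarker'; Where = $key; Detail = "windowsfileopener.Dat = $saved" }
    }
}

# 2. Folders the entry lists under %APPDATA%, checked in every user profile
#    (assumption: profiles are under <SystemDrive>\Users).
$folderPatterns = @('FileOpenerWindows for *', 'EasyFileOpener', 'efo',
                    'FileOpenerWindows', 'WindowsFileOpener', 'winfo')
$roamingDirs = Get-ChildItem -Path (Join-Path $env:SystemDrive 'Users') -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'AppData\Roaming' } |
    Where-Object { Test-Path $_ }
$suspectFolders = @()
foreach ($roaming in $roamingDirs) {
    foreach ($pattern in $folderPatterns) {
        Get-ChildItem -Path $roaming -Directory -Filter $pattern -ErrorAction SilentlyContinue | ForEach-Object {
            $suspectFolders += $_.FullName
            $hasWfo = Test-Path (Join-Path $_.FullName 'wfo.exe')
            $detail = if ($hasWfo) { 'contains wfo.exe' } else { 'folder present' }
            $findings += [pscustomobject]@{ Type = 'Folder'; Where = $_.FullName; Detail = $detail }
        }
    }
}

# 3. Scheduled tasks whose action runs something from one of those folders
#    (the entry says a task is registered so the software runs at sign-in).
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $exe = [string]$action.Execute
        if (-not $exe) { continue }
        foreach ($folder in $suspectFolders) {
            if ($exe -like "$folder\*") {
                $logon = ($task.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' }) -ne $null
                $detail = "runs $exe" + $(if ($logon) { ' (logon trigger)' } else { '' })
                $findings += [pscustomobject]@{ Type = 'ScheduledTask'; Where = "$($task.TaskPath)$($task.TaskName)"; Detail = $detail }
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Windows File Opener artifacts found.'
} else {
    $findings | Sort-Object Type, Where | Format-Table -AutoSize -Wrap
}
```

Because the entry states that "Windows File Opener" leaves no uninstall entries, removing PC-Speedup-Pro through Add/Remove Programs will not clear these findings; re-run the script after cleanup to confirm the command keys again point at the `OpenAs_RunDLL` handler and the folders and task are gone.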

The registry entries are created so that every time you open an unknown file type, it displays the following:



If you choose "Search from web...", this threat opens the browser and loads the following page:



This behavior hijacks the normal Windows experience. If you choose "Open file through Windows", you get the normal Windows options:



Downloads and installs other software

In some versions of this threat, the main interface displays an advertisement for software called "Driver Updater". If you click the ad, this threat automatically downloads and installs the software without your consent or control. The download dialog box has the window name "Download Updates", but in reality the threat downloads and installs a separate program:

Last update 05 September 2017
