Home / malwarePDF  

Infostealer.Newplayer


First posted on 04 October 2014.
Source: Symantec

Aliases :

There are no other names known for Infostealer.Newplayer.

Explanation :

The Trojan arrives bundled with other software and claims to be a media player.



Once executed, the Trojan creates the following folders:
%UserProfile%\Local Settings\Application Data\newplayer%UserProfile%\Local Settings\Application Data\newplayer\config%UserProfile%\Local Settings\Application Data\newplayer\Playlists%UserProfile%\Local Settings\Application Data\newplayer\Snap%UserProfile%\Start Menu\Programs\NewPlayer
It then creates the following files:
%UserProfile%\Local Settings\Application Data\newplayer\config\config.ini%UserProfile%\Local Settings\Application Data\newplayer\log.txt%UserProfile%\Desktop\NewPlayer.lnk%UserProfile%\Start Menu\Programs\NewPlayer\NewPlayer.lnk%UserProfile%\Start Menu\Programs\NewPlayer\Uninstall.lnk%ProgramFiles%\NewPlayer\dotNetFx40_Full_setup.exe%ProgramFiles%\NewPlayer\icon.ico%ProgramFiles%\NewPlayer\Languages%ProgramFiles%\NewPlayer\Languages\Arabic.ini%ProgramFiles%\NewPlayer\Languages\Bulgarian.ini%ProgramFiles%\NewPlayer\Languages\Catalan.ini%ProgramFiles%\NewPlayer\Languages\ChineseS.ini%ProgramFiles%\NewPlayer\Languages\ChineseT.ini%ProgramFiles%\NewPlayer\Languages\Czech.ini%ProgramFiles%\NewPlayer\Languages\Danish.ini%ProgramFiles%\NewPlayer\Languages\Dutch.ini%ProgramFiles%\NewPlayer\Languages\English.ini%ProgramFiles%\NewPlayer\Languages\Estonian.ini%ProgramFiles%\NewPlayer\Languages\Finnish.ini%ProgramFiles%\NewPlayer\Languages\French.ini%ProgramFiles%\NewPlayer\Languages\German.ini%ProgramFiles%\NewPlayer\Languages\Greek.ini%ProgramFiles%\NewPlayer\Languages\HaitianCreole.ini%ProgramFiles%\NewPlayer\Languages\Hebrew.ini%ProgramFiles%\NewPlayer\Languages\Hindi.ini%ProgramFiles%\NewPlayer\Languages\Hungarian.ini%ProgramFiles%\NewPlayer\Languages\Indonesian.ini%ProgramFiles%\NewPlayer\Languages\Italian.ini%ProgramFiles%\NewPlayer\Languages\Japanese.ini%ProgramFiles%\NewPlayer\Languages\Korean.ini%ProgramFiles%\NewPlayer\Languages\Latvian.ini%ProgramFiles%\NewPlayer\Languages\Lithuanian.ini%ProgramFiles%\NewPlayer\Languages\Norwegian.ini%ProgramFiles%\NewPlayer\Languages\Polish.ini%ProgramFiles%\NewPlayer\Languages\Portuguese.ini%ProgramFiles%\NewPlayer\Languages\Romanian.ini%ProgramFiles%\NewPlayer\Languages\Russian.ini%ProgramFiles%\NewPlayer\Languages\Slovak.ini%ProgramFiles%\NewPlayer\Languages\Slovenian.ini%ProgramFiles%\NewPlayer\Languages\Spanish.ini%ProgramFiles%\NewPlayer\Languages\Swedish.ini%ProgramFiles%\NewPlayer\Languages\Thai.ini%ProgramFiles%\NewPlayer\Languages\Turkish.ini%ProgramFiles%\NewPlayer\Languages\Ukrainian.ini%ProgramFiles%\NewPlayer\Languages\Vietnamese.ini%ProgramFiles%\NewPlayer\LTV.exe%ProgramFiles%\NewPlayer\NewPlayer.exe%ProgramFiles%\NewPlayer\NewPlayerUpdater.exe%ProgramFiles%\NewPlayer\NewPlayerUpdaterService.exe%ProgramFiles%\NewPlayer\NewPlayerUpdaterService.InstallLog%ProgramFiles%\NewPlayer\NewPlayerUpdaterService.InstallState%ProgramFiles%\NewPlayer\Newtonsoft.Json.dll%ProgramFiles%\NewPlayer\PhotoLoader.dll%ProgramFiles%\NewPlayer\policy.2.0.taglib-sharp.config%ProgramFiles%\NewPlayer\policy.2.0.taglib-sharp.dll%ProgramFiles%\NewPlayer\references%ProgramFiles%\NewPlayer\references\extaudio.png%ProgramFiles%\NewPlayer\references\extvideo.png%ProgramFiles%\NewPlayer\references\ffmpeg.exe%ProgramFiles%\NewPlayer\references\folder.png%ProgramFiles%\NewPlayer\references\Interop.SHDocVw.dll%ProgramFiles%\NewPlayer\references\libreria.png%ProgramFiles%\NewPlayer\references\NDde.dll%ProgramFiles%\NewPlayer\references\NewPlayerChecker.exe%ProgramFiles%\NewPlayer\references\Newtonsoft.Json.dll%ProgramFiles%\NewPlayer\references\PhotoLoader.dll%ProgramFiles%\NewPlayer\references\policy.2.0.taglib-sharp.config%ProgramFiles%\NewPlayer\references\policy.2.0.taglib-sharp.dll%ProgramFiles%\NewPlayer\references\taglib-sharp.dll%ProgramFiles%\NewPlayer\references\Thumbs.db%ProgramFiles%\NewPlayer\taglib-sharp.dll%ProgramFiles%\NewPlayer\uninstall.exe%ProgramFiles%\NewPlayer\Windows%ProgramFiles%\NewPlayer\Windows\icon-play.ico%ProgramFiles%\NewPlayer\Windows\ifishplayer-icon.ico%ProgramFiles%\NewPlayer\Windows\Thumbs.db
The Trojan creates the following registry entries:
HKEY_CLASSES_ROOT\Applications\NewPlayer.exe\"FriendlyAppName" = "NewPlayer"HKEY_CLASSES_ROOT\Applications\NewPlayer.exe\shell\Play\command\"Default" = ""%ProgramFiles%\NewPlayer\NewPlayer.exe"" /m ""%1""""""HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Player\Tasks\NowPlaying\"InitFlags" = "1"HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\HTTP\"ProxyBypass" = "0"HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\HTTP\"ProxyPort" = "50"HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\HTTP\"ProxyStyle" = "1"HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\RTSP\"ProxyBypass" = "0"HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\RTSP\"ProxyPort" = "22a"HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\RTSP\"ProxyStyle" = "0"HKEY_CURRENT_USER\Software\Microsoft\Windows Media\WMSDK\General\"ComputerName" = "STARFLEE-205AC0"HKEY_CURRENT_USER\Software\Microsoft\Windows Media\WMSDK\General\"UniqueID" = "{8E1E74B2-D6AA-4830-91CE-B40F6B11D30C}"HKEY_CURRENT_USER\Software\Microsoft\Windows Media\WMSDK\General\"VolumeSerialNumber" = "104bd201"HKEY_CURRENT_USER\Software\Microsoft\Windows Script\Settings\"JITDebug" = "0"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU" = "P" = "\Qbphzragf naq Frggvatf\Nqzvavfgengbe\Qrfxgbc\"ArjCynlreFrghc.rkr" = "[HEXADECIMAL VALUE]"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACVQY:%pfvqy2%\ArjCynlre\"ArjCynlre.yax" = "[HEXADECIMAL VALUE]"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACVQY:%pfvqy2%\ArjCynlre\"Havafgnyy.yax" = "[HEXADECIMAL VALUE]"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D27CDB6E-AE6D-11CF-96B8-444553540000}\iexplore\"Count" = "3"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D27CDB6E-AE6D-11CF-96B8-444553540000}\iexplore\"Flags" = "0"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D27CDB6E-AE6D-11CF-96B8-444553540000}\iexplore\"Time" = "[HEXADECIMAL VALUE]"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D27CDB6E-AE6D-11CF-96B8-444553540000}\iexplore\"Type" = "1"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\NewPlayer.exe\"FriendlyAppName" = "NewPlayer"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\NewPlayer.exe\shell\Play\command\"Default" = ""%ProgramFiles%\NewPlayer\NewPlayer.exe"" /m ""%1""""""HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NewPlayer\"DisplayIcon" = "%ProgramFiles%\NewPlayer\NewPlayer.exe"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NewPlayer\"DisplayName" = "NewPlayer"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NewPlayer\"DisplayVersion" = "v2.1.1.9"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NewPlayer\"EstimatedSize" = "7a1d"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NewPlayer\"UninstallString" = "%ProgramFiles%\NewPlayer\uninstall.exe"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NEWPLAYERUPDATERSERVICE\0000\"Class" = "LegacyDriver"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NEWPLAYERUPDATERSERVICE\0000\"ClassGUID" = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NEWPLAYERUPDATERSERVICE\0000\"ConfigFlags" = "0"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NEWPLAYERUPDATERSERVICE\0000\Control\"*NewlyCreated*" = "0"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NEWPLAYERUPDATERSERVICE\0000\Control\"ActiveService" = "NewPlayerUpdaterService"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NEWPLAYERUPDATERSERVICE\0000\"DeviceDesc" = "NewPlayer Updater Service"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NEWPLAYERUPDATERSERVICE\0000\"Legacy" = "1HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NEWPLAYERUPDATERSERVICE\0000\"Service" = "NewPlayerUpdaterService"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NEWPLAYERUPDATERSERVICE\"NextInstance" = "1"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RASMAN\0000\Control\"ActiveService" = "RasMan"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TAPISRV\0000\Control\"ActiveService" = "TapiSrv"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WPFFONTCACHE_V0400\0000\"Class" = "LegacyDriver"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WPFFONTCACHE_V0400\0000\"ClassGUID" = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WPFFONTCACHE_V0400\0000\"ConfigFlags" = "0"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WPFFONTCACHE_V0400\0000\Control\"*NewlyCreated*" = "0"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WPFFONTCACHE_V0400\0000\Control\"ActiveService" = "WPFFontCache_v0400"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WPFFONTCACHE_V0400\0000\"DeviceDesc" = "Windows Presentation Foundation Font Cache 4.0.0.0"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WPFFONTCACHE_V0400\0000\"Legacy" = "1"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WPFFONTCACHE_V0400\0000\"Service" = "WPFFontCache_v0400"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WPFFONTCACHE_V0400\"NextInstance" = "1"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\NewPlayerUpdaterService\"EventMessageFile" = "[HEXADECIMAL VALUE]"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\Service1\"EventMessageFile" = "[HEXADECIMAL VALUE]"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NewPlayerUpdaterService\"Description" = "NewPlayer Updater Service"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NewPlayerUpdaterService\"DisplayName" = "NewPlayer Updater Service"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NewPlayerUpdaterService\Enum\"Count" = "1"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NewPlayerUpdaterService\Enum\"NextInstance" = "1"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NewPlayerUpdaterService\"ErrorControl" = "1"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NewPlayerUpdaterService\"ImagePath" = "[HEXADECIMAL VALUE]"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NewPlayerUpdaterService\"ObjectName" = "LocalSystem"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NewPlayerUpdaterService\Security\"Security" = "[HEXADECIMAL VALUE]"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NewPlayerUpdaterService\"Start" = "2"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NewPlayerUpdaterService\"Type" = "10"HKEY_USERS\S-1-5-21-1316737702-3227248519-3113389456-500\Software\Microsoft\MediaPlayer\Player\Tasks\NowPlaying\"InitFlags" = "1"HKEY_USERS\S-1-5-21-1316737702-3227248519-3113389456-500\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\HTTP\"ProxyBypass" = "0"HKEY_USERS\S-1-5-21-1316737702-3227248519-3113389456-500\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\HTTP\"ProxyPort" = "50"HKEY_USERS\S-1-5-21-1316737702-3227248519-3113389456-500\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\HTTP\"ProxyStyle" = "1"HKEY_USERS\S-1-5-21-1316737702-3227248519-3113389456-500\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\RTSP\"ProxyBypass" = "0"HKEY_USERS\S-1-5-21-1316737702-3227248519-3113389456-500\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\RTSP\"ProxyPort" = "22a"HKEY_USERS\S-1-5-21-1316737702-3227248519-3113389456-500\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\RTSP\"ProxyStyle" = "0"HKEY_USERS\S-1-5-21-1316737702-3227248519-3113389456-500\Software\Microsoft\Windows Media\WMSDK\General\"ComputerName" = "STARFLEE-205AC0"HKEY_USERS\S-1-5-21-1316737702-3227248519-3113389456-500\Software\Microsoft\Windows Media\WMSDK\General\"UniqueID" = "{8E1E74B2-D6AA-4830-91CE-B40F6B11D30C}"HKEY_USERS\S-1-5-21-1316737702-3227248519-3113389456-500\Software\Microsoft\Windows Media\WMSDK\General\"VolumeSerialNumber" = "104bd201"
It also creates the following registry subkeys:
HKEY_USERS\S-1-5-21-1316737702-3227248519-3113389456-500\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\RTSP\ProxyExcludeHKEY_USERS\S-1-5-21-1316737702-3227248519-3113389456-500\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\RTSP\ProxyNameHKEY_USERS\S-1-5-21-1316737702-3227248519-3113389456-500\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\HTTP\ProxyExcludeHKEY_USERS\S-1-5-21-1316737702-3227248519-3113389456-500\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\HTTP\ProxyNameHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NewPlayerUpdaterService\Enum\0:Root\LEGACY_NEWPLAYERUPDATERSERVICE\0000HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\HTTP\ProxyExcludeHKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\HTTP\ProxyNameHKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\RTSP\ProxyExcludeHKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\RTSP\ProxyNameHKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\NewPlayer.exe\DefaultHKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\NewPlayer.exe\SupportedTypes\.3gpHKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\NewPlayer.exe\SupportedTypes\.aacHKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\NewPlayer.exe\SupportedTypes\.aifHKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\NewPlayer.exe\SupportedTypes\.aviHKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\NewPlayer.exe\SupportedTypes\.divxHKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\NewPlayer.exe\SupportedTypes\.flvHKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\NewPlayer.exe\SupportedTypes\.mkvHKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\NewPlayer.exe\SupportedTypes\.movHKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\NewPlayer.exe\SupportedTypes\.mp3HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\NewPlayer.exe\SupportedTypes\.mp4HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\NewPlayer.exe\SupportedTypes\.mpegHKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\NewPlayer.exe\SupportedTypes\.mpgHKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\NewPlayer.exe\SupportedTypes\.wavHKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\NewPlayer.exe\SupportedTypes\.wmaHKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\NewPlayer.exe\SupportedTypes\.wmvHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\NewPlayer\DEBUG\Trace LevelHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NewPlayer\Publisher
The Trojan asks for payment card credentials in order to complete registration.

The Trojan monitors the user's Internet browsing activities and then displays targeted popup advertisements on the compromised computer. It also inserts advertisements into certain websites viewed on the compromised computer.

Last update 04 October 2014

 

TOP

Malware :

Family: