
More about the “benefits” of VKontakte plugins, or the story of WebPlugins

Hello!

Recently, an offer started appearing on the social network VKontakte to download a plugin that extends the functionality of the network (it adds downloading of media content and other “extras”) and of the YouTube site as well. Clicking the link downloads the file setupWP.exe to the computer. As our analysis showed, this application is not entirely trustworthy. In addition, owing to some features of its implementation, it bypassed most antivirus protection.


The offer looks like this:

[image]

The functionality of the plugin advertised on the site is as follows:

[image]

When it first appeared, the installer had only three detections, namely:

[image]

It should be noted that the installer itself and (looking ahead) all the executable files are packed with UPX and are also signed with a valid digital signature. The signature contains the following information:
CN = Chernyshov Victor
O = Chernyshov Victor
STREET = Stancionnaya str, 3-2, app. 31
L = Mytischi,
S = Moscow Region
PostalCode = 000000
C = RU

issued by the notorious COMODO Code Signing CA 2.
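The two static facts above (UPX packing plus an attached Authenticode signature) are the first thing a triage script can check without running the sample. The Python below is an added example, not a tool from the original post or from the WebPlugins author: it parses the PE headers with the standard library only, reports the section names (UPX leaves sections named UPX0/UPX1 unless told otherwise, so this is a heuristic, not proof) and whether the security data directory is non-empty, which only means a signature blob is attached, not that it verifies. The sample PE image is constructed inside the script; nothing is read from the real installer.

```python
"""Static PE triage: UPX section names and presence of an Authenticode blob.

Added example, not the original author's code. `build_sample_pe` constructs a
minimal, non-executable PE32 image purely for demonstration.
"""
import struct

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
SECURITY_DIR_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY (Authenticode)


def inspect_pe(data):
    """Return {'sections': [...], 'upx_packed': bool, 'has_authenticode': bool}.

    Raises ValueError for anything that does not look like a PE image.
    """
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = pe_off + 4                                # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                  # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        dir_count_off, dir_base = opt + 92, opt + 96
    elif magic == PE32PLUS_MAGIC:
        dir_count_off, dir_base = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)

    # The security directory holds a file offset and size of the PKCS#7 blob;
    # a non-zero size means "something is attached", not "the signature is valid".
    has_sig = False
    dir_count = struct.unpack_from("<I", data, dir_count_off)[0]
    if dir_count > SECURITY_DIR_INDEX:
        _, size = struct.unpack_from("<II", data, dir_base + 8 * SECURITY_DIR_INDEX)
        has_sig = size > 0

    # Section table follows the optional header; each entry is 40 bytes,
    # the first 8 of which are the (NUL-padded) section name.
    sections = []
    sec_off = opt + opt_size
    for i in range(num_sections):
        raw = data[sec_off + 40 * i: sec_off + 40 * i + 8]
        sections.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    upx = any(s.startswith("UPX") for s in sections)
    return {"sections": sections, "upx_packed": upx, "has_authenticode": has_sig}


def build_sample_pe(section_names, signed):
    """Construct a minimal PE32 header set (constructed test input, not runnable code)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)            # e_lfanew -> right after DOS header
    opt = bytearray(224)                             # PE32 optional header size
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 92, 16)              # NumberOfRvaAndSizes
    if signed:
        # Pretend a 0x800-byte signature blob sits at file offset 0x1000.
        struct.pack_into("<II", opt, 96 + 8 * SECURITY_DIR_INDEX, 0x1000, 0x800)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, len(opt), 0x102)
    sections = b"".join(n.encode().ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sections


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(inspect_pe(fh.read()))
    else:
        print(inspect_pe(build_sample_pe(["UPX0", "UPX1", ".rsrc"], signed=True)))
```

Run it with a path to an .exe to triage a real file; without arguments it inspects the constructed sample. Whether the attached signature actually chains to a trusted CA still has to be checked with the platform tools (signtool or Get-AuthenticodeSignature on Windows); as the case above shows, a validly signed file is not a trustworthy file.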

setupWP.exe is 400392 bytes in size (MD5 4028128db46e8f63a3fdd4df8d283a4e). When launched, setupWP.exe creates two files in %appdata%: WebPlugins.exe, 239488 bytes (MD5 ef5fdd65d44e99b0fd8d0efe62893ced), and WebPluginsLauncher.exe, 67456 bytes (MD5 16ca4708932d4d7c5a7ea7ch4). The files are written in Microsoft Visual C++ 8.
setupWP.exe also adds an add-on to the default browser; for Firefox it was {91cbe447-0cab-4798-b096-45e5e33ac229}.xpi.

WebPluginsLauncher.exe appears to be a web installer: it contacts the official site and downloads the latest version:
Internet connection: Connects to "217.172.177.31" on port 80.
Internet connection: Connects to "download.web-plugins.ru" on port 80.
Internet connection: Connects to "ref.web-plugins.ru" on port 80.


webplugins.exe simply creates the browser extensions (add-ons).

The main functionality is in the add-on. It is written in JavaScript; the code can be seen here. Yes, the add-on does deliver the advertised goodies. But there is a fly in the ointment, described in the “License Agreement”, namely:

8. Advertising. “WebPlugins” may change the advertising blocks of the vkontakte.ru site during its use. The method, mode and duration of the changes to advertising on this site in the software may vary. By using “WebPlugins”, you agree that Web Plugins is not responsible for any loss or damage associated with the activities of third-party advertisers.

It does indeed add advertising, in the form of video clips. But the program also does something that is mentioned neither in the “Agreement” nor on the site: it sends spam from the user's account. Supposedly it asks the user for consent as it works. In that case, the program's classification is quite possibly Adware, i.e. conditionally malicious.

At the same time, the authors quite openly boast about this. Perhaps it wasn't the authors. But Google remembers the text.

Unfortunately, because of the valid digital signature, antivirus vendors are reluctant to recognize the file as harmful, so we recommend that all affected users manually delete all the files described in this review and, most importantly, remove the add-on.
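To make the manual clean-up above less error-prone, the following Python script is an added example (not the author's tool and not part of the original post) that checks a directory for the dropped files and the Firefox add-on, and flags log lines that mention the hosts the launcher contacts. The names, sizes, MD5 values, add-on id, IP and domain names are taken from this write-up; the third MD5 is garbled in the text, so WebPluginsLauncher.exe is matched on name and size only. The verdict labels, the %APPDATA% default and the sample log lines are my own assumptions and constructed data.

```python
"""IoC check for the WebPlugins files and network contacts from the write-up.

Added example, not the original author's code. Indicators are copied from
the write-up; directory layout, verdict names and sample log lines are assumed.
"""
import hashlib
import os
from pathlib import Path

# name (lower-case) -> (size in bytes, MD5 or None when the write-up's hash is garbled)
WEBPLUGINS_FILES = {
    "setupwp.exe": (400392, "4028128db46e8f63a3fdd4df8d283a4e"),
    "webplugins.exe": (239488, "ef5fdd65d44e99b0fd8d0efe62893ced"),
    "webpluginslauncher.exe": (67456, None),
}
FIREFOX_ADDON_ID = "{91cbe447-0cab-4798-b096-45e5e33ac229}"
NETWORK_IOCS = ("217.172.177.31", "download.web-plugins.ru", "ref.web-plugins.ru")


def md5_of(path):
    """Stream the file through MD5 so large files need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def classify_file(path):
    """Return a verdict string for one file, or None if it is not an indicator.

    The launcher re-downloads the latest build, so a name match with a
    different size or hash is still reported, just with lower confidence.
    """
    path = Path(path)
    name = path.name.lower()
    if name.endswith(".xpi") and FIREFOX_ADDON_ID in name:
        return "firefox-addon-id-match"
    if name not in WEBPLUGINS_FILES:
        return None
    size, md5 = WEBPLUGINS_FILES[name]
    if md5 is not None and md5_of(path) == md5:
        return "md5-match"
    if path.stat().st_size == size:
        return "name-and-size-match"
    return "name-match-only"


def scan_directory(root):
    """Walk `root` recursively and return sorted (path, verdict) pairs for every hit."""
    findings = []
    for p in Path(root).rglob("*"):
        if p.is_file():
            verdict = classify_file(p)
            if verdict:
                findings.append((str(p), verdict))
    return sorted(findings)


def flag_network_lines(lines):
    """Return the log lines mentioning the write-up's IP or domain indicators.

    Works on any text log (proxy, DNS, firewall); the line format is not parsed.
    """
    return [line for line in lines if any(ioc in line.lower() for ioc in NETWORK_IOCS)]


if __name__ == "__main__":
    # The dropper wrote its files into %APPDATA%; fall back to the current
    # directory when that variable is not set (e.g. on a non-Windows analysis box).
    for path, verdict in scan_directory(os.environ.get("APPDATA", ".")):
        print(f"{verdict:24} {path}")

    # Constructed proxy log lines for demonstration; not real captured traffic.
    sample_log = [
        "2011-10-20 12:00:01 TCP_MISS/200 GET http://download.web-plugins.ru/latest",
        "2011-10-20 12:00:02 TCP_MISS/200 GET http://vkontakte.ru/feed",
        "2011-10-20 12:00:03 CONNECT 217.172.177.31:80",
    ]
    for line in flag_network_lines(sample_log):
        print("network IoC:", line)
```

A file that matches by name but not by hash should be treated as a newer build rather than as clean: the launcher fetches the latest version, and every UPX repack changes the hash anyway. The Firefox add-on is matched by its id in the extensions folder of the profile; for other browsers, check the installed extensions list by hand, since the write-up gives no identifier for them.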

At the time of writing, the VKontakte group (http://vkontakte.ru/club21410428) has already been blocked, but the official site is still up. The domain was registered through Reg.Ru by a private individual.

The detection and analysis of WebPlugins were made possible by the VirusNet Association and specifically the SafeZone.cc resource. More information can be found here.

P.S. The author of WebPlugins showed up in the comments and promised to fix things. How much of this will be addressed in future versions is on the author's conscience. Read the comments.

Source: https://habr.com/ru/post/131181/
