
not-a-virus:AdWare.Win32.Sushi.a

Detected Feb 11 2011 04:00 GMT
Released Feb 11 2011 13:00 GMT
Published Mar 23 2011 08:55 GMT

Technical Details

This adware redirects users' search queries to other web resources. It is a Windows application (PE EXE file), 1 416 432 bytes in size, written in C++.

Installation

This adware is installed as an add-on for the following browsers:

Internet Explorer
Google Chrome
Mozilla Firefox
Once launched, the malware performs the following actions:
  • To ensure that only one instance of its process runs on the system, it creates a unique identifier named:
    ps_installer_ps
  • If the current user does not have administrator rights, it displays an error message (screenshot not reproduced on this page) and stops running.
  • It extracts the following files from its body and saves them on the system as:
    %Program Files%\PlaySushi\psuninst.exe (188928 bytes)
    %Program Files%\PlaySushi\PSText.dll (356352 bytes)
    %Program Files%\PlaySushi\icon.ico (17542 bytes)
    %APPDATA%\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@playsushi.com\chrome\pstextlinks.jar (5031 bytes)
    %APPDATA%\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@playsushi.com\components\PlaySushiFF.xpt (177 bytes)
    %APPDATA%\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@playsushi.com\components\PlaySushiFF.dll (198144 bytes)
    %APPDATA%\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@playsushi.com\install.rdf (1338 bytes)
    %APPDATA%\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@playsushi.com\chrome.manifest (469 bytes)
    
  • It creates the following system registry keys:
    [HKCU\Software\AppDataLow\PlaySushi]
    "autoupd" = "1"
    "snoozetime" = "64 EF 7D 4D 00 00 00 00"
    "updatcncl" = "0"
    "updtcnt" = "0"
    "updtfailed" = "0"
    "uid" = "5ab819ab-2aaf-4a93-b895-d61f19aa1b42"
    "ticket" = "HbAA38081000SPWXLa2h"
    
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Playsushi]
    "DisplayName" = "PlaySushi"
    "DisplayIcon" = "%Program Files%\PlaySushi\psuninst.exe"
    "Publisher" = "www.playsushi.com"
    "NoRepair" = "1"
    "NoModify" = "1"
    "UninstallString" = "%Program Files%\PlaySushi\psuninst.exe"
    "RecordedProfilePath" = "S-1-5-21-606747145-1060284298-839522115-1003"
    
  • It registers the previously extracted "PSText.dll" library with the "regsvr32.exe" utility. It does so by launching the "cmd.exe" command interpreter with the following parameters:
    /c regsvr32.exe /s "%Program Files%\PlaySushi\PSText.dll"
    The following system registry keys are also created:
    [HKCR\AppID\{E89A07B5-BD7A-43F9-BDA4-0DAA48AC4FA5}]
    "(Default)" = "PlaySushi32"
    
    [HKCR\AppID\PSText.DLL]
    "AppID" = "{E89A07B5-BD7A-43F9-BDA4-0DAA48AC4FA5}"
    
    [HKCR\PSText.IEButton.1]
    "(Default)" = "IEButton Class"
    
    [HKCR\PSText.IEButton.1\CLSID]
    "(Default)" = "{EBD24BD3-E272-4FA3-A8BA-C5D709757CAB}"
    
    [HKCR\PSText.IEButton]
    "(Default)" = "IEButton Class"
    
    [HKCR\PSText.IEButton\CLSID]
    "(Default)" = "{EBD24BD3-E272-4FA3-A8BA-C5D709757CAB}"
    
    [HKCR\PSText.IEButton\CurVer]
    "(Default)" = "PSText.IEButton.1"
    
    [HKCR\CLSID\{EBD24BD3-E272-4FA3-A8BA-C5D709757CAB}]
    "(Default)" = "GoClient"
    
    [HKCR\CLSID\{EBD24BD3-E272-4FA3-A8BA-C5D709757CAB}\ProgID]
    "(Default)" = "PSText.IEButton.1"
    
    [HKCR\CLSID\{EBD24BD3-E272-4FA3-A8BA-C5D709757CAB}\VersionIndependentProgID]
    "(Default)" = "PSText.IEButton"
    
    [HKCR\CLSID\{EBD24BD3-E272-4FA3-A8BA-C5D709757CAB}\InprocServer32]
    "(Default)" = "%Program Files%\PlaySushi\PSText.dll"
    "ThreadingModel" = "Apartment"
    
    [HKCR\CLSID\{EBD24BD3-E272-4FA3-A8BA-C5D709757CAB}\TypeLib]
    "(Default)" = "{975BBCC0-19DF-47C2-9AE2-D78EEFA96821}"
    
    [HKCR\PlaySushi32.PlaySushi.1]
    "(Default)" = "PlaySushi"
    
    [HKCR\PlaySushi32.PlaySushi.1\CLSID]
    "(Default)" = "{21608B66-026F-4DCB-9244-0DACA328DCED}"
    
    [HKCR\PlaySushi32.PlaySushi]
    "(Default)" = "PlaySushi"
    
    [HKCR\PlaySushi32.PlaySushi\CLSID]
    "(Default)" = "{21608B66-026F-4DCB-9244-0DACA328DCED}"
    
    [HKCR\PlaySushi32.PlaySushi\CurVer]
    "(Default)" = "PlaySushi32.PlaySushi.1"
    
    [HKCR\CLSID\{21608B66-026F-4DCB-9244-0DACA328DCED}]
    "(Default)" = "PlaySushi"
    
    [HKCR\CLSID\{21608B66-026F-4DCB-9244-0DACA328DCED}\ProgID]
    "(Default)" = "PlaySushi32.PlaySushi.1"
    
    [HKCR\CLSID\{21608B66-026F-4DCB-9244-0DACA328DCED}\VersionIndependentProgID]
    "(Default)" = "PlaySushi32.PlaySushi"
    
    [HKCR\CLSID\{21608B66-026F-4DCB-9244-0DACA328DCED}\InprocServer32]
    "(Default)" = "%Program Files%\PlaySushi\PSText.dll"
    "ThreadingModel" = "Apartment"
    
    [HKCR\CLSID\{21608B66-026F-4DCB-9244-0DACA328DCED}\TypeLib]
    "(Default)" = "{975BBCC0-19DF-47C2-9AE2-D78EEFA96821}"
    
    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{21608B66-026F-4DCB-9244-0DACA328DCED}]
    "(Default)" = "PlaySushi"
    "NoExplorer" = "1"
    
    [HKCR\TypeLib\{975BBCC0-19DF-47C2-9AE2-D78EEFA96821}\1.0]
    "(Default)" = "PlaySushi32 1.0 Type Library"
    
    [HKCR\TypeLib\{975BBCC0-19DF-47C2-9AE2-D78EEFA96821}\1.0\FLAGS]
    "(Default)" = "0"
    
    [HKCR\TypeLib\{975BBCC0-19DF-47C2-9AE2-D78EEFA96821}\1.0\0\win32]
    "(Default)" = "%Program Files%\PlaySushi\PSText.dll"
    
    [HKCR\TypeLib\{975BBCC0-19DF-47C2-9AE2-D78EEFA96821}\1.0\HELPDIR]
    "(Default)" = "%Program Files%\PlaySushi"
    
    [HKCR\Interface\{F165085B-6B85-4AD5-AD00-95552A823F6D}]
    "(Default)" = "_IPluginEvents"
    
    [HKCR\Interface\{F165085B-6B85-4AD5-AD00-95552A823F6D}\ProxyStubClsid]
    "(Default)" = "{00020420-0000-0000-C000-000000000046}"
    
    [HKCR\Interface\{F165085B-6B85-4AD5-AD00-95552A823F6D}\ProxyStubClsid32]
    "(Default)" = "{00020420-0000-0000-C000-000000000046}"
    
    [HKCR\Interface\{F165085B-6B85-4AD5-AD00-95552A823F6D}\TypeLib]
    "(Default)" = "{975BBCC0-19DF-47C2-9AE2-D78EEFA96821}"
    "Version" = "1.0"
    
    [HKCR\Interface\{5272CCD4-4199-4B04-BF68-B28A0DCF0151}]
    "(Default)" = "IPlugin"
    
    [HKCR\Interface\{5272CCD4-4199-4B04-BF68-B28A0DCF0151}\ProxyStubClsid]
    "(Default)" = "{00020424-0000-0000-C000-000000000046}"
    
    [HKCR\Interface\{5272CCD4-4199-4B04-BF68-B28A0DCF0151}\ProxyStubClsid32]
    "(Default)" = "{00020424-0000-0000-C000-000000000046}"
    
    [HKCR\Interface\{5272CCD4-4199-4B04-BF68-B28A0DCF0151}\TypeLib]
    "(Default)" = "{975BBCC0-19DF-47C2-9AE2-D78EEFA96821}"
    "Version" = "1.0"
    
    [HKCR\Interface\{45A8F904-D9CA-439B-9CBB-11097B45D9E1}]
    "(Default)" = "IIEButton"
    
    [HKCR\Interface\{45A8F904-D9CA-439B-9CBB-11097B45D9E1}\ProxyStubClsid]
    "(Default)" = "{00020424-0000-0000-C000-000000000046}"
    
    [HKCR\Interface\{45A8F904-D9CA-439B-9CBB-11097B45D9E1}\ProxyStubClsid32]
    "(Default)" = "{00020424-0000-0000-C000-000000000046}"
    
    [HKCR\Interface\{45A8F904-D9CA-439B-9CBB-11097B45D9E1}\TypeLib]
    "(Default)" = "{975BBCC0-19DF-47C2-9AE2-D78EEFA96821}"
    "Version" = "1.0"
    
  • Several installer windows are displayed during installation (screenshots not reproduced on this page).
  • During installation, the malware may install the following applications on the infected computer:
    Desktop Weather
    Ask Toolbar
    Dogpile Toolbar
    XOBNI Outlook Plugin
    Dealio Toolbar
    McAfee Security Scan
    Shop To Win 8
    
    It downloads their installation files from the following links:
    http://www.pla***hi.com/download/dogpiletoolbar/Dogpile_Toolbar.exe
    http://web1.pl***dn.com/download/dogpiletoolbar/Dogpile_Toolbar.exe
    http://www.pla***shi.com/download/asktoolbar/ask1910.exe
    http://web1.pl***n.com/download/asktoolbar/ask1910.exe
    http://www.pla***shi.com/download/xobni/XobniSetup.exe
    http://downlo***serbar.com/kits/963557/DealioToolbar-stub-1.exe
    http://downlo***her.com/web/dwzeus/dw6/install/stub/sushiif_StubInstaller.exe
    http://web1.pl***dn.com/download/shoptowin/ShopToWin8_FF.exe
    http://www.pl***ushi.com/download/shoptowin/ShopToWin8_FF.exe
    http://web1.pl***dn.com/download/mcafee/mss_generic.exe
    http://www.pl***shi.com/download/mcafee/mss_generic.exe
    
    The downloaded files are saved in the current user's temporary files directory "%Temp%" using the following names:
    %Temp%\Dogpile_Toolbar.exe
    %Temp%\ask1910.exe
    %Temp%\XobniSetup.exe
    %Temp%\DealioToolbar-stub-1.exe
    %Temp%\sushiif_StubInstaller.exe
    %Temp%\ShopToWin8_FF.exe
    %Temp%\mss_generic.exe
    
    Once downloaded, the files are launched for execution.
  • It launches the system command interpreter "cmd.exe" with the following parameters:
    /c rundll32.exe "%Program Files%\PlaySushi\PSText.dll", ShowWelcomePage
    This calls the exported function "ShowWelcomePage" in the "PSText.dll" library previously extracted by the adware. The function displays a window in the lower right corner of the screen (screenshot not reproduced on this page).
  • It launches Internet Explorer (the "iexplore.exe" process) with the "-nohome" parameter.
The installation process is then complete. The original adware file is deleted when the system is rebooted.
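The installation artifacts above (the regsvr32 and rundll32 command lines, the GUIDs written under HKCR, the Browser Helper Object entry, the dropped files and the installer's unique identifier) can be turned into a detection over endpoint telemetry. The following Python is an added example written for this page, not a Kaspersky tool; the event dictionaries are a constructed, simplified stand-in for Sysmon-style process, registry, file and mutex events, not real logs. Registry matching keys off the GUIDs rather than the hive, because telemetry never shows "HKCR" (it is a merged view of HKLM\SOFTWARE\Classes and HKU\<SID>\Software\Classes), and the "iexplore.exe -nohome" launch is deliberately not treated as an indicator on its own.

```python
"""Match endpoint telemetry against the AdWare.Win32.Sushi.a indicators listed
in the Technical Details above.

Added example for this page, not a Kaspersky tool. The event dictionaries are a
constructed, simplified stand-in for Sysmon-style events (process creation,
registry key/value set, file create, mutex create), not real logs."""
import re

# GUIDs written under HKCR during regsvr32 registration (lower-cased; Windows
# registry paths are case-insensitive).
CLSIDS = {
    "{21608b66-026f-4dcb-9244-0daca328dced}": "PlaySushi BHO class",
    "{ebd24bd3-e272-4fa3-a8ba-c5d709757cab}": "PSText.IEButton class",
    "{975bbcc0-19df-47c2-9ae2-d78eefa96821}": "PlaySushi32 type library",
    "{e89a07b5-bd7a-43f9-bda4-0daa48ac4fa5}": "PlaySushi32 AppID",
}
# Non-HKCR keys; matched as substrings so value-set events (...\PlaySushi\uid) hit too.
REGISTRY_SUBSTRINGS = (
    r"\software\appdatalow\playsushi",
    r"\software\microsoft\windows\currentversion\uninstall\playsushi",
)
# Dropped files, matched on their path suffix so %Program Files% / %APPDATA% need no expansion.
FILE_SUFFIXES = (
    r"\playsushi\pstext.dll",
    r"\playsushi\psuninst.exe",
    r"\playsushi\icon.ico",
    r"\textlinks@playsushi.com\components\playsushiff.dll",
    r"\textlinks@playsushi.com\chrome\pstextlinks.jar",
)
MUTEX_NAME = "ps_installer_ps"
INSTALLER_HASHES = {"md5": "ef45c4ba4d9cdc26148046ace86310f4",
                    "sha1": "1768a97a53c117d9abedafa1752f61a9ae59eb21"}
# Command lines spawned by the installer (cmd.exe /c ..., so the parent cmd.exe
# and the child regsvr32/rundll32 both carry the pattern).
CMDLINE_RULES = (
    ("regsvr32 silent registration of PSText.dll",
     re.compile(r'regsvr32(\.exe)?\s+/s\s+"?[^"]*\\playsushi\\pstext\.dll', re.I)),
    ("rundll32 call of PSText.dll,ShowWelcomePage",
     re.compile(r'rundll32(\.exe)?\s+"?[^"]*\\pstext\.dll"?\s*,\s*showwelcomepage', re.I)),
)


def classify(event):
    """Return the names of every indicator the event matches ([] if none)."""
    hits = []
    kind = event.get("type")
    if kind == "process":
        cmdline = event.get("cmdline", "")
        hits += [name for name, rx in CMDLINE_RULES if rx.search(cmdline)]
        # Hash fields are optional; present only when the sensor hashes the image.
        hits += [f"installer {algo} match" for algo, digest in INSTALLER_HASHES.items()
                 if event.get(algo, "").lower() == digest]
    elif kind == "registry":
        key = event.get("key", "").lower()
        # Telemetry never shows "HKCR": it is a merged view of HKLM\SOFTWARE\Classes
        # and HKU\<SID>\Software\Classes, so match the GUIDs, not the hive.
        hits += [label for clsid, label in CLSIDS.items() if clsid in key]
        if any(s in key for s in REGISTRY_SUBSTRINGS):
            hits.append("PlaySushi configuration/uninstall key")
    elif kind == "file":
        if event.get("path", "").lower().endswith(FILE_SUFFIXES):
            hits.append("PlaySushi dropped file")
    elif kind == "mutex":
        if event.get("name", "").lower() == MUTEX_NAME:
            hits.append("installer mutex")
    return hits


def scan(events):
    """Return [(event_index, indicator_name)] across all events."""
    return [(i, hit) for i, ev in enumerate(events) for hit in classify(ev)]


# Constructed sample telemetry: six events that should fire, three that should not.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c regsvr32.exe /s "C:\Program Files\PlaySushi\PSText.dll"'},
    {"type": "process", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\Program Files\SomeVendor\vendor.dll"'},  # benign
    {"type": "registry", "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer"
                                r"\Browser Helper Objects\{21608B66-026F-4DCB-9244-0DACA328DCED}"},
    {"type": "registry", "key": r"HKU\S-1-5-21-1-2-3-1001\Software\AppDataLow\PlaySushi\uid"},
    {"type": "registry", "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"},  # benign
    {"type": "file", "path": r"C:\Users\alice\AppData\Roaming\Mozilla\Extensions"
                             r"\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@playsushi.com"
                             r"\components\PlaySushiFF.dll"},
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Program Files\PlaySushi\PSText.dll", ShowWelcomePage'},
    {"type": "mutex", "name": "ps_installer_ps"},
    # "iexplore.exe -nohome" is far too common to be an indicator on its own; not matched.
    {"type": "process", "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "cmdline": "iexplore.exe -nohome"},
]

if __name__ == "__main__":
    for index, indicator in scan(SAMPLE_EVENTS):
        print(f"event {index}: {indicator}")
```

The command-line rules anchor on the PlaySushi path inside the quoted argument rather than on regsvr32 or rundll32 alone, since both utilities are used legitimately all day; the mutex and the BHO CLSID are the highest-confidence single indicators, and a file-hash match is only available where the sensor records image hashes.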


Payload

The main functionality of this adware is implemented in the previously extracted libraries:

%Program Files%\PlaySushi\PSText.dll
%APPDATA%\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@playsushi.com\components\PlaySushiFF.dll
The adware tracks and redirects search queries entered by the user on Google search sites. In response, the user is shown a list of links received from the following server:
playsushi.com
The malware can also update itself by contacting the following link:
http://pla***shi.com/index.php?page=client.Update


Removal instructions

If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:

  1. Delete the original adware file (its location will depend on how the program originally penetrated the infected computer).
  2. Close the browsers:
    Internet Explorer
    Google Chrome
    Mozilla Firefox
    
  3. Unregister the "PSText.dll" library. To do so, launch the "regsvr32.exe" system utility with the following parameters:
    /u "%Program Files%\PlaySushi\PSText.dll"
  4. Delete the following system registry keys (see What is a system registry and how do I use it?):
    [HKCU\Software\AppDataLow\PlaySushi]
    "autoupd" = "1"
    "snoozetime" = "64 EF 7D 4D 00 00 00 00"
    "updatcncl" = "0"
    "updtcnt" = "0"
    "updtfailed" = "0"
    "uid" = "5ab819ab-2aaf-4a93-b895-d61f19aa1b42"
    "ticket" = "HbAA38081000SPWXLa2h"
    
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Playsushi]
    "DisplayName" = "PlaySushi"
    "DisplayIcon" = "%Program Files%\PlaySushi\psuninst.exe"
    "Publisher" = "www.playsushi.com"
    "NoRepair" = "1"
    "NoModify" = "1"
    "UninstallString" = "%Program Files%\PlaySushi\psuninst.exe"
    "RecordedProfilePath" = "S-1-5-21-606747145-1060284298-839522115-1003"
    
  5. Delete the following files:
    %Program Files%\PlaySushi\psuninst.exe
    %Program Files%\PlaySushi\PSText.dll
    %Program Files%\PlaySushi\icon.ico
    %APPDATA%\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@playsushi.com\chrome\pstextlinks.jar 
    %APPDATA%\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@playsushi.com\components\PlaySushiFF.xpt 
    %APPDATA%\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@playsushi.com\components\PlaySushiFF.dll
    %APPDATA%\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@playsushi.com\install.rdf 
    %APPDATA%\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@playsushi.com\chrome.manifest 
    %Temp%\Dogpile_Toolbar.exe
    %Temp%\ask1910.exe
    %Temp%\XobniSetup.exe
    %Temp%\DealioToolbar-stub-1.exe
    %Temp%\sushiif_StubInstaller.exe
    %Temp%\ShopToWin8_FF.exe
    %Temp%\mss_generic.exe
    
  6. Empty the Temporary Internet Files directory, which may contain infected files (see How to delete infected files from Temporary Internet Files folder?).
  7. Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases.
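The removal steps above, turned into an ordered plan of Windows commands that is printed by default and executed only on request. This is an added example for this page, not Kaspersky's removal tool: it wraps the standard Windows utilities (taskkill, regsvr32 /u, reg delete, del) and runs them only on Windows with --apply. Run it from the affected user's own elevated session, because the HKCU key and %APPDATA% path belong to that user while the HKLM key and %Program Files% need administrator rights. Step 1 (the original installer, whose location varies), step 6 (Temporary Internet Files) and step 7 (the full scan) are not automated. Force-killing the browsers and the placeholder fallback paths are this example's choices, not the page's.

```python
"""Turn the removal steps above into an ordered plan of Windows commands and run
them only on request.

Added example for this page, not Kaspersky's removal tool. It wraps the standard
Windows utilities (taskkill, regsvr32, reg, del); run it on the infected machine
from an elevated prompt with --apply, or without --apply to print the plan."""
import ntpath
import os
import subprocess
import sys

FIREFOX_EXT = r"Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@playsushi.com"
EXT_FILES = (r"chrome\pstextlinks.jar", r"components\PlaySushiFF.xpt",
             r"components\PlaySushiFF.dll", "install.rdf", "chrome.manifest")
TEMP_DROPS = ("Dogpile_Toolbar.exe", "ask1910.exe", "XobniSetup.exe",
              "DealioToolbar-stub-1.exe", "sushiif_StubInstaller.exe",
              "ShopToWin8_FF.exe", "mss_generic.exe")
REGISTRY_KEYS = (
    r"HKCU\Software\AppDataLow\PlaySushi",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Playsushi",
)
# Force-killing the browsers is this example's choice; the page only says to close them.
BROWSERS = ("iexplore.exe", "chrome.exe", "firefox.exe")


def build_plan(program_files, appdata, temp):
    """Return the ordered list of (description, argv) steps. Pure: no side effects,
    so the plan can be reviewed (or tested) on any platform."""
    playsushi = ntpath.join(program_files, "PlaySushi")
    dll = ntpath.join(playsushi, "PSText.dll")
    # Browsers must not hold PSText.dll / PlaySushiFF.dll open, or the deletes fail.
    plan = [(f"close {b}", ["taskkill", "/F", "/IM", b]) for b in BROWSERS]
    # Unregister before deleting anything: regsvr32 /u needs the DLL on disk, and it
    # reverses the HKCR/BHO registration that regsvr32 /s created during install.
    plan.append(("unregister PSText.dll", ["regsvr32.exe", "/s", "/u", dll]))
    plan += [(f"delete key {k}", ["reg", "delete", k, "/f"]) for k in REGISTRY_KEYS]
    files = [ntpath.join(playsushi, n) for n in ("psuninst.exe", "PSText.dll", "icon.ico")]
    files += [ntpath.join(appdata, FIREFOX_EXT, p) for p in EXT_FILES]
    files += [ntpath.join(temp, n) for n in TEMP_DROPS]
    plan += [(f"delete file {f}", ["cmd", "/c", "del", "/f", "/q", f]) for f in files]
    return plan


def run_plan(plan, apply=False):
    """Print every step; execute only when apply=True on Windows. Returns the number
    of steps executed (0 in dry-run mode). Steps are idempotent: a missing file or
    key makes the utility print an error and the plan continues."""
    executed = 0
    for description, argv in plan:
        print(("RUN  " if apply else "PLAN ") + description)
        if apply and sys.platform == "win32":
            subprocess.run(argv, check=False)
            executed += 1
    return executed


if __name__ == "__main__":
    # Fallback paths are placeholders for dry runs on a non-Windows analysis box.
    plan = build_plan(os.environ.get("ProgramFiles", r"C:\Program Files"),
                      os.environ.get("APPDATA", r"C:\Users\<user>\AppData\Roaming"),
                      os.environ.get("TEMP", r"C:\Users\<user>\AppData\Local\Temp"))
    run_plan(plan, apply="--apply" in sys.argv)
```

Review the printed plan before adding --apply. One caveat the page does not cover: on 64-bit Windows a 32-bit installer's "%Program Files%" is normally %ProgramFiles(x86)%, so pass that directory as the first argument if %ProgramFiles%\PlaySushi does not exist.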


MD5: EF45C4BA4D9CDC26148046ACE86310F4
SHA1: 1768A97A53C117D9ABEDAFA1752F61A9AE59EB21


Adware

Adware covers programs designed to display advertisements (usually in the form of banners), redirect search requests to advertising websites, and collect marketing-type data about the user (e.g. which types of websites s/he visits) in order to display customized advertising on the computer.

Other than displaying advertisements and collecting data, these types of programs generally do not make their presence in the system known: there will be no sign of the program in the system tray, and no indication in the program menu that files have been installed. Often, Adware programs have no uninstall procedure and use techniques bordering on virus technology to penetrate the computer stealthily and run unnoticed.


Aliases

not-a-virus:AdWare.Win32.Sushi.a (Kaspersky Lab) is also known as:

  • Generic Trojan (Panda)
  • Adware.Sushi.6 (DrWeb)
  • Trojan.Generic.5650994 (BitDef7)
  • Trojan.Generic.5677828 (BitDef7)
  • Adware.Sushi!2pw5h8Dp+D0 (VirusBuster)
  • Trojan.Agent!0kdYluAZX84 (VirusBuster)
  • not-a-virus:AdWare.Win32.Sushi (Ikarus)
  • Trojan.ADH.2 (NAV)
  • NseCheckFile2() returned 0x00010018 (Norman)
  • Trojan.Agent!0kdYluAZX84 (VirusBusterBeta)
  • Adware.Sushi!2pw5h8Dp+D0 (VirusBusterBeta)