
Porn-Tool.Win32.StripDance.d

Published Mar 23 2011 10:36 GMT

Technical Details

This malware displays adult-content video clips. It is a Windows dynamic library (PE DLL file). It is 1 959 592 bytes in size. It is written in C++.


Payload

This malicious library is loaded into the address space of a certain process. The malware's main functionality starts when the library's exported "StartProgram" function is called. The following system registry keys are then created:

[HKCU\Software\pchd]
"DataVolume" = "C:\"
"Lang" = "0"
"Date" = "<number>"
where <number> is a value generated by a special algorithm from the current system date.
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"PCHDPlayer" = "<path>"
where <path> is the full path to the executable file of the process into whose address space the malicious library was loaded. As a result, that executable is launched automatically each time the system is restarted. The following key values are also modified:
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Default_Page_URL" = "http://w***lta.ru"
"Default_Search_URL" = "http://w***lta.ru/poisk"
"Search Bar" = "http://w***lta.ru/poisk"
"Search Page" = "http://w***lta.ru/poisk"

[HKCU\Software\Microsoft\Internet Explorer\Search]
"SearchAssistant" = "http://w***lta.ru/poisk"

[HKLM\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "http://w***lta.ru"
"Default_Page_URL" = "http://w***lta.ru"
"Default_Search_URL" = "http://w***lta.ru/poisk"
"Search Bar" = "http://w***lta.ru/poisk"
"Search Page" = "http://w***lta.ru/poisk"

[HKLM\Software\Microsoft\Internet Explorer\Search]
"SearchAssistant" = "http://w***lta.ru/poisk"

[HKU\.Default\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "http://w***lta.ru"
"Default_Page_URL" = "http://w***lta.ru"
"Default_Search_URL" = "http://w***lta.ru/poisk"
"Search Bar" = "http://w***lta.ru/poisk"
"Search Page" = "http://w***lta.ru/poisk"

[HKU\.Default\Software\Microsoft\Internet Explorer\Search]
"SearchAssistant" = "http://w***lta.ru/poisk"

[HKU\S-1-5-19\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "http://w***lta.ru"
"Default_Page_URL" = "http://w***lta.ru"
"Default_Search_URL" = "http://w***lta.ru/poisk"
"Search Bar" = "http://w***lta.ru/poisk"
"Search Page" = "http://w***lta.ru/poisk"

[HKU\S-1-5-19\Software\Microsoft\Internet Explorer\Search]
"SearchAssistant" = "http://w***lta.ru/poisk"

[HKU\S-1-5-19_CLASSES\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "http://w***lta.ru"
"Default_Page_URL" = "http://w***lta.ru"
"Default_Search_URL" = "http://w***lta.ru/poisk"
"Search Bar" = "http://w***lta.ru/poisk"
"Search Page" = "http://w***lta.ru/poisk"

[HKU\S-1-5-19_CLASSES\Software\Microsoft\Internet Explorer\Search]
"SearchAssistant" = "http://w***lta.ru/poisk"

[HKU\S-1-5-20\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "http://w***lta.ru"
"Default_Page_URL" = "http://w***lta.ru"
"Default_Search_URL" = "http://w***lta.ru/poisk"
"Search Bar" = "http://w***lta.ru/poisk"
"Search Page" = "http://w***lta.ru/poisk"

[HKU\S-1-5-20\Software\Microsoft\Internet Explorer\Search]
"SearchAssistant" = "http://w***lta.ru/poisk"

[HKU\S-1-5-20_CLASSES\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "http://w***lta.ru"
"Default_Page_URL" = "http://w***lta.ru"
"Default_Search_URL" = "http://w***lta.ru/poisk"
"Search Bar" = "http://w***lta.ru/poisk"
"Search Page" = "http://w***lta.ru/poisk"

[HKU\S-1-5-20_CLASSES\Software\Microsoft\Internet Explorer\Search]
"SearchAssistant" = "http://w***lta.ru/poisk"

[HKCU\Software\Classes\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "http://w***lta.ru"
"Default_Page_URL" = "http://w***lta.ru"
"Default_Search_URL" = "http://w***lta.ru/poisk"
"Search Bar" = "http://w***lta.ru/poisk"
"Search Page" = "http://w***lta.ru/poisk"

[HKCU\Software\Classes\Software\Microsoft\Internet Explorer\Search]
"SearchAssistant" = "http://w***lta.ru/poisk"
This modifies Internet Explorer's settings. The following files are also created:
%APPDATA%\defaults.cfg
C:\pchd\report.pcdat
The malware's operation logs are saved to the following files:
C:\pchd\logs\.log
The malware then displays the following message:

When the user clicks the OK button, the following window is displayed:

The following system registry keys are also created:

[HKCU\Software\pchd]
"Login" = "<number>"
"Error" = "<number>"
"Active" = "1"
"ShowOptsTooltip" = "0"
where each <number> is a sequence of hexadecimal digits.

The main malware functionality is then launched. During its operation, the malware displays the following icon in the notification area:

The malware displays adult-content video clips on the Desktop, overlapping all open windows. For example:

Data to be displayed in these clips is downloaded from the following hosts:

94.***.240.43
94.***.240.44
ldst.***o.ru
pc.***o.ru
pix.***o.ru
It is saved in the following directories:
C:\pchd\download
C:\pchd\m<number>
The program menu is called by right mouse clicking on the icon in the notification area:

Clicking the My Cabinet, All Girls or Help menu item opens the corresponding link in the default browser:

http://***o.ru/profile.php
http://***o.ru/all_girls.php
http://***o.ru/help.php
Clicking on the Settings menu item opens the following program configuration window:

When the Exit item is selected, the malware terminates the process whose address space contains the malicious library.


Removal instructions

If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:

  1. Terminate the process whose address space contains the malicious library.
  2. Delete the original malicious file (the location will depend on how the program originally penetrated the infected computer).
  3. Delete the following system registry keys (see What is a system registry and how do I use it?):
    [HKCU\Software\pchd]
    "DataVolume" = "C:\"
    "Lang" = "0"
    "Date" = "<number>"
    "Login" = "<number>"
    "Error" = "<number>"
    "Active" = "1"
    "ShowOptsTooltip" = "0"
    
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "PCHDPlayer" = "<path>"
    
  4. Restore the original system registry key values (What is a system registry and how do I use it?):
    [HKCU\Software\Microsoft\Internet Explorer\Main]
    "Start Page" 
    "Default_Page_URL" 
    "Default_Search_URL"
    "Search Bar" 
    "Search Page" 
    
    [HKCU\Software\Microsoft\Internet Explorer\Search]
    "SearchAssistant"
    
    [HKLM\Software\Microsoft\Internet Explorer\Main]
    "Start Page" 
    "Default_Page_URL" 
    "Default_Search_URL"
    "Search Bar" 
    "Search Page"
    
    [HKLM\Software\Microsoft\Internet Explorer\Search]
    "SearchAssistant"
    
    [HKU\.Default\Software\Microsoft\Internet Explorer\Main]
    "Start Page" 
    "Default_Page_URL" 
    "Default_Search_URL"
    "Search Bar" 
    "Search Page"
    
    [HKU\.Default\Software\Microsoft\Internet Explorer\Search]
    "SearchAssistant"
    
    [HKU\S-1-5-19\Software\Microsoft\Internet Explorer\Main]
    "Start Page" 
    "Default_Page_URL" 
    "Default_Search_URL"
    "Search Bar" 
    "Search Page"
    
    [HKU\S-1-5-19\Software\Microsoft\Internet Explorer\Search]
    "SearchAssistant"
    
    [HKU\S-1-5-19_CLASSES\Software\Microsoft\Internet Explorer\Main]
    "Start Page" 
    "Default_Page_URL" 
    "Default_Search_URL"
    "Search Bar" 
    "Search Page"
    
    [HKU\S-1-5-19_CLASSES\Software\Microsoft\Internet Explorer\Search]
    "SearchAssistant"
    
    [HKU\S-1-5-20\Software\Microsoft\Internet Explorer\Main]
    "Start Page" 
    "Default_Page_URL" 
    "Default_Search_URL"
    "Search Bar" 
    "Search Page"
    
    [HKU\S-1-5-20\Software\Microsoft\Internet Explorer\Search]
    "SearchAssistant"
    
    [HKU\S-1-5-20_CLASSES\Software\Microsoft\Internet Explorer\Main]
    "Start Page" 
    "Default_Page_URL" 
    "Default_Search_URL"
    "Search Bar" 
    "Search Page"
    
    [HKU\S-1-5-20_CLASSES\Software\Microsoft\Internet Explorer\Search]
    "SearchAssistant"
    
    [HKCU\Software\Classes\Software\Microsoft\Internet Explorer\Main]
    "Start Page" 
    "Default_Page_URL" 
    "Default_Search_URL"
    "Search Bar" 
    "Search Page"
    
    [HKCU\Software\Classes\Software\Microsoft\Internet Explorer\Search]
    "SearchAssistant"
    
  5. Delete the following directory and all of its contents:
    C:\pchd
  6. Delete the following file:
    %APPDATA%\defaults.cfg
  7. Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).
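As an added example (not part of the Kaspersky description), the following read-only PowerShell audit checks a host for the registry values, files and Internet Explorer settings listed above, covering the indicators from the Payload section and the items in removal steps 3 to 6. Because the description masks the hijack domain, the "looks like a Microsoft default" pattern used to decide whether an IE value is suspicious is an assumption; treat any hit as something to review by hand, not as proof.

```powershell
# Added example, not Kaspersky's code: read-only audit for the Porn-Tool.Win32.StripDance.d
# artifacts described on this page. It reports; it does not delete anything.
$findings = @()

# Persistence value and configuration key (Payload section / removal step 3)
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -Name 'PCHDPlayer' -ErrorAction SilentlyContinue
if ($run) { $findings += "Run value PCHDPlayer -> $($run.PCHDPlayer)" }
if (Test-Path 'HKCU:\Software\pchd') {
    $cfg = Get-ItemProperty -Path 'HKCU:\Software\pchd'
    $findings += "HKCU\Software\pchd present (Active=$($cfg.Active), DataVolume=$($cfg.DataVolume))"
}

# Files and directories (removal steps 5 and 6)
foreach ($p in @('C:\pchd', (Join-Path $env:APPDATA 'defaults.cfg'))) {
    if (Test-Path $p) { $findings += "Path present: $p" }
}

# Internet Explorer settings in every hive the description lists (removal step 4).
# HKEY_USERS is reached through the Registry:: provider path; each subkey is a SID or .DEFAULT.
$hives = @('HKCU:\Software', 'HKLM:\Software', 'HKCU:\Software\Classes\Software') +
         (Get-ChildItem 'Registry::HKEY_USERS' | ForEach-Object { "Registry::HKEY_USERS\$($_.PSChildName)\Software" })
$mainNames = 'Start Page', 'Default_Page_URL', 'Default_Search_URL', 'Search Bar', 'Search Page'
# Assumption: genuine defaults point at Microsoft-operated sites or about:blank; anything else is flagged.
$knownGood = 'microsoft\.com|msn\.com|bing\.com|live\.com|^about:blank$'
foreach ($h in $hives) {
    $main = Get-ItemProperty -Path "$h\Microsoft\Internet Explorer\Main" -ErrorAction SilentlyContinue
    foreach ($n in $mainNames) {
        $v = $main.$n
        if ($v -and $v -notmatch $knownGood) { $findings += "$h\...\Main '$n' = $v" }
    }
    $search = Get-ItemProperty -Path "$h\Microsoft\Internet Explorer\Search" -ErrorAction SilentlyContinue
    if ($search.SearchAssistant -and $search.SearchAssistant -notmatch $knownGood) {
        $findings += "$h\...\Search 'SearchAssistant' = $($search.SearchAssistant)"
    }
}

if ($findings.Count -eq 0) { 'No artifacts from this description were found.' } else { $findings }
```

Run it from an elevated PowerShell session so that the HKLM and HKEY_USERS hives are readable; a clean host with default IE settings should print only the "No artifacts" line.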


MD5: 3D563E908BFC3E75D94D2A17CD10EF3F
SHA1: D3CD96411CDF854AB7DA4940397D1883D9C4C5A6

