not-a-virus:AdWare.Win32.WhiteSmoke.a

Detected Dec 21 2010 09:08 GMT
Released Dec 21 2010 18:22 GMT
Published Mar 28 2011 10:29 GMT

Technical Details

This program downloads various malware from the Internet and installs it without the user's knowledge. It is a Windows application (PE EXE file). It is 129 288 bytes in size. It is packed using UPX. The unpacked file is approximately 404 KB in size. It is written in C++.


Payload

Once launched, the Trojan checks whether the current user has administrator privileges and, if not, displays the following message:

It performs the following actions:

  • When launched, it displays the following window:

  • When the program runs, it creates the following unique identifiers:
    {FF4E366C-EB6E-4387-968D-B97175E24D5A}
    Global\WST2010_Feature_<rnd>
    Global\WST2010_{58343C24-CB4B-4a57-9B4D-E3DD88463B62}_INITIALIZE
    
    where <rnd> is a random sequence of numbers.
  • It creates the following system registry keys:
    [HKCU\Environment]
    "WS_TARGET_DIR"="%Program Files%\\WhiteSmoke Translator"
    
    [HKLM\Software\WhiteSmokeTranslator]
    "InstallOption"=dword:0000000e
    "DistID"=dword:0000138a
    
  • In the current user's temporary directory it creates the following directory:
    %Temp%\~nsu.tmp\
    into which it places the following files:
    %Temp%\~nsu.tmp\wsget.exe
    The file is 61 952 bytes in size.

    MD5: CB40B57461F84E92BA68DD6A77B0675D
    SHA1: FF5C21B8753BF9BA3402059CD98AC3A32F19E82F

    %Temp%\~nsu.tmp\boost.ico
    The file is 13 942 bytes in size.

    MD5: 576AE10DD9F5521A3285163D31EBD277
    SHA1: 4D88D461ED307F6949FE51F4698C35767FEF8D84

    The Trojan also creates the following files (where <user> is the name of the current user account):

    %Documents and Settings%\All Users\Start Menu\Programs\Startup\WhiteSmoke Translator.lnk
    %Documents and Settings%\<user>\Desktop\WhiteSmoke (continue installation).lnk
    
    %Documents and Settings%\<user>\Desktop\Improve Your PC.lnk
    The file is 1102 bytes in size.

    MD5: 1A2F8DD3F951A4BDBA6E8F7683675E46
    SHA1: 3D1ACB0DF365B2A422FEE42890A92A30CB7978FD

    When this file is launched, the following link opens in the default browser:
    http://www.re***ster.com/L10n/geo-ws-597-di.php
    At the time of writing, this link was inactive.
  • It launches the following file for execution:
    %Temp%\~nsu.tmp\wsget.exe
    It passes the following string to this file as a command-line parameter:
    "%Program Files%\WhiteSmoke Translator"
    The launched file downloads and runs files from the following URLs:
    http://get.w***moke.com/TranslatorTools/whitesmoke-silent.exe
    The file is 251 200 bytes in size.

    MD5: B2C1ECBB4E673505E9248A25DFC286B0
    SHA1: DD472F78C5E8591AD7C57435C67B46CFABAFAFCF

    http://get.w***moke.com/TranslatorTools/WhiteSmokeTranslator_rev1.exe
    The file is 5 076 816 bytes in size.

    MD5: 12C6D991CAE48AEE5A14F1175D2543DA
    SHA1: 57859915C688EF98718C57500116DE2483ADEFCF

    The files are saved under the following names, respectively:

    %Temp%\~nsu.tmp\whitesmoke-silent.exe
    %Temp%\~nsu.tmp\WhiteSmokeTranslator_rev1.exe
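The file paths, hashes and registry keys above can be used directly as host indicators when checking whether a machine has been touched by this dropper. The following is an added example, not part of Kaspersky Lab's description: it resolves the page's placeholders (%Temp%, %Documents and Settings%, <user>) from a caller-supplied mapping, hashes any indicator file that exists and compares it with the MD5/SHA1 listed above, and on Windows also reports the two registry locations. The mapping keys and the finding labels ("absent", "present", "match", "present_hash_differs") are this example's own conventions; the indicator values are copied from the page.

```python
# Added example (not Kaspersky Lab's code): check a host for the indicators listed above.
import hashlib
import os
import platform
import re
from pathlib import Path

# Indicator -> (MD5, SHA1) taken from the page; None where the page lists no hashes.
FILE_IOCS = {
    r"%Temp%\~nsu.tmp\wsget.exe": (
        "CB40B57461F84E92BA68DD6A77B0675D", "FF5C21B8753BF9BA3402059CD98AC3A32F19E82F"),
    r"%Temp%\~nsu.tmp\boost.ico": (
        "576AE10DD9F5521A3285163D31EBD277", "4D88D461ED307F6949FE51F4698C35767FEF8D84"),
    r"%Temp%\~nsu.tmp\whitesmoke-silent.exe": (
        "B2C1ECBB4E673505E9248A25DFC286B0", "DD472F78C5E8591AD7C57435C67B46CFABAFAFCF"),
    r"%Temp%\~nsu.tmp\WhiteSmokeTranslator_rev1.exe": (
        "12C6D991CAE48AEE5A14F1175D2543DA", "57859915C688EF98718C57500116DE2483ADEFCF"),
    r"%Documents and Settings%\<user>\Desktop\Improve Your PC.lnk": (
        "1A2F8DD3F951A4BDBA6E8F7683675E46", "3D1ACB0DF365B2A422FEE42890A92A30CB7978FD"),
    r"%Documents and Settings%\All Users\Start Menu\Programs\Startup\WhiteSmoke Translator.lnk": None,
    r"%Documents and Settings%\<user>\Desktop\WhiteSmoke (continue installation).lnk": None,
}

# (hive, subkey, value name) from the page; a None value name means "the key itself".
REGISTRY_IOCS = [
    ("HKCU", r"Environment", "WS_TARGET_DIR"),
    ("HKLM", r"Software\WhiteSmokeTranslator", None),
]


def hash_file(path):
    """Return (MD5, SHA1) of a file as upper-case hex, the notation the page uses."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest().upper(), sha1.hexdigest().upper()


def expand(template, env):
    """Resolve %Name% and <user> placeholders from `env`; unknown ones stay literal.

    Backslashes become forward slashes so the same template works on a Windows host
    and on a non-Windows analysis box pointed at an extracted copy of the file system.
    """
    expanded = re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1), m.group(0)), template)
    expanded = expanded.replace("<user>", env.get("user", "<user>"))
    return Path(expanded.replace("\\", "/"))


def check_files(env, iocs=FILE_IOCS):
    """One finding per indicator: 'absent', 'present' (page gives no hash),
    'match' (MD5 and SHA1 both agree with the page) or 'present_hash_differs'."""
    findings = []
    for template, expected in iocs.items():
        path = expand(template, env)
        if not path.is_file():
            status = "absent"
        elif expected is None:
            status = "present"
        elif hash_file(path) == tuple(expected):
            status = "match"
        else:
            status = "present_hash_differs"
        findings.append({"indicator": template, "path": str(path), "status": status})
    return findings


def check_registry(iocs=REGISTRY_IOCS):
    """Windows only: report which of the page's registry keys/values exist."""
    if platform.system() != "Windows":
        return []
    import winreg  # standard library, importable only on Windows
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    present = []
    for hive, subkey, value in iocs:
        try:
            with winreg.OpenKey(hives[hive], subkey) as key:
                if value is None:
                    present.append(f"{hive}\\{subkey}")
                else:
                    data, _ = winreg.QueryValueEx(key, value)
                    present.append(f"{hive}\\{subkey}\\{value} = {data!r}")
        except OSError:  # key or value not present
            pass
    return present


if __name__ == "__main__":
    # Live check of the local host; the profile root stands in for %Documents and Settings%.
    env = {
        "Temp": os.environ.get("TEMP", "/tmp"),
        "Program Files": os.environ.get("ProgramFiles", r"C:\Program Files"),
        "Documents and Settings": str(Path.home().parent),
        "user": Path.home().name,
    }
    for finding in check_files(env):
        if finding["status"] != "absent":
            print(f"{finding['status']:22} {finding['path']}")
    for entry in check_registry():
        print("registry:", entry)
```

A path that exists but whose hashes differ from the page is still worth triage: the dropper pulls its payloads from a remote server, so a later build of whitesmoke-silent.exe or WhiteSmokeTranslator_rev1.exe would land under the same name with different hashes.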


Removal instructions

If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:

  1. Delete the original Trojan file (its location will depend on how the program originally penetrated the infected computer).
  2. Delete the following files:
    %Temp%\~nsu.tmp\wsget.exe
    %Temp%\~nsu.tmp\boost.ico
    %Documents and Settings%\All Users\Start Menu\Programs\Startup\WhiteSmoke Translator.lnk
    %Documents and Settings%\<user>\Desktop\WhiteSmoke (continue installation).lnk
    %Documents and Settings%\<user>\Desktop\Improve Your PC.lnk
    %Temp%\~nsu.tmp\whitesmoke-silent.exe
    %Temp%\~nsu.tmp\WhiteSmokeTranslator_rev1.exe
    
  3. Delete the following system registry keys:
    [HKCU\Environment]
    "WS_TARGET_DIR"="%Program Files%\\WhiteSmoke Translator"
    
    [HKLM\Software\WhiteSmokeTranslator]
    "InstallOption"=dword:0000000e
    "DistID"=dword:0000138a
    
  4. Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).


MD5: 3115E3A19CFFBB92F01EEB4EEC67693C
SHA1: 0B593692AE3C72E60A1CF61404F342505BF5BB83


Adware

Adware covers programs designed to display advertisements (usually in the form of banners), redirect search requests to advertising websites, and collect marketing-type data about the user (e.g. which types of websites s/he visits) in order to display customized advertising on the computer.

Other than displaying advertisements and collecting data, these types of program generally do not make their presence in the system known: there will be no signs of the program in the system tray, and no indication in the program menu that files have been installed. Often, Adware programs do not have any uninstall procedures and use technologies which border on virus technology to help the program stealthily penetrate the computer and run unnoticed.


Aliases

not-a-virus:AdWare.Win32.WhiteSmoke.a (Kaspersky Lab) is also known as:

  • Trojan.MulDrop1.50647 (DrWeb)
  • not-a-virus:AdWare.Win32.WhiteSmoke (Ikarus)
  • Downloader (NAV)
  • W32/SmallDrp.AZBZ (Norman)
  • Packer.Win32.Agent.GEN [Suspicious] (Rising)
  • not-a-virus:AdWare.Win32.WhiteSmoke.a (FSecure)