Installation
This browser modifier often arrives on your PC as part of a software bundler. The software bundler usually offers free software from a third party, and during the installation it offers to install other programs.
During installation, you might see the following messages:
Clicking Disagree exits the installation. Clicking Agree & Continue installs the program:
This threat can create the following files on your PC:
It creates the following registry entries:
- HKEY_CLASSES_ROOT\Extension.jshep
- HKEY_CLASSES_ROOT\Extension.jshep.1
- HKEY_CLASSES_ROOT\AppID\mseff32.DLL
- HKEY_CLASSES_ROOT\AppID\{425F4ABF-B8E4-402D-9E49-06E494EB8DBF}
- HKEY_CLASSES_ROOT\AppID\{4AC9981D-592D-4044-8C0A-8F6FE843D683}
- HKEY_CLASSES_ROOT\AppID\{94CB6BE7-AE1A-4751-AE74-1EDD6B567264}
- HKEY_CLASSES_ROOT\CLSID\{3CF50C82-4C4B-43e9-B1B2-15CB1BD0C193}
- HKEY_CLASSES_ROOT\CLSID\{5081D2D4-1637-404c-B74F-50526718257D}
- HKEY_CLASSES_ROOT\CLSID\{7D8DAE88-BC05-4578-8C29-E541FFBA5757}
- HKEY_CLASSES_ROOT\Interface\{A9582D7B-F24A-441D-9D26-450D58F3CD17}
- HKEY_CLASSES_ROOT\Interface\{D1661A59-E9D3-4603-8822-2FBEADA5E097}
- HKEY_CLASSES_ROOT\Interface\{E309D526-009C-490B-9BB1-CF9D525F6854}
- HKEY_CLASSES_ROOT\Interface\{E4C3E50F-5761-4BF8-95A0-939A819DF1C3}
- HKEY_CLASSES_ROOT\Interface\{EE0D8859-2ED4-4B0D-9812-16865B9AFD65}
- HKEY_CLASSES_ROOT\SOFTWARE\{4E7638A1-6962-4e44-A6B9-F40E84FD6D09}
- HKEY_CLASSES_ROOT\TypeLib\{14EF423E-3EE8-44AE-9337-07AC3F27B744}
- HKEY_CLASSES_ROOT\TypeLib\{9AE7A6AE-162E-44C4-9A2B-A6B4EF19909D}
- HKEY_CLASSES_ROOT\TypeLib\{B5C4833B-847B-49CD-8EBE-CDD9B43C882F}
- HKEY_CURRENT_USER\Software\{4E7638A1-6962-4e44-A6B9-F40E84FD6D09}
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-4083753433-3687147761-1040319118-1001\Software\shopperz
- HKEY_CURRENT_USER\Software\Classes\Software\{4E7638A1-6962-4e44-A6B9-F40E84FD6D09}
- HKEY_LOCAL_MACHINE\SOFTWARE\shopperz
- HKEY_LOCAL_MACHINE\SOFTWARE\shopperz\Options
- HKEY_LOCAL_MACHINE\SOFTWARE\shopperz\Options\Procs
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\shopperz
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\shopperz\Options
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\shopperz\Options\Procs
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Extension.jshep
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Extension.jshep.1
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\mseff32.DLL
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{425F4ABF-B8E4-402D-9E49-06E494EB8DBF}
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{4AC9981D-592D-4044-8C0A-8F6FE843D683}
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{94CB6BE7-AE1A-4751-AE74-1EDD6B567264}
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3CF50C82-4C4B-43e9-B1B2-15CB1BD0C193}
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5081D2D4-1637-404c-B74F-50526718257D}
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7D8DAE88-BC05-4578-8C29-E541FFBA5757}
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A9582D7B-F24A-441D-9D26-450D58F3CD17}
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D1661A59-E9D3-4603-8822-2FBEADA5E097}
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E309D526-009C-490B-9BB1-CF9D525F6854}
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E4C3E50F-5761-4BF8-95A0-939A819DF1C3}
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EE0D8859-2ED4-4B0D-9812-16865B9AFD65}
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{14EF423E-3EE8-44AE-9337-07AC3F27B744}
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{9AE7A6AE-162E-44C4-9A2B-A6B4EF19909D}
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{B5C4833B-847B-49CD-8EBE-CDD9B43C882F}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5081D2D4-1637-404c-B74F-50526718257D}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5081D2D4-1637-404c-B74F-50526718257D}_is1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{random CLSID}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{random CLSID}
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\70F4EEDB-1367-4b4f-8247-3133551A7415
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\cherimoya
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\csrcc
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\shopperz Updater
- HKEY_USERS\.DEFAULT\Software\{4E7638A1-6962-4e44-A6B9-F40E84FD6D09}
- HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-18\Software\shopperz
It creates the following autostart registry entries:
In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "shopperz"
With data: "%Program Files%\shopperz\wrex.exe"
In subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\70F4EEDB-1367-4b4f-8247-3133551A7415
Sets value: "ImagePath"
With data: ""%Program Files%\shopperz\grunt.exe""
In subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\csrcc
Sets value: "ImagePath"
With data: ""%Program Files%\shopperz\csrcc.exe""
In subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\shopperz Updater
Sets value: "ImagePath"
With data: "%Program Files%\shopperz\nseven.exe"
It also sets the following registry values:
In subkey: HKEY_CLASSES_ROOT\CLSID\{3CF50C82-4C4B-43e9-B1B2-15CB1BD0C193}\LocalServer32
Sets value: "(default)"
With data: "%Program Files%\shopperz\grunt.exe"
In subkey: HKEY_CLASSES_ROOT\CLSID\{5081D2D4-1637-404c-B74F-50526718257D}\InprocServer32
Sets value: "(default)"
With data: "%Program Files%\shopperz\mseff32.dll"
In subkey: HKEY_CLASSES_ROOT\CLSID\{7D8DAE88-BC05-4578-8C29-E541FFBA5757}\LocalServer32
Sets value: "(default)"
With data: "%Program Files%\shopperz\csrcc.exe"
In subkey: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Approved Extensions
Sets value: "(default)"
With data: "{5081D2D4-1637-404c-B74F-50526718257D}"
In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Firefox\Extensions
Sets value: "{5081D2D4-1637-404c-B74F-50526718257D}"
With data: "%Program Files%\shopperz\Firefox"
In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5081D2D4-1637-404c-B74F-50526718257D}
Sets value: "(default)"
With data: "shopperz Helper"
In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions
Sets value: "{5081D2D4-1637-404c-B74F-50526718257D}"
With data: "%Program Files%\shopperz\Firefox"
In subkey: HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Approved Extensions
Sets value: "(default)"
With data: "{5081D2D4-1637-404c-B74F-50526718257D}"
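The autostart and browser-registration locations listed above can be checked on a suspect machine with a read-only PowerShell inventory. The script below is an added example, not part of the original analysis; the registry paths and the BHO CLSID are taken from this page, while the Program Files (x86) directory check and the HKEY_USERS\.DEFAULT path form are assumptions.

```powershell
# Added example, not part of the original write-up: a read-only inventory of the
# persistence locations this page attributes to shopperz. Run it in an elevated
# PowerShell; it only reads the registry and file system and prints findings.
$bhoClsid = '{5081D2D4-1637-404c-B74F-50526718257D}'   # BHO CLSID from the page
$ffExt    = 'Mozilla\Firefox\Extensions'

# Registry values the page says the installer sets (key, value name).
$valueChecks = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'shopperz' },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\70F4EEDB-1367-4b4f-8247-3133551A7415'; Name = 'ImagePath' },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\csrcc'; Name = 'ImagePath' },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\shopperz Updater'; Name = 'ImagePath' },
    @{ Key = "HKLM:\SOFTWARE\$ffExt"; Name = $bhoClsid },
    @{ Key = "HKLM:\SOFTWARE\Wow6432Node\$ffExt"; Name = $bhoClsid }
)
# Keys whose mere presence is suspicious.
$keyChecks = @(
    'HKLM:\SOFTWARE\shopperz',
    'HKLM:\SOFTWARE\Wow6432Node\shopperz',
    'HKLM:\SYSTEM\CurrentControlSet\Services\cherimoya',
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$bhoClsid",
    "HKLM:\SOFTWARE\Classes\CLSID\$bhoClsid\InprocServer32"
)

function Get-ShopperzFindings {
    $findings = @()
    foreach ($c in $valueChecks) {
        $p = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -ne $p) {
            $findings += [pscustomobject]@{ Location = "$($c.Key) [$($c.Name)]"; Data = $p.($c.Name) }
        }
    }
    foreach ($k in $keyChecks) {
        if (Test-Path -LiteralPath $k) {
            $findings += [pscustomobject]@{ Location = $k; Data = '(key present)' }
        }
    }
    # Approved Extensions is a legitimate IE key; flag it only if its default value is the shopperz CLSID.
    foreach ($hive in 'HKCU:', 'Registry::HKEY_USERS\.DEFAULT') {
        $k = "$hive\Software\Microsoft\Internet Explorer\Approved Extensions"
        $d = (Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).'(default)'
        if ($d -eq $bhoClsid) { $findings += [pscustomobject]@{ Location = $k; Data = $d } }
    }
    # Payload directory under either Program Files tree (x86 tree is an assumption).
    foreach ($root in $env:ProgramFiles, ${env:ProgramFiles(x86)}) {
        if ($root -and (Test-Path -LiteralPath (Join-Path $root 'shopperz'))) {
            $findings += [pscustomobject]@{ Location = (Join-Path $root 'shopperz'); Data = '(directory present)' }
        }
    }
    return $findings
}

$result = Get-ShopperzFindings
if ($result.Count -eq 0) { 'No shopperz persistence indicators found.' } else { $result | Format-Table -AutoSize }
```

The scheduled-task entries under TaskCache use a random CLSID, so they are not matched here; review Task Scheduler separately for tasks that launch executables from the shopperz directory.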
It creates the following scheduled task:

It also adds a Browser Helper Object (BHO) without prompting:

Threat behavior
This threat installs a browser extension into Internet Explorer, Mozilla Firefox, and Chrome without prompting. The following images are examples of the installed browser extensions:

No warnings are displayed when opening a new browser window or tab. It can display ads such as the following:


Opening a new tab or window will always display the following warning:

If you click Show all content, ads are displayed:


Analysis by Kathleen Mae Notario