Win32/Adware.MultiPlug.H

If your anti-virus software is detecting a Win32/Adware.MultiPlug.H infection, this usually means that a PUP (Potentially Unwanted Program) has been detected on your computer. These types of infections are usually adware programs or browser hijackers that take the form of an extension of toolbar for your Web browser. Win32/Adware.MultiPlug.H infections are not particularly harmful and may be removed in a simple manner than with other, more severe types of threats. However, despite the fact that the Win32/Adware.MultiPlug.H infection is categorized as a PUP, this does not mean that Win32/Adware.MultiPlug.H is not severely disruptive. Many of the symptoms associated with Win32/Adware.MultiPlug.H may also appear in cases of more sophisticated threats like the Sirefef rootkit. Win32/Adware.MultiPlug.H infections may cause the appearance of pop-up windows and error messages and may cause unauthorized alterations to your computer and Web browser preferences.

The Annoying and Unwanted Advertisements Displayed by Win32/Adware.MultiPlug.H

Symptoms associated with Win32/Adware.MultiPlug.H may prevent computer users from using the infected computer effectively. The main purpose of Win32/Adware.MultiPlug.H and similar infections is to profit at the expense of the computer user, mainly using advertisement revenue and affiliate marketing schemes. Because of this, the main purpose of Win32/Adware.MultiPlug.H infections is to display advertisements on the infected Web browser or to force computer users to visit websites that contain advertisements and affiliate marketing links repeatedly. Win32/Adware.MultiPlug.H may also insert advertisements and links into online content that would normally not have these types of components. Some of the most visible symptoms of Win32/Adware.MultiPlug.H infections include the appearance of an unwanted toolbar on the infected Web browser, unauthorized changes to the affected Web browser's homepage and default search engine, browser redirects to websites associated with Win32/Adware.MultiPlug.H and poor system and Web browser performance and Internet connection speed.

How Win32/Adware.MultiPlug.H Invades a Computer

The main way in which Win32/Adware.MultiPlug.H is distributed is by bundling this adware infection with legitimate, free software. Often, shady marketers may hide Win32/Adware.MultiPlug.H and the option to opt out of installing these types of components. Browser toolbars associated with Win32/Adware.MultiPlug.H are very common when downloading free software from third-party websites with poorly regulated content. You can avoid these types of scams by paying attention to the installation process when installing new software on your computer.

Analysis Report

General information

Family Name:	Adware.MultiPlug.H
Signature status:	No Signature

Known Samples

i

Known Samples

This section lists other file samples believed to be associated with this family.

MD5: a3775d9d56a8da9987bdc4c33c633694 SHA1: e17495480e39bfee528a6f3ccfc9abd98ce15bba SHA256: 0522C021DFF0A09C013FFCA1D216321951B5800639B62B66F6347523762BCFDD File Size: 296.96 KB, 296960 bytes

Windows Portable Executable Attributes

i

Windows Portable Executable Attributes

This section lists file attributes found within family samples. These attributes are extracted from the files’ Windows PE (Portable Executable) specification and various system flags. Portable Executable Attributes give malware researchers insight into a file’s functionality, executable details, platform and runtime environment.

• File doesn't have "Rich" header
• File doesn't have debug information
• File doesn't have exports table
• File doesn't have security information
• File is 32-bit executable
• File is either console or GUI application
• File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
• File is Native application (NOT .NET application)
• File is not packed
• IMAGE_FILE_DLL is not set inside PE header (Executable)

Show More

• IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

i

File Icons

This section displays icon resources found within family samples. Malware often replicates icons commonly associated with legitimate software to mislead users into believing the malware is safe.

File Traits

• HighEntropy
• No Version Info
• x86

Block Information

i

Block Information

During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.

Total Blocks:	194
Potentially Malicious Blocks:	14
Whitelisted Blocks:	172
Unknown Blocks:	8

Visual Map

? ? ? ? ? ? ? x x ? x x x x x x x x x x x x 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 2 3 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 1 0 1 0 0 2 2 1 0 0 1 0 0 1 1 1 0 0 0 0 0 1 0 0 0 0 0 2 1 1 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 1 0 0 0 0 0 0 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Files Modified

i

Files Modified

This section lists files that were created, modified, moved and/or deleted by samples in this family. File system activity can provide valuable insight into how malware functions on the operating system.

File	Attributes
c:\programdata\{8bca7c6d-604a-3e47-8bca-a7c6d604f1b5}\e17495480e39bfee528a6f3ccfc9abd98ce15bba_0000296960	Generic Write,Read Attributes
c:\programdata\{8bca7c6d-604a-3e47-8bca-a7c6d604f1b5}\e17495480e39bfee528a6f3ccfc9abd98ce15bba_0000296960	Read Data,Read Attributes,Synchronize,Write Data
c:\programdata\{8bca7c6d-604a-3e47-8bca-a7c6d604f1b5}\e17495480e39bfee528a6f3ccfc9abd98ce15bba_0000296960.dat	Generic Write,Read Attributes
c:\windows\tasks\djkit.job	Generic Write,Read Attributes

Registry Modifications

i

Registry Modifications

This section lists registry keys and values that were created, modified and/or deleted by samples in this family. Windows Registry activity can provide valuable insight into malware functionality. Additionally, malware often creates registry values to allow itself to automatically start and indefinitely persist after an initial infection has compromised the system.

Key::Value	Data	API Name
HKCU\software\microsoft\windows\currentversion\uninstall\73ba6c038cb0ab5::	IIfACmWI77rvpMztvqbkPuqPNbLrKSqkP3CnlkJ9dlEaDpu/LBSwsx2K9lKxh3SN4ROnjjdNQNvqom	RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\content::cacheprefix		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\cookies::cacheprefix	Cookie:	RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\history::cacheprefix	Visited:	RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname		RegNtPreCreateKey

Show More

HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect		RegNtPreCreateKey