Adware/Twaintech
Analysis
Specifics
This threat is commonly installed by a dropper or installer
Trojan downloaded from an Internet-hosted server. The
downloader/dropper is typically installed while visiting
web sites that host adware; common examples include porn sites,
video game cheat code sites and gambling web sites.
Once running, the threat sends machine-specific configuration
data to a server-side script using an HTTP POST.
Loading at Windows Startup
The threat is downloaded within a Microsoft cabinet
file named "twaintec.cab" (83,118 bytes).
Within the .CAB file is an installation file named "twaintec.inf"
which is used to place the file "twaintec.dll"
(139,264 bytes) into the Windows folder.
Once installed, the threat loads at Windows startup because of the registry modifications made during installation (the COM registration of twaintec.dll). These are the related registry entries -
HKEY_CLASSES_ROOT\CLSID\{000020DD-C72E-4113-AF77-DD56626C6C42}\
"(Default)" = TwaintecObj Class
HKEY_CLASSES_ROOT\CLSID\{000020DD-C72E-4113-AF77-DD56626C6C42}\InprocServer32\
"(Default)" = C:\WINNT\twaintec.dll
"ThreadingModel" = Apartment
HKEY_CLASSES_ROOT\CLSID\{000020DD-C72E-4113-AF77-DD56626C6C42}\ProgID\
"(Default)" = Twaintec.TwaintecObj.1
HKEY_CLASSES_ROOT\CLSID\{000020DD-C72E-4113-AF77-DD56626C6C42}\TypeLib\
"(Default)" = {11CC62B2-65F2-4A82-B332-5DE4E8384422}
HKEY_CLASSES_ROOT\CLSID\{000020DD-C72E-4113-AF77-DD56626C6C42}\VersionIndependentProgID\
"(Default)" = twaintec.twaintecObj
HKEY_CLASSES_ROOT\Interface\{4534CD6B-59D6-43FD-864B-06A0D843444A}\
"(Default)" = ITwaintecDllObj
HKEY_CLASSES_ROOT\Interface\{4534CD6B-59D6-43FD-864B-06A0D843444A}\ProxyStubClsid\
"(Default)" = {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{4534CD6B-59D6-43FD-864B-06A0D843444A}\ProxyStubClsid32\
"(Default)" = {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{4534CD6B-59D6-43FD-864B-06A0D843444A}\TypeLib\
"(Default)" = {690BCCB4-6B83-4203-AE77-038C116594EC}
"Version" = 1.1
HKEY_CLASSES_ROOT\TwaintecDll.TwaintecDllObj.1\
"(Default)" = twaintecObj Class
HKEY_CLASSES_ROOT\TwaintecDll.TwaintecDllObj.1\CLSID\
"(Default)" = {000020DD-C72E-4113-AF77-DD56626C6C42}
HKEY_CLASSES_ROOT\TypeLib\{690BCCB4-6B83-4203-AE77-038C116594EC}\1.1\
"(Default)" = TwaintecDll 1.1 Type Library
HKEY_CLASSES_ROOT\TypeLib\{690BCCB4-6B83-4203-AE77-038C116594EC}\1.1\0\win32\
"(Default)" = C:\WINNT\twaintec.dll
HKEY_CLASSES_ROOT\TypeLib\{690BCCB4-6B83-4203-AE77-038C116594EC}\1.1\FLAGS\
"(Default)" = 0
HKEY_CLASSES_ROOT\TypeLib\{690BCCB4-6B83-4203-AE77-038C116594EC}\1.1\HELPDIR\
"(Default)" = C:\WINNT\
HKEY_CLASSES_ROOT\VX2.VX2Obj\
"(Default)" = twaintec Functional Class
HKEY_CLASSES_ROOT\VX2.VX2Obj\CLSID\
"(Default)" = {000020DD-C72E-4113-AF77-DD56626C6C42}
HKEY_CLASSES_ROOT\VX2.VX2Obj\CurVer\
"(Default)" = TwaintecDll.TwaintecDllObj.1
HKEY_LOCAL_MACHINE\SOFTWARE\twaintec\
"TTI4d5OfSDist" = POL14100
"TTI4d5OfSInst" = {1F034FE6-5BCA-4D77-910C-CC26844DDE27}
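As an added example that is not part of the original write-up, the following Python script parses a Windows .reg export (a constructed sample is embedded) and flags the keys and values listed above that identify this threat's COM registration and its HKEY_LOCAL_MACHINE\SOFTWARE\twaintec key; the function and constant names are the example's own.

```python
# Indicators taken from the registry entries listed in the write-up above.
TWAINTECH_CLSID = "{000020DD-C72E-4113-AF77-DD56626C6C42}"
TWAINTECH_PROGIDS = ("TWAINTECDLL.TWAINTECDLLOBJ.1", "VX2.VX2OBJ")
TWAINTECH_SOFTWARE_KEY = "HKEY_LOCAL_MACHINE\\SOFTWARE\\TWAINTEC"

# Constructed sample .reg export; the last key (standard OLE proxy/stub CLSID) is benign.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{000020DD-C72E-4113-AF77-DD56626C6C42}\InprocServer32]
@="C:\\WINNT\\twaintec.dll"
[HKEY_CLASSES_ROOT\VX2.VX2Obj\CLSID]
@="{000020DD-C72E-4113-AF77-DD56626C6C42}"
[HKEY_LOCAL_MACHINE\SOFTWARE\twaintec]
"TTI4d5OfSDist"="POL14100"
[HKEY_CLASSES_ROOT\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32]
@="oleaut32.dll"
"""

def parse_reg_export(text):
    """Parse .reg text into {key path: {value name: string data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]          # new key section
            keys[current] = {}
        elif current is not None and "=" in line:
            name, data = line.split("=", 1)
            name = "(Default)" if name == "@" else name.strip('"')
            # strip quotes and undo the .reg backslash escaping in string data
            keys[current][name] = data.strip().strip('"').replace("\\\\", "\\")
    return keys

def find_twaintech(keys):
    """Return sorted (kind, location) findings matching the Twaintech entries."""
    findings = []
    for key, values in keys.items():
        up = key.upper()
        if TWAINTECH_CLSID in up:
            findings.append(("clsid_key", key))
        if any(up.startswith("HKEY_CLASSES_ROOT\\" + p) for p in TWAINTECH_PROGIDS):
            findings.append(("progid_key", key))
        if up == TWAINTECH_SOFTWARE_KEY:
            findings.append(("software_key", key))
        for name, data in values.items():
            # values pointing at the DLL (InprocServer32, TypeLib win32) or at the CLSID
            if "TWAINTEC.DLL" in data.upper() or TWAINTECH_CLSID in data.upper():
                findings.append(("value_reference", key + " -> " + name))
    return sorted(findings)
```

Export the relevant hives with regedit or reg.exe and pass the file contents to parse_reg_export; a clean machine produces an empty findings list.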
Machine Information Harvesting
This threat sends machine-specific information to
a web site; the information includes registry data,
installed software, running services, the operating system
and other machine-specific details. One HTTP POST is sent
to a server-side script before the adware is installed,
and a second set of data is sent after installation.
The data is gathered and submitted as XML and contains
some or all of the following types of information -
- Name of binary initiating the Internet call (commonly "insttt.exe")
- MAC address, host name
- Software installed
- List of processes currently running
- Log detail for insttt.exe
- Registry data for the following keys -
SOFTWARE\America Online\AOL\CurrentVersion
SOFTWARE\180solutions
SOFTWARE\Lavasoft\AD-Aware
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ad-aware 5
SOFTWARE\BTIEIN
SOFTWARE\CLRSCH
SOFTWARE\DBi
SOFTWARE\DHost
SOFTWARE\Gator.com
SOFTWARE\GatorTest
SOFTWARE\intexp
SOFTWARE\IPInsight
SOFTWARE\McAfee.com
SOFTWARE\180solutions\msbb
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\msbb
SOFTWARE\MSView
Software\mxtarget
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\nCase
SOFTWARE\PestPatrol
SOFTWARE\RespondMiter
SOFTWARE\TPS108
SOFTWARE\Twaintec
SOFTWARE\VB
Software\VoiceIP
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WeatherCast
SOFTWARE\WhenUSave
Software\Thinstaller\EnableLoggingToHDD
- Log information for "twaintec.cab"
- Uninstall keys for certain software programs, identified
by searching these keys -
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ad-aware 5
SOFTWARE\CLRSCH
SOFTWARE\DBi
SOFTWARE\DHost
SOFTWARE\Gator.com
SOFTWARE\GatorTest
SOFTWARE\intexp
SOFTWARE\IPInsight
SOFTWARE\McAfee.com
SOFTWARE\180solutions\msbb
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\msbb
SOFTWARE\MSView
Software\mxtarget
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\nCase
SOFTWARE\PestPatrol
SOFTWARE\RespondMiter
SOFTWARE\TPS108
SOFTWARE\VB
Software\VoiceIP
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WeatherCast
SOFTWARE\WhenUSave
The XML data is submitted by HTTP POST to the Internet
address 'thinstall.abetterinternet.com'.
Recommended Action
- Check the main screen of your FortiGate unit's web
interface to ensure that the latest AV/NIDS database
has been downloaded and installed on your system; if
required, enable the "Allow Push Update" option
- Using the FortiGate manager, add these IP addresses
and website names to the list of URLs to block -
69.90.32.140
69.90.32.141
thinstall.abetterinternet.com
download.abetterinternet.com
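As an added example, not part of the original write-up, this Python script checks Squid-style proxy access-log lines (a constructed sample is embedded) for requests to the hosts and addresses listed above and reports which internal clients sent the HTTP POST described under Machine Information Harvesting; the log format, the client addresses and the function names are assumptions of the example.

```python
from urllib.parse import urlsplit

# Hosts and addresses named in this write-up (the POST destination and the
# download site recommended for blocking).
TWAINTECH_HOSTS = {
    "thinstall.abetterinternet.com",
    "download.abetterinternet.com",
    "69.90.32.140",
    "69.90.32.141",
}

# Constructed Squid native access-log lines (not a real capture):
# time elapsed client result/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1097580021.101    312 10.0.0.12 TCP_MISS/200 1843 POST http://thinstall.abetterinternet.com/ - DIRECT/192.0.2.1 text/html
1097580022.517    980 10.0.0.12 TCP_MISS/200 83118 GET http://download.abetterinternet.com/twaintec.cab - DIRECT/192.0.2.1 application/octet-stream
1097580030.004     45 10.0.0.20 TCP_HIT/200 5120 GET http://www.example.com/index.html - NONE/- text/html
1097580041.330    275 10.0.0.12 TCP_MISS/200 1902 POST http://69.90.32.141/ - DIRECT/69.90.32.141 text/html
1097580050.111     60 10.0.0.31 TCP_MISS/200 700 GET http://thinstall.abetterinternet.com.example.net/ - DIRECT/192.0.2.9 text/html
this line is malformed and must be skipped
"""

def parse_squid_line(line):
    """Return (client, method, host) for a native-format line, or None if malformed."""
    fields = line.split()
    if len(fields) < 7:
        return None
    host = urlsplit(fields[6]).hostname   # lower-cased, port stripped
    if host is None:
        return None
    return fields[2], fields[5], host

def flag_twaintech_traffic(log_text):
    """Flag requests whose host exactly matches an indicator (no suffix matching)."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_squid_line(line)
        if parsed and parsed[2] in TWAINTECH_HOSTS:
            hits.append(parsed)
    return hits

def infected_clients(log_text):
    """Clients that POSTed to an indicator host, i.e. sent the machine-info upload."""
    return sorted({c for c, m, _ in flag_twaintech_traffic(log_text) if m == "POST"})
```

A GET of twaintec.cab from the download host identifies a machine at the install stage; a POST to the thinstall host or either IP identifies a machine that has already uploaded its configuration data.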
- The adware can be removed by using regsvr32 to unregister the DLL twaintec.dll -
- open a command prompt
- type "regsvr32 /u twaintec.dll"
- manually delete "twaintec.dll" from the Windows folder