Adware/Twaintech

Analysis

Specifics
This threat is commonly installed by a dropper or installer Trojan downloaded from a hosted Internet server. The dropper is typically installed when visiting web sites which host adware; common examples include porn sites, video game cheat code sites and gambling web sites. Once running, the threat sends machine-specific configuration data to a server-side script using an HTTP POST.


Loading at Windows Startup
The threat is downloaded within a Microsoft cabinet file named "twaintec.cab" (83,118 bytes). Within the .CAB file is an installation file named "twaintec.inf" which is used to place the file "twaintec.dll" (139,264 bytes) into the Windows folder.

Once installed, this threat loads at Windows startup because of registry modifications made during installation. These are the related registry entries -

HKEY_CLASSES_ROOT\CLSID\{000020DD-C72E-4113-AF77-DD56626C6C42}\
"(Default)" = TwaintecObj Class
HKEY_CLASSES_ROOT\CLSID\{000020DD-C72E-4113-AF77-DD56626C6C42}\InprocServer32\
"(Default)" = C:\WINNT\twaintec.dll
"ThreadingModel" = Apartment
HKEY_CLASSES_ROOT\CLSID\{000020DD-C72E-4113-AF77-DD56626C6C42}\ProgID\
"(Default)" = Twaintec.TwaintecObj.1
HKEY_CLASSES_ROOT\CLSID\{000020DD-C72E-4113-AF77-DD56626C6C42}\TypeLib\
"(Default)" = {11CC62B2-65F2-4A82-B332-5DE4E8384422}
HKEY_CLASSES_ROOT\CLSID\{000020DD-C72E-4113-AF77-DD56626C6C42}\VersionIndependentProgID\
"(Default)" = twaintec.twaintecObj
HKEY_CLASSES_ROOT\Interface\{4534CD6B-59D6-43FD-864B-06A0D843444A}\
"(Default)" = ITwaintecDllObj
HKEY_CLASSES_ROOT\Interface\{4534CD6B-59D6-43FD-864B-06A0D843444A}\ProxyStubClsid\
"(Default)" = {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{4534CD6B-59D6-43FD-864B-06A0D843444A}\ProxyStubClsid32\
"(Default)" = {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{4534CD6B-59D6-43FD-864B-06A0D843444A}\TypeLib\
"(Default)" = {690BCCB4-6B83-4203-AE77-038C116594EC}
"Version" = 1.1
HKEY_CLASSES_ROOT\TwaintecDll.TwaintecDllObj.1\
"(Default)" = twaintecObj Class
HKEY_CLASSES_ROOT\TwaintecDll.TwaintecDllObj.1\CLSID\
"(Default)" = {000020DD-C72E-4113-AF77-DD56626C6C42}
HKEY_CLASSES_ROOT\TypeLib\{690BCCB4-6B83-4203-AE77-038C116594EC}\1.1\
"(Default)" = TwaintecDll 1.1 Type Library
HKEY_CLASSES_ROOT\TypeLib\{690BCCB4-6B83-4203-AE77-038C116594EC}\1.1\0\win32\
"(Default)" = C:\WINNT\twaintec.dll
HKEY_CLASSES_ROOT\TypeLib\{690BCCB4-6B83-4203-AE77-038C116594EC}\1.1\FLAGS\
"(Default)" = 0
HKEY_CLASSES_ROOT\TypeLib\{690BCCB4-6B83-4203-AE77-038C116594EC}\1.1\HELPDIR\
"(Default)" = C:\WINNT\
HKEY_CLASSES_ROOT\VX2.VX2Obj\
"(Default)" = twaintec Functional Class
HKEY_CLASSES_ROOT\VX2.VX2Obj\CLSID\
"(Default)" = {000020DD-C72E-4113-AF77-DD56626C6C42}
HKEY_CLASSES_ROOT\VX2.VX2Obj\CurVer\
"(Default)" = TwaintecDll.TwaintecDllObj.1
HKEY_LOCAL_MACHINE\SOFTWARE\twaintec\
"TTI4d5OfSDist" = POL14100
"TTI4d5OfSInst" = {1F034FE6-5BCA-4D77-910C-CC26844DDE27}


Machine Information Harvesting
This threat sends machine-specific information to a web site; the information includes registry data, installed software, running services, the operating system version and other machine-specific details. The information is sent as an HTTP POST to a server-side script before the adware installation, and a second set of data is sent after the adware is installed. The data is gathered and submitted as XML; the content contains some or all of the following types of information -

  • Name of binary initiating the Internet call (commonly "insttt.exe")
  • MACaddress, HostName
  • Software installed
  • List of processes currently running
  • Log detail for insttt.exe
  • Registry data for the following keys -
    SOFTWARE\America Online\AOL\CurrentVersion
    SOFTWARE\180solutions
    SOFTWARE\Lavasoft\AD-Aware
    SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ad-aware 5
    SOFTWARE\BTIEIN
    SOFTWARE\CLRSCH
    SOFTWARE\DBi
    SOFTWARE\DHost
    SOFTWARE\Gator.com
    SOFTWARE\GatorTest
    SOFTWARE\intexp
    SOFTWARE\IPInsight
    SOFTWARE\McAfee.com
    SOFTWARE\180solutions\msbb
    SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\msbb
    SOFTWARE\MSView
    Software\mxtarget
    SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\nCase
    SOFTWARE\PestPatrol
    SOFTWARE\RespondMiter
    SOFTWARE\TPS108
    SOFTWARE\Twaintec
    SOFTWARE\VB
    Software\VoiceIP
    SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WeatherCast
    SOFTWARE\WhenUSave
    Software\Thinstaller\EnableLoggingToHDD
  • Log information for the "twaintec.cab"
  • Uninstall keys for certain software programs, identified by searching these keys -
    SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ad-aware 5
    SOFTWARE\CLRSCH
    SOFTWARE\DBi
    SOFTWARE\DHost
    SOFTWARE\Gator.com
    SOFTWARE\GatorTest
    SOFTWARE\intexp
    SOFTWARE\IPInsight
    SOFTWARE\McAfee.com
    SOFTWARE\180solutions\msbb
    SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\msbb
    SOFTWARE\MSView
    Software\mxtarget
    SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\nCase
    SOFTWARE\PestPatrol
    SOFTWARE\RespondMiter
    SOFTWARE\TPS108
    SOFTWARE\VB
    Software\VoiceIP
    SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WeatherCast
    SOFTWARE\WhenUSave

The XML data is submitted using HTTP post to the Internet address 'thinstall.abetterinternet.com'.


Recommended Action

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option
  • Using the FortiGate manager, add these IP addresses and website names to the list of URLs to block -

    69.90.32.140
    69.90.32.141
    thinstall.abetterinternet.com
    download.abetterinternet.com

  • The adware can be removed by using regsvr32 to unregister the DLL twaintec.dll -

    - open a command prompt
    - type "regsvr32 /u twaintec.dll"
    - manually delete "twaintec.dll" from the Windows folder
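The following read-only PowerShell check is an added example, not part of the original entry; it reports whether the registry keys, the DLL and any process still holding twaintec.dll from the analysis above are present, so it can be run before removal and again afterwards to confirm the regsvr32 /u and file deletion took effect. It assumes the Windows folder is the one in $env:windir (the entry shows C:\WINNT) and that the script runs with rights to read HKEY_CLASSES_ROOT and HKEY_LOCAL_MACHINE.

```powershell
# Added example: host check for the Adware/Twaintech indicators listed in the
# entry above. Read-only: it reports findings and removes nothing.
$clsid   = '{000020DD-C72E-4113-AF77-DD56626C6C42}'
$iface   = '{4534CD6B-59D6-43FD-864B-06A0D843444A}'
$typelib = '{690BCCB4-6B83-4203-AE77-038C116594EC}'

# Registry locations taken from the entry (HKEY_CLASSES_ROOT via Registry::).
$keys = @(
    "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid",
    "Registry::HKEY_CLASSES_ROOT\Interface\$iface",
    "Registry::HKEY_CLASSES_ROOT\TypeLib\$typelib",
    'Registry::HKEY_CLASSES_ROOT\TwaintecDll.TwaintecDllObj.1',
    'Registry::HKEY_CLASSES_ROOT\VX2.VX2Obj',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\twaintec'
)

$findings = @()
foreach ($k in $keys) {
    if (Test-Path -LiteralPath $k) { $findings += "registry key present: $k" }
}

# InprocServer32's default value names the DLL the COM class loads; check the
# path it points at rather than assuming the Windows folder.
$inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
if (Test-Path -LiteralPath $inproc) {
    $dll = (Get-ItemProperty -LiteralPath $inproc).'(default)'
    if ($dll -and (Test-Path -LiteralPath $dll)) {
        $findings += "InprocServer32 DLL on disk: $dll"
    }
}

# File indicator: the dropped DLL in the Windows folder ($env:windir assumed).
$dllPath = Join-Path $env:windir 'twaintec.dll'
if (Test-Path -LiteralPath $dllPath) {
    $size = (Get-Item -LiteralPath $dllPath).Length
    $findings += "file present: $dllPath ($size bytes)"
}

# A process that still has the DLL mapped keeps the file locked, so the
# manual delete step will fail until that process is closed.
$loaded = foreach ($proc in Get-Process) {
    try {
        if ($proc.Modules.ModuleName -contains 'twaintec.dll') { $proc.ProcessName }
    } catch { }   # access denied on protected processes: skip them
}
if ($loaded) { $findings += "twaintec.dll loaded in: $($loaded -join ', ')" }

if ($findings.Count -eq 0) { 'No Twaintech indicators found.' }
else { 'Twaintech indicators found:'; $findings | ForEach-Object { "  $_" } }
```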