McAfee > Theat Center > PUP Detail Page

Characteristics

"Deadeye" Software tricks the users into using their software in order to increase the speed/performance of the user’s systems.

File Information:

• MD5 - ADE9672454F6E32A07CAE45A02CBB382
• SHA - 521DE45116F3F9587D391F617824CDD18D7B4128

Characteristics:

This malware binary runs only with the presence of Java Runtime Environment in the system. Otherwise it tries to download JRE.EXE from the following site jre.[Removed]domain.com.

This malware binary creates a text file if Java Runtime Environment is not present in the system. The following snapshot shows the same.

Upon execution the following registry entries have been added:

This malware binary will drop the following files into the following system location:

• %UserProfile%\Start Menu\Programs\Startup\j.exe
• %SystemDir%\xseed.exe
• %SystemDir%\xs
• %SystemDir%\multiply.exe
• %SystemDir%\svcagent.exe
• %SystemDir%\jreew.exe
• %SystemDir%\jre.exe
• %WinDir%\Tasks\At1.job
• %WinDir%\Tasks\At2.job
• %WinDir%\Tasks\At3.job
• %WinDir%\jreew.exe
• %UserProfile%\Desktop\pulist.exe
• %UserProfile%\Desktop\reg.exe
• %UserProfile%\Desktop\install-jre.exe
• %UserProfile%\Desktop\multiply.exe
• %UserProfile%\Desktop\taskkill.exe
• %UserProfile%\Desktop\open.exe
• %UserProfile%\Desktop\svcagent.exe
• %UserProfile%\Desktop\sc.exe
• %UserProfile%\Desktop\tasklist.exe
• %UserProfile%\Desktop\jreew.exe
• %UserProfile%\Desktop\cp.cmd
• %UserProfile%\Desktop\set.cmd
• %UserProfile%\Desktop\ver.cmd
• %UserProfile%\Desktop\x.cmd
• %UserProfile%\Desktop\autorun.inf
• %CommonProgramFiles%\Adobe\Brick\jre.exe
• %CommonProgramFiles%\Adobe\Brick\svcagent.exe
• %CommonProgramFiles%\Adobe\Brick\x.jar
• %CommonProgramFiles%\Adobe\Brick\open.exe
• %CommonProgramFiles%\Adobe\Brick\cp.cmd
• %CommonProgramFiles%\Adobe\Brick\set.cmd
• %CommonProgramFiles%\Adobe\Brick\ver.cmd
• %CommonProgramFiles%"\Adobe\Brick\x.cmd
• %CommonProgramFiles%"\Adobe\Brick\autorun.inf
• %CommonProgramFiles%\Adobe\Brick\service.log
• %CommonProgramFiles%\Adobe\Brick\A.log
• %CommonProgramFiles%\Java\Update\jre.exe
• %CommonProgramFiles%\Java\Update\multiply.exe
• %CommonProgramFiles%\Java\Update\open.exe
• %CommonProgramFiles%\Java\Update\cp.cmd
• %CommonProgramFiles%\Java\Update\set.cmd
• %CommonProgramFiles%\Java\Update\ver.cmd
• %CommonProgramFiles%\Java\Update\x.cmd
• %CommonProgramFiles%\Java\Update\autorun.inf
• %ProgramFiles%\Adobe\Brick\jre.exe
• %ProgramFiles%\Adobe\Brick\svchost.exe

The following registry keys have been created:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svcagent
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svcagent\Security
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svcagent\Enum
• HKEY_USERS\S-1-5-21-1004336348-1326574676-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
• HKEY_USERS\S-1-5-21-1004336348-1326574676-839522115-1003\Software\JavaSoft
• HKEY_USERS\S-1-5-21-1004336348-1326574676-839522115-1003\Software\JavaSoft\Java2D
• HKEY_USERS\S-1-5-21-1004336348-1326574676-839522115-1003\Software\JavaSoft\Java2D\1.6.0_06
• HKEY_USERS\S-1-5-21-1004336348-1326574676-839522115-1003\Software\JavaSoft\Java2D\1.6.0_06\Drivers
• HKEY_USERS\S-1-5-21-1004336348-1326574676-839522115-1003\Software\JavaSoft\Java2D\1.6.0_06\Drivers\.DISPLAY1 VMware SVGA II
• HKEY_USERS\S-1-5-21-1004336348-1326574676-839522115-1003\Software\JavaSoft\Java2D\1.6.0_06\Drivers\.DISPLAY1 VMware SVGA II\32

The following registry values have been deleted:

• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  Adobe Reader Speed Launcher =  "%ProgramFiles%\Adobe\Reader 9.0\Reader\Reader_sl.exe""
  SmcService = " %ProgramFiles%\Sygate\SPF\smc.exe -startgui"
  SunJavaUpdateSched = "%ProgramFiles%\Java\jre1.6.0_06\bin\jusched.exe"

The following registry values have been added to the system:

• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  Xseed = "xseed.exe"
• [HKEY_USERS\S-1-5-21-1004336348-1326574676-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
  Xseed =  "xseed.exe"
  Multiply=  "%CommonProgramFiles%\Java\Update\multiply.exe"

The below registry entry confirms that the job file is executing the malware binary within the time frame of 48 hours.

• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Schedule]
  AtTaskMaxHours = “0x00000048”

When executed the malware binary creates the following services:

• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lanmanserver\Shares\x:]
   'CSCFlags = 0
    MaxUses = 4294967295
    Path = “%WinDir%\x”
    Permissions = 63
    Type = 0'

The above entry creates a shared folder and sets attributes for the folder "X" and it allows the remote users to access the system.

• [[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svcagent]
   Type =  0x00000110
   Start =  0x00000002
   ErrorControl =  0x00000000
   ImagePath = “%CommonProgramFiles%\Adobe\Brick\svcagent.exe"
   DisplayName =  "svcagent"

The following folders have been added:

• %WinDir%\x
• %CommonProgramFiles%\Adobe\Brick
• %ProgramFiles%\Adobe\Brick

The following folder [attributes] has been changed:

• %UserProfile%\Start Menu\Programs\Startup

The following commands are used to discover and infect remote computers :

• NETSH.EXE
• ATTRIB.EXE
• REG.EXE
• XCOPY.EXE
• FTP.EXE
• NET.EXE
• AT.EXE
• SC.EXE

These are general defaults for typical path variables. (Although they may differ, these examples are common.):

%WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000),
%SystemDir% = \WINDOWS\SYSTEM (Windows 98/ME), \WINDOWS\SYSTEM32 (Windows XP/Vista), \WINNT\SYSTEM32 (Windows NT/2000),
%ProgramFiles% = \Program Files,
%UserProfile% = \Documents and Settings\ [UserName],
%CommonProgramFiles% = \Program Files\Common Files.

Symptoms:

• It disables firewall notifications
• It changes ICMP settings.
• This malware kills all McAfee running processes in the system
• It connects to the following site: ftp.[Removed]domain.com
• Presence of above mentioned registry and file entries.

Removal

Aliases

Aliases

N/A