ThreatExpert Report

Submission Summary:

Submission details:

Submission received: 6 June 2012, 21:08:04
Processing time: 12 min 21 sec
Submitted sample:

File MD5: 0x85F91ED413B43E8B78BEA0E112386666
File SHA-1: 0xCCB9C6388C98793CCF692347C38808B49A1CADD8
Filesize: 3,493,192 bytes

Summary of the findings:

What's been found	Severity Level
Produces outbound traffic.
Downloads/requests other files from Internet.
Creates a startup registry entry.
Registers a 32-bit in-process server DLL.
Contains characteristics of an identified security risk.

Technical Details:

The new window was created, as shown below:

NOTICE: The content shown in the above window is captured automatically and is not controlled or endorsed by ThreatExpert.
Please contact us on this link should any material be offensive or inappropriate and we will ensure any such content is blocked from future viewers of the report.

Possible Security Risk

Attention! Characteristics of the following security risk was identified in the system:

Security Risk	Description
Adware.WhenU_SaveNow	SaveNow shows targeted pop-up advertisements and coupons based on user's Internet surfing habits. It is usually distributed with other third party software such as BearShare.

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash
1	%CommonPrograms%\BearShare.lnk	700 bytes	MD5: 0x52179702A6CE030F2FB2435D9E3409AE SHA-1: 0x1F8E8F564E8068D525CB5242D8716C59311AA0E0
2	%DesktopDir%\BearShare Downloads.lnk	1,273 bytes	MD5: 0xE4A3137C23E38C191F92235B91B3944C SHA-1: 0x70DD8BCD9C313CB5F6DF345A220846C1FC5D4843
3	%DesktopDir%\BearShare.lnk	694 bytes	MD5: 0x5AEB385E00042A95BBEC9A232DDEEFED SHA-1: 0x28D46B38C3563A26E354ADE3BDF37ABBE32899BD
4	%Temp%\searchurl_en_us.txt	28 bytes	MD5: 0x5B56BD8A5FD1B53AD525C5DB97E7F200 SHA-1: 0x76D8975EFB75192CBAD0A1BC2D7B99BD2A3D687C
5	%ProgramFiles%\BearShare\BearShare.dat	8,815 bytes	MD5: 0xC872EC2FBD9020FB5B7E09701F15158D SHA-1: 0x7B329679F0479461862B20F54EF4F0C36EB35B64
6	%ProgramFiles%\BearShare\BearShare.exe	3,301,376 bytes	MD5: 0xBCF5EAE7EE0D015AA087819D7CD7F7B5 SHA-1: 0xE194B02789432B00F96441C5B8B9334F864AFD84
7	%ProgramFiles%\BearShare\BSidle.dll	24,576 bytes	MD5: 0x760911842FC80D9D54516BD5BA6931EF SHA-1: 0xA64410ECD2BAF150FD8D121707E0F910FCA6EAF9
8	%ProgramFiles%\BearShare\db\connect.txt	108,501 bytes	MD5: 0x1CCA694A038B9D4904B2E8DD35F0B0C1 SHA-1: 0x41C2BA9512EBFF6DA5E69CDA44503DC78E00AA77
9	%ProgramFiles%\BearShare\db\Hostiles.txt	3,768 bytes	MD5: 0x6170980361974BF98844DF7DBDF78858 SHA-1: 0x1770E21E7A80F2DFC143E8D0A77353C03E90D6FD
10	%ProgramFiles%\BearShare\db\library.2.db %ProgramFiles%\BearShare\db\library.2.db.lastgoodload.bak	59,392 bytes	MD5: 0x9150299BDCE0AC67DDE56EE69DC2547F SHA-1: 0xA0E2F9D594733681AADF1F0E493E278126B70C33
11	%ProgramFiles%\BearShare\db\library.db %ProgramFiles%\BearShare\db\library.db.lastgoodload.bak	59,392 bytes	MD5: 0xF13A08FED8B50D1C6678827644AD0271 SHA-1: 0xAC47380F861F28F50F67F8F78A42D9BA5CEAB82A
12	%ProgramFiles%\BearShare\FreePeers.ini	46,877 bytes	MD5: 0x18D0427E893E30C0110347BEF9142962 SHA-1: 0xA80CAC65CB0F169C37837D88EFD38FAA22777A48
13	%ProgramFiles%\BearShare\History.txt	32 bytes	MD5: 0x365F07C5E5D1F26B5A90FCD820E2703D SHA-1: 0x544638726619CF93BD5D8DEB6074D54EA11F0506
14	%ProgramFiles%\BearShare\INSTALL.LOG	8,038 bytes	MD5: 0xDDF497A1419EC51872934C3BF477D406 SHA-1: 0xF3C0340D8CA0AD50023156DD45DA0BCD3715C056
15	%ProgramFiles%\BearShare\Logs\hosts-state.txt	13 bytes	MD5: 0x0729FCB0ABA010BE2C3B3E8042F650D2 SHA-1: 0x1097496C989149760A6A161BA642BEB6906BFA2B
16	%ProgramFiles%\BearShare\Logs\memory.txt	13,046 bytes	MD5: 0x9908FD9C312B855F5FD93D3D2C9AF844 SHA-1: 0x9C2F647BCA4EF9464AC40CE21923EAC7B843B272
17	%ProgramFiles%\BearShare\Logs\ordinal.txt	2,096 bytes	MD5: 0x2C7C5340AF7E46D459A26E48C8786F16 SHA-1: 0x4C9AFCB920385EED4D9962FC81B502A80FF23EFA
18	%ProgramFiles%\BearShare\Logs\streams.txt	15 bytes	MD5: 0xE7364AB20091C0ECD7C12AB381C2CB28 SHA-1: 0xBDB2C67DA9440913D673C378E681A447E66205D8
19	%ProgramFiles%\BearShare\RunMSC.dll	57,344 bytes	MD5: 0xB938EDABE9EFC9B024E79697E6C01FEA SHA-1: 0xFD5090E617EEA7AA80B99608828CE78F05A630A3
20	%ProgramFiles%\BearShare\sounds\notify.wav	4,014 bytes	MD5: 0x4A61949290ADEBB4B096DE6655B24232 SHA-1: 0x4C8F681E6AD13FB800B3755F7B2025D18230DBB6
21	%ProgramFiles%\BearShare\UNWISE.EXE	153,088 bytes	MD5: 0x973567B98CDFC147DF4E60471D9DF072 SHA-1: 0x3C4735750C99C63E6861170A8C459A608594211E
22	%ProgramFiles%\BearShare\Webstats.bat	347 bytes	MD5: 0x3B1D35D193F6BA3F9E459530C3BFCD2B SHA-1: 0x6FA6866EB24F3D3AC1F5AF571A1716E85E140B0C
23	%ProgramFiles%\BearShare\Webstats.exe	294,912 bytes	MD5: 0x3114E2732C4315B27F4BD31355DE547F SHA-1: 0x89AE915ABB094209909DB722CE641AFAE94767DB
24	%ProgramFiles%\BearShare\Webstats.ini	3,159 bytes	MD5: 0x0C65B7A84781D5C016A04643D76A4F57 SHA-1: 0xD8624C2DE219C57F7E61DE84472FA1353DE37B60
25	[file and pathname of the sample #1]	3,493,192 bytes	MD5: 0x85F91ED413B43E8B78BEA0E112386666 SHA-1: 0xCCB9C6388C98793CCF692347C38808B49A1CADD8

Notes:

%CommonPrograms% is a variable that refers to the file system directory that contains the directories for the common program groups that appear on the Start menu for all users. A typical path is C:\Documents and Settings\All Users\Start Menu\Programs (Windows NT/2000/XP).
%DesktopDir% is a variable that refers to the file system directory used to physically store file objects on the desktop. A typical path is C:\Documents and Settings\[UserName]\Desktop.
%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

The following directories were created:

c:\My Downloads
%ProgramFiles%\BearShare
%ProgramFiles%\BearShare\db
%ProgramFiles%\BearShare\Extras
%ProgramFiles%\BearShare\Installer
%ProgramFiles%\BearShare\Logs
%ProgramFiles%\BearShare\Playlists
%ProgramFiles%\BearShare\sounds
%ProgramFiles%\BearShare\Temp
%ProgramFiles%\BearShare\Webstats

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
[generic host process]	[generic host process filename]	20,480 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	3,502,080 bytes
GLB1.tmp	%Temp%\GLB1.tmp	28,672 bytes
webstats.exe	%ProgramFiles%\bearshare\webstats.exe	471,040 bytes

Notes:

[generic host process filename] is a full path filename of [generic host process].

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{558EC983-BEDB-9168-B2DE-31DBF0EE543E}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{558EC983-BEDB-9168-B2DE-31DBF0EE543E}\Implemented Categories
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{558EC983-BEDB-9168-B2DE-31DBF0EE543E}\Implemented Categories\{0DE86A54-2BAA-11CF-A229-00AA003D7352}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{558EC983-BEDB-9168-B2DE-31DBF0EE543E}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{558EC983-BEDB-9168-B2DE-31DBF0EE543E}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{558EC983-BEDB-9168-B2DE-31DBF0EE543E}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{558EC983-BEDB-9168-B2DE-31DBF0EE543E}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{558EC983-BEDB-9168-B2DE-31DBF0EE543E}\ProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{558EC983-BEDB-9168-B2DE-31DBF0EE543E}\Programmable
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{558EC983-BEDB-9168-B2DE-31DBF0EE543E}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{558EC983-BEDB-9168-B2DE-31DBF0EE543E}\VersionIndependentProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9F95F736-0F62-4214-A4B4-CAA6738D4C07}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9F95F736-0F62-4214-A4B4-CAA6738D4C07}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9F95F736-0F62-4214-A4B4-CAA6738D4C07}\ProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9F95F736-0F62-4214-A4B4-CAA6738D4C07}\Programmable
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9F95F736-0F62-4214-A4B4-CAA6738D4C07}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9F95F736-0F62-4214-A4B4-CAA6738D4C07}\VersionIndependentProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C285D18D-43A2-4AEF-83FB-BF280E660A97}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C285D18D-43A2-4AEF-83FB-BF280E660A97}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C285D18D-43A2-4AEF-83FB-BF280E660A97}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C285D18D-43A2-4AEF-83FB-BF280E660A97}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{905D0DF2-3A0A-4D94-853C-54A12A745905}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{905D0DF2-3A0A-4D94-853C-54A12A745905}\1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{905D0DF2-3A0A-4D94-853C-54A12A745905}\1.0\0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{905D0DF2-3A0A-4D94-853C-54A12A745905}\1.0\0\win32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{905D0DF2-3A0A-4D94-853C-54A12A745905}\1.0\FLAGS
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{905D0DF2-3A0A-4D94-853C-54A12A745905}\1.0\HELPDIR
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.gnu
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ed2k
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ed2k\DefaultIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ed2k\shell
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ed2k\shell\open
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ed2k\shell\open\command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ed2k\shell\open\ddeexec
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ed2k\shell\open\ddeexec\Application
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ed2k\shell\open\ddeexec\Topic
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\gnu
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\gnu\DefaultIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\gnu\shell
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\gnu\shell\open
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\gnu\shell\open\command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\gnufile
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\gnufile\shell
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\gnufile\shell\open
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\gnufile\shell\open\command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\gnutella
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\gnutella\DefaultIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\gnutella\shell
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\gnutella\shell\open
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\gnutella\shell\open\command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\gnutella\shell\open\ddeexec
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\gnutella\shell\open\ddeexec\Application
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\gnutella\shell\open\ddeexec\Topic
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\magnet
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\magnet\DefaultIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\magnet\shell
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\magnet\shell\open
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\magnet\shell\open\command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\magnet\shell\open\ddeexec
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\magnet\shell\open\ddeexec\Application
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\magnet\shell\open\ddeexec\Topic
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\RunMSC.Loader
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\RunMSC.Loader\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\RunMSC.Loader\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\RunMSC.Loader.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\RunMSC.Loader.1\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5F95E1AF-2620-4f15-BDF9-7FDCE4607E17}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BearShare
HKEY_LOCAL_MACHINE\SOFTWARE\BearShare
HKEY_LOCAL_MACHINE\SOFTWARE\Licenses
HKEY_LOCAL_MACHINE\SOFTWARE\Magnet
HKEY_LOCAL_MACHINE\SOFTWARE\Magnet\Handlers
HKEY_LOCAL_MACHINE\SOFTWARE\Magnet\Handlers\Bearshare
HKEY_LOCAL_MACHINE\SOFTWARE\Magnet\Handlers\Bearshare\Type
HKEY_USERS\.DEFAULT\AppEvents\EventLabels\BearShareChatNotifyMsg
HKEY_USERS\.DEFAULT\AppEvents\Schemes\Apps\BearShare
HKEY_USERS\.DEFAULT\AppEvents\Schemes\Apps\BearShare\BearShareChatNotifyMsg
HKEY_USERS\.DEFAULT\AppEvents\Schemes\Apps\BearShare\BearShareChatNotifyMsg\.Current
HKEY_CURRENT_USER\AppEvents\EventLabels\BearShareChatNotifyMsg
HKEY_CURRENT_USER\AppEvents\Schemes\Apps\BearShare
HKEY_CURRENT_USER\AppEvents\Schemes\Apps\BearShare\BearShareChatNotifyMsg
HKEY_CURRENT_USER\AppEvents\Schemes\Apps\BearShare\BearShareChatNotifyMsg\.Current

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{558EC983-BEDB-9168-B2DE-31DBF0EE543E}\VersionIndependentProgID]

(Default) = "BDATuner.DVBTuneRequest"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{558EC983-BEDB-9168-B2DE-31DBF0EE543E}\TypeLib]

(Default) = "{9B085638-018E-11D3-9D8E-00C04F72D980}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{558EC983-BEDB-9168-B2DE-31DBF0EE543E}\ProgID]

(Default) = "BDATuner.DVBTuneRequest.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{558EC983-BEDB-9168-B2DE-31DBF0EE543E}\InprocServer32]

(Default) = "%System%\msvidctl.dll"
ThreadingModel = "Both"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{558EC983-BEDB-9168-B2DE-31DBF0EE543E}]

(Default) = "BDA Tuning Model DVB Tune Request"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9F95F736-0F62-4214-A4B4-CAA6738D4C07}\VersionIndependentProgID]

(Default) = "RunMSC.Loader"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9F95F736-0F62-4214-A4B4-CAA6738D4C07}\TypeLib]

(Default) = "{905D0DF2-3A0A-4D94-853C-54A12A745905}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9F95F736-0F62-4214-A4B4-CAA6738D4C07}\ProgID]

(Default) = "RunMSC.Loader.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9F95F736-0F62-4214-A4B4-CAA6738D4C07}\InprocServer32]

(Default) = "%ProgramFiles%\BearShare\RunMSC.dll"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9F95F736-0F62-4214-A4B4-CAA6738D4C07}]

(Default) = "Loader Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C285D18D-43A2-4AEF-83FB-BF280E660A97}\TypeLib]

(Default) = "{905D0DF2-3A0A-4D94-853C-54A12A745905}"
Version = "1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C285D18D-43A2-4AEF-83FB-BF280E660A97}\ProxyStubClsid32]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C285D18D-43A2-4AEF-83FB-BF280E660A97}\ProxyStubClsid]

(Default) = "{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C285D18D-43A2-4AEF-83FB-BF280E660A97}]

(Default) = "ILoader"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{905D0DF2-3A0A-4D94-853C-54A12A745905}\1.0\0\win32]

(Default) = "%ProgramFiles%\BearShare\RunMSC.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{905D0DF2-3A0A-4D94-853C-54A12A745905}\1.0\HELPDIR]

(Default) = "%ProgramFiles%\BearShare\"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{905D0DF2-3A0A-4D94-853C-54A12A745905}\1.0\FLAGS]

(Default) = "0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{905D0DF2-3A0A-4D94-853C-54A12A745905}\1.0]

(Default) = "RunMSC 1.0 Type Library"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.gnu]

(Default) = "gnufile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ed2k\shell\open\ddeexec\Topic]

(Default) = "URLHandler"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ed2k\shell\open\ddeexec\Application]

(Default) = "BearShare"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ed2k\shell\open\ddeexec]

(Default) = "%1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ed2k\shell\open\command]

(Default) = ""%ProgramFiles%\bearshare\bearshare.exe" -noinstcheck -spawnedfromurl %1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ed2k\DefaultIcon]

(Default) = ""%ProgramFiles%\bearshare\bearshare.exe",-130"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ed2k]

URL Protocol = ""
(Default) = "URL:ed2k Protocol"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\gnu\shell\open\command]

(Default) = ""%ProgramFiles%\BearShare\BearShare.exe" --noinstcheck -spawnedfromurl %1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\gnu\DefaultIcon]

(Default) = ""%ProgramFiles%\BearShare\BearShare.exe",-130"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\gnu]

URL Protocol = ""
(Default) = "URL:GNU Protocol"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\gnufile\shell\open\command]

(Default) = ""%ProgramFiles%\BearShare\BearShare.exe" "%1""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\gnufile]

(Default) = "gnutella"
BrowserFlags = 0x00000008
EditFlags = 0x00010000

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\gnutella\shell\open\ddeexec\Topic]

(Default) = "URLHandler"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\gnutella\shell\open\ddeexec\Application]

(Default) = "BearShare"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\gnutella\shell\open\ddeexec]

(Default) = "%1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\gnutella\shell\open\command]

(Default) = ""%ProgramFiles%\bearshare\bearshare.exe" -noinstcheck -spawnedfromurl %1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\gnutella\DefaultIcon]

(Default) = ""%ProgramFiles%\bearshare\bearshare.exe",-130"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\gnutella]

URL Protocol = ""
(Default) = "URL:Gnutella Protocol"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\magnet\shell\open\ddeexec\Topic]

(Default) = "URLHandler"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\magnet\shell\open\ddeexec\Application]

(Default) = "BearShare"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\magnet\shell\open\ddeexec]

(Default) = "%1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\magnet\shell\open\command]

(Default) = ""%ProgramFiles%\bearshare\bearshare.exe" -noinstcheck -spawnedfromurl %1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\magnet\DefaultIcon]

(Default) = ""%ProgramFiles%\bearshare\bearshare.exe",-130"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\magnet]

URL Protocol = ""
(Default) = "URL:Magnet Protocol"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\RunMSC.Loader\CurVer]

(Default) = "RunMSC.Loader.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\RunMSC.Loader\CLSID]

(Default) = "{9F95F736-0F62-4214-A4B4-CAA6738D4C07}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\RunMSC.Loader]

(Default) = "Loader Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\RunMSC.Loader.1\CLSID]

(Default) = "{9F95F736-0F62-4214-A4B4-CAA6738D4C07}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\RunMSC.Loader.1]

(Default) = "Loader Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5F95E1AF-2620-4f15-BDF9-7FDCE4607E17}]

(Default) = "BearShare"
Version = "5,2,4,2"
ComponentID = "BearShare"
IsInstalled = 0x00000001
Locale = "EN"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

BearShare = ""%ProgramFiles%\BearShare\BearShare.exe" /pause"

so that BearShare.exe runs every time Windows starts

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BearShare]

DisplayName = "BearShare"
UninstallString = "C:\PROGRA~1\BEARSH~1\UNWISE.EXE C:\PROGRA~1\BEARSH~1\INSTALL.LOG"
DisplayVersion = "5.2.4.2"
HelpLink = "http://bearshare.com/help.htm"
Publisher = "Free Peers, Inc."
URLInfoAbout = "http://www.freepeers.com"
DisplayIcon = "%ProgramFiles%\BearShare\BearShare.exe,-128"

[HKEY_LOCAL_MACHINE\SOFTWARE\BearShare]

InstallDir = "%ProgramFiles%\BearShare"

[HKEY_LOCAL_MACHINE\SOFTWARE\Licenses]

{R7C0DB872A3F777C0} = 4A 8D 7D 4C
{K7C0DB872A3F777C0} = 37 80 57 88 29 13 1F D6 AD BD 79 07 1E 46 2E 03 07 99 01 65 14 0F C8 1F F3 29 FB 4A 8D 7D 4C FF FF FF FF 87 30 0C C3 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF F

[HKEY_LOCAL_MACHINE\SOFTWARE\Magnet\Handlers\Bearshare\Type]

urn:sha1 = 0x00000000
urn:bitprint = 0x00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Magnet\Handlers\Bearshare]

(Default) = "Bearshare"
Description = "Bearshare can automatically search for and download the selected content on its peer-to-peer network."
DefaultIcon = ""%ProgramFiles%\bearshare\bearshare.exe",-130"
ShellExecute = ""%ProgramFiles%\bearshare\bearshare.exe" -noinstcheck -spawnedfromurl %1"
DdeApplication = "BearShare"
DdeTopic = "URLHandler"

[HKEY_USERS\.DEFAULT\AppEvents\EventLabels\BearShareChatNotifyMsg]

(Default) = "Chat Message Waiting"

[HKEY_USERS\.DEFAULT\AppEvents\Schemes\Apps\BearShare\BearShareChatNotifyMsg\.Current]

(Default) = "%ProgramFiles%\BearShare\sounds\notify.wav"

[HKEY_USERS\.DEFAULT\AppEvents\Schemes\Apps\BearShare\BearShareChatNotifyMsg]

(Default) = ""

[HKEY_USERS\.DEFAULT\AppEvents\Schemes\Apps\BearShare]

(Default) = "BearShare"

[HKEY_CURRENT_USER\AppEvents\EventLabels\BearShareChatNotifyMsg]

(Default) = "Chat Message Waiting"

[HKEY_CURRENT_USER\AppEvents\Schemes\Apps\BearShare\BearShareChatNotifyMsg\.Current]

(Default) = "%ProgramFiles%\BearShare\sounds\notify.wav"

[HKEY_CURRENT_USER\AppEvents\Schemes\Apps\BearShare\BearShareChatNotifyMsg]

(Default) = ""

[HKEY_CURRENT_USER\AppEvents\Schemes\Apps\BearShare]

(Default) = "BearShare"

The following Registry Value was modified:

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]

Start Page =

Other details

To mark the presence in the system, the following Mutex objects were created:

RAL1A8B7953
1A8B7953::WK
FreePeers_BearShare
c:

The following Host Names were requested from a host database:

24.165.49.128
update.bearshare.com
privateport1.bearshare.net
gwc.lame.net
www.xolox.nl
gwebcache.m2k1.net
gwc1.solutions.lv
www.la-forza.com
crab.bishopston.net
gcache.cloppy.net
private1.bearshare.net
gwebcache.bearshare.net
track.bearshare.com
search.bearshare.com
cache.kicks-ass.net

There were registered attempts to establish connection with the remote hosts. The connection details are:

Remote Host	Port Number
128.211.202.142	6348
172.215.71.115	6348
87.6.45.236	6348
67.163.229.117	6348
67.149.144.54	6348
24.131.233.215	6348
70.26.239.74	6348
84.150.85.49	6348
65.94.50.183	6348
80.42.31.50	6348
24.192.139.84	6346
24.188.173.13	6346
141.157.86.159	6346
86.128.28.230	6346
84.120.48.86	6346
84.58.203.234	6346
82.36.183.232	6346
172.202.196.129	6346
85.178.103.86	6346
81.228.39.94	6346
144.132.58.170	7100
80.146.90.73	6117
87.123.142.53	600

The following Internet Connection was established:

Server Name	Server Port	Connect as User	Connection Password
www.bearshare.com	80	(null)	(null)

The following HTTP URLs were started reading:

http://gwc.lame.net/gwcii.php?client=BEAR&version=5.2.4.2&urlfile=1
http://www.xolox.nl/gwebcache/default.asp?client=BEAR&version=5.2.4.2&urlfile=1
http://gwebcache.m2k1.net/mcache.php?client=BEAR&version=5.2.4.2&urlfile=1
http://gwc1.solutions.lv/pgc.cgi?client=BEAR&version=5.2.4.2&urlfile=1
http://www.la-forza.com/gnucache/gcache.php?client=BEAR&version=5.2.4.2&urlfile=1
http://gcache.cloppy.net/?client=BEAR&version=5.2.4.2&hostfile=1
http://gwebcache.bearshare.net/gcache.php?client=BEAR&version=5.2.4.2&hostfile=1

The data identified by the following URL was then requested from the remote web server:

http://track.bearshare.com/BSLITE524.htm

Outbound traffic (potentially malicious)

There was an outbound traffic produced on port 6348:

There was an outbound traffic produced on port 6346:

There was an outbound traffic produced on port 7100:

There was an outbound traffic produced on port 6117:

There was an outbound traffic produced on port 600:

There was an outbound traffic produced on port 9411:

There was an outbound traffic produced on port 8271:

There was an outbound traffic produced on port 6000:

There was an outbound traffic produced on port 6544:

There was an outbound traffic produced on port 8570:

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.