Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'DictionaryBoss Search Scope Monitor' = '"%PROGRAM_FILES%\DictionaryBoss\bar\1.bin\v4srchmn.exe" /m=2 /w /h'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'DictionaryBoss Browser Plugin Loader' = '%PROGRAM_FILES%\DictionaryBoss\bar\1.bin\v4brmon.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'DictionaryBoss' = 'rundll32 %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\v4bar.dll,S'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'DictionaryBoss Home Page Guard 32 bit' = '"%PROGRAM_FILES%\DictionaryBoss\bar\1.bin\AppIntegrator.exe"'
Creates the following services:
- [<HKLM>\SYSTEM\ControlSet001\Services\DictionaryBossService] 'Start' = '00000002'
Malicious functions:
Creates and executes the following:
- '%PROGRAM_FILES%\DictionaryBoss\bar\1.bin\v4SrchMn.exe' /m=2 /w /h /r
- '%PROGRAM_FILES%\DictionaryBoss\bar\1.bin\v4brmon.exe'
- '%PROGRAM_FILES%\DictionaryBoss\bar\1.bin\v4highin.exe' v4tpinst.dll,#5
- '%PROGRAM_FILES%\DictionaryBoss\bar\1.bin\v4barsvc.exe' -remove
- '%PROGRAM_FILES%\DictionaryBoss\bar\1.bin\v4barsvc.exe' -install
- '%PROGRAM_FILES%\DictionaryBoss\bar\1.bin\v4barsvc.exe'
Executes the following:
- '<SYSTEM32>\ntvdm.exe' -f -i3
- '<SYSTEM32>\ntvdm.exe' -f -i2
- '<SYSTEM32>\ntvdm.exe' -f -i1
Modifies file system :
Creates the following files:
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\v4mlbtn.dll
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\v4Plugin.dll
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\v4ieovr.dll
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\v4medint.exe
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\v4reghk.dll
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\v4regiet.dll
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\v4radio.dll
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\v4regfft.dll
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\v4idle.dll
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\v4feedmg.dll
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\v4highin.exe
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\T8EXTEX.DLL
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\T8EXTPEX.DLL
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\v4htmlmu.dll
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\v4httpct.dll
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\v4hkstub.dll
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\T8HTML.DLL
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\v4script.dll
- %WINDIR%\Temp\scs2.tmp
- %WINDIR%\Temp\scs3.tmp
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\VERIFY.DLL
- %WINDIR%\Temp\scs1.tmp
- %WINDIR%\Temp\scs6.tmp
- %PROGRAM_FILES%\DictionaryBoss\bar\Settings\s_pid.dat
- %WINDIR%\Temp\scs4.tmp
- %WINDIR%\Temp\scs5.tmp
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\UNIFIEDLOGGING.DLL
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\v4SrcAs.dll
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\v4SrchMn.exe
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\v4skin.dll
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\v4skplay.exe
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\v4tpinst.dll
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\TPIMANAGERCONSOLE.EXE
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\v4srchmr.dll
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\T8TICKER.DLL
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\ASSISTMONITOR.DLL
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\ASSISTMONITOR64.DLL
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\APPINTEGRATORSTUB.DLL
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\AppIntegratorStub64.dll
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\CREXT.DLL
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\CrExtPv4.exe
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\BOOTSTRAP.JS
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\CHROME.MANIFEST
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\AppIntegrator64.exe
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\T8RES.DLL
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\assists\ie_default_search_provider\ARBITER.DLL
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\v4barsvc.exe
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\T8EPMSUP.DLL
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\assists\ie_default_search_provider\CONFIG.XML
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\APPINTEGRATOR.EXE
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\assists\ie_default_search_provider\ARBITER64.DLL
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\assists\ie_default_search_provider\ASSIST.EXE
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\DPNMNGR.DLL
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\v4brmon64.exe
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\v4brstub.dll
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\v4bprtct.dll
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\v4brmon.exe
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\v4dlghk.dll
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\v4dlghk64.dll
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\v4brstub64.dll
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\v4datact.dll
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\v4bar.dll
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\Hpg64.dll
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\INSTALL.RDF
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\EXEMANAGER.DLL
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\FF-NativeMessagingDispatcher.dll
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\v4auxstb.dll
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\v4auxstb64.dll
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\LOGO.BMP
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\NPv4Stub.dll
Deletes the following files:
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\v4Plugin.dll
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\v4radio.dll
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\v4medint.exe
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\v4mlbtn.dll
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\v4regiet.dll
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\v4script.dll
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\v4regfft.dll
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\v4reghk.dll
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\v4ieovr.dll
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\v4highin.exe
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\v4hkstub.dll
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\T8EXTPEX.DLL
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\v4feedmg.dll
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\v4httpct.dll
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\v4idle.dll
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\T8HTML.DLL
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\v4htmlmu.dll
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\assists\ie_default_search_provider\ARBITER64.DLL
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\assists\ie_default_search_provider\ASSIST.EXE
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\VERIFY.DLL
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\assists\ie_default_search_provider\ARBITER.DLL
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\T8EPMSUP.DLL
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\T8RES.DLL
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\assists\ie_default_search_provider\CONFIG.XML
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\v4barsvc.exe
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\UNIFIEDLOGGING.DLL
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\v4SrcAs.dll
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\v4SrchMn.exe
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\v4skin.dll
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\v4skplay.exe
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\v4tpinst.dll
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\TPIMANAGERCONSOLE.EXE
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\v4srchmr.dll
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\T8TICKER.DLL
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\T8EXTEX.DLL
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\ASSISTMONITOR64.DLL
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\BOOTSTRAP.JS
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\AppIntegratorStub64.dll
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\ASSISTMONITOR.DLL
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\CrExtPv4.exe
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\DPNMNGR.DLL
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\CHROME.MANIFEST
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\CREXT.DLL
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\APPINTEGRATORSTUB.DLL
- %WINDIR%\Temp\scs3.tmp
- %WINDIR%\Temp\scs4.tmp
- %WINDIR%\Temp\scs1.tmp
- %WINDIR%\Temp\scs2.tmp
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\APPINTEGRATOR.EXE
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\AppIntegrator64.exe
- %WINDIR%\Temp\scs5.tmp
- %WINDIR%\Temp\scs6.tmp
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\v4brmon64.exe
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\v4brstub.dll
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\v4bprtct.dll
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\v4brmon.exe
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\v4dlghk.dll
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\v4dlghk64.dll
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\v4brstub64.dll
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\v4datact.dll
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\v4bar.dll
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\Hpg64.dll
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\INSTALL.RDF
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\EXEMANAGER.DLL
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\FF-NativeMessagingDispatcher.dll
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\v4auxstb.dll
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\v4auxstb64.dll
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\LOGO.BMP
- %PROGRAM_FILES%\DictionaryBoss\bar\1.bin\NPv4Stub.dll
Miscellaneous:
Searches for the following windows:
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-b98.b9c.3a0001'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-b5c.b60.390001'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-b44.b48.380001'
