Adware-NewNext

This page shows the details and results of our analysis of the malware Adware-NewNext.

Overview

This software is not a virus or a Trojan. It is detected as a "potentially unwanted program" (PUP). PUPs are any piece of software that a reasonably security- or privacy-minded computer user may want to be informed of and, in some cases, remove. PUPs are often made by a legitimate corporate entity for some beneficial purpose, but they alter the security state of the computer on which they are installed, or the privacy posture of the user of the system, such that most users will want to be aware of them.

Aliases

  • a2 - Adware.Win32.Agent (A)
  • drweb - Adware.NextLive.1
  • Kaspersky - not-a-virus:AdWare.Win32.Agent.ahgx
  • gdata - Win32.Adware.NextLive.A


Minimum DAT

7349 (2014-02-14)

Updated DAT

7354 (2014-02-19)

Minimum Engine

5400.1158

File Length

varies

Description Added

2014-02-20

Description Modified

2014-02-20

Malware Proliferation

Characteristics

"Adware-NewNext" is a detection for a potentially unwanted program that contains adware and installs toolbars. It is not a virus or a Trojan. It is an application that allows you to manage the entire content of your Android phone from your computer; this type of program is also called Android synchronization software.

Upon execution, the file connects to the following IP addresses.
  • 54.[removed].97
  • 50.[removed].69
Upon execution, the following files are added to the system.
  • %temp%\607FEC0282D4ADFFF3D8A35BC061212F07E44354
  • %temp%\Realplayer2.exe
  • %temp%\Mobogenie_Setup_2.1.37_666.exe
  • %programfiles%\Mobogenie\MgAssist.exe
  • %programfiles%\Mobogenie\Mobogenie.exe
  • %userprofile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Mobogenie.lnk
  • %userprofile%\Desktop\Mobogenie.lnk
  • %temp%\nsg6C.tmp
  • %temp%\nsg6C.tmp\background.bmp
  • %temp%\nsg6C.tmp\BgWorker.dll
  • %temp%\nsg6C.tmp\btn_min.bmp
  • %temp%\nsg6C.tmp\install.ico
  • %temp%\nsg6C.tmp\KillProcDLL.dll
  • %temp%\nsg6C.tmp\nsis7z.dll
  • %temp%\nsg6C.tmp\SkinBtn.dll
  • %temp%\nsg6C.tmp\System.dll
  • %temp%\nsg6C.tmp\uninstall.ico
  • %temp%\nsw6B.tmp
  • %userprofile%\Start Menu\Programs\Mobogenie\Mobogenie.lnk
  • %programfiles%\Mobogenie\aapt.exe
  • %programfiles%\Mobogenie\AdbWinApi.dll
  • %programfiles%\Mobogenie\AdbWinUsbApi.dll
  • %programfiles%\Mobogenie\AutoItX3.dll
  • %programfiles%\Mobogenie\AutoItX3_x64.dll
  • %programfiles%\Mobogenie\configure.mu
  • %programfiles%\Mobogenie\CrashReport.exe
  • %programfiles%\Mobogenie\CrashRpt.dll
  • %programfiles%\Mobogenie\DaemonProcess.exe
  • %programfiles%\Mobogenie\DCR.dll
  • %programfiles%\Mobogenie\devcon_x64.exe
  • %programfiles%\Mobogenie\devcon_x86.exe
  • %programfiles%\Mobogenie\Device.dll
  • %programfiles%\Mobogenie\DriverInstall_x64.exe
  • %programfiles%\Mobogenie\DriverInstall_x86.exe
  • %programfiles%\Mobogenie\imageformats\qgif4.dll
  • %programfiles%\Mobogenie\imageformats\qico4.dll
  • %programfiles%\Mobogenie\imageformats\qjpeg4.dll
  • %programfiles%\Mobogenie\imageformats\qmng4.dll
  • %programfiles%\Mobogenie\imageformats\qsvg4.dll
  • %programfiles%\Mobogenie\imageformats\qtga4.dll
  • %programfiles%\Mobogenie\imageformats\qtiff4.dll
  • %programfiles%\Mobogenie\lang.mu
  • %programfiles%\Mobogenie\libeay32.dll
  • %programfiles%\Mobogenie\lsusb.exe
  • %programfiles%\Mobogenie\mgadb.exe
  • %programfiles%\Mobogenie\mgusb.exe
  • %programfiles%\Mobogenie\mobileu_chinese.qm
  • %programfiles%\Mobogenie\mobileu_traditional.qm
  • %programfiles%\Mobogenie\mobileu_vietnamese.qm
  • %programfiles%\Mobogenie\Mobogenie.7z
  • %programfiles%\Mobogenie\mobogenie.apk
  • %programfiles%\Mobogenie\Mobogenie.url
  • %programfiles%\Mobogenie\msvcp100.dll
  • %programfiles%\Mobogenie\msvcr100.dll
  • %programfiles%\Mobogenie\MUServer.apk
  • %programfiles%\Mobogenie\nengine.dll
  • %programfiles%\Mobogenie\OutlookOperatorC.exe
  • %programfiles%\Mobogenie\phonon_backend\phonon_ds94.dll
  • %programfiles%\Mobogenie\phonon4.dll
  • %programfiles%\Mobogenie\QtCore4.dll
  • %programfiles%\Mobogenie\QtGui4.dll
  • %programfiles%\Mobogenie\QtNetwork4.dll
  • %programfiles%\Mobogenie\QtSql4.dll
  • %programfiles%\Mobogenie\QtWebKit4.dll
  • %programfiles%\Mobogenie\shortcut.ico
  • %programfiles%\Mobogenie\Source.mu
  • %programfiles%\Mobogenie\sqldrivers\qsqlite4.dll
  • %programfiles%\Mobogenie\ssleay32.dll
The following registry keys have been added to the system.
  • HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\MOBOGENIE.EXE
  • HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\MOBOGENIE.EXE\\INSTALLER LANGUAG
  • HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\MOBOGENIEADD\\
  • HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\MOBOGENIEADD\\DAYADD
  • HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\MOBOGENIE\\
  • HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\MOBOGENIE\\DISPLAYICON
  • HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\MOBOGENIE\\DISPLAYNAME
  • HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\MOBOGENIE\\PUBLISHER
  • HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\MOBOGENIE\\UNINSTALLSTRING
  • HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\MOBOGENIE\\URLINFOABOUT
The following registry values have been added to the system:
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\\PROXYENABLE
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP\\PROXYBYPASS
The above registry values (ProxyEnable and ZoneMap\ProxyBypass) indicate that the application modifies the user's proxy settings in order to bypass the configured proxy.
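A read-only triage check for the indicators listed above, added here as an example (it is not McAfee's own tooling). It expands the page's %programfiles%, %temp% and %userprofile% notation through the corresponding environment variables, assumes the key names can be addressed through PowerShell's HKLM:/HKCU: registry provider in the 32-bit view shown on this page, and only reports; it removes nothing.

```powershell
# Added example: check a host for the file, registry-key and proxy-value indicators
# described on this page. Read-only; nothing is deleted or changed.

# Representative dropped files from the list above (page notation expanded via env vars)
$filesToCheck = @(
    (Join-Path $env:ProgramFiles 'Mobogenie\Mobogenie.exe'),
    (Join-Path $env:ProgramFiles 'Mobogenie\MgAssist.exe'),
    (Join-Path $env:ProgramFiles 'Mobogenie\DaemonProcess.exe'),
    (Join-Path $env:ProgramFiles 'Mobogenie\OutlookOperatorC.exe'),
    (Join-Path $env:TEMP 'Mobogenie_Setup_2.1.37_666.exe'),
    (Join-Path $env:USERPROFILE 'Desktop\Mobogenie.lnk')
)

$findings = New-Object System.Collections.Generic.List[string]
foreach ($path in $filesToCheck) {
    if (Test-Path -LiteralPath $path) { $findings.Add("file present: $path") }
}

# Uninstall and App Paths keys the installer creates (assumed 32-bit registry view)
$keysToCheck = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mobogenie',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Mobogenie.exe',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\MobogenieAdd'
)
foreach ($key in $keysToCheck) {
    if (Test-Path -LiteralPath $key) {
        $findings.Add("registry key present: $key")
        $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
        # Values named on the page that help confirm the publisher and uninstaller
        foreach ($name in 'DisplayName', 'Publisher', 'UninstallString') {
            if ($props.$name) { $findings.Add("    $name = $($props.$name)") }
        }
    }
}

# Proxy values the page reports as added; record them so an analyst can compare
# against the organisation's expected proxy configuration.
$inet = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'
$proxyEnable = (Get-ItemProperty -LiteralPath $inet -Name ProxyEnable -ErrorAction SilentlyContinue).ProxyEnable
$proxyBypass = (Get-ItemProperty -LiteralPath "$inet\ZoneMap" -Name ProxyBypass -ErrorAction SilentlyContinue).ProxyBypass
$findings.Add("ProxyEnable = $proxyEnable; ZoneMap\ProxyBypass = $proxyBypass")

if ($findings.Count -gt 1) {
    Write-Warning "Adware-NewNext indicators found on $env:COMPUTERNAME"
}
$findings
```

On 64-bit Windows a 32-bit installer's HKLM\SOFTWARE keys may be redirected to WOW6432Node, so check that branch as well if the keys above are absent.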


Symptoms

Presence of the above-mentioned activities.

Method of Infection

This is not a virus or Trojan. PUPs do not "infect" systems. They may be installed by a user individually or possibly as a part of a software package (in a bundle, for example).

Removal

Use current engine and DAT files for detection and removal. Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Variants