CoolMirage

Category: Adware and PUAs
Type: Unspecified PUA
Protection available since: 13 Sep 2013 01:39:28 (GMT)
Last Updated: 18 Nov 2014 01:42:51 (GMT)


CoolMirage is an installer that bundles legitimate applications with offers for additional third-party applications that the user may not want. These third-party applications are typically installed by default, although the installer may include an option to opt out during or after installation.

In the runtime analyses below, each sample unpacks into a temporary ns*.tmp directory under the user's Temp folder containing plugin DLLs (System.dll, nsDialogs.dll, inetc3.dll) and the bitmaps for its accept/decline dialog, a layout characteristic of an NSIS-built installer. Every sample then creates the same two registry keys (HKCU\Software\1ClickDownload and HKCR\AppID\{C007DADD-132A-624C-088E-59EE6CF0711F}, with per-sample values under each) and contacts torntvz.com; two of the three also contact data.torntv.net. Those keys, hosts and the dropped plugin names are the indicators worth checking on a host or in proxy and DNS logs; the file hashes identify only the three specific builds listed.

Examples of CoolMirage include:

Example 1

File Information

Size
296K
SHA-1
00071bdd23d33f3fccb43ed5d3cabe83280aa68d
MD5
ae7861586206226407e01a231355e141
CRC-32
a1074a43
File type
Windows executable
First seen
2013-09-08

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Local Settings\Temp\nsd4.tmp\System.dll
  • c:\Documents and Settings\test user\Local Settings\Temp\nsd4.tmp\inetc3.dll
  • c:\Documents and Settings\test user\Local Settings\Temp\nsd4.tmp\dAg
  • c:\Documents and Settings\test user\Local Settings\Temp\nsd4.tmp\load_0.bmp
Registry Keys Created
  • HKCR\AppID\{C007DADD-132A-624C-088E-59EE6CF0711F}
    id0
    20062014
  • HKCU\Software\1ClickDownload
    LastInstall0
    30379064
HTTP Requests
  • http://torntvz.com/ping.php
DNS Requests
  • torntvz.com

Example 2

File Information

Size
296K
SHA-1
015b3133b7d717c448d8480e7b619f8e5c658188
MD5
f75d93457071f1a0655a2080fd913a81
CRC-32
f95c05c1
File type
Windows executable
First seen
2013-09-06

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Local Settings\Temp\nsk4.tmp\v_sign.bmp
  • c:\Documents and Settings\test user\Local Settings\Temp\nsk4.tmp\load_0.bmp
  • c:\Documents and Settings\test user\Local Settings\Temp\nsk4.tmp\inetc3.dll
  • c:\Documents and Settings\test user\Local Settings\Temp\nsk4.tmp\1clogo.bmp
  • c:\Documents and Settings\test user\Local Settings\Temp\nsk4.tmp\x.bmp
  • c:\Documents and Settings\test user\Local Settings\Temp\nsk4.tmp\box.bmp
  • c:\Documents and Settings\test user\Local Settings\Temp\nsk4.tmp\skip.bmp
  • c:\Documents and Settings\test user\Local Settings\Temp\nsk4.tmp\accept3.bmp
  • c:\Documents and Settings\test user\Local Settings\Temp\nsk4.tmp\close.bmp
  • c:\Documents and Settings\test user\Local Settings\Temp\nsk4.tmp\accept2.bmp
  • c:\Documents and Settings\test user\Local Settings\Temp\nsk4.tmp\box2.bmp
  • c:\Documents and Settings\test user\Local Settings\Temp\nsk4.tmp\lyfdt.txt
  • c:\Documents and Settings\test user\Local Settings\Temp\nsk4.tmp\accept.bmp
  • c:\Documents and Settings\test user\Local Settings\Temp\nsk4.tmp\complist.txt
  • c:\Documents and Settings\test user\Local Settings\Temp\nsk4.tmp\accept1.bmp
  • c:\Documents and Settings\test user\Local Settings\Temp\nsk4.tmp\dAg
    Size
    142
    SHA-1
    36c5c356e1176515c2d80dbf83a7d26633e03700
    MD5
    f856939b4ed699137479d0b82e93604a
    CRC-32
    3a0c4bab
    File type
    ASCII text / 8-bit Unicode Transformation Format
    First seen
    2014-11-18
  • c:\Documents and Settings\test user\Local Settings\Temp\nsk4.tmp\decline.bmp
  • c:\Documents and Settings\test user\Local Settings\Temp\nsk4.tmp\back_dis.bmp
  • c:\Documents and Settings\test user\Local Settings\Temp\nsk4.tmp\noc
    Size
    6
    SHA-1
    05e5b8e15286fba308cd123699cd788d75a95fa7
    MD5
    9c8bc0b2cc2120cf134f1edf77a1dd7c
    CRC-32
    a924c4a2
    File type
    A small file (too small to be malicious)
    First seen
    2014-11-18
  • c:\Documents and Settings\test user\Local Settings\Temp\nsk4.tmp\accept_disabled.bmp
  • c:\Documents and Settings\test user\Local Settings\Temp\nsk4.tmp\box3.bmp
  • c:\Documents and Settings\test user\Local Settings\Temp\nsk4.tmp\System.dll
  • c:\Documents and Settings\test user\Local Settings\Temp\nsk4.tmp\back.bmp
  • c:\Documents and Settings\test user\Local Settings\Temp\nsk4.tmp\nsDialogs.dll
Registry Keys Created
  • HKCU\Software\1ClickDownload
    LastInstall0
    30409414
  • HKCR\AppID\{C007DADD-132A-624C-088E-59EE6CF0711F}
    id0
    18112014
HTTP Requests
  • http://data.torntv.net/country.asp
  • http://torntvz.com/ping.php
DNS Requests
  • data.torntv.net
  • torntvz.com

Example 3

File Information

Size
296K
SHA-1
0292271bbb707e1b3a3487d9518be369284e876a
MD5
a86905a42a0e7e409113986c7eec4cdf
CRC-32
6705b22a
File type
Windows executable
First seen
2007-08-19

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Local Settings\Temp\nsa4.tmp\inetc3.dll
  • c:\Documents and Settings\test user\Local Settings\Temp\nsa4.tmp\1clogo.bmp
  • c:\Documents and Settings\test user\Local Settings\Temp\nsa4.tmp\load_0.bmp
  • c:\Documents and Settings\test user\Local Settings\Temp\nsa4.tmp\decline.bmp
  • c:\Documents and Settings\test user\Local Settings\Temp\nsa4.tmp\close.bmp
  • c:\Documents and Settings\test user\Local Settings\Temp\nsa4.tmp\nsDialogs.dll
  • c:\Documents and Settings\test user\Local Settings\Temp\nsa4.tmp\box3.bmp
  • c:\Documents and Settings\test user\Local Settings\Temp\nsa4.tmp\complist.txt
  • c:\Documents and Settings\test user\Local Settings\Temp\nsa4.tmp\back.bmp
  • c:\Documents and Settings\test user\Local Settings\Temp\nsa4.tmp\dAg
  • c:\Documents and Settings\test user\Local Settings\Temp\nsa4.tmp\x.bmp
  • c:\Documents and Settings\test user\Local Settings\Temp\nsa4.tmp\System.dll
  • c:\Documents and Settings\test user\Local Settings\Temp\nsa4.tmp\skip.bmp
  • c:\Documents and Settings\test user\Local Settings\Temp\nsa4.tmp\accept_disabled.bmp
  • c:\Documents and Settings\test user\Local Settings\Temp\nsa4.tmp\accept.bmp
  • c:\Documents and Settings\test user\Local Settings\Temp\nsa4.tmp\accept2.bmp
  • c:\Documents and Settings\test user\Local Settings\Temp\nsa4.tmp\accept3.bmp
  • c:\Documents and Settings\test user\Local Settings\Temp\nsa4.tmp\accept1.bmp
  • c:\Documents and Settings\test user\Local Settings\Temp\nsa4.tmp\box.bmp
  • c:\Documents and Settings\test user\Local Settings\Temp\nsa4.tmp\back_dis.bmp
  • c:\Documents and Settings\test user\Local Settings\Temp\nsa4.tmp\lyfdt.txt
  • c:\Documents and Settings\test user\Local Settings\Temp\nsa4.tmp\noc
  • c:\Documents and Settings\test user\Local Settings\Temp\nsa4.tmp\v_sign.bmp
  • c:\Documents and Settings\test user\Local Settings\Temp\nsa4.tmp\box2.bmp
Registry Keys Created
  • HKCU\Software\1ClickDownload
    LastInstall0
    30347027
  • HKCR\AppID\{C007DADD-132A-624C-088E-59EE6CF0711F}
    id0
    11012014
HTTP Requests
  • http://data.torntv.net/country.asp
  • http://torntvz.com/ping.php
DNS Requests
  • data.torntv.net
  • torntvz.com
