Adware.Win32.Conduit.S

2025年5月13日

分析者: Raighen Sanchez

AdWare.Win32.Conduit.dau (KASPERSKY)

平台:

Windows

总体风险等级:

潜在破坏:

潜在分布:

感染次数:

信息暴露:

恶意软件类型:
Adware
有破坏性？:
没有
加密？:
In the Wild:
是的

概要

感染途徑: 从互联网下载、由其他恶意软件释放

技术详细信息

文件大小: 5,278,018 bytes

报告日期: EXE

初始樣本接收日期: 2025年5月12日

Payload: 连接URL/IP地址, 释放文件

Installation

This Adware drops the following files:

%User Temp%\nspC498.tmp\FindProcDLL.dll
%User Temp%\nspC498.tmp\NSISdl.dll
%User Temp%\installer.exe
%User Temp%\nspC498.tmp\nsisunz.dll
%User Temp%\Toolbar\META-INF\zigbert.rsa
%User Temp%\Toolbar\conduitengine.xpi
%User Temp%\Toolbar\install.rdf
%User Temp%\Toolbar\nova-ja_tb.xpi
%User Temp%\Toolbar\META-INF\manifest.mf
%User Temp%\Toolbar\META-INF\zigbert.sf
%User Temp%\Toolbar\META-INF\zigbert.rsa
%User Temp%\Toolbar\chrome\nova-ja.jar
%User Temp%\Toolbar\chrome.manifest
%User Temp%\Toolbar\components\ConduitAutoCompleteSearch.js
%User Temp%\Toolbar\components\ConduitAutoCompleteSearch.xpt
%User Temp%\Toolbar\components\ConduitToolbar.idl
%User Temp%\Toolbar\components\ConduitToolbar.js
%User Temp%\Toolbar\components\ConduitToolbar.xpt
%User Temp%\Toolbar\components\RadioWMPCore.dll
%User Temp%\Toolbar\components\RadioWMPCore.xpt
%User Temp%\Toolbar\components\RadioWMPCoreGecko19.dll
%User Temp%\Toolbar\defaults\alertSettingsComponent.xml
%User Temp%\Toolbar\defaults\appContextMenu.xml
%User Temp%\Toolbar\defaults\engineContextMenu.xml
%User Temp%\Toolbar\defaults\engineSettings.json
%User Temp%\Toolbar\defaults\fbAlert.js
%User Temp%\Toolbar\defaults\getAppsContextMenu.xml
%User Temp%\Toolbar\defaults\postAppsContextMenu.xml
%User Temp%\Toolbar\defaults\toolbarContextMenu.xml
%User Temp%\Toolbar\defaults\unsharedAppsContextMenu.xml
%User Temp%\Toolbar\install.rdf
%User Temp%\Toolbar\lib\xpcom.js
%User Temp%\Toolbar\searchplugin\conduit.gif
%User Temp%\Toolbar\searchplugin\conduit.ico
%User Temp%\Toolbar\searchplugin\conduit.PNG
%User Temp%\Toolbar\searchplugin\conduit.src
%User Temp%\Toolbar\searchplugin\conduit.xml
%User Temp%\Toolbar\version.txt
%User Temp%\Toolbar\META-INF\manifest.mf
%User Temp%\Toolbar\META-INF\zigbert.sf
%Application Data%\Mozilla\Firefox\Profiles\dxxbjsgn.default\extensions\engine@conduit.com\META-INF\zigbert.rsa
%Application Data%\Mozilla\Firefox\Profiles\dxxbjsgn.default\extensions\engine@conduit.com\chrome\conduitengine.jar
%Application Data%\Mozilla\Firefox\Profiles\dxxbjsgn.default\extensions\engine@conduit.com\chrome.manifest
%Application Data%\Mozilla\Firefox\Profiles\dxxbjsgn.default\extensions\engine@conduit.com\components\ConduitAutoCompleteSearch.js
%Application Data%\Mozilla\Firefox\Profiles\dxxbjsgn.default\extensions\engine@conduit.com\components\ConduitAutoCompleteSearch.xpt
%Application Data%\Mozilla\Firefox\Profiles\dxxbjsgn.default\extensions\engine@conduit.com\components\ConduitToolbar.idl
%Application Data%\Mozilla\Firefox\Profiles\dxxbjsgn.default\extensions\engine@conduit.com\components\ConduitToolbar.js
%Application Data%\Mozilla\Firefox\Profiles\dxxbjsgn.default\extensions\engine@conduit.com\components\ConduitToolbar.xpt
%Application Data%\Mozilla\Firefox\Profiles\dxxbjsgn.default\extensions\engine@conduit.com\components\RadioWMPCore.dll
%Application Data%\Mozilla\Firefox\Profiles\dxxbjsgn.default\extensions\engine@conduit.com\components\RadioWMPCore.xpt
%Application Data%\Mozilla\Firefox\Profiles\dxxbjsgn.default\extensions\engine@conduit.com\components\RadioWMPCoreGecko19.dll
%Application Data%\Mozilla\Firefox\Profiles\dxxbjsgn.default\extensions\engine@conduit.com\defaults\alertSettingsComponent.xml
%Application Data%\Mozilla\Firefox\Profiles\dxxbjsgn.default\extensions\engine@conduit.com\defaults\appContextMenu.xml
%Application Data%\Mozilla\Firefox\Profiles\dxxbjsgn.default\extensions\engine@conduit.com\defaults\engineContextMenu.xml
%Application Data%\Mozilla\Firefox\Profiles\dxxbjsgn.default\extensions\engine@conduit.com\defaults\engineSettings.json
%Application Data%\Mozilla\Firefox\Profiles\dxxbjsgn.default\extensions\engine@conduit.com\defaults\fbAlert.js
%Application Data%\Mozilla\Firefox\Profiles\dxxbjsgn.default\extensions\engine@conduit.com\defaults\getAppsContextMenu.xml
%Application Data%\Mozilla\Firefox\Profiles\dxxbjsgn.default\extensions\engine@conduit.com\defaults\postAppsContextMenu.xml
%Application Data%\Mozilla\Firefox\Profiles\dxxbjsgn.default\extensions\engine@conduit.com\defaults\toolbarContextMenu.xml
%Application Data%\Mozilla\Firefox\Profiles\dxxbjsgn.default\extensions\engine@conduit.com\defaults\unsharedAppsContextMenu.xml
%Application Data%\Mozilla\Firefox\Profiles\dxxbjsgn.default\extensions\engine@conduit.com\DualPackage\install.rdf
%Application Data%\Mozilla\Firefox\Profiles\dxxbjsgn.default\extensions\engine@conduit.com\install.rdf
%Application Data%\Mozilla\Firefox\Profiles\dxxbjsgn.default\extensions\engine@conduit.com\lib\xpcom.js
%Application Data%\Mozilla\Firefox\Profiles\dxxbjsgn.default\extensions\engine@conduit.com\searchplugin\conduit.gif
%Application Data%\Mozilla\Firefox\Profiles\dxxbjsgn.default\extensions\engine@conduit.com\searchplugin\conduit.ico
%Application Data%\Mozilla\Firefox\Profiles\dxxbjsgn.default\extensions\engine@conduit.com\searchplugin\conduit.PNG
%Application Data%\Mozilla\Firefox\Profiles\dxxbjsgn.default\extensions\engine@conduit.com\searchplugin\conduit.src
%Application Data%\Mozilla\Firefox\Profiles\dxxbjsgn.default\extensions\engine@conduit.com\searchplugin\conduit.xml
%Application Data%\Mozilla\Firefox\Profiles\dxxbjsgn.default\extensions\engine@conduit.com\version.txt
%Application Data%\Mozilla\Firefox\Profiles\dxxbjsgn.default\extensions\engine@conduit.com\META-INF\manifest.mf
%Application Data%\Mozilla\Firefox\Profiles\dxxbjsgn.default\extensions\engine@conduit.com\META-INF\zigbert.sf
%User Temp%\Toolbar\setup.ini
%Application Data%\Mozilla\Firefox\Profiles\dxxbjsgn.default\extensions\{001709de-38a5-4f77-a69b-2f284030ddff}\chrome.manifest
%Application Data%\Mozilla\Firefox\Profiles\dxxbjsgn.default\extensions\{001709de-38a5-4f77-a69b-2f284030ddff}\install.rdf
%Application Data%\Mozilla\Firefox\Profiles\dxxbjsgn.default\extensions\{001709de-38a5-4f77-a69b-2f284030ddff}\setup.ini
%Application Data%\Mozilla\Firefox\Profiles\dxxbjsgn.default\extensions\{001709de-38a5-4f77-a69b-2f284030ddff}\version.txt
%Application Data%\Mozilla\Firefox\Profiles\dxxbjsgn.default\extensions\{001709de-38a5-4f77-a69b-2f284030ddff}\chrome\nova-ja.jar
%Application Data%\Mozilla\Firefox\Profiles\dxxbjsgn.default\extensions\{001709de-38a5-4f77-a69b-2f284030ddff}\components\ConduitAutoCompleteSearch.js
%Application Data%\Mozilla\Firefox\Profiles\dxxbjsgn.default\extensions\{001709de-38a5-4f77-a69b-2f284030ddff}\components\ConduitAutoCompleteSearch.xpt
%Application Data%\Mozilla\Firefox\Profiles\dxxbjsgn.default\extensions\{001709de-38a5-4f77-a69b-2f284030ddff}\components\ConduitToolbar.idl
%Application Data%\Mozilla\Firefox\Profiles\dxxbjsgn.default\extensions\{001709de-38a5-4f77-a69b-2f284030ddff}\components\ConduitToolbar.js
%Application Data%\Mozilla\Firefox\Profiles\dxxbjsgn.default\extensions\{001709de-38a5-4f77-a69b-2f284030ddff}\components\ConduitToolbar.xpt
%Application Data%\Mozilla\Firefox\Profiles\dxxbjsgn.default\extensions\{001709de-38a5-4f77-a69b-2f284030ddff}\components\RadioWMPCore.dll
%Application Data%\Mozilla\Firefox\Profiles\dxxbjsgn.default\extensions\{001709de-38a5-4f77-a69b-2f284030ddff}\components\RadioWMPCore.xpt
%Application Data%\Mozilla\Firefox\Profiles\dxxbjsgn.default\extensions\{001709de-38a5-4f77-a69b-2f284030ddff}\components\RadioWMPCoreGecko19.dll
%Application Data%\Mozilla\Firefox\Profiles\dxxbjsgn.default\extensions\{001709de-38a5-4f77-a69b-2f284030ddff}\defaults\alertSettingsComponent.xml
%Application Data%\Mozilla\Firefox\Profiles\dxxbjsgn.default\extensions\{001709de-38a5-4f77-a69b-2f284030ddff}\defaults\appContextMenu.xml
%Application Data%\Mozilla\Firefox\Profiles\dxxbjsgn.default\extensions\{001709de-38a5-4f77-a69b-2f284030ddff}\defaults\engineContextMenu.xml
%Application Data%\Mozilla\Firefox\Profiles\dxxbjsgn.default\extensions\{001709de-38a5-4f77-a69b-2f284030ddff}\defaults\engineSettings.json
%Application Data%\Mozilla\Firefox\Profiles\dxxbjsgn.default\extensions\{001709de-38a5-4f77-a69b-2f284030ddff}\defaults\fbAlert.js
%Application Data%\Mozilla\Firefox\Profiles\dxxbjsgn.default\extensions\{001709de-38a5-4f77-a69b-2f284030ddff}\defaults\getAppsContextMenu.xml
%Application Data%\Mozilla\Firefox\Profiles\dxxbjsgn.default\extensions\{001709de-38a5-4f77-a69b-2f284030ddff}\defaults\postAppsContextMenu.xml
%Application Data%\Mozilla\Firefox\Profiles\dxxbjsgn.default\extensions\{001709de-38a5-4f77-a69b-2f284030ddff}\defaults\toolbarContextMenu.xml
%Application Data%\Mozilla\Firefox\Profiles\dxxbjsgn.default\extensions\{001709de-38a5-4f77-a69b-2f284030ddff}\defaults\unsharedAppsContextMenu.xml
%Application Data%\Mozilla\Firefox\Profiles\dxxbjsgn.default\extensions\{001709de-38a5-4f77-a69b-2f284030ddff}\lib\xpcom.js
%Application Data%\Mozilla\Firefox\Profiles\dxxbjsgn.default\extensions\{001709de-38a5-4f77-a69b-2f284030ddff}\META-INF\manifest.mf
%Application Data%\Mozilla\Firefox\Profiles\dxxbjsgn.default\extensions\{001709de-38a5-4f77-a69b-2f284030ddff}\META-INF\zigbert.rsa
%Application Data%\Mozilla\Firefox\Profiles\dxxbjsgn.default\extensions\{001709de-38a5-4f77-a69b-2f284030ddff}\META-INF\zigbert.sf
%AppDataLocal%\Conduit\CT2132275\~GLH0006.TMP
%Program Files%\Nova-JA\~GLH0007.TMP
%Application Data%\Mozilla\Firefox\Profiles\dxxbjsgn.default\extensions\{001709de-38a5-4f77-a69b-2f284030ddff}\searchplugin\conduit.gif
%Application Data%\Mozilla\Firefox\Profiles\dxxbjsgn.default\extensions\{001709de-38a5-4f77-a69b-2f284030ddff}\searchplugin\conduit.ico
%Application Data%\Mozilla\Firefox\Profiles\dxxbjsgn.default\extensions\{001709de-38a5-4f77-a69b-2f284030ddff}\searchplugin\conduit.PNG
%Application Data%\Mozilla\Firefox\Profiles\dxxbjsgn.default\extensions\{001709de-38a5-4f77-a69b-2f284030ddff}\searchplugin\conduit.src
%Application Data%\Mozilla\Firefox\Profiles\dxxbjsgn.default\extensions\{001709de-38a5-4f77-a69b-2f284030ddff}\searchplugin\conduit.xml
%Application Data%\Mozilla\Firefox\Profiles\dxxbjsgn.default\prefs.new
%User Temp%\nspC498.tmp\System.dll
%Application Data%\Mozilla\Firefox\Profiles\dxxbjsgn.default\prefs.new
%AppDataLocalLow%\ConduitEngine\ConduitEngine.dll

它会创建以下文件夹：

%Application Data%\Mozilla\Firefox\Profiles\dxxbjsgn.default\extensions\{001709de-38a5-4f77-a69b-2f284030ddff}\chrome
%Application Data%\Mozilla\Firefox\Profiles\dxxbjsgn.default\extensions\{001709de-38a5-4f77-a69b-2f284030ddff}\components
%Application Data%\Mozilla\Firefox\Profiles\dxxbjsgn.default\extensions\{001709de-38a5-4f77-a69b-2f284030ddff}\defaults
%Application Data%\Mozilla\Firefox\Profiles\dxxbjsgn.default\extensions\{001709de-38a5-4f77-a69b-2f284030ddff}\lib
%Application Data%\Mozilla\Firefox\Profiles\dxxbjsgn.default\extensions\{001709de-38a5-4f77-a69b-2f284030ddff}\META-INF
%Application Data%\Mozilla\Firefox\Profiles\dxxbjsgn.default\extensions\{001709de-38a5-4f77-a69b-2f284030ddff}\searchplugin

(Note: %Application Data% 是当前用户的 Application Data 文件夹，通常路径为：C:\Documents and Settings\{user name}\Application Data 在Windows 2000（32位）、XP及Server 2003（32位）系统上，或 C:\Users\{user name}\AppData\Roaming 在Windows Vista、7、8、8.1、2008（64位）、2012（64位）及10（64位）系统上。）

其他信息

This Adware connects to the following possibly malicious URL:

http://{BLOCKED}s.conduit.com/iis2ebs.asp
http://{BLOCKED}gle.com/s/2/5/25623-656212-ccleaner.exe
http://{BLOCKEDration.engine.conduit-services.com/EngineRegistration.ashx
http://{BLOCKED}map.conduit-services.com/Toolbar/?ownerId=CT2132275
http://{BLOCKED}ation.engine.conduit-services.com/?browser=IE&lut=0&locale=en-us
http://{BLOCKED}tmenu.engine.conduit-services.com/apps/TranslatedApps.ashx?productId=1&name=engineContextMenu&locale=en-us
http://{BLOCKED}.ourtoolbar.com/notfound/?actid=CT2132275&octid=CT2132275&url=http://go.microsoft.com/fwlink/?LinkID=121792

解决方案

最小扫描引擎: 9.800

SSAPI样式文件: 2.835.00

SSAPI样式发布日期: 2025年5月15日