PUA.VipIP

Updated: February 01, 2019 8:00:55 AM
Type: Potentially Unwanted App
Infection Length: Varies
Name: VipIP.ru
Version: 8.7.4.385
Publisher: VipIP.ru
Risk Impact: Medium
Systems Affected: Windows

Behavior

PUA.VipIP is a potentially unwanted application that may be used for online advertising to generate revenue.

When the application is installed, it creates the following folders:

  • %AllUsersProfile%\test\AppData\Roaming\VipIPClnt\cef
  • %AllUsersProfile%\test\AppData\Roaming\VipIPClnt\lang
  • %AllUsersProfile%\test\AppData\Roaming\VipIPClnt\lib
  • %AllUsersProfile%\test\AppData\Roaming\VipIPClnt\sound
  • %AllUsersProfile%\test\AppData\Roaming\VipIPClnt\cef\cookies
  • %AllUsersProfile%\test\AppData\Roaming\VipIPClnt\cef\locales

The application then creates the following files:

  • %AllUsersProfile%\test\AppData\Roaming\VipIPClnt\unins000.dat
  • %AllUsersProfile%\test\AppData\Roaming\VipIPClnt\unins000.exe
  • %AllUsersProfile%\test\AppData\Roaming\VipIPClnt\unins000.msg
  • %AllUsersProfile%\test\AppData\Roaming\VipIPClnt\VipIpClnt.exe
  • %AllUsersProfile%\test\AppData\Roaming\VipIPClnt\cef\cef.pak
  • %AllUsersProfile%\test\AppData\Roaming\VipIPClnt\cef\cef_100_percent.pak
  • %AllUsersProfile%\test\AppData\Roaming\VipIPClnt\cef\cef_200_percent.pak
  • %AllUsersProfile%\test\AppData\Roaming\VipIPClnt\cef\cef_extensions.pak
  • %AllUsersProfile%\test\AppData\Roaming\VipIPClnt\cef\d3dcompiler_43.dll
  • %AllUsersProfile%\test\AppData\Roaming\VipIPClnt\cef\d3dcompiler_47.dll
  • %AllUsersProfile%\test\AppData\Roaming\VipIPClnt\cef\icudtl.dat
  • %AllUsersProfile%\test\AppData\Roaming\VipIPClnt\cef\libcef.dll
  • %AllUsersProfile%\test\AppData\Roaming\VipIPClnt\cef\libEGL.dll
  • %AllUsersProfile%\test\AppData\Roaming\VipIPClnt\cef\libGLESv2.dll
  • %AllUsersProfile%\test\AppData\Roaming\VipIPClnt\cef\natives_blob.bin
  • %AllUsersProfile%\test\AppData\Roaming\VipIPClnt\cef\snapshot_blob.bin
  • %AllUsersProfile%\test\AppData\Roaming\VipIPClnt\cef\widevinecdmadapter.dll
  • %AllUsersProfile%\test\AppData\Roaming\VipIPClnt\cef\wow_helper.exe
  • %AllUsersProfile%\test\AppData\Roaming\VipIPClnt\cef\locales\am.pak
  • %AllUsersProfile%\test\AppData\Roaming\VipIPClnt\cef\locales\ar.pak
  • %AllUsersProfile%\test\AppData\Roaming\VipIPClnt\cef\locales\bg.pak
  • %AllUsersProfile%\test\AppData\Roaming\VipIPClnt\cef\locales\bn.pak
  • %AllUsersProfile%\test\AppData\Roaming\VipIPClnt\cef\locales\ca.pak
  • %AllUsersProfile%\test\AppData\Roaming\VipIPClnt\cef\locales\cs.pak
  • %AllUsersProfile%\test\AppData\Roaming\VipIPClnt\cef\locales\da.pak
  • %AllUsersProfile%\test\AppData\Roaming\VipIPClnt\cef\locales\de.pak
  • %AllUsersProfile%\test\AppData\Roaming\VipIPClnt\cef\locales\el.pak
  • %AllUsersProfile%\test\AppData\Roaming\VipIPClnt\cef\locales\en-GB.pak
  • %AllUsersProfile%\test\AppData\Roaming\VipIPClnt\cef\locales\en-US.pak
  • %AllUsersProfile%\test\AppData\Roaming\VipIPClnt\cef\locales\es-419.pak
  • %AllUsersProfile%\test\AppData\Roaming\VipIPClnt\cef\locales\es.pak
  • %AllUsersProfile%\test\AppData\Roaming\VipIPClnt\cef\locales\et.pak
  • %AllUsersProfile%\test\AppData\Roaming\VipIPClnt\cef\locales\fa.pak
  • %AllUsersProfile%\test\AppData\Roaming\VipIPClnt\cef\locales\fi.pak
  • %AllUsersProfile%\test\AppData\Roaming\VipIPClnt\cef\locales\fil.pak
  • %AllUsersProfile%\test\AppData\Roaming\VipIPClnt\cef\locales\fr.pak
  • %AllUsersProfile%\test\AppData\Roaming\VipIPClnt\cef\locales\gu.pak
  • %AllUsersProfile%\test\AppData\Roaming\VipIPClnt\cef\locales\he.pak
  • %AllUsersProfile%\test\AppData\Roaming\VipIPClnt\cef\locales\hi.pak
  • %AllUsersProfile%\test\AppData\Roaming\VipIPClnt\cef\locales\hr.pak
  • %AllUsersProfile%\test\AppData\Roaming\VipIPClnt\cef\locales\hu.pak
  • %AllUsersProfile%\test\AppData\Roaming\VipIPClnt\cef\locales\id.pak
  • %AllUsersProfile%\test\AppData\Roaming\VipIPClnt\cef\locales\it.pak
  • %AllUsersProfile%\test\AppData\Roaming\VipIPClnt\cef\locales\ja.pak
  • %AllUsersProfile%\test\AppData\Roaming\VipIPClnt\cef\locales\kn.pak
  • %AllUsersProfile%\test\AppData\Roaming\VipIPClnt\cef\locales\ko.pak
  • %AllUsersProfile%\test\AppData\Roaming\VipIPClnt\cef\locales\lt.pak
  • %AllUsersProfile%\test\AppData\Roaming\VipIPClnt\cef\locales\lv.pak
  • %AllUsersProfile%\test\AppData\Roaming\VipIPClnt\cef\locales\ml.pak
  • %AllUsersProfile%\test\AppData\Roaming\VipIPClnt\cef\locales\mr.pak
  • %AllUsersProfile%\test\AppData\Roaming\VipIPClnt\cef\locales\ms.pak
  • %AllUsersProfile%\test\AppData\Roaming\VipIPClnt\cef\locales\nb.pak
  • %AllUsersProfile%\test\AppData\Roaming\VipIPClnt\cef\locales\nl.pak
  • %AllUsersProfile%\test\AppData\Roaming\VipIPClnt\cef\locales\pl.pak
  • %AllUsersProfile%\test\AppData\Roaming\VipIPClnt\cef\locales\pt-BR.pak
  • %AllUsersProfile%\test\AppData\Roaming\VipIPClnt\cef\locales\pt-PT.pak
  • %AllUsersProfile%\test\AppData\Roaming\VipIPClnt\cef\locales\ro.pak
  • %AllUsersProfile%\test\AppData\Roaming\VipIPClnt\cef\locales\ru.pak
  • %AllUsersProfile%\test\AppData\Roaming\VipIPClnt\cef\locales\sk.pak
  • %AllUsersProfile%\test\AppData\Roaming\VipIPClnt\cef\locales\sl.pak
  • %AllUsersProfile%\test\AppData\Roaming\VipIPClnt\cef\locales\sr.pak
  • %AllUsersProfile%\test\AppData\Roaming\VipIPClnt\cef\locales\sv.pak
  • %AllUsersProfile%\test\AppData\Roaming\VipIPClnt\cef\locales\sw.pak
  • %AllUsersProfile%\test\AppData\Roaming\VipIPClnt\cef\locales\ta.pak
  • %AllUsersProfile%\test\AppData\Roaming\VipIPClnt\cef\locales\te.pak
  • %AllUsersProfile%\test\AppData\Roaming\VipIPClnt\cef\locales\th.pak
  • %AllUsersProfile%\test\AppData\Roaming\VipIPClnt\cef\locales\tr.pak
  • %AllUsersProfile%\test\AppData\Roaming\VipIPClnt\cef\locales\uk.pak
  • %AllUsersProfile%\test\AppData\Roaming\VipIPClnt\cef\locales\vi.pak
  • %AllUsersProfile%\test\AppData\Roaming\VipIPClnt\cef\locales\zh-CN.pak
  • %AllUsersProfile%\test\AppData\Roaming\VipIPClnt\cef\locales\zh-TW.pak
  • %AllUsersProfile%\test\AppData\Roaming\VipIPClnt\lang\[7-LETTER RUSSIAN CHARACTERS].lng
  • %AllUsersProfile%\test\AppData\Roaming\VipIPClnt\lang\[10-LETTER RUSSIAN CHARACTERS].lng
  • %AllUsersProfile%\test\AppData\Roaming\VipIPClnt\lib\libeay32.dll
  • %AllUsersProfile%\test\AppData\Roaming\VipIPClnt\lib\pepflashplayer32_29_0_0_113.dll
  • %AllUsersProfile%\test\AppData\Roaming\VipIPClnt\lib\sqlite3.dll
  • %AllUsersProfile%\test\AppData\Roaming\VipIPClnt\lib\ssleay32.dll
  • %AllUsersProfile%\test\AppData\Roaming\VipIPClnt\sound\notify.wav

Next, the application creates the following registry subkeys:

  • HKEY_USERS\S-1-5-21-3087506387-2454565724-164994176-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall\{15FF8405-5623-4BDC-B608-C817BE1788EA}_is1
  • HKEY_USERS\S-1-5-21-3087506387-2454565724-164994176-1000\Software\vipip

The application then creates the following registry entries:

  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{DFFACDC5-679F-4156-8947-C5C76BC0B67F} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062}\"0xFFFF" = "[HEXADECIMAL VALUE]"
  • HKEY_USERS\S-1-5-21-3087506387-2454565724-164994176-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts\%AllUsersProfile%\test\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\"VipIP.ru – [THREE WORDS IN RUSSIAN].lnk" = "1"
  • HKEY_USERS\S-1-5-21-3087506387-2454565724-164994176-1000\Software\Microsoft\Windows\CurrentVersion\Run\"VipIpCnt" = "%AllUsersProfile%\test\AppData\Roaming\VipIPClnt\VipIpClnt.exe"

The application may be used for online advertising to generate revenue.
