Virus Encyclopedia
Welcome to the Virus Encyclopedia of Panda Security.
Encyclopedia
GetVirusCard
True
0
Effects
nCase carries out the following actions:
- It is executed in the background and it displays information, offers and products according to keywords previously entered by the user while surfing the Internet.
- It downloads and displays advertisements according to the Internet usage habits.
- It changes the browser Internet Explorer homepage and search options:
Infection strategy
nCase creates the following files:
A file with a random name and an
EXE extension in the Windows directory.
nCase creates the following entries in the Windows Registry:
HKEY_LOCAL_MACHINE\ Software\ Microsoft\ Windows\ CurrentVersion\ Run
%entry% = %windir%\ %file%.exe
where %windir% is the Windows directory, and %entry% and %file% are the random names of the entry and the file created.
HKEY_LOCAL_MACHINE\ Software\ Microsoft\ Windows\ CurrentVersion\ Run
msbb = %ProgramFiles%\ 180search assistant\ msbb.exe
where %ProgramFiles% is the folder Program Files.
By creating these entries, nCase ensures that it is run whenever Windows is started.
HKEY_CLASSES_ROOT\ 180SAInstaller.180SAInstaller
HKEY_CLASSES_ROOT\ CLSID\ {B10031B2-F184-4803-9A88-D239C0641D70}
HKEY_CLASSES_ROOT\ Interface\ {DDEA2E1D-8555-45E5-AF09-EC9AA4EA27AD}
HKEY_CLASSES_ROOT\ TypeLib\ {F2BF4713-E933-4B66-8694-22ED243709C7}
HKEY_CURRENT_USER\ Software\ 180solutions
HKEY_CURRENT_USER\ Software\ msbb
HKEY_LOCAL_MACHINE\ Software\ 180solutions
HKEY_LOCAL_MACHINE\ Software\ Classes\ 180SAInstaller.180SAInstaller
HKEY_LOCAL_MACHINE\ Software\ Classes\ CLSID\ {B10031B2-F184-4803-9A88-D239C0641D70}
HKEY_LOCAL_MACHINE\ Software\ Classes\ TypeLib\ {F2BF4713-E933-4B66-8694-22ED243709C7}
HKEY_LOCAL_MACHINE\ Software\ Microsoft\ Code Store Database\ Distribution Units\ {B10031B2-F184-4803-9A88-D239C0641D70}
HKEY_LOCAL_MACHINE\ Software\ Microsoft\ Windows\ CurrentVersion\ ModuleUsage\ %WindowsRoot%\ Downloaded Program Files\ 180SAInstaller.dll
HKEY_LOCAL_MACHINE\ Software\ Microsoft\ Windows\ CurrentVersion\ ModuleUsage\ %WindowsRoot%\ Downloaded Program Files\ 180SALib.dll
HKEY_LOCAL_MACHINE\ Software\ Microsoft\ Windows\ CurrentVersion\ Uninstall\ msbb
HKEY_LOCAL_MACHINE\ Software\ Microsoft\ Windows\ CurrentVersion\ SharedDLLs %WindowsRoot%\ Downloaded Program Files\ 180SAInstaller.dll
HKEY_LOCAL_MACHINE\ Software\ Microsoft\ Windows\ CurrentVersion\ SharedDLLs %WindowsRoot%\ Downloaded Program Files\ 180SALib.dll
HKEY_LOCAL_MACHINE\ Software\ msbb
HKEY_CURRENT_USER\ Software\ Microsoft\ Internet Explorer\ Main "Search Bar" http://best-search.cc/search.php*
HKEY_CURRENT_USER\ Software\ Microsoft\ Internet Explorer\ Main "Search Page" http://best-search.cc/search.php*
HKEY_CURRENT_USER\ Software\ Microsoft\ Internet Explorer\ Main "Start Page" http://best-search.cc/search.php*
HKEY_USERS\.DEFAULT\ Software\ Microsoft\ Internet Explorer\ Main "Search Bar" http://best-search.cc/search.php*
HKEY_USERS\.DEFAULT\ Software\ Microsoft\ Internet Explorer\ Main "Search Page" http://best-search.cc/search.php*
HKEY_USERS\.DEFAULT\ Software\ Microsoft\ Internet Explorer\ Main "Start Page" http://best-search.cc/search.php*
Means of transmission
Adware is a license form for using programs, which offers the application at the only cost of viewing a series of advertisements. However, these programs sometimes collect data on Internet usage habits, pages viewed, inventory of the applications installed in the computer, etc.
nCase can be manually installed or be included with other applications. It displays the following image on screen when it is installed:
Further Details
nCase is written in the programming language Visual C++ v7.0. This program is 108,010 bytes in size when it is compressed and 286,720 bytes once it is decompressed.