NicTech.BM2 and Adware-Qoologic Found Jan 20, 2006

A Microsoft AntiSpyware (Beta 1) scan of a user's system found "NicTech.BM2 (Trojan Downloader)" in c:\windows\system32\guard.tmp. No registry keys or other files were listed for this malware. The scan also found "Adware-Qoologic (Trojan Downloader)", for which registry keys, but no files, were listed. The registry keys associated with the latter infection are listed below. The full report is available here.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9E248641-0E24-4DDB-9A1F-705087832AD6}
    CLSID = {6EC11407-5B2E-4E25-8BDF-77445B52AB37}
    MenuText = Java

I submitted the file to Jotti's Online Malware Scan, which scans submitted files with 14 different malware detection programs. Half of the programs reported the file as infected; the programs that did report it as malware associated it with the following names.

BitDefender: Adware.Look2me
Dr. Web: Adware.Look2me
Fortinet: Adware/Look2me
Kaspersky Anti-Virus: not-a-virus:Adware.Win32.Look2Me.u
NOD32: Win32/Adware.Look2Me application
Norman Virus Control: Look2Me.U
VBA32: AdWareLook2Me.u

The full report is available here.

guard.tmp Properties
Location: C:\WINDOWS\SYSTEM32
Size: 217 KB (222,787 bytes)
Created: Sunday, October 16, 2005, 6:38:23 PM
MD5 Sum: bb3420b1a976e9d5bd5b24ca593475c4

Microsoft AntiSpyware attributed authorship of guard.tmp to NicTech Networks, Inc.
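The indicators above (the guard.tmp file with its MD5, and the Internet Explorer extension key with its CLSID and MenuText values) can be checked on another Windows host with the following script. It is an added example, not code from the original report or from any of the scanners named above, and it assumes PowerShell 4.0 or later (for Get-FileHash) run from an elevated prompt on the host being examined. It goes slightly beyond the report by also listing every registered IE extension, so an analyst can spot entries other than the one documented here. It only reports; it removes nothing.

```powershell
# Added example: check a host for the indicators quoted in the report above.
# Assumptions: PowerShell 4.0+ (Get-FileHash), elevated prompt, 32-bit IE
# extension hive under HKLM:\SOFTWARE (on 64-bit hosts the Wow6432Node path
# may also need checking; that path is an assumption, not from the report).

$ExpectedMd5   = 'bb3420b1a976e9d5bd5b24ca593475c4'   # MD5 quoted in the report
$SuspectFile   = Join-Path $env:SystemRoot 'System32\guard.tmp'
$ExtensionsRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Extensions'
$ExtensionKey  = Join-Path $ExtensionsRoot '{9E248641-0E24-4DDB-9A1F-705087832AD6}'
$ExpectedClsid = '{6EC11407-5B2E-4E25-8BDF-77445B52AB37}'

$findings = @()

# 1. File indicator: presence alone is weak (guard.tmp is a generic name),
#    so report the hash match and a hash mismatch as separate findings.
if (Test-Path -LiteralPath $SuspectFile) {
    $hash = (Get-FileHash -LiteralPath $SuspectFile -Algorithm MD5).Hash.ToLower()
    if ($hash -eq $ExpectedMd5) {
        $findings += "File present with the reported MD5: $SuspectFile"
    } else {
        $findings += "File present but MD5 differs ($hash): $SuspectFile (other variant or unrelated file)"
    }
}

# 2. Registry indicator: the IE extension key and its two listed values.
if (Test-Path -LiteralPath $ExtensionKey) {
    $props = Get-ItemProperty -LiteralPath $ExtensionKey
    $findings += "IE extension key present: CLSID=$($props.CLSID) MenuText=$($props.MenuText)"
    if ($props.CLSID -eq $ExpectedClsid) {
        $findings += 'CLSID matches the Adware-Qoologic indicator from the report'
    }
}

# 3. Context: list all registered IE extensions so unexpected ones stand out.
if (Test-Path -LiteralPath $ExtensionsRoot) {
    Write-Output 'Registered Internet Explorer extensions:'
    Get-ChildItem -LiteralPath $ExtensionsRoot | ForEach-Object {
        $p = Get-ItemProperty -LiteralPath $_.PSPath
        Write-Output ("  {0}  CLSID={1}  MenuText={2}  Exec={3}" -f `
            $_.PSChildName, $p.CLSID, $p.MenuText, $p.Exec)
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'None of the indicators from the report were found.'
} else {
    $findings | ForEach-Object { Write-Output "FOUND: $_" }
}
```

A hash mismatch on guard.tmp is reported separately because the report only documents one sample; a file of the same name with a different MD5 is worth a look but should not be treated as this infection without further analysis.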

Download guard.tmp for analysis

References:

  1. Guard.tmp - Dangerous. Greatis Software, April 8, 2005.