Riskware/SoftPulse

Analysis


  • The application attempts to connect to the following sites (among others):
    • 9zqvef8333{Removed}.tyo8hbshm6.com
    • www.xgaz7{Removed}.com
    • www.congratulat{Removed}.com
    • app.tyo8hb{Removed}.com
    • revive.adsultima{Removed}.com
    • www.wordpro{Removed}.com
    • gp387a.saz{Removed}.com

  • The application downloads and installs other applications onto the user's computer. Some examples of installed applications include:
    • Word Proser
    • Cloud Guard
    • Desktop Dock
    • Shopperz
    • TV Wizard
    • Games Desktop
    • Pro PC Cleaner
    • Data Remarketer
    • Media Player

  • The application drops files related to the bundled applications. Some examples of dropped files include:
    • %Temp%\[Alphanumeric Character]tmp\games desktop.exe
    • %Temp%\[Alphanumeric Character]tmp\setspz.exe
    • %Temp%\[Alphanumeric Character]tmp\launcher_11002.exe
    • %Temp%\[Alphanumeric Character]tmp\vopackage.exe
    • %Temp%\[Alphanumeric Character]tmp\setup.exe
    • %Temp%\[Alphanumeric Character]tmp\cloudscout.exe
    • %Temp%\[Alphanumeric Character]tmp\propccleaner.exe
    • %Temp%\[Alphanumeric Character]tmp\wordproser-setup-1.10.0.2.exe
    • %Temp%\[Alphanumeric Character]tmp\savepass_20141120.exe
    • %AppData%\VOPackage\VOPackage.exe
    • %AppData%\gmsd_ca_11\upgmsd_ca_11.exe

  • Registry modifications such as the following are applied:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
      • shopperzXP = C:\Program Files\shopperz\custer.bat
      • shopperz = C:\Program Files\shopperz\unity.exe
      • gmsd_ca_11 = C:\Program Files\gmsd_ca_11\gmsd_ca_11.exe
      • upgmsd_ca_11 = %AppData%\gmsd_ca_11\upgmsd_ca_11.exe -runhelper -addpck
      This automatically executes the dropped files every time a user logs on to the computer.
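The persistence mechanism above is an ordinary Run-key autostart, so it can be audited directly. The following PowerShell script is an added example, not part of the Fortinet entry: it enumerates the HKLM and HKCU Run keys and reports any value whose name matches one of the SoftPulse-related names listed on this page, or whose command launches from a per-user writable location (%AppData%, %LocalAppData% or %Temp%), which is where the dropped files above live. The WOW6432Node key and the %LocalAppData% check are additions of mine for completeness; the page itself only lists the HKLM Run key and %AppData%/%Temp% paths.

```powershell
# Added defensive check (not part of the Fortinet entry): list Run-key autostart
# entries and flag those that match indicators from this page or that launch
# from a user-writable directory.

# Value names this page associates with Riskware/SoftPulse.
$knownNames = @('shopperzXP', 'shopperz', 'gmsd_ca_11', 'upgmsd_ca_11')

# Run keys to inspect. The WOW6432Node and HKCU keys are assumed extras;
# the page only names the HKLM Run key.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

# User-writable directories from which a legitimate autostart rarely runs.
$userDirs = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP) | Where-Object { $_ }

function Get-SuspiciousRunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            # GetValue expands REG_EXPAND_SZ, so "%AppData%\..." becomes a real path.
            $cmd = [string]$item.GetValue($name)
            $reasons = @()

            # -contains is case-insensitive by default in PowerShell.
            if ($knownNames -contains $name) {
                $reasons += 'value name matches a SoftPulse indicator'
            }

            foreach ($dir in $userDirs) {
                if ($cmd.TrimStart('"').StartsWith($dir, [System.StringComparison]::OrdinalIgnoreCase)) {
                    $reasons += "command launches from $dir"
                    break
                }
            }

            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Key     = $key
                    Name    = $name
                    Command = $cmd
                    Reason  = ($reasons -join '; ')
                }
            }
        }
    }
}

Get-SuspiciousRunEntries | Format-Table -AutoSize
```

Run it in an elevated PowerShell session so the HKLM keys are readable. A hit on a value name is a strong indicator; a hit only on the launch directory is a prompt to inspect the file (hash, signer, install date) rather than a verdict, since some legitimate updaters also autostart from %AppData%. Actual cleanup should go through the AV quarantine described under Recommended Action rather than manual registry edits, so the dropped binaries are removed together with their autostart entries.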

Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Detection Availability

FortiGate
FortiClient
FortiAPS
FortiAPU
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date Version Detail
2024-04-18 92.03482
2024-04-15 92.03397
2024-04-06 92.03142
2024-04-03 92.03042
2024-04-03 92.03041
2024-04-01 92.02981
2024-03-27 92.02831
2024-03-25 92.02774
2024-03-23 92.02704
2024-03-22 92.02687