Virus: Adware/InstallCor.A
Date discovered: 06/06/2012
Type: Adware/Spyware
In the wild: No
Reported Infections: Low to medium
Distribution Potential: Low
Damage Potential: Low
File size: 1064720 Bytes
MD5 checksum: 2cbcbac3ea2cf6e1b46caf3595d6f22f
VDF version: 7.11.32.36 - Wednesday, June 6, 2012
IVDF version: 7.11.32.36 - Wednesday, June 6, 2012

General
Method of propagation:
   • No own spreading routine


Aliases:
   •  Kaspersky: not-a-virus:WebToolbar.Win32.InstallCore.bpv
   •  Bitdefender: Gen:Variant.Application.InstallCore.13
   •  Eset: a variant of Win32/InstallCore.AG application
   •  GData: Gen:Variant.Application.InstallCore.13


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7


Side effects:
   • Registry modification


Right after execution the following information is displayed:


Files
It copies itself to the following location:
   • %temp%\ICReinstall_sample.exe



It deletes the following files:
   • %temp%\ish419000\bootstrap_54461.html
   • %PROGRAM FILES%\is420421.log
   • %temp%\00066A74.log
   • %temp%\000664B8.log
   • %temp%\00067EE7.log
   • %temp%\00068D6D.log
   • %temp%\00069B29.log
   • %temp%\00077656.log



The following files are created:

– Temporary files that might be deleted afterwards:
   • %temp%\ish419000\blank.gif
   • %temp%\ish419000\css\buttons.css
   • %temp%\ish419000\css\ie6_main.css
   • %temp%\ish419000\css\main.css
   • %temp%\ish419000\css\sdk-ui\browse.css
   • %temp%\ish419000\css\sdk-ui\button.css
   • %temp%\ish419000\css\sdk-ui\checkbox.css
   • %temp%\ish419000\css\sdk-ui\images\button-bg.png
   • %temp%\ish419000\css\sdk-ui\images\progress-bg.png
   • %temp%\ish419000\css\sdk-ui\progress-bar.css
   • %temp%\ish419000\images\Bg.gif
   • %temp%\ish419000\images\close_button.png
   • %temp%\ish419000\images\finish-button.png
   • %temp%\ish419000\images\icon.png
   • %temp%\ish419000\images\loader.gif
   • %temp%\ish419000\images\next-button-over.png
   • %temp%\ish419000\images\next-button.png
   • %temp%\ish419000\images\progress-bg.png
   • %temp%\ish419000\images\Progress.png
   • %temp%\ish419000\images\ProgressBar.png
   • %temp%\isf_419819.flat

Registry
The following registry key is changed:

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
   Old value:
   • "Name"="iexplore.exe"
   • "ID"=dword:41107b81
   New value:
   • "Name"="sample.exe"
   • "ID"=dword:2a425e19

Miscellaneous
Internet connection:
To check for an Internet connection, the following DNS servers are contacted:
   • rp.**********downloadmanager.com
   • d.**********pd.com
   • download0.**********loader.org
   • os.**********downloadmanager.com
   • cdnus.**********downloadmanager.com
   • cdneu.**********downloadmanager.com

Description inserted by Wensin Lee on Thursday, August 9, 2012
Description updated by Wensin Lee on Thursday, August 9, 2012
