Virus: ADWARE/InstallMat.D
Date discovered: 06/11/2012
Type: Adware
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low
Static file: Yes
File size: ~ 280 000 Bytes
VDF version: 7.11.49.22 - Tuesday, November 6, 2012
IVDF version: 7.11.49.22 - Tuesday, November 6, 2012
General
ADWARE/ - Adware
This class of detection flags software that displays ads, usually in the
internet browser, by modifying displayed pages or opening additional pages
with ads.
These adware programs are usually installed by the users
themselves or come bundled with other software that the users install themselves
(usually in exchange for using that software for free, or as a default
install option).
Users might be unaware that this software was installed or of its
behaviour. This detection is meant to flag the file and its behaviour as
part of legitimate ad-displaying software.
This detection can be disabled; disabling it is recommended if the user is aware of the
software installed on his/her system and doesn't want this type of
software to be detected.
Method of propagation:
• No own spreading routine
Aliases:
• Symantec: Downloader
• Mcafee: Generic PUP.x!bxk
• Avast: Skodna.Generic.AFC
• PCTools: Downloader.Generic
• Eset: Win32/InstallMate
• DrWeb: Adware.Downware.448
• Norman: W32/Suspicious_Gen4.BGZMA
Platforms / OS:
• Windows 2000
• Windows XP
• Windows 2003
• Windows Vista
• Windows 7
Side effects:
• Drops files
• Registry modification
Files
The following files are created:
– Non malicious files:
• C:\Documents and Settings\Administrator\Local Settings\Temp\Tsu%eight-digit random character string%.dll
• C:\Documents and Settings\Administrator\Local Settings\Temp\%eight-digit random character string%.dat
• C:\Documents and Settings\Administrator\Local Settings\Temp\%eight-digit random character string%\_Setup.dll
• C:\Documents and Settings\Administrator\Local Settings\Temp\%eight-digit random character string%\Setup.ico
• C:\Documents and Settings\Administrator\Local Settings\Temp\%eight-digit random character string%\_Setupx.dll
• C:\Documents and Settings\Administrator\Local Settings\Temp\%eight-digit random character string%\Setup.exe
• %ALLUSERSPROFILE%\TSR8.tmp
• %ALLUSERSPROFILE%\Application Data\TSR9.tmp
• %ALLUSERSPROFILE%\Application Data\TSRA.tmp
• %ALLUSERSPROFILE%\Application Data\TSRB.tmp
• %ALLUSERSPROFILE%\Application Data\InstallMate\{F46AD279-DAAF-44D1-9E83-6D44907CAA50}\_Setup.dll
• %ALLUSERSPROFILE%\Application Data\InstallMate\{F46AD279-DAAF-44D1-9E83-6D44907CAA50}\Setup.ico
• %ALLUSERSPROFILE%\Application Data\InstallMate\{F46AD279-DAAF-44D1-9E83-6D44907CAA50}\_Setupx.dll
• %ALLUSERSPROFILE%\Application Data\InstallMate\{F46AD279-DAAF-44D1-9E83-6D44907CAA50}\Setup.exe
• %ALLUSERSPROFILE%\Application Data\InstallMate\{F46AD279-DAAF-44D1-9E83-6D44907CAA50}\TsuDll.dll
• C:\Documents and Settings\Administrator\Local Settings\Temp\%eight-digit random character string%\x86\regsvr32.exe
• C:\Documents and Settings\Administrator\Local Settings\Temp\%eight-digit random character string%\x64\regsvr32.exe
• %ALLUSERSPROFILE%\Application Data\InstallMate\{F46AD279-DAAF-44D1-9E83-6D44907CAA50}\Setup.dat
• C:\Documents and Settings\Administrator\Local Settings\Temp\sample.log
It tries to execute the following file:
– Filename:
• %ALLUSERSPROFILE%\Application Data\Premium\Agent\Agent.exe
Registry
The following registry key is added:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F46AD279-DAAF-44D1-9E83-6D44907CAA50}]
• "UninstallString"="C:\DOCUME~1\\ALLUSE~1\\APPLIC~1\\INSTAL~1\\{F46AD~1\\Setup.exe /remove /q0"
• "QuietUninstallString"="C:\DOCUME~1\\ALLUSE~1\\APPLIC~1\\INSTAL~1\\{F46AD~1\\Setup.exe /remove /q"
• "ModifyPath"="C:\DOCUME~1\\ALLUSE~1\\APPLIC~1\\INSTAL~1\\{F46AD~1\\Setup.exe /q0"
• "Version"=dword:01000000
• "VersionMajor"=dword:00000001
• "VersionMinor"=dword:00000000
• "EstimatedSize"=dword:000000e4
• "Language"=dword:00000409
• "TSAware"=dword:00000001
• "TinFolder"="C:\Documents and Settings\\All Users\\Application Data\\InstallMate\\{F46AD279-DAAF-44D1-9E83-6D44907CAA50}"
• "TinVersion"="7022"
• "InstallDate"="20121204"
• "InstallLocation"="%ALLUSERSPROFILE%\\Application Data\\Premium\\Agent"
• "InstallSource"="C:\%malware execution directory%"
• "DisplayIcon"="%ALLUSERSPROFILE%\\Application Data\\InstallMate\\{F46AD279-DAAF-44D1-9E83-6D44907CAA50}\\Setup.ico"
• "DisplayName"="Agent"
• "DisplayVersion"="1.0"
• "Publisher"="Premium"
• "TizPath"="C:\%malware execution directory%\\%malware file%"
• "CategoryName"="Bflix"
Description inserted by Elias Lan on Thursday, December 6, 2012 Description updated by Elias Lan on Thursday, December 6, 2012