Virus: ADWARE/InstallMat.D
Date discovered: 13/12/2012
Type: Adware
In the wild:
Reported infections: Low
Distribution potential: Low
Damage potential: Low
Static file:
File size: ~ 280,000 bytes
VDF version: 7.11.53.216 - Thursday, 13 December 2012
IVDF version: 7.11.53.216 - Thursday, 13 December 2012

General description: ADWARE/ - Adware

This detection identifies software that displays advertisements (usually inside an Internet browser) by modifying the pages being displayed or by opening additional pages that contain advertisements, and/or that monitors and transmits information about the user's activity. Such adware programs are usually installed by the user, or are bundled with other software the user installs (typically offered free of charge as an inducement, or selected through a default installation option).

The user may not be aware that this software has been installed, or may not be aware of its behaviour. This detection is intended to flag files and behaviour that are part of legitimate ad-displaying or user-activity-monitoring software.

This detection can be disabled; doing so is advisable for users who know that the software has been loaded, or who do not wish such software to be detected.
Method of propagation:
   • No own spreading routine


Aliases:
   • Symantec: Downloader
   • Mcafee: Generic PUP.x!bxk
   • Avast: Skodna.Generic.AFC
   • PCTools: Downloader.Generic
   • Eset: Win32/InstallMate
   • DrWeb: Adware.Downware.448
   • Norman: W32/Suspicious_Gen4.BGZMA


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows 7


Side effects:
   • Drops files
   • Registry modification

Files: It creates the following files:

– Non-malicious files:
   • C:\Documents and Settings\Administrator\Local Settings\Temp\Tsu%eight-character random string%.dll
   • C:\Documents and Settings\Administrator\Local Settings\Temp\%eight-character random string%.dat
   • C:\Documents and Settings\Administrator\Local Settings\Temp\%eight-character random string%\_Setup.dll
   • C:\Documents and Settings\Administrator\Local Settings\Temp\%eight-character random string%\Setup.ico
   • C:\Documents and Settings\Administrator\Local Settings\Temp\%eight-character random string%\_Setupx.dll
   • C:\Documents and Settings\Administrator\Local Settings\Temp\%eight-character random string%\Setup.exe
   • %ALLUSERSPROFILE%\TSR8.tmp
   • %ALLUSERSPROFILE%\Application Data\TSR9.tmp
   • %ALLUSERSPROFILE%\Application Data\TSRA.tmp
   • %ALLUSERSPROFILE%\Application Data\TSRB.tmp
   • %ALLUSERSPROFILE%\Application Data\InstallMate\{F46AD279-DAAF-44D1-9E83-6D44907CAA50}\_Setup.dll
   • %ALLUSERSPROFILE%\Application Data\InstallMate\{F46AD279-DAAF-44D1-9E83-6D44907CAA50}\Setup.ico
   • %ALLUSERSPROFILE%\Application Data\InstallMate\{F46AD279-DAAF-44D1-9E83-6D44907CAA50}\_Setupx.dll
   • %ALLUSERSPROFILE%\Application Data\InstallMate\{F46AD279-DAAF-44D1-9E83-6D44907CAA50}\Setup.exe
   • %ALLUSERSPROFILE%\Application Data\InstallMate\{F46AD279-DAAF-44D1-9E83-6D44907CAA50}\TsuDll.dll
   • C:\Documents and Settings\Administrator\Local Settings\Temp\%eight-character random string%\x86\regsvr32.exe
   • C:\Documents and Settings\Administrator\Local Settings\Temp\%eight-character random string%\x64\regsvr32.exe
   • %ALLUSERSPROFILE%\Application Data\InstallMate\{F46AD279-DAAF-44D1-9E83-6D44907CAA50}\Setup.dat
   • C:\Documents and Settings\Administrator\Local Settings\Temp\sample.log

It attempts to execute the following file:

– Filename:
   • %ALLUSERSPROFILE%\Application Data\Premium\Agent\Agent.exe

Registry: The following registry key and values are added:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F46AD279-DAAF-44D1-9E83-6D44907CAA50}]
   • "UninstallString"="C:\DOCUME~1\\ALLUSE~1\\APPLIC~1\\INSTAL~1\\{F46AD~1\\Setup.exe /remove /q0"
   • "QuietUninstallString"="C:\DOCUME~1\\ALLUSE~1\\APPLIC~1\\INSTAL~1\\{F46AD~1\\Setup.exe /remove /q"
   • "ModifyPath"="C:\DOCUME~1\\ALLUSE~1\\APPLIC~1\\INSTAL~1\\{F46AD~1\\Setup.exe /q0"
   • "Version"=dword:01000000
   • "VersionMajor"=dword:00000001
   • "VersionMinor"=dword:00000000
   • "EstimatedSize"=dword:000000e4
   • "Language"=dword:00000409
   • "TSAware"=dword:00000001
   • "TinFolder"="C:\Documents and Settings\\All Users\\Application Data\\InstallMate\\{F46AD279-DAAF-44D1-9E83-6D44907CAA50}"
   • "TinVersion"="7022"
   • "InstallDate"="20121204"
   • "InstallLocation"=" %ALLUSERSPROFILE%\\Application Data\\Premium\\Agent"
   • "InstallSource"="C:\%malware execution directory%"
   • "DisplayIcon"=" %ALLUSERSPROFILE%\\Application Data\\InstallMate\\{F46AD279-DAAF-44D1-9E83-6D44907CAA50}\\Setup.ico"
   • "DisplayName"="Agent"
   • "DisplayVersion"="1.0"
   • "Publisher"="Premium"
   • "TizPath"="C:\%malware execution directory% \\%malware file%"
   • "CategoryName"="Bflix"
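The dropped files listed above and the Uninstall key with the InstallMate GUID are the host artefacts a responder can check for. As an added example that is not part of the Avira description, the Python below turns those listings into path and registry patterns and runs them over a constructed sample; the rule names, the sample input and the assumption that the eight-character random string is alphanumeric are mine.

```python
import re

INSTALLMATE_GUID = "{F46AD279-DAAF-44D1-9E83-6D44907CAA50}"  # from the page's listing
RAND8 = r"[0-9A-Za-z]{8}"  # assumption: the eight-character random string is alphanumeric

# Each rule maps one artefact family from the description to a path regex.
FILE_RULES = {
    "tsu_temp_dll": re.compile(r"\\Local Settings\\Temp\\Tsu" + RAND8 + r"\.dll$", re.I),
    "temp_setup_dir": re.compile(
        r"\\Local Settings\\Temp\\" + RAND8
        + r"\\(?:_Setupx?\.dll|Setup\.(?:exe|ico)|x(?:86|64)\\regsvr32\.exe)$", re.I),
    "tsr_tmp": re.compile(r"\\TSR[89AB]\.tmp$", re.I),
    "installmate_dir": re.compile(r"\\InstallMate\\" + re.escape(INSTALLMATE_GUID) + r"\\", re.I),
    "premium_agent": re.compile(r"\\Premium\\Agent\\Agent\.exe$", re.I),
}

def match_files(paths):
    """Return {path: rule_name} for every path that hits one of FILE_RULES."""
    hits = {}
    for path in paths:
        for name, rx in FILE_RULES.items():
            if rx.search(path):
                hits[path] = name
                break
    return hits

def match_registry(keys):
    """Return the Uninstall keys whose subkey is the InstallMate GUID."""
    suffix = "\\UNINSTALL\\" + INSTALLMATE_GUID.upper()
    return [k for k in keys if k.upper().endswith(suffix)]

def triage(paths, keys):
    """The Uninstall key alone, or two distinct file families, marks the host suspect."""
    files, regs = match_files(paths), match_registry(keys)
    return {"file_hits": files, "registry_hits": regs,
            "suspect": bool(regs) or len(set(files.values())) >= 2}

# Constructed sample input (not from a real host): artefacts mixed with benign noise.
SAMPLE_PATHS = [
    r"C:\Documents and Settings\Administrator\Local Settings\Temp\TsuA1B2C3D4.dll",
    r"C:\Documents and Settings\Administrator\Local Settings\Temp\A1B2C3D4\_Setupx.dll",
    r"C:\Documents and Settings\All Users\Application Data\TSR9.tmp",
    r"C:\Documents and Settings\All Users\Application Data\InstallMate\{F46AD279-DAAF-44D1-9E83-6D44907CAA50}\Setup.exe",
    r"C:\Documents and Settings\All Users\Application Data\Premium\Agent\Agent.exe",
    r"C:\WINDOWS\system32\regsvr32.exe",  # legitimate copy, must not match
]
SAMPLE_KEYS = [
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F46AD279-DAAF-44D1-9E83-6D44907CAA50}",
]
```

A lone TSR?.tmp in %ALLUSERSPROFILE% is weak evidence on its own, which is why triage() requires either the Uninstall key or two different artefact families before it reports a host as suspect.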

Description inserted by Elias Lan on Thursday, 6 December 2012
Description updated by Elias Lan on Thursday, 6 December 2012
