SoftwareBundler:Win32/Dowadmin
First posted on 23 March 2016.
Source: Microsoft
Aliases:
There are no other names known for SoftwareBundler:Win32/Dowadmin.
Explanation :
Installation
This unwanted software is usually installed when you try to download legitimate software from third-party websites. It can create files in %TEMP% using random file and folder names, for example:
- %TEMP%\ipcidjamebz7isbji64\1ssu2nf8g.dll
- %TEMP%\ipcidjamebz7isbji64\2ppxtw78qf.dll
- %TEMP%\ipcidjamebz7isbji64\lua51.dll
- %TEMP%\ipcidjamebz7isbji64\yzvwssxxcduuklwxnnrsdebc90vwff90ij.dll
Behavior
Installs unwanted software
This program doesn't give you an option to decline the installation of unwanted software, or exit the installer. The "decline" option is greyed out and can't be clicked.
Connects to a remote host
We have seen this unwanted software connect to the following remote hosts using port 80:
- mirror.downloadnet.com
- service.downloadadmin.com
It connects to these remote hosts to:
- Report the successful installation of the unwanted software
- Download other unwanted software
- Download an XML file that contains information about the offered and bundled programs
- Download the contents of the installer's user interface
- Download the end user license agreement
Additional information
The contents of the installer's user interface are saved to %TEMP%\<random folder name>\skin, for example %TEMP%\ipcidjamebz7isbji64\skin. This folder includes the file index.html that defines the look and functionality of the program's user interface.
Analysis by Diana Lopera
Last update 23 March 2016
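The following hunting sketch is an added example, not part of the original entry or any Microsoft tooling. It sweeps a TEMP directory for folders that combine the artifacts described above (lua51.dll, other DLLs, and skin\index.html); the matching rule and the helper names are assumptions, and the sample tree is constructed.

```python
import tempfile
from pathlib import Path

def find_bundler_dirs(temp_root):
    """Return subfolders of temp_root whose layout matches the entry above."""
    hits = []
    for folder in sorted(Path(temp_root).iterdir()):
        try:
            if not folder.is_dir():
                continue
            names = {f.name.lower() for f in folder.iterdir()}
        except OSError:
            continue  # unreadable folder: skip rather than abort the sweep
        dlls = sorted(n for n in names if n.endswith(".dll"))
        has_lua = "lua51.dll" in names
        has_skin = (folder / "skin" / "index.html").is_file()
        # Assumed heuristic: Lua runtime + skin\index.html + at least one more DLL.
        # lua51.dll alone is not enough; legitimate software ships it too.
        if has_lua and has_skin and len(dlls) >= 2:
            hits.append({"folder": folder.name, "dlls": dlls})
    return hits

def build_constructed_sample(root):
    """Create a constructed TEMP tree: one matching folder, one benign folder."""
    root = Path(root)
    bad = root / "ipcidjamebz7isbji64"  # folder name taken from the example paths
    (bad / "skin").mkdir(parents=True)
    (bad / "skin" / "index.html").write_text("<html></html>")
    for name in ("1ssu2nf8g.dll", "2ppxtw78qf.dll", "lua51.dll"):
        (bad / name).write_bytes(b"")
    good = root / "some_game_installer"  # constructed benign case
    good.mkdir()
    (good / "lua51.dll").write_bytes(b"")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for hit in find_bundler_dirs(build_constructed_sample(tmp)):
            print(hit["folder"], hit["dlls"])
```

On a Windows host, pass the expanded %TEMP% path (for example `os.environ["TEMP"]`) as `temp_root`.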