Home / malwarePDF  

PUA:Win32/CandyOpen


First posted on 22 June 2016.
Source: Microsoft

Aliases :

There are no other names known for PUA:Win32/CandyOpen.

Explanation :

Installation

This application can be downloaded from websites that offer third-party software downloads. For example, we have seen it downloaded from:

  • download.freemake.net
  • www.magicaljellybean.com
  • www.cdisplayex.com
  • cdn.loadto.net
  • files.downloadnow.com


We have seen this application use the following file names:
  • FreemakeVideoConverterSetup.exe
  • uTorrent.exe
  • FreemakeVideoDownloaderSetup.exe
  • KeyFinderInstaller.exe
  • BitTorrent.exe
  • FreemakeAudioConverterSetup.exe
  • CDisplayExWin64v1.10.29.exe
  • FreemakeYouTubeToMP3BoomSetup.exe
  • CDex-1.79-win32.exe
  • FreeYouTubeToMP3Converter.exe


It can be digitally signed by the following vendors:
  • Ellora Assets Corporation
  • BitTorrent Inc
  • Digital Wave Ltd
  • ONE UP LTD.
  • Sevas-S LLC


We have seen this application using product names such as:
  • Freemake Video Converter
  • µTorrent
  • Freemake Video Downloader
  • OpenCandy recommendation engine
  • CDex


This application communicates with domains such as:
  • apps.bittorrent.com
  • cdn.ap.bittorrent.com
  • utclient.utorrent.com
  • www.mininova.org


For example:
  • www.mininova.org/favicon.ico
  • update.bittorrent.com/time.php
  • cdn.ap.bittorrent.com/control/feature/tags/ut.json


Payload

Exhibits suspicious behaviors

We have observed this application exhibit the following potentially unwanted behavior on PCs:
  • Installs programs that start automatically when your PC starts
  • Modifies boot configuration data - This is sometimes used to allow unsigned drivers to be loaded
  • Injects into other processes on your system
  • Modifies file associations on your system
  • Changes your browser's default homepage settings
  • Changes your browser's default new tab page settings
  • Changes your browser's shortcuts - often this can be used to take over your homepage by adding command-line arguments that change how the page is loaded
  • Installs extensions into your browsers - this is often used to inject ads, add toolbars, or change how your browser works
  • Abuses Group Policy settings to install extensions into your browser without your consent
  • Changes your Internet Explorer proxy auto-configuration setting - we often see this used to inject ads in your browser as you browse the web
  • Changes your browser's proxy settings - we often see this used to inject ads into your browser as you browse the web
  • Modifies your browser proxy settings to local host - this is commonly used to inject ads into your browsers
  • Registers a Layered Service Provider (LSP) to intercept network traffic - this is commonly used to inject ads into your browsers
  • Installs a trusted root certificate authority on your PC - this is a dangerous behavior that can undermine the security of your PC and web browsing. Most commonly we see this being used by ad-injection applications that insert ads in your browser as you browse the web
  • Changes your system hosts file - this is used to redirect or disable access to specific websites, and is often abused by suspicious applications to disable competitor websites or apps, security products, or updates


Installs other programs

We have seen this application install other software on your PC. Some of these applications might be bundled during the installation process and not intended to be installed. We have seen it installing programs such as:
  • µTorrent
  • Freemake Video Converter version 4.1.9
  • Cheat Engine 6.5.1
  • Freemake Video Downloader
  • The Desktop Weather 2.0
  • BitTorrent
  • DAEMON Tools Lite
  • Freemake Audio Converter version 1.1.8
  • Pluto TV version 0.2.0
  • Magical Jelly Bean KeyFinder


This description was published using automated analysis.

Last update 22 June 2016

 

TOP