
SoftwareBundler:Win32/InstalleRex


First posted on 02 March 2015.
Source: Microsoft

Aliases:

There are no other names known for SoftwareBundler:Win32/InstalleRex.

Explanation:

Threat behavior

Installation

This program is a software bundler that installs third-party software. We have seen it bundle other applications while it installs the following software:

  • EzDownloaderPro
  • Facebook Chat Desktop






This software bundler installs copies of itself to the following locations (the placeholders stand for folder and file names that differ between samples; the examples are the names seen in the analysed sample):

  • %ALLUSERSPROFILE%\<folder>\<file>.exe, for example C:\Users\All Users\ea9abab7-9a58-bc16-ea9a-abab79a5eade\3b8d4f3fe76672acb659680bd3bd7a6f4dc831d2.exe
  • %ProgramData%\<folder>\<file>.exe, for example C:\ProgramData\5ea19cda-0b1b-937d-5ea1-19cda0b17368\3b8d4f3fe76672acb659680bd3bd7a6f4dc831d2.exe
  • %TEMP%\<folder>\
  • %TEMP%\<folder>\temp\<file>.exe, for example %TEMP%\E8aC3A04e199\temp\3b8d4f3fe76672acb659680bd3bd7a6f4dc831d2.exe


It also creates a shortcut (.lnk) file in the Startup folder so that it runs every time you start your PC:

  • <Startup folder>\<file>.lnk, for example <Startup folder>\3b8d4f3fe76672acb659680bd3bd7a6f4dc831d2.lnk


It also creates the following component files:

  • %ALLUSERSPROFILE%\<folder>\<file>.dat, for example %ALLUSERSPROFILE%\{ea9abab7-9a58-bc16-ea9a-abab79a5eade}\3b8d4f3fe76672acb659680bd3bd7a6f4dc831d2.dat
  • %ProgramData%\<folder>\<file>.dat, for example %ProgramData%\{5ea19cda-0b1b-937d-5ea1-19cda0b17368}\3b8d4f3fe76672acb659680bd3bd7a6f4dc831d2.dat
  • %TEMP%\<folder>\images\loader.gif, for example %TEMP%\E8aC3A04e199\images\loader.gif
  • %TEMP%\<folder>\images\progressbar.gif, for example %TEMP%\E8aC3A04e199\images\progressbar.gif
  • %TEMP%\<folder>\steps\<step>.ini.txt, for example %TEMP%\E8aC3A04e199\steps\3_2.ini.txt
  • %TEMP%\<folder>\steps\<step>.ini.task, for example %TEMP%\E8aC3A04e199\steps\6_1_0.ini.task


It creates the following registry entries. Together they register a COM interface named ITinyJSObject and a type library named JSIELib whose win32 path points at the copy dropped under %TEMP%; a type library registered from a temporary directory is itself a useful indicator, independent of the specific GUIDs:

In subkey: HKCU\Software\WebApp\Styles
Sets value: "MaxScriptStatements"
With data: "dword:ffffffff"

In subkey: HKCU\Software\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}
Sets value: "(Default)"
With data: "ITinyJSObject"

In subkey: HKCU\Software\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ProxyStubClsid32
Sets value: "(Default)"
With data: "{00020424-0000-0000-C000-000000000046}"

In subkey: HKCU\Software\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib
Sets value: "(Default)"
With data: "{157B1AA6-3E5C-404A-9118-C1D91F537040}"
Sets value: "Version"
With data: "1.0"

In subkey: HKCU\Software\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0
Sets value: "(Default)"
With data: "JSIELib"

In subkey: HKCU\Software\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\0\win32
Sets value: "(Default)"
With data: "%TEMP%\<folder>\temp\<file>.exe", for example: "%TEMP%\E8aC3A04e199\temp\3b8d4f3fe76672acb659680bd3bd7a6f4dc831d2.exe"

In subkey: HKCU\Software\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\FLAGS
Sets value: "(Default)"
With data: "0"

In subkey: HKCU\Software\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\HELPDIR
Sets value: "(Default)"
With data: "%TEMP%"

Behavior

Installs unwanted software onto your PC

We have seen this program install unwanted software on your PC without your permission, including:

  • Adware:Win32/SaverExtension
  • BrowserModifier:Win32/CouponRuc


Connects to a remote host

We have seen this program connect to the following remote sites to download configuration files:

  • c1.diriginal.org
  • i1.coolinary.info
  • r1.fasties.org
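
The file, registry and network indicators listed in this entry can be checked offline. The following is an added example written for this page, not code from Microsoft or from the analysed sample: a Python matcher that takes a registry export in the format `reg export` writes, a list of file paths and resolver log lines, and reports what matches. The GUID-style folder name and the 40-hex-digit file name are generalised to patterns because the examples above show them varying between samples, and the check for a type library registered from a Temp directory is a heuristic added here that goes beyond the literal indicators. All three sample inputs are constructed for the example, not captured from a real host.

```python
"""Offline IOC matcher for the InstalleRex indicators listed in this entry.
Added example for this page, not Microsoft's code; every input below is constructed."""
import re
from typing import Dict, List

# Fixed indicators copied from the entry.
INTERFACE_IID = "{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}"
TYPELIB_ID = "{157B1AA6-3E5C-404A-9118-C1D91F537040}"
CONFIG_HOSTS = {"c1.diriginal.org", "i1.coolinary.info", "r1.fasties.org"}

# The GUID-style folder and the 40-hex-digit file name differ between the
# examples in the entry, so they are matched as patterns rather than literals.
_GUID = r"\{?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}?"
_HEX40 = r"[0-9a-f]{40}"
PATH_PATTERNS = {
    "copy or .dat component under ProgramData": re.compile(
        rf"\\(?:ProgramData|All Users)\\{_GUID}\\{_HEX40}\.(?:exe|dat)$", re.I),
    "file under the %TEMP%\\<folder> working directory": re.compile(
        rf"\\Temp\\[0-9a-z]+\\(?:temp\\{_HEX40}\.exe|images\\\w+\.gif"
        r"|steps\\[0-9_]+\.ini\.\w+)$", re.I),
    "startup-folder persistence .lnk": re.compile(rf"\\Startup\\{_HEX40}\.lnk$", re.I),
}


def match_paths(paths: List[str]) -> List[str]:
    """Return 'reason: path' for each path that matches one of the patterns."""
    return [f"{reason}: {p}" for p in paths
            for reason, rx in PATH_PATTERNS.items() if rx.search(p)]


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the single-line subset of .reg syntax that `reg export` writes: [key]
    headers, "name"=data lines and @=data for the default value. Keys come back
    upper-cased as HKCU\\... / HKLM\\...; quoted string data has its doubled
    backslashes collapsed, dword:/hex: data is kept verbatim."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = (line[1:-1].replace("HKEY_CURRENT_USER", "HKCU")
                       .replace("HKEY_LOCAL_MACHINE", "HKLM").upper())
            keys[current] = {}
        elif current is not None and "=" in line:
            name, data = line.split("=", 1)
            name = "(Default)" if name == "@" else name.strip('"')
            if data.startswith('"'):
                data = data.strip('"').replace("\\\\", "\\")
            keys[current][name] = data
    return keys


def check_registry(keys: Dict[str, Dict[str, str]]) -> List[str]:
    hits = []
    for key, values in keys.items():
        default = values.get("(Default)", "")
        if key.endswith("\\SOFTWARE\\WEBAPP\\STYLES") and \
                values.get("MaxScriptStatements", "").lower() == "dword:ffffffff":
            hits.append(f"WebApp\\Styles MaxScriptStatements=ffffffff at {key}")
        if INTERFACE_IID in key and default == "ITinyJSObject":
            hits.append(f"ITinyJSObject interface registration at {key}")
        if TYPELIB_ID in key and default == "JSIELib":
            hits.append(f"JSIELib type library registration at {key}")
        # Heuristic beyond the literal IOCs: no legitimate installer registers a
        # type library whose win32 path lives in a Temp directory.
        if "\\TYPELIB\\" in key and key.endswith("\\WIN32") \
                and re.search(r"\\Temp\\", default, re.I):
            hits.append(f"type library served from Temp: {default}")
    return hits


def match_dns(log_lines: List[str]) -> List[str]:
    """Return the lines whose queried name is one of the configuration hosts."""
    hits = []
    for line in log_lines:
        names = (t.rstrip(".").lower() for t in re.findall(r"[A-Za-z0-9.-]+", line))
        if any(n in CONFIG_HOSTS for n in names):
            hits.append(line)
    return hits


def scan(paths, reg_text, dns_lines) -> Dict[str, List[str]]:
    return {"files": match_paths(paths),
            "registry": check_registry(parse_reg_export(reg_text)),
            "dns": match_dns(dns_lines)}


# ---- constructed sample inputs (not captured from a real host) ----
SAMPLE_PATHS = [
    r"C:\ProgramData\5ea19cda-0b1b-937d-5ea1-19cda0b17368\3b8d4f3fe76672acb659680bd3bd7a6f4dc831d2.exe",
    r"C:\ProgramData\{5ea19cda-0b1b-937d-5ea1-19cda0b17368}\3b8d4f3fe76672acb659680bd3bd7a6f4dc831d2.dat",
    r"C:\Users\alice\AppData\Local\Temp\E8aC3A04e199\temp\3b8d4f3fe76672acb659680bd3bd7a6f4dc831d2.exe",
    r"C:\Users\alice\AppData\Local\Temp\E8aC3A04e199\images\loader.gif",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3b8d4f3fe76672acb659680bd3bd7a6f4dc831d2.lnk",
    r"C:\Program Files\Vendor\app.exe",
]
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\WebApp\Styles]
"MaxScriptStatements"=dword:ffffffff
[HKEY_CURRENT_USER\Software\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}]
@="ITinyJSObject"
[HKEY_CURRENT_USER\Software\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0]
@="JSIELib"
[HKEY_CURRENT_USER\Software\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\0\win32]
@="C:\\Users\\alice\\AppData\\Local\\Temp\\E8aC3A04e199\\temp\\3b8d4f3fe76672acb659680bd3bd7a6f4dc831d2.exe"
"""
SAMPLE_DNS = [
    "2015-03-02T09:14:02Z client=10.0.0.21 qtype=A qname=c1.diriginal.org.",
    "2015-03-02T09:14:05Z client=10.0.0.21 qtype=A qname=www.example.com.",
    "2015-03-02T09:14:09Z client=10.0.0.21 qtype=A qname=R1.FASTIES.ORG.",
]

if __name__ == "__main__":
    for section, hits in scan(SAMPLE_PATHS, SAMPLE_REG, SAMPLE_DNS).items():
        print(section, *hits, sep="\n  ")
```

On a live host, replace the three constructed inputs with the output of `reg export HKCU\Software`, a listing of %ProgramData%, %ALLUSERSPROFILE%, %TEMP% and the Startup folder, and your resolver logs. The dropped file and folder names vary between samples, so the path patterns are more durable than the literal hashes; the interface and type-library GUIDs, by contrast, are listed as fixed values in this entry and make good exact-match indicators.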



Additional information

When this program installs other software it records an installation date one year in the past, so that the software does not show up as recently installed in the list of installed programs (the original entry illustrates this with a screenshot).
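
One way to turn that back-dating into a check, as an added example that is not part of the original entry: the "Installed On" column in Programs and Features comes from the `InstallDate` value (a yyyyMMdd string) of each subkey under `Software\Microsoft\Windows\CurrentVersion\Uninstall`, while the subkey itself carries a last-write timestamp in the hive that the installer cannot predate. An entry whose claimed install date sits about a year before its key was written is therefore a candidate. The Uninstall entries below are constructed sample data; the display names reuse the bundled applications named above, and the `KeyLastWrite` field is assumed to have been collected from the hive with a hive parser, since the PowerShell registry provider does not expose it.

```python
"""Flag Uninstall entries whose claimed install date was back-dated by about a year.
Added example for this page, not Microsoft's code; the entries below are constructed."""
from datetime import date, datetime
from typing import List, Optional, Tuple

# What a collector pulls from each subkey under
# HKLM|HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall (constructed data):
#   InstallDate  - the yyyyMMdd string that Programs and Features shows as "Installed On"
#   KeyLastWrite - the subkey's last-write timestamp, assumed read from the hive
SAMPLE_UNINSTALL = [
    {"DisplayName": "EzDownloaderPro", "InstallDate": "20140302",
     "KeyLastWrite": datetime(2015, 3, 2, 10, 17)},
    {"DisplayName": "Facebook Chat Desktop", "InstallDate": "20140301",
     "KeyLastWrite": datetime(2015, 3, 2, 10, 18)},
    {"DisplayName": "Some Text Editor 4.1", "InstallDate": "20150225",
     "KeyLastWrite": datetime(2015, 2, 25, 18, 3)},
    {"DisplayName": "Old but honest tool", "InstallDate": "20120114",
     "KeyLastWrite": datetime(2012, 1, 14, 9, 0)},
    {"DisplayName": "No InstallDate value", "KeyLastWrite": datetime(2015, 1, 9, 12, 0)},
]


def parse_install_date(value: Optional[str]) -> Optional[date]:
    """InstallDate is a yyyyMMdd string; anything else (missing, free text) yields None."""
    try:
        return datetime.strptime(value, "%Y%m%d").date()
    except (TypeError, ValueError):
        return None


def find_backdated(entries, min_gap_days: int = 300,
                   max_gap_days: int = 430) -> List[Tuple[str, int]]:
    """Return (DisplayName, gap in days) for entries whose InstallDate lies roughly
    a year before the key was written. The key's last-write time is stamped when
    the installer writes the values, so a claimed date a year earlier is fabricated.
    A window rather than a bare "older than" test keeps genuinely old installs out;
    an upgrade that rewrote an old key can still land in it, so corroborate a hit
    with the creation time of the InstallLocation folder before acting on it."""
    flagged = []
    for e in entries:
        claimed = parse_install_date(e.get("InstallDate"))
        written = e.get("KeyLastWrite")
        if claimed is None or written is None:
            continue
        gap = (written.date() - claimed).days
        if min_gap_days <= gap <= max_gap_days:
            flagged.append((e["DisplayName"], gap))
    return flagged


if __name__ == "__main__":
    for name, gap in find_backdated(SAMPLE_UNINSTALL):
        print(f"{name}: InstallDate is {gap} days before the key was written")
```

The window is deliberately wide enough to catch the one-year offset described here whether or not a leap day falls inside it; widen it further if you want to catch other offsets, and treat a missing or malformed `InstallDate` as a separate, weaker signal rather than a match.
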
Analysis by James Dee

Symptoms

The following can indicate that you have this threat on your PC:

  • You see these entries or keys in your registry:
    • In subkey: HKCU\Software\WebApp\Styles
      Sets value: "MaxScriptStatements"
      With data: "dword:ffffffff"
    • In subkey: HKCU\Software\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}
      Sets value: "(Default)"
      With data: "ITinyJSObject"
    • In subkey: HKCU\Software\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ProxyStubClsid32
      Sets value: "(Default)"
      With data: "{00020424-0000-0000-C000-000000000046}"
    • In subkey: HKCU\Software\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib
      Sets value: "(Default)"
      With data: "{157B1AA6-3E5C-404A-9118-C1D91F537040}"
      Sets value: "Version"
      With data: "1.0"
    • In subkey: HKCU\Software\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0
      Sets value: "(Default)"
      With data: "JSIELib"
    • In subkey: HKCU\Software\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\0\win32
      Sets value: "(Default)"
      With data: "%TEMP%\<folder>\temp\<file>.exe", for example: "%TEMP%\E8aC3A04e199\temp\3b8d4f3fe76672acb659680bd3bd7a6f4dc831d2.exe"
    • In subkey: HKCU\Software\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\FLAGS
      Sets value: "(Default)"
      With data: "0"
    • In subkey: HKCU\Software\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\HELPDIR
      Sets value: "(Default)"
      With data: "%TEMP%"
  • You see this program's installation prompts (shown as screenshots in the original entry).

Last update 02 March 2015

 
