SecurityHome.eu PUA:Win32/Downer

Home / malware PDF

PUA:Win32/Downer

First posted on 07 July 2016.
Source: Microsoft
Aliases :
There are no other names known for PUA:Win32/Downer.
Explanation :
Installation

This application can be downloaded from websites that offer third-party software downloads. For example, we have seen it downloaded from:

d30.97you.net

ftp-idc.pconline.com.cn

d31.97you.net

d18.97you.net

c4.97you.net

We have seen this application use the following file names:

360safe+105720+n7c1c19219_8100000379736961492.exe

WeChatSetup_8100001718927051285.exe

å°é©¬Win10æ¿€æ´»å·¥å…·_18@181378.exe

wrar531sc_8100000001687033317.exe

360safe+105720+n6075a44d8_8200000379736961491.exe

AbodeReader11-setup_5100000013227047490.exe

360è½¯ä»¶ç®¡å®¶_18@29663.exe

WinRAR_30@62747.exe

AbodeReader11-setup_8100000013227047490.exe

It can be digitally signed by the following vendors:

Riyue Tongxing Information Technology (Beijing) Co.,Ltd.

Riyue peer information technology (Beijing) Co., Ltd

Wang Xin'gang

Yang Bin

LLC "SLOBODA PROYEKT"

We have seen this application using product names such as:

downer for windows

maldner for windows

æ–°æœˆæ—¥åŽ†

åŽå†›ä¸€é”®å®‰è£…å™¨

ç³»ç»Ÿä¹‹å®¶ä¸€é”®é‡è£…

This application communicates with domains such as:

api.down.72zx.com

api2.down.72zx.com

static.down.72zx.com

adm.down.72zx.com

baisqq.static.kingnet.com

For example:

adm.down.72zx.com/upload/20160603/1464952782.png

api.down.72zx.com/stat?

api2.down.72zx.com/stat?

Payload

Exhibits suspicious behaviors

We have observed this application exhibit the following potentially unwanted behavior on PCs:

Installs programs that start automatically when your PC starts

Modifies boot configuration data - This is sometimes used to allow unsigned drivers to be loaded

Injects into other processes on your system

Modifies file associations on your system

Changes your browser's default homepage settings

Changes your browser's shortcuts - often this can be used to take over your homepage by adding command-line arguments that change how the page is loaded

Installs extensions into your browsers - often this is used to inject ads, add toolbars, or change how your browser works

Registers a Layered Service Provider (LSP) to intercept network traffic - this is commonly used to inject ads into your browsers

Tampers with Windows Group Policy settings

Disables User Access Control (UAC) on your system

Installs other programs

We have seen this application install other software on your PC. Some of these applications might be bundled during the installation process and not intended to be installed. We have seen it installing programs such as:

ç™¾åº¦2.5

Funshion

QQæµè§ˆå™¨

å°æ¸”å£çº¸ç¾ŽåŒ–ç¨‹åº

360å®‰å…¨å«å£«

ä¼ å¥‡ç››ä¸–

æ¸¸çªæ¸¸æˆç›’

ç™¾åº¦è¾“å…¥æ³•

360å®‰å…¨æµè§ˆå™¨

This description was published using automated analysis.
Last update 07 July 2016

TOP

Malware :

Last 20