Adware.Win32.Instacore.AC

This Adware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This Adware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Adware drops the following files:

• {Install Directory}\ImgBurn
• {Install Directory}\ImgBurn\ImgBurn.exe
• {Install Directory}\ImgBurn\ImgBurnPreview.exe
• {Install Directory}\ImgBurn\ReadMe.txt
• {Install Directory}\ImgBurn\Sounds\Success.wav
• {Install Directory}\ImgBurn\Sounds\Error.wav
• {Install Directory}\ImgBurn\uninstall.exe
• %Common Programs%\ImgBurn.lnk
• %Common Programs%\ImgBurn\Uninstall.lnk
• %Common Programs%\ImgBurn\ImgBurn.lnk
• %Common Programs%\ImgBurn\ImgBurn Read Me.lnk
• %Desktop%\ImgBurn.lnk

(Note: %Common Programs% is the folder that contains common program groups for all users, which is usually C:\Documents and Settings\All Users\Start Menu\Programs on Windows 2000, XP, and Server 2003, or C:\ProgramData\Microsoft\Windows\Start Menu\Programs on Windows Vista, 7, and 8.. %Desktop% is the current user's desktop, which is usually C:\Documents and Settings\{User Name}\Desktop on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\Desktop on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

Other System Modifications

This Adware adds the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
ImgBurn.AssocFile.{file extension}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
ImgBurn.AssocFile.{file extension}\DefaultIcon

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
ImgBurn.AssocFile.{file extension}\shell

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
ImgBurn.AssocFile.{file extension}\shell\open

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
ImgBurn.AssocFile.{file extension}\shell\open\
command

It adds the following registry entries:

HKEY_CURRENT_USER\Software\ImgBurn
EVENTS_CheckForProgramUpdate = 2

HKEY_CURRENT_USER\Software\ImgBurn
InstallDirectory = {Install Directory}\ImgBurn

HKEY_CURRENT_USER\Software\ImgBurn
VersionMajor = 2

HKEY_CURRENT_USER\Software\ImgBurn
VersionMinor = 5

HKEY_CURRENT_USER\Software\ImgBurn
VersionRevision = 8

HKEY_CURRENT_USER\Software\ImgBurn
VersionBuild = 0

HKEY_CURRENT_USER\Software\ImgBurn
INSTALLER_StartMenuShortcuts = 1

HKEY_CURRENT_USER\Software\ImgBurn
INSTALLER_DesktopIcon = 1

HKEY_CURRENT_USER\Software\ImgBurn
INSTALLER_QuickLaunchIcon = 1

HKEY_CURRENT_USER\Software\ImgBurn
INSTALLER_InstallAllUsers = 1

HKEY_LOCAL_MACHINE\SOFTWARE\ImgBurn
EVENTS_CheckForProgramUpdate = 2

HKEY_CURRENT_USER\Software\ImgBurn
INSTALLER_EnableSPTIAccessAllUsers = 0

HKEY_CURRENT_USER\Software\ImgBurn
INSTALLER_EnableSPTIAccessRemoteSessions = 0

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
ImgBurn.AssocFile.{file extension}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
ImgBurn.AssocFile.{file extension}
FriendlyTypeName = Disc Image File

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
ImgBurn.AssocFile.{file extension}\DefaultIcon

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
ImgBurn.AssocFile.{file extension}\shell\open

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
ImgBurn.AssocFile.{file extension}\shell\open\
command

Other Details

This Adware connects to the following possibly malicious URL:

• http://rp.{BLOCKED}g.com/
• http://www.{BLOCKED}n.com/css/default.css