PUA.Win32.InstallCore.MANHOBYP

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

No obstante, de este modo no se podrá acceder a los sitios mencionados.

Detalles de entrada

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Instalación

Infiltra los archivos siguientes:

• %User Temp%\{Random characters}.log
• %User Temp%\{Random characters}\css\ie6_main.css
• %User Temp%\{Random characters}\css\main.css
• %User Temp%\{Random characters}\css\sdk-ui\browse.css
• %User Temp%\{Random characters}\css\sdk-ui\button.css
• %User Temp%\{Random characters}\css\sdk-ui\checkbox.css
• %User Temp%\{Random characters}\css\sdk-ui\images\button-bg.png
• %User Temp%\{Random characters}\css\sdk-ui\images\progress-bg-corner.png
• %User Temp%\{Random characters}\css\sdk-ui\images\progress-bg.png
• %User Temp%\{Random characters}\css\sdk-ui\images\progress-bg2.png
• %User Temp%\{Random characters}\css\sdk-ui\progress-bar.css
• %User Temp%\{Random characters}\csshover3.htc
• %User Temp%\{Random characters}\dat\upd.DAT
• %User Temp%\{Random characters}\form.bmp.Mask
• %User Temp%\{Random characters}\images\Close.png
• %User Temp%\{Random characters}\images\Close_Hover.png
• %User Temp%\{Random characters}\images\Color_Button.png
• %User Temp%\{Random characters}\images\Color_Button_Hover.png
• %User Temp%\{Random characters}\images\Grey_Button.png
• %User Temp%\{Random characters}\images\Grey_Button_Hover.png
• %User Temp%\{Random characters}\images\Loader.gif
• %User Temp%\{Random characters}\images\Logo.png
• %User Temp%\{Random characters}\images\Progress.png
• %User Temp%\{Random characters}\images\ProgressBar.png
• %User Temp%\{Random characters}\images\text-bg.png
• %User Temp%\{Random characters}\locale\{Country code}.locale
• %User Temp%\{Random characters}\bootstrap_{Random number}.html
• %Program Files%\{Random characters}.log
• %User Temp%\ICReinstall_{Random characters}.exe
• %User Temp%\{Random characters}\{Random number}_stp.EXE
• %Desktop%\Continue File Opener Installation.lnk
• %User Temp%\{Random characters}\{Random number}_stp.EXE.part

(Nota: %User Temp% es la carpeta Temp del usuario activo, que en el caso de Windows 2000(32-bit), XP y Server 2003(32-bit) suele estar en C:\Documents and Settings\{nombre de usuario}\Local Settings\Temp y en el case de Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) y 10(64-bit) en C:\Users\{nombre de usuario}\AppData\Local\Temp).

Rutina de descarga

Accede a los siguientes sitios Web para descargar archivos:

• http://s3.{BLOCKED}aws.com/Tweaks/distros/FileOpenerSetupG.exe

No obstante, de este modo no se podrá acceder a los sitios mencionados.

Otros detalles

Hace lo siguiente:

• It connects to the following URL to send and receive information about its installation:
  • http://rp.{BLOCKED}it.com/?pcrc={Random generated ID}
  • http://os2.{BLOCKED}it.com/Aff-AD/?v={Version of file to be installed}&c={Random generated ID}
  • http://os.{BLOCKED}it.com/CM_DS/?v={Version of file to be installed}&c={Random generated ID}
• It visits the following websites after installation. As of this writing, the said sites are inaccessible:
  • http://www.{BLOCKED}zip-it.com/file-opener/welcome/ee/?{Parameters}
• It sends the following installation information:
  • Generated ID
  • Version of file to be installed
  • System language