PUA.Win32.InstallCore.WFEJLN

This Potentially Unwanted Application arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It may be manually installed by a user.

Arrival Details

This Potentially Unwanted Application arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It may be manually installed by a user.

Installation

This Potentially Unwanted Application drops the following files:

• %User Temp%\ish{random numbers}\css\ie6_main.css
• %User Temp%\ish{random numbers}\css\main.css
• %User Temp%\ish{random numbers}\css\sdk-ui\browse.css
• %User Temp%\ish{random numbers}\css\sdk-ui\button.css
• %User Temp%\ish{random numbers}\css\sdk-ui\checkbox.css
• %User Temp%\ish{random numbers}\css\sdk-ui\images\button-bg.png
• %User Temp%\ish{random numbers}\css\sdk-ui\images\progress-bg-corner.png
• %User Temp%\ish{random numbers}\css\sdk-ui\images\progress-bg.png
• %User Temp%\ish{random numbers}\css\sdk-ui\images\progress-bg2.png
• %User Temp%\ish{random numbers}\css\sdk-ui\progress-bar.css
• %User Temp%\ish{random numbers}\csshover3.htc
• %User Temp%\ish{random numbers}\dat\upd.DAT
• %User Temp%\ish{random numbers}\form.bmp.Mask
• %User Temp%\ish{random numbers}\images\Close.png
• %User Temp%\ish{random numbers}\images\Close_Hover.png
• %User Temp%\ish{random numbers}\images\Color_Button.png
• %User Temp%\ish{random numbers}\images\Color_Button_Hover.png
• %User Temp%\ish{random numbers}\images\Grey_Button.png
• %User Temp%\ish{random numbers}\images\Grey_Button_Hover.png
• %User Temp%\ish{random numbers}\images\Loader.gif
• %User Temp%\ish{random numbers}\images\Logo.png
• %User Temp%\ish{random numbers}\images\Progress.png
• %User Temp%\ish{random numbers}\images\ProgressBar.png
• %User Temp%\ish{random numbers}\images\text-bg.png
• %User Temp%\ish{random numbers}\locale\DE.locale
• %User Temp%\ish{random numbers}\locale\EN.locale
• %User Temp%\ish{random numbers}\locale\ES.locale
• %User Temp%\ish{random numbers}\locale\FR.locale
• %User Temp%\ish{random numbers}\locale\IT.locale
• %User Temp%\ish{random numbers}\locale\PL.locale
• %User Temp%\ish{random numbers}\locale\PT.locale
• %User Temp%\ish{random numbers}\locale\RU.locale
• %User Temp%\ish{random numbers}\locale\UA.locale
• %User Temp%\ish{random numbers}\bootstrap_61704.html
• %Program Files%\Image Resizer\imageresizer.exe
• %Program Files%\Image Resizer\QtCore4.dll
• %Program Files%\Image Resizer\QtGui4.dll
• %Program Files%\Image Resizer\libgcc_s_dw2-1.dll
• %Program Files%\Image Resizer\mingwm10.dll
• %Program Files%\Image Resizer\qjson0.dll
• %Program Files%\Image Resizer\plugins\imageformats\qgif4.dll
• %Program Files%\Image Resizer\plugins\imageformats\qjpeg4.dll
• %Program Files%\Image Resizer\plugins\imageformats\qtiff4.dll
• %Program Files%\Image Resizer\uninstall.exe
• %Desktop%\Image Resizer.lnk
• %Programs%\Image Resizer\Image Resizer.lnk
• %Programs%\Image Resizer\uninstall.lnk

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, and 8.. %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, and XP (32-bit), Vista (32-bit), 7 (32-bit), and 8 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), 7 (64-bit), and 8 (64-bit).. %Desktop% is the current user's desktop, which is usually C:\Documents and Settings\{User Name}\Desktop on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\Desktop on Windows Vista, 7, and 8.. %Programs% is the folder that contains the user’s program groups, which is usually C:\Windows\Start Menu\Programs or C:\Documents and Settings\{User name}\Start Menu\Programs on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs on Windows Vista, 7, and 8.)

Autostart Technique

This Potentially Unwanted Application adds the following lines or registry entries as part of its routine:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Image Resizer
  DisplayName = "Image Resizer
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Image Resizer
  UninstallString = ""%Program Files%\Image Resizer\uninstall.exe"
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Image Resizer
  QuietUninstallString = ""%Program Files%\Image Resizer\uninstall.exe" /S
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Image Resizer
  InstallLocation = ""%Program Files%\Image Resizer"
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Image Resizer
  DisplayIcon = ""%Program Files%\Image Resizer\imageresizer.exe"
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Image Resizer
  Publisher = "Image Resizer
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Image Resizer
  HelpLink = "http://{BLOCKED}xtractor.com/uninstall.html
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Image Resizer
  URLUpdateInfo = "http://{BLOCKED}xtractor.com/
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Image Resizer
  URLInfoAbout = "http://{BLOCKED}xtractor.com/
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Image Resizer
  DisplayVersion = "1.0.0
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Image Resizer
  VersionMajor = "1
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Image Resizer
  VersionMinor = "0
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Image Resizer
  NoModify = "1
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Image Resizer
  NoRepair = "1
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Image Resizer
  EstimatedSize = "5233"

Other Details

This Potentially Unwanted Application connects to the following possibly malicious URL:

• http://rp.{BLOCKED}geresizer-app.com/?pcrc=1582727131
• http://os2.{BLOCKED}geresizer-app.com/CM_DS/?v=3.0&c=1620473934
• http://rp.{BLOCKED}geresizer-app.com/?pcrc=1582727131
• http://{BLOCKED}geresizer-app.com/image-resizer/welcome/oc/?iv=0
• http://ww1.{BLOCKED}geresizer-app.com/?fp=K%2BrOomVp0tSxHRzvW3jLa4DwKBeaX1%2Fszy%2BQifYIibuaG%2F5YjRPSsN9hfkhHTe4%2BHaYUzeJHJVlR8fxnDM3tJTwdnrWISmoTbx%2FV3ZZ09t%2F19jUzjlu2afSYkyeNzvdeB8bRDHGtDY%2B2WrvuVQu90EbK%2FM1dmbrQtUD%2Belg6%2FuCP2TRP%2Bj0HhSvmZJqV%2Btdn&prvtof=QI2I4zAw4n4UTNSmWU90dshbWngI36hdfawptkQ3HzE%3D&poru=cKqCscP7G9NEveothIpZXDMGo4jaTtIFRm2NW3rHtKojOwnLpFYZ1YdleG63Ls7QBnbohYB4Bp%2FDKDU8BipJ4w%3D%3D&
• http://ww1.{BLOCKED}geresizer-app.com/sk-logabpstatus.php?a=alFZdmd5c095ajBVM0FDUUxaRGY5cFFRQ2hDMkExUWhnZ1RZZ1RwcXR0K2dXdHg0RVkyOVpjZ2EzYTJVT3RzTDVnNXJwaFdjbXBLRGd1SjRoZ0Jwa3NrUTZ0MTdydUhqYXJjNkFML0dyd0k9&b=false