PUA:Win32/VOPackage

Installation

This application can be downloaded from websites that offer third-party software downloads. For example, we have seen it downloaded from:

• publishell.com
• www.wifihotspotcreator.com
• gsf-cf.softonic.com
• download1438.mediafire.com
• download1618.mediafire.com

We have seen this application use the following file names:

• Setup.exe
• Setup (1).exe
• Setup (2).exe
• SaveAs.exe
• UpdateMyDrivers.exe
• IZArcInstall.exe
• Setup (3).exe
• Setup (4).exe
• Setup (5).exe

It can be digitally signed by the following vendors:

• Maxiget Limited
• InstallShell (Clickshell Ltd.)
• AnySend
• Freewebapps (Clickshell Ltd.)
• SmartTweak Software Ltd

We have seen this application using product names such as:

• setup
• Filegetter
• SuperCharging
• Install Generic
• IZArc

This application communicates with domains such as:

• mobilitydata5.com
• software-repository.com
• dl.samplayeedmed.com
• b2-31d2.kxcdn.com
• www.lvqifa.com

For example:

• mobilitydata5.com/SysInfo/tem.php?
• mobilitydata5.com/SysInfo/tem.php?
• mobilitydata5.com/SysInfo/countup.php?

Payload

Exhibits suspicious behaviors

We have observed this application exhibit the following potentially unwanted behavior on PCs:

• Installs programs that start automatically when your PC starts
• Installs a driver on your PC
• Injects into other processes on your system
• Changes your browser's default homepage settings
• Changes your browser's default new tab page settings
• Changes your browser's default search provider settings
• Changes your browser's shortcuts - this can be often used to take over your homepage by adding command-line arguments that change how the page is loaded
• Installs extensions into your browsers - this is often used to inject ads, add toolbars, or change how your browser works
• Changes the Google Chrome secure preferences - this behavior is commonly associated with tampering with the default homepage or search provider in Chrome
• Changes your Internet Explorer proxy auto-configuration setting - we often see this used to inject ads in your browser as you browse the web
• Changes your browser's proxy settings - we often see this used to inject ads into your browser as you browse the web
• Modifies your browser proxy settings to local host - this is commonly used to inject ads into your browsers
• Registers a Layered Service Provider (LSP) to intercept network traffic - this is commonly used to inject ads into your browsers
• Injects code into your browsers - this suspicious behavior is often used to bypass firewall settings or to change how your browser works
• Changes the Mozilla Firefox certificate database - we see this commonly used by ad-injection applications that insert ads in your browser as you browse the web
• Installs a trusted root certificate authority on your PC - this is a dangerous behavior that can undermine the security of your PC and web browsing. Most commonly we see this being used by ad-injection applications that insert ads in your browser as you browse the web
• Changes your system hosts file - this is used to redirect or disable access to specific websites, and is often abused by suspicious applications to disable competitor websites or apps, security products, or updates
• Modifies your DNS settings - we sometimes see this used to inject ads into your browser as you browse the web
• Disables anti-virus on your system
• Tampers with Windows Group Policy settings

Installs other programs

We have seen this application install other software on your PC. Some of these applications might be bundled during the installation process and not intended to be installed. We have seen it installing programs such as:

• CleanBrowser
• Body Text Feathering
• AdSkip
• SpaceSoundPro
• Caster
• TTWiFi 1.0.0.1
• SafeFinder
• GPL
• shopperz

This description was published using automated analysis.