PUA.Win32.Installcore.MANHOCFD

This Potentially Unwanted Application arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It does not have any propagation routine.

It does not have any backdoor routine.

It connects to certain websites to send and receive information.

Arrival Details

This Potentially Unwanted Application arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Potentially Unwanted Application adds the following processes:

• {Malware File Path}\{Malware File Name}.exe" /_ShowProgress /PrTxt:TG9hZGluZy4uLg==

It creates the following folders:

• %User Temp%\inH{Random}
• %User Temp%\inH{Random}\css
• %User Temp%\inH{Random}\css\sdk-ui
• %User Temp%\inH{Random}\css\sdk-ui\images
• %User Temp%\inH{Random}\images
• %User Temp%\inH{Random}\locale
• %User Temp%\inH{Random}\locale\DLM
• %User Temp%\in{Random}

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

Propagation

This Potentially Unwanted Application does not have any propagation routine.

Backdoor Routine

This Potentially Unwanted Application does not have any backdoor routine.

Rootkit Capabilities

This Potentially Unwanted Application does not have rootkit capabilities.

Dropping Routine

This Potentially Unwanted Application drops the following files:

• %User Temp%\{Random}.log
• %User Temp%\inH{Random}\css\ie6_Dlm_main.css
• %User Temp%\inH{Random}\css\mainDlm.css
• %User Temp%\inH{Random}\css\sdk-ui\browse.css
• %User Temp%\inH{Random}\css\sdk-ui\button.css
• %User Temp%\inH{Random}\css\sdk-ui\checkbox.css
• %User Temp%\inH{Random}\css\sdk-ui\images\button-bg.png
• %User Temp%\inH{Random}\css\sdk-ui\images\progress-bg-corner.png
• %User Temp%\inH{Random}\css\sdk-ui\images\progress-bg.png
• %User Temp%\inH{Random}\css\sdk-ui\images\progress-bg2.png
• %User Temp%\inH{Random}\css\sdk-ui\progress-bar.css
• %User Temp%\inH{Random}\csshover3.htc
• %User Temp%\inH{Random}\images\BGD.png
• %User Temp%\inH{Random}\images\Close.png
• %User Temp%\inH{Random}\images\Close_Hover.png
• %User Temp%\inH{Random}\images\Color_Button.png
• %User Temp%\inH{Random}\images\Color_Button_Hover.png
• %User Temp%\inH{Random}\images\default_tb.png
• %User Temp%\inH{Random}\images\default_wi.png
• %User Temp%\inH{Random}\images\Grey_Button.png
• %User Temp%\inH{Random}\images\Grey_Button_Hover.png
• %User Temp%\inH{Random}\images\Icon_Generic.png
• %User Temp%\inH{Random}\images\Loader.gif
• %User Temp%\inH{Random}\images\Pause_Button.png
• %User Temp%\inH{Random}\images\ProgressBarD.png
• %User Temp%\inH{Random}\images\ProgressD.png
• %User Temp%\inH{Random}\images\Quick_Specs.png
• %User Temp%\inH{Random}\images\Resume_Button.png
• %User Temp%\inH{Random}\images\sponsored.png
• %User Temp%\inH{Random}\locale\DLM\EN.locale
• %User Temp%\{Random}.log
• %User Temp%\in{Random}\{Random}.tmp
• %User Temp%\{Random}.log
• %User Temp%\inH{Random}\bootstrap_{Random}.html
• %User Temp%\{Random}.log

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

Other Details

This Potentially Unwanted Application connects to the following website to send and receive information:

• http://rp.{BLOCKED}tute1.com/?v=2.0&subver=6.21&pcrc={Random}
• http://info.{BLOCKED}tute1.com/?v=1.03&c=90d9712f&at=1128754588&cntr={counter}

It does the following:

• It displays the following during installation:
  
• It displays the following message boxes:
  

It does not exploit any vulnerability.