PUP Friday: Let’s talk generic

The detection name PUP.Optional.Downloader is probably about as non-specific as a name can get when it comes to identifying which particular unwanted program is involved. Generally, Malwarebytes uses this name to detect Crossrider uninstallers, installers from the CHIP Online download portal, and other bundlers offered as downloaders.

For this blog post, we’re going to look at a bundled program called Internet Download Manager (IDM) for Windows, which we retrieved from a third-party website, as an example of how Malwarebytes uses the PUP.Optional.Downloader detection name. This sample falls under the “other bundlers offered as downloaders” category.

During installation, it displays the following user interfaces—

—and creates the following URL shortcut files for BestOffer Everyday and iStripper, as per the latest sample we have retrieved and tested.

[Image: BestOffer Everyday and iStripper shortcut icons]

IDM also integrates itself into Chrome and Firefox as browser extensions:

After installation, IDM visits two websites in succession via the Opera browser, the first one triggering Malwarebytes to block a URL it has deemed malicious—

—and the second one prompting us to “update our Adobe Flash Player”:

Malwarebytes detects the IDM installer as PUP.Optional.Downloader. We also detect all dropped shortcut files as PUP.Optional.BestOffer.
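To triage dropped shortcut files like the ones described above, the following added example (not Malwarebytes' code or detection logic) parses Windows `.url` files and flags those whose file name or target host contains the product names mentioned in this post. The sample file contents and hosts are constructed placeholders, and matching on name and host is an assumption made for illustration.

```python
import configparser
from pathlib import Path
from urllib.parse import urlsplit

# Product names from the post; matching them against file name and host is an assumption.
WATCH_TERMS = ("bestoffer", "istripper")

def decode_shortcut(raw: bytes) -> str:
    """.url files are INI text: usually ANSI, sometimes UTF-16 with a BOM."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16", errors="replace")
    return raw.decode("utf-8-sig", errors="replace")

def parse_url_shortcut(raw: bytes):
    """Return the URL= value from the [InternetShortcut] section, or None."""
    cp = configparser.RawConfigParser(strict=False)  # no % interpolation, tolerate duplicates
    try:
        cp.read_string(decode_shortcut(raw))
        return cp.get("InternetShortcut", "URL")
    except configparser.Error:  # not INI text, or section/option missing
        return None

def host_of(url) -> str:
    try:
        return urlsplit(url or "").hostname or ""
    except ValueError:  # malformed authority, e.g. unbalanced brackets
        return ""

def triage(name: str, raw: bytes) -> dict:
    """Parse one shortcut and list the watch terms found in its name or host."""
    url = parse_url_shortcut(raw)
    host = host_of(url)
    hits = [t for t in WATCH_TERMS if t in f"{name} {host}".lower()]
    return {"file": name, "url": url, "host": host, "hits": hits}

def scan(folder: Path) -> list:
    """Triage every .url file under a folder, e.g. a user's Desktop."""
    return [triage(p.name, p.read_bytes()) for p in sorted(folder.rglob("*.url"))]

# Constructed samples; hosts are placeholders, not values from the post.
SAMPLES = {
    "BestOffer Everyday.url": b"[InternetShortcut]\r\nURL=http://offers.example.invalid/?id=1\r\n",
    "Team wiki.url": "[InternetShortcut]\r\nURL=https://wiki.example.invalid/\r\n".encode("utf-16"),
    "iStripper.url": b"[InternetShortcut]\r\nURL=http://istripper.example.invalid/%7Eland\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(triage(name, raw))
```

A hit only means the shortcut deserves a look; confirm against the file's creation time and the installer's run time before removing anything.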

To read more on the technical details of the sample we just discussed, you can visit our removal instruction page on the forum here.

Jovi Umawing (Thanks to Pieter for additional info)
