cnet_winrar-x64-401_exe.exe

CNET Download.com Installer

CBS Interactive, Inc.

The application cnet_winrar-x64-401_exe.exe by CBS Interactive has been detected as a potentially unwanted program by 10 anti-malware scanners. The program is a setup application that uses the DownloadCom Spot Install installer. The setup program uses the InstallCore engine, which may bundle additional software offers including toolbars and browser extensions. Users of this installer expect to download the WinRAR archiver, but before that happens they may be presented with additional offers, mostly potentially unwanted software or adware.
Publisher:
CBS Interactive  (signed by CBS Interactive, Inc.)

Product:
CNET Download.com Installer

Version:
1.2.3.0

MD5:
d6696ccbad78bcd4a6881401ebb44a74

SHA-1:
6eb94745bfc8c8f47799488c90df2a4e62187420

SHA-256:
d46bed5edbe3648cc04011f50d9e63dcd79e13b9fe3a60cb8e2db517b49784ea

Scanner detections:
10 / 68

Status:
Potentially unwanted

Explanation:
Uses the InstallCore download manager to install additional potentially unwanted software which may include extensions such as DealPly and various toolbars.

Description:
This is also known as bundleware, or downloadware, which is a downloader designed simply to deliver ad-supported offers in the setup routine of otherwise legitimate software.

Analysis date:
4/16/2024 9:09:31 PM UTC

| Scan engine | Detection | Engine version |
| --- | --- | --- |
| Agnitum Outpost | Adtool.InstallCore.Gen.2 | 7.1.1 |
| Dr.Web | Adware.InstallCore.2 | 9.0.1.062 |
| ESET NOD32 | Win32/InstallCore (variant) | 8.9002 |
| F-Prot | W32/InstallCore.I.gen | v6.4.7.1.166 |
| G Data | Win32.Trojan.Agent.AM83Y7 | 14.3.22 |
| Reason Heuristics | Bundler.PPI.CBSInteractive.U | 14.8.1.0 |
| Rising Antivirus | PE:PUF.InstallCore!1.9DE1 | 23.00.65.14730 |
| SUPERAntiSpyware | PUP.CNETInstaller | 10749 |
| Trend Micro House Call | TROJ_GEN.F47V0528 | 7.2.62 |
| Vba32 AntiVirus | WebToolbar.InstallCore | 3.12.24.3 |

File size:
443.5 KB (454,120 bytes)

Product version:
1.2.3.0

Copyright:
CBS Interactive

File type:
Executable application (Win32 EXE)

Bundler/Installer:
DownloadCom Spot Install

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\cnet_winrar-x64-401_exe.exe

Digital Signature
Authority:
DigiCert Inc

Valid from:
7/9/2011 5:00:00 AM

Valid to:
7/12/2013 5:00:00 PM

Subject:
CN="CBS Interactive, Inc.", O="CBS Interactive, Inc.", L=San Francisco, S=California, C=US

Issuer:
CN=DigiCert High Assurance Code Signing CA-1, OU=www.digicert.com, O=DigiCert Inc, C=US

Serial number:
0203D2F5E7ABE93E2FC72BD3381C32C0

File PE Metadata
Compilation timestamp:
6/20/1992 3:22:17 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
6144:OA+SBz0oAt5c/572jwhhwVgS0YYljRKSVAQSeTrJQOcsPWWqXMsZ1RdHnW++PgqS:JBzKc/5721VghlVP1TlQEW5XvzjJqed

Entry address:
0xFE560

Entry point:
60, BE, 00, 00, 4A, 00, 8D, BE, 00, 10, F6, FF, C7, 87, 10, B7, 0B, 00, 7E, 0B, 1C, 4D, 57, 83, CD, FF, EB, 0E, 90, 90, 90, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, 0B, 75, 28, 8B, 1E, 83, EE, FC, 11, DB, 72, 1F, 48, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, EB, D4, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, EB, 52, 31, C9, 83, E8, 03, 72, 11, C1, E0, 08, 8A, 06, 46...

Entropy:
7.8594

Packer / compiler:
UPX v0.89.6 - v1.02 / v1.05 -v1.22 (Delphi) stub

Code size:
380 KB (389,120 bytes)

The file cnet_winrar-x64-401_exe.exe has been seen being distributed by the following 2 URLs.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to phx1-rb-api-wax-web-lb.cnet.com  (64.30.224.89:80)

TCP (HTTP):
Connects to ec2-54-207-11-184.sa-east-1.compute.amazonaws.com  (54.207.11.184:80)
