ffv.exe

InstallIQ

W3i, LLC

The InstallIQ (InstallX) installation program is a co-bundle stub that devlivers software monetization offers during installation. These offers include web browser toolbars and extensions. The application ffv.exe, “InstallIQ Installation Utility” by W3i has been detected as adware by 5 anti-malware scanners. This is a setup and installation application and has been known to bundle potentially unwanted software. The file has been seen being downloaded from files.downloadangels.com.
Publisher:
W3i, LLC  (signed and verified)

Product:
InstallIQ

Description:
InstallIQ Installation Utility

Version:
1.120.0.0

MD5:
0830856f4066613176e7b40b4f5d081e

SHA-1:
ff148f0122749ccdaaf04a1ac8696b28d583fdc9

SHA-256:
64ef7a64cfe6f22ca1c244db25d5cbaf1160bef8ea8a517b812e8704533fab03

Scanner detections:
5 / 68

Status:
Adware

Explanation:
InstallIQ is a bundled offer download and install manager that is designed to show sponsored offers during installation that typically includes adware type toolbars, browser extensions and plugin or other potentially unwanted software along with the promised application.

Analysis date:
11/21/2017 1:43:51 AM UTC  (today)

Scan engine
Detection
Engine version

Dr.Web
Adware.W3i.9
9.0.1.082

ESET NOD32
Win32/InstallIQ (variant)
8.8548

Reason Heuristics
PUP.Installer.W3i.D
14.8.7.19

Sophos
InstallQ
4.90

VIPRE Antivirus
InstallIQ Installer
19452

File size:
434.7 KB (445,120 bytes)

Product version:
1.120.0.0

Copyright:
Copyright ©2010 W3i Holdings, LLC. All rights reserved.

Original file name:
InstallIQStub.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\documents and settings\utilizador\ambiente de trabalho\anatoliy\programu\ffv.exe

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
6/19/2011 1:00:00 AM

Valid to:
7/2/2013 12:59:59 AM

Subject:
CN="W3i, LLC", OU=Digital ID Class 3 - Microsoft Software Validation v2, O="W3i, LLC", L=Sartell, S=Minnesota, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
6A5D73F262C38BBD4578AB6AD713318D

File PE Metadata
Compilation timestamp:
12/3/2012 2:26:54 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
12288:lq+jjoHovDxF1XyIk7HvSwJTfVuTP8Rfxjl9m:lq+wHovLs7HvSwhfVuTP8pdlI

Entry address:
0xD5FE

Entry point:
E8, C5, 85, 00, 00, E9, 78, FE, FF, FF, CC, CC, CC, CC, CC, CC, CC, CC, 8B, 54, 24, 0C, 8B, 4C, 24, 04, 85, D2, 74, 69, 33, C0, 8A, 44, 24, 08, 84, C0, 75, 16, 81, FA, 00, 01, 00, 00, 72, 0E, 83, 3D, E4, 70, 46, 00, 00, 74, 05, E9, 79, 86, 00, 00, 57, 8B, F9, 83, FA, 04, 72, 31, F7, D9, 83, E1, 03, 74, 0C, 2B, D1, 88, 07, 83, C7, 01, 83, E9, 01, 75, F6, 8B, C8, C1, E0, 08, 03, C1, 8B, C8, C1, E0, 10, 03, C1, 8B, CA, 83, E2, 03, C1, E9, 02, 74, 06, F3, AB, 85, D2, 74, 0A, 88, 07, 83, C7, 01, 83, EA, 01, 75...
 
[+]

Code size:
292 KB (299,008 bytes)

The file ffv.exe has been seen being distributed by the following URL.

Remove ffv.exe - Powered by Reason Core Security