PUA:Win32/AskToolbar

Installation

This application can be downloaded from websites that offer third-party software downloads. For example, we have seen it downloaded from:

• ak.pipoffers.apnpartners.com
• www.avery.com

We have seen this application use the following file names:

• OffercastInstaller_AVR_U-0087-01-P_.exe
• WeatherBugSetup.exe
• SFInstaller_SFFZ_filezilla_8992693_.exe
• YTDSetup.exe
• OffercastInstaller_AVR_U-0090-01-P_.exe
• Setup-SopCast-3.5.0-2012-3-22.exe
• CuteWriter.exe
• OffercastInstaller_AVR_U-0087-01-P_ (1).exe
• OffercastInstaller_AVR_U-0112-01-P_.exe

It can be digitally signed by the following vendors:

• APN LLC
• Ask.com
• Greentree Applications SRL

We have seen this application using product names such as:

• Ask TBNotifier
• Stub Installer
• Toolbar
• Offercast - APN Install Manager
• APN Updater

This application communicates with domains such as:

• pipoffers.apnpartners.com
• offers.offercast.com
• 7500.biz
• downloads.earthnetworks.com
• files.goodgamestudios.com

For example:

• pipoffers.apnpartners.com/static/partners/generic/images/install.ico
• offers.offercast.com/PIP/Server.jhtml?
• offers.offercast.com/PIP/OfferAccept.jhtml?

Payload

Exhibits suspicious behaviors

We have observed this application exhibit the following potentially unwanted behavior on PCs:

• Installs programs that start automatically when your PC starts
• Installs extensions into your browsers - often this is used to inject ads, add toolbars, or change how your browser works

Installs other programs

We have seen this application install other software on your PC. Some of these applications might be bundled during the installation process and not intended to be installed. We have seen it installing programs such as:

• AskToolbar