PUA:Win32/Elex

Installation

This application can be downloaded from websites that offer third-party software downloads. For example, we have seen it downloaded from:

• gsf-cf.softonic.com
• www.yac.mx
• dl.yac-tech.com
• d110.cdn.m6web.fr
• dl.element5.com

We have seen this application use the following file names:

• yet_another_cleaner_mat.exe
• yet_another_cleaner_reh.exe
• yet_another_cleaner_mar.exe
• yet_another_cleaner_mmacn.exe
• yet_another_cleaner_brof.exe
• yet_another_cleaner_mat (1).exe
• yet_another_cleaner_vel.exe
• yet_another_cleaner_sk.exe
• yet_another_cleaner_nvba.exe

It can be digitally signed by the following vendors:

• Elex do Brasil Participações Ltda
• Jinnan Wu
• Yanling Sun
• Taiwan Shui Mu Chih Ching Technology Limited

We have seen this application using product names such as:

• qksee
• YAC Security Protection
• Picexa Viewer
• yacdl
• YAC Security Protection

This application communicates with domains such as:

• adblock.qihuweb.com
• up.yac.mx
• xa.qihuweb.com
• dl.yac.mx
• p.filseclab.com

For example:

• adblock.qihuweb.com/getJs?
• up.yac.mx/Malware/update?
• up.yac.mx/Malware/update?

Payload

Exhibits suspicious behaviors

We have observed this application exhibit the following potentially unwanted behavior on PCs:

• Installs programs that start automatically when your PC starts
• Installs a driver on your PC
• Injects into other processes on your system
• Changes your browser's shortcuts - often this can be used to take over your homepage by adding command-line arguments that change how the page is loaded
• Installs extensions into your browsers - often this is used to inject ads, add toolbars, or change how your browser works
• Changes the Google Chrome secure preferences - this behavior is commonly associated with tampering with the default homepage or search provider in Chrome
• Uses Group Policy to control your browser settings - this should only be used by network administrators
• Injects code into your browsers - this suspicious behavior is often used to bypass firewall settings or to change how your browser works
• Modifies your DNS settings - we sometimes see this used to inject ads into your browser as you browse the web

Installs other programs

We have seen this application install other software on your PC. Some of these applications might be bundled during the installation process and not intended to be installed. We have seen it installing programs such as:

• YAC(Yet Another Cleaner!)
• WinZip
• qksee
• Internet Download Manager
• Adobe Flash Player 22 PPAPI
• CCleaner
• Mozilla Firefox 47.0 (x86 en-US)
• SMADAV version 10.8.2
• KOPLAYER Pro version: 1.3.1040

This description was published using automated analysis.