SoftwareBundler:Win32/Besofter


Microsoft security software detects and removes this unwanted software.

This program installs web browser add-ons that download other software, which may include malware.

It can be bundled and installed with other software.



What to do now

SoftwareBundler:Win32/Besofter creates an uninstaller that can be accessed from the Control Panel:

  • For Windows 8, swipe in from the right and go to Start, type Uninstall and then go to Settings. In the search results, go to Uninstall a program.
  • For Windows 7 and Vista, open the Start menu and navigate to Control Panel, then Programs, and then click Uninstall a Program.
  • For XP, open the Start menu and navigate to Control Panel and then Add or Remove Programs.

The entry may be named "Agent".

If an uninstaller is not available or if you do not want to use the uninstaller that is provided, you can use the following scanning and removal tools to detect and remove SoftwareBundler:Win32/Besofter and other unwanted software from your computer:

Threat behavior

Installation

SoftwareBundler:Win32/Besofter can be bundled and installed with other software. We have seen it bundled with BetterSoftAgent.

When run, SoftwareBundler:Win32/Besofter installs the following files:

The software modifies the following registry entries to make sure the file 577855134.dll is run as a browser helper object in Internet Explorer:

In subkey: HKLM\SOFTWARE\Classes\CLSID\{14F35FFC-522A-4DD1-A07E-6B8B65C6891E}
Sets value: "(default)"
With data: "runtime class"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{14F35FFC-522A-4DD1-A07E-6B8B65C6891E}\InprocServer32
Sets value: "(default)"
With data: "%ALLUSERPROFILE%\application data\bettersoft\agent\577855134.dll"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{14F35FFC-522A-4DD1-A07E-6B8B65C6891E}\TypeLib
Sets value: "(default)"
With data: "{ac329328-7ec4-4c34-b672-0a2b90cb9b00}"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{14F35FFC-522A-4DD1-A07E-6B8B65C6891E}\Version
Sets value: "(default)"
With data: "1.0"

In subkey: HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{14F35FFC-522A-4DD1-A07E-6B8B65C6891E}
Sets value: "Compatibility Flags"
With data: "1024"

In subkey: HKLM\SOFTWARE\Classes\TypeLib\{AC329328-7EC4-4C34-B672-0A2B90CB9B00}\1.0
Sets value: "(default)"
With data: "runtimelib"

In subkey: HKLM\SOFTWARE\Classes\TypeLib\{AC329328-7EC4-4C34-B672-0A2B90CB9B00}\1.0\FLAGS
Sets value: "(default)"
With data: "0"

In subkey: HKLM\SOFTWARE\Classes\TypeLib\{AC329328-7EC4-4C34-B672-0A2B90CB9B00}\1.0\0\win32
Sets value: "(default)"
With data: "%ALLUSERPROFILE%\application data\bettersoft\agent\577855134.dll"

In subkey: HKLM\SOFTWARE\Classes\TypeLib\{AC329328-7EC4-4C34-B672-0A2B90CB9B00}\1.0\HELPDIR
Sets value: "(default)"
With data: "%ALLUSERPROFILE%\application data\bettersoft\agent"

In subkey: HKLM\SOFTWARE\Classes\Interface\{19DF2320-6A8A-4942-AC4C-C449949DFC27}\TypeLib
Sets value: "(default)"
With data: "{ac329328-7ec4-4c34-b672-0a2b90cb9b00}"

In subkey: HKLM\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4325}\TypeLib
Sets value: "(default)"
With data: "{ac329328-7ec4-4c34-b672-0a2b90cb9b00}"

In subkey: HKLM\SOFTWARE\Classes\Interface\{5B113BE7-98FF-4DA7-8441-D3AAE3836AE4}\TypeLib
Sets value: "(default)"
With data: "{ac329328-7ec4-4c34-b672-0a2b90cb9b00}"

In subkey: HKLM\SOFTWARE\Classes\Interface\{662CA6E1-37D8-4C12-8586-3AC64DF96187}\TypeLib
Sets value: "(default)"
With data: "{ac329328-7ec4-4c34-b672-0a2b90cb9b00}"

In subkey: HKLM\SOFTWARE\Classes\Interface\{8A2DAA70-D6C9-4BAA-B9CA-DE8A9F49CA12}\TypeLib
Sets value: "(default)"
With data: "{ac329328-7ec4-4c34-b672-0a2b90cb9b00}"

In subkey: HKLM\SOFTWARE\Classes\Interface\{19DF2320-6A8A-4942-AC4C-C449949DFC27}
Sets value: "(default)"
With data: "idownloadjob"

In subkey: HKLM\SOFTWARE\Classes\Interface\{19DF2320-6A8A-4942-AC4C-C449949DFC27}\ProxyStubClsid
Sets value: "(default)"
With data: "{00020424-0000-0000-c000-000000000046}"

In subkey: HKLM\SOFTWARE\Classes\Interface\{19DF2320-6A8A-4942-AC4C-C449949DFC27}\ProxyStubClsid32
Sets value: "(default)"
With data: "{00020424-0000-0000-c000-000000000046}"

In subkey: HKLM\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4325}
Sets value: "(default)"
With data: "iruntime"

In subkey: HKLM\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4325}\ProxyStubClsid
Sets value: "(default)"
With data: "{00020424-0000-0000-c000-000000000046}"

In subkey: HKLM\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4325}\ProxyStubClsid32
Sets value: "(default)"
With data: "{00020424-0000-0000-c000-000000000046}"

In subkey: HKLM\SOFTWARE\Classes\Interface\{5B113BE7-98FF-4DA7-8441-D3AAE3836AE4}
Sets value: "(default)"
With data: "irunningprocess"

In subkey: HKLM\SOFTWARE\Classes\Interface\{5B113BE7-98FF-4DA7-8441-D3AAE3836AE4}\ProxyStubClsid
Sets value: "(default)"
With data: "{00020424-0000-0000-c000-000000000046}"

In subkey: HKLM\SOFTWARE\Classes\Interface\{5B113BE7-98FF-4DA7-8441-D3AAE3836AE4}\ProxyStubClsid32
Sets value: "(default)"
With data: "{00020424-0000-0000-c000-000000000046}"

In subkey: HKLM\SOFTWARE\Classes\Interface\{662CA6E1-37D8-4C12-8586-3AC64DF96187}
Sets value: "(default)"
With data: "iwaitabletask"

In subkey: HKLM\SOFTWARE\Classes\Interface\{662CA6E1-37D8-4C12-8586-3AC64DF96187}\ProxyStubClsid
Sets value: "(default)"
With data: "{00020424-0000-0000-c000-000000000046}"

In subkey: HKLM\SOFTWARE\Classes\Interface\{662CA6E1-37D8-4C12-8586-3AC64DF96187}\ProxyStubClsid32
Sets value: "(default)"
With data: "{00020424-0000-0000-c000-000000000046}"

In subkey: HKLM\SOFTWARE\Classes\Interface\{8A2DAA70-D6C9-4BAA-B9CA-DE8A9F49CA12}
Sets value: "(default)"
With data: "idownloaderror"

In subkey: HKLM\SOFTWARE\Classes\Interface\{8A2DAA70-D6C9-4BAA-B9CA-DE8A9F49CA12}\ProxyStubClsid
Sets value: "(default)"
With data: "{00020424-0000-0000-c000-000000000046}"

In subkey: HKLM\SOFTWARE\Classes\Interface\{8A2DAA70-D6C9-4BAA-B9CA-DE8A9F49CA12}\ProxyStubClsid32
Sets value: "(default)"
With data: "{00020424-0000-0000-c000-000000000046}"

It also modifies the following registry entry to change Internet Explorer security settings:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
Sets value: "ProxyBypass"
With data: "1"

Execution

The software may try to download files, including possible malware, from virtuallyreality.info.

Analysis by Hyun Choi

Symptoms

The following system changes may indicate the installation of SoftwareBundler:Win32/Besofter:

The presence of the following files:

The presence of the registry modifications listed under Installation above.
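
One way to check a host for the registry changes listed above, as an added example that is not part of the original entry. The script is read-only, tests a subset of the listed keys, and matches the DLL path by its trailing component because the stored string may hold an expanded path rather than the literal %ALLUSERPROFILE%. Scoring ProxyBypass as a weak indicator is an assumption of this example.

```powershell
# Added example (not from the original entry): read-only check for a subset of
# the registry indicators listed on this page. It changes nothing on the host.
$clsid   = '{14F35FFC-522A-4DD1-A07E-6B8B65C6891E}'
$typelib = '{AC329328-7EC4-4C34-B672-0A2B90CB9B00}'
$classes = 'HKLM:\SOFTWARE\Classes'
$dllTail = '*\bettersoft\agent\577855134.dll'

# Name '' addresses a key's "(default)" value; Like is a -like pattern
# (case-insensitive, so the lower-case GUID data on the page still matches).
$indicators = @(
    @{ Key = "$classes\CLSID\$clsid";                 Name = ''; Like = 'runtime class'; Strong = $true }
    @{ Key = "$classes\CLSID\$clsid\InprocServer32";  Name = ''; Like = $dllTail;        Strong = $true }
    @{ Key = "$classes\CLSID\$clsid\TypeLib";         Name = ''; Like = $typelib;        Strong = $true }
    @{ Key = "$classes\TypeLib\$typelib\1.0";         Name = ''; Like = 'runtimelib';    Strong = $true }
    @{ Key = "$classes\TypeLib\$typelib\1.0\0\win32"; Name = ''; Like = $dllTail;        Strong = $true }
    @{ Key = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
       Name = 'Compatibility Flags'; Like = '1024'; Strong = $true }
    # Assumption: scored as weak because this value is not specific to this software.
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
       Name = 'ProxyBypass'; Like = '1'; Strong = $false }
)

function Test-Indicator($i) {
    # A missing key or a missing value both count as "no match".
    $key = Get-Item -LiteralPath $i.Key -ErrorAction SilentlyContinue
    if (-not $key) { return $false }
    # Read the raw string so REG_EXPAND_SZ data is compared unexpanded.
    $opt  = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames
    $data = $key.GetValue($i.Name, $null, $opt)
    return ($null -ne $data) -and ("$data" -like $i.Like)
}

$results = foreach ($i in $indicators) {
    [pscustomobject]@{
        Match  = Test-Indicator $i
        Strong = $i.Strong
        Key    = $i.Key
        Value  = if ($i.Name) { $i.Name } else { '(default)' }
    }
}
$results | Format-Table -AutoSize -Wrap

$strong = @($results | Where-Object { $_.Match -and $_.Strong }).Count
if ($strong -gt 0) { "Besofter indicators present: $strong strong match(es)" }
else { 'No strong Besofter indicators found in this registry view' }
```

On 64-bit Windows, a 32-bit component can register under the WOW6432Node view of these keys, which this example does not check.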


Prevention


Alert level: Medium
This entry was first published on: May 17, 2013
This entry was updated on: Aug 15, 2013

This threat is also detected as:
  • Backdoor.Win32.Clack.pkn (Kaspersky)
  • winpe/InstalleRex.H (Norman)
  • Trojan.DownLoader8.16612 (Dr.Web)
  • Riskware/BetterSoftAgent (other)