cnet_bf1942_mp_demo_exe.exe

CNET Download.com Installer

CBS Interactive, Inc.

The application cnet_bf1942_mp_demo_exe.exe by CBS Interactive has been detected as a potentially unwanted program by 14 anti-malware scanners. The program is a setup application that uses the DownloadCom Spot Install installer. The setup program uses the InstallCore engine, which may bundle additional software offers including toolbars and browser extensions. The file has been observed being downloaded from software-files-lrl.cnet.com.
Publisher:
CBS Interactive (signed by CBS Interactive, Inc.)

Product:
CNET Download.com Installer

Version:
1.2.3.0

MD5:
fca1fae371791a6cd7613c2b9951c356

SHA-1:
f803a149e606fc9575d558179937cb436be56437

SHA-256:
8f3a85f172a6f4c4325996fdee68469372d8fa0d68d8593ddd59d34186e40cf0

Scanner detections:
14 / 68

Status:
Potentially unwanted

Explanation:
Uses the InstallCore download manager to install additional potentially unwanted software which may include extensions such as DealPly and various toolbars.

Description:
This is also known as bundleware, or downloadware, which is a downloader designed simply to deliver ad-supported offers in the setup routine of otherwise legitimate software.

Analysis date:
11/23/2024 1:24:35 AM UTC  (today)

Scan engine | Detection | Engine version
--- | --- | ---
Agnitum Outpost | Adtool.InstallCore.Gen.2 | 7.1.1
Clam AntiVirus | Adware.Downloader-207 | 0.98/19485
Dr.Web | Adware.Zugo.38 | 9.0.1.0129
ESET NOD32 | Win32/InstallCore (variant) | 9.6599
Fortinet FortiGate | Riskware/InstallCore | 5/9/2015
F-Prot | W32/InstallCore.I.gen | v6.4.7.1.166
G Data | Win32.Trojan.Agent.AM83Y7 | 15.5.24
herdProtect (fuzzy) | | 2015.8.7.8
IKARUS anti.virus | Trojan.Win32.Agent | t3scan.1.6.1.0
Reason Heuristics | Bundler.PPI.Installer.CBS | 15.5.9.13
Rising Antivirus | Suspicious | 23.00.65.15507
SUPERAntiSpyware | PUP.CNETInstaller | 9886
Trend Micro House Call | TROJ_GEN.F47V0518 | 7.2.129
Vba32 AntiVirus | Signed-Adware.InstallCore | 3.12.26.3

File size:
443.5 KB (454,120 bytes)

Product version:
1.2.3.0

Copyright:
CBS Interactive

File type:
Executable application (Win32 EXE)

Bundler/Installer:
DownloadCom Spot Install

Common path:
C:\users\{user}\downloads\cnet_bf1942_mp_demo_exe.exe

Digital Signature
Authority:
DigiCert Inc

Valid from:
7/9/2011 2:00:00 AM

Valid to:
7/12/2013 2:00:00 PM

Subject:
CN="CBS Interactive, Inc.", O="CBS Interactive, Inc.", L=San Francisco, S=California, C=US

Issuer:
CN=DigiCert High Assurance Code Signing CA-1, OU=www.digicert.com, O=DigiCert Inc, C=US

Serial number:
0203D2F5E7ABE93E2FC72BD3381C32C0

File PE Metadata
Compilation timestamp:
6/20/1992 12:22:17 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
6144:uA+SBz0oAt5c/572jwhhwVgS0YYljRKSVAQSeTrJQOcsPWWqXMsZ1RdHnW++PgqS:pBzKc/5721VghlVP1TlQEW5XvzjJqed

Entry address:
0xFE560

Entry point:
60, BE, 00, 00, 4A, 00, 8D, BE, 00, 10, F6, FF, C7, 87, 10, B7, 0B, 00, 7E, 0B, 1C, 4D, 57, 83, CD, FF, EB, 0E, 90, 90, 90, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, 0B, 75, 28, 8B, 1E, 83, EE, FC, 11, DB, 72, 1F, 48, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, EB, D4, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, EB, 52, 31, C9, 83, E8, 03, 72, 11, C1, E0, 08, 8A, 06, 46...

Packer / compiler:
UPX v0.89.6 - v1.02 / v1.05 -v1.22 (Delphi) stub

Code size:
380 KB (389,120 bytes)

The file cnet_bf1942_mp_demo_exe.exe has been seen being distributed by the following URL.
