The Latest in IT Security

Win32/DomaIQ – An annoying bundled adware.

19 Jun 2013

Win32/DomaIQ is adware that comes bundled with legitimate software.
A recently discovered sample was bundled with Flash Player and .NET Framework.
During installation, the bundle offers to uncheck unwanted components, but doing so actually has no effect. Uninstalling DomaIQ through the Windows uninstaller is difficult and not always successful.
The file is a Nullsoft installer that installs the following files:

            %TempDir%\D??\FLASHPLAYER_???\CONFIG.DLL
            %TempDir%\D??\FLASHPLAYER_???\ROUTES.DLL
            %TempDir%\D??\FLASHPLAYER_???\DOMAIQ.EXE
            %TempDir%\D??\FLASHPLAYER_???\DOMAIQ10.EXE

CONFIG.DLL and ROUTES.DLL are actually not DLLs but data files used by the adware. DOMAIQ.EXE and DOMAIQ10.EXE are components of the adware, combined with random characters that differ from bundle to bundle.
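The file layout listed above can be turned into a host check. This added example, not code from the original post, looks under a temp directory for the `D??\FLASHPLAYER_???` folders and flags `.DLL` files that lack a PE header; reading `?` as a single wildcard character, matching `DOMAIQ*.EXE`, and all function names are assumptions.

```python
import fnmatch
import os
import tempfile

# Names as listed in the write-up; "?" is read as one wildcard character (assumption).
OUTER_DIR, INNER_DIR = "D??", "FLASHPLAYER_???"
DATA_FILES = ("CONFIG.DLL", "ROUTES.DLL")   # described as data files, not DLLs
EXE_PATTERN = "DOMAIQ*.EXE"                 # assumed to cover DOMAIQ.EXE and DOMAIQ10.EXE


def is_pe(path):
    """True if the file starts with the 'MZ' magic every PE file carries."""
    with open(path, "rb") as fh:
        return fh.read(2) == b"MZ"


def subdirs(parent, pattern):
    """Sub-directories of parent whose upper-cased name matches pattern."""
    try:
        entries = list(os.scandir(parent))
    except OSError:                         # unreadable directory: skip it
        return []
    return [e.path for e in entries
            if e.is_dir() and fnmatch.fnmatchcase(e.name.upper(), pattern)]


def find_domaiq_drops(temp_dir):
    """Report directories under temp_dir that match the described drop layout."""
    findings = []
    for outer in subdirs(temp_dir, OUTER_DIR):
        for inner in subdirs(outer, INNER_DIR):
            names = {n.upper(): os.path.join(inner, n) for n in os.listdir(inner)}
            exes = sorted(n for n in names if fnmatch.fnmatchcase(n, EXE_PATTERN))
            if not exes:
                continue
            data = [n for n in DATA_FILES if n in names]
            # A ".DLL" without an MZ header matches the "data file" description.
            non_pe = [n for n in data if not is_pe(names[n])]
            findings.append({"dir": inner, "files": exes + data, "non_pe_dlls": non_pe})
    return findings


if __name__ == "__main__":
    for hit in find_domaiq_drops(tempfile.gettempdir()):
        print(hit)
```

A hit only means the directory matches the layout described here; confirm with an anti-malware scan before removing anything.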
When installed, the adware looks up the default browser and uses it to display advertisements.
To avoid infection by the bundled adware, make sure the sites from which updates are downloaded are legitimate and not merely pretending to be. If you visit a site that asks for a software update, it is better to avoid downloading directly from that site; instead, update using the software itself, manually from the software vendor's site, or through the ‘update plugins’ menu in the browser. A site that offers to install bundled software is potentially unsafe and could contain other adware or malware. It is advisable to avoid browsing such sites, or to browse them with precautions such as using a virtual machine.
