Virus

Riskware/InstalleRex

Analysis


Riskware/InstalleRex is a generic detection for a type of grayware that arrives as an application installation package and might download and install unwanted software.

  • The installation has no notification and cannot be cancelled once it has started.

  • It creates the following files. These files are components of the InstallMate installation package:
    • %AppData%\InstallMate\{Random GUID}\TsuDll.dll
    • %AppData%\InstallMate\{Random GUID}\_Setup.dll
    • %AppData%\InstallMate\{Random GUID}\_Setupx.dll
    • %AppData%\InstallMate\{Random GUID}\Setup.exe

  • It creates the following files:
    • %AppData%\BetterSoft\Agent\Agent.exe
    • %AppData%\BetterSoft\Agent\profile.ini : This is an encrypted configuration file. It contains the software information used by Agent.exe to download the update.
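As an added example (not part of this Fortinet entry), a read-only Python triage check that looks under a given AppData directory for the file drops listed above; the GUID folder name and the empty placeholder files in the demo tree are constructed test data, and `%AppData%` on a live host is read from the APPDATA environment variable.

```python
import re
import tempfile
from pathlib import Path

# Component names from the analysis above, lower-cased for case-insensitive matching.
INSTALLMATE_COMPONENTS = {"tsudll.dll", "_setup.dll", "_setupx.dll", "setup.exe"}
AGENT_FILES = {"agent.exe", "profile.ini"}
# The InstallMate drop sits in a {GUID}-named folder; only that shape is checked.
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)


def _matching(directory, wanted):
    """Sorted names in `directory` whose lower-cased form is in `wanted`."""
    return sorted(p.name for p in directory.iterdir() if p.name.lower() in wanted)


def scan_appdata(appdata):
    """Return (kind, folder, files) tuples for the drops described above; read-only."""
    appdata, findings = Path(appdata), []
    installmate = appdata / "InstallMate"
    if installmate.is_dir():
        for sub in installmate.iterdir():
            if sub.is_dir() and GUID_RE.match(sub.name):
                files = _matching(sub, INSTALLMATE_COMPONENTS)
                if files:
                    findings.append(("installmate", str(sub), files))
    agent = appdata / "BetterSoft" / "Agent"
    if agent.is_dir():
        files = _matching(agent, AGENT_FILES)
        if files:
            findings.append(("bettersoft_agent", str(agent), files))
    return findings


def demo():
    """Build a constructed sample layout (empty placeholder files) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        guid_dir = Path(tmp) / "InstallMate" / "{12345678-1234-1234-1234-123456789abc}"
        agent_dir = Path(tmp) / "BetterSoft" / "Agent"
        for folder, names in ((guid_dir, ("TsuDll.dll", "_Setup.dll", "_Setupx.dll", "Setup.exe")),
                              (agent_dir, ("Agent.exe", "profile.ini"))):
            folder.mkdir(parents=True)
            for name in names:
                (folder / name).touch()
        return scan_appdata(tmp)


if __name__ == "__main__":
    for kind, folder, files in demo():
        print(kind, folder, files)
```

On a Windows host, call `scan_appdata(os.environ["APPDATA"])` and quarantine only after reviewing the reported folders.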


Recommended Action

FortiGate Systems

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.

FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.