PDFArchitect try to download adware?

Pure88 · March 13, 2012, 7:45am

I download and install PDFArchitect but my Trend Micro antivirus block a download by setup program

the url is http://www.bestdlzone.com/nsi/nsis-2.46/PDFArchitect_5460.exe

I go to this website it report

When accessing data from the URL, "http://www.bestdlzone.com/nsi/nsis-2.46/PDFArchitect_5460.exe"

a virus or unwanted program 'ADWARE/Agent.cwnru' [adware] was found.

Action taken: Blocked file

Is PDFArchitect adware?

philip · March 13, 2012, 9:39am

Hello,

where did you download PDFArchitect from? I have no clue what the URL is that has been called there...

kind regards,
Philip

ryanlrussell · March 16, 2012, 9:14pm

I can confirm this behavior. I downloaded PDFCreator-1_3_0_setup.exe from the Sourceforge download server. It looks like you are using at least two different ad networks. I can see reference to them in your installer code. One, opencandy.com, does not produce the attempted download described. The second, www.mickyfastdl.com, is the one causing the problem. This is what the request looks like:

GET /download.php?lH2CeQ== HTTP/1.0
Host: www.mickyfastdl.com
User-Agent: InnoTools_Downloader

HTTP/1.1 302 Found
Date: Fri, 16 Mar 2012 03:02:52 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.3
Cache-Control: no-cache, must-revalidate
Content-Disposition: attachment; filename="InstallMonetizer.exe"
Location: http://www.bestdlzone.com/nsi/nsis-2.46/PDFCreator_5459.exe
Content-Length: 0
Content-Type: text/html; charset=UTF-8
Connection: close

And of course the InnoTools_Downloader follows the 302 and tries to download the file:

GET /nsi/nsis-2.46/PDFCreator_5459.exe HTTP/1.0
Host: www.bestdlzone.com
User-Agent: InnoTools_Downloader

HTTP/1.1 401 Access Denied
Content-Type: text/html
Content-Length: 250

Potential Threat Detected

Access Denied

The page you are trying to access, http://www.bestdlzone.com/nsi/nsis-2.46/PDFCreator_5459.exe, has a potential threat detected.

(Note that it only got a 401 and the warning text because of my security appliance blocking the download. The file can be downloaded just fine from an unprotected Internet connection.)

The .exe it tries to download is identified by a couple of the engines on VirusTotal as adware.

Enkidu · March 23, 2012, 11:27am

I just tried to install PDFCreator 1.3.1 on a XP-vmware image that has no Internet access. It fails telling me

---------------------------
Sorry, the files could not be downloaded. Click 'Retry' to try downloading the files again, or click 'Next' to continue installing anyway.
---------------------------

It is VERY BAD that I need Internet access due to adware! >:-(

Can you please disable that it is neccessary to have Internet access for installation? Tnx!

Enkidu

virus · March 23, 2012, 12:02pm

I have installed PDFCreator on several machines and i found that this download Ad-ware is aleatory, sometimes try to download this and others sometimes don’t.

Capture screen
http://bayimg.com/FAnBnaadi

https://www.virustotal.com/file/5cd6145f7877ead29f7cccee062d47661dfa4062f34bf7ccfd3de9292568fd3f/analysis/

philip · March 23, 2012, 1:45pm

Hello,

there is no internet access required. As you have quoted in the message, you can simple press "Next" to continue with the installation.

kind regards,
Philip

philip · March 19, 2012, 4:19pm

Thank you for the detailed information. I got confused by the redirection. The downloaded file contains the advertisement offer, so the downloaded package in deed could be called AdWare (based on the definition), but it is not harmful or a potential threat.

It displays the software offer during our setup and if the user agrees, the offered software will be installed.

At the moment, virtustotal has two engines classifying it as adware, without saying that it would be harmful.

kind regards,
Philip