
I was tricked into downloading a .exe file in the Google Chrome browser, expecting a simple text file. I did click on the link that started the download, and I did click once on the download at the bottom left of my browser, where Chrome normally shows the downloads.

In these cases, I expect Chrome and/or Windows to give me a warning about not running downloaded executables from untrusted sites, but I didn't get any. Chrome simply ran the executable, showing me some kind of installer for some kind of download manager. Of course I killed the process as soon as I saw I had run the executable. But I don't know whether the opportunity the executable had is enough to cause damage.

A scan by virustotal on the executable shows a lot of hits:

AVG               Generic.7E5
AVware            InstallCore (fs)
AhnLab-V3         PUP/Win32.InstallCore
Avira (no cloud)  PUA/InstallCore.Gen4
Bkav              W32.HfsAdware.FEB6
ESET-NOD32        a variant of Win32/InstallCore.ACZ potentially unwanted
GData             Win32.Adware.InstallCore.GF
Ikarus            PUA.InstallCore
K7AntiVirus       Adware ( 004d2b271 )
K7GW              Adware ( 004d2b271 )
Malwarebytes      PUP.Optional.BundleInstaller
NANO-Antivirus    Trojan.Win32.InstallCore.ebwcin
Qihoo-360         HEUR/QVM06.1.0000.Malware.Gen
Sophos            Install Core Click run software (PUA)
Symantec          SMG.Heur!gen
VBA32             Malware-Cryptor.InstallCore.gen
VIPRE             InstallCore (fs)
Yandex            PUA.InstallCore!

My questions:

  • How can it be that Google Chrome just went ahead and ran the file without any warning?
  • This file (.exe) was a software installer, and once it was running I killed it with Task Manager. Could this technically already have harmed my PC, even though I didn't install the product the installer was offering?
  • Or could it be that Chrome and/or Windows recognized the file as an installer and therefore just let me run it, assuming I can always decline the installation later on? The installer was signed by PromptSpeedy (Fried Cookie Ltd), GlobalSign CodeSigning CA - SHA256 - G2 and GlobalSign.
  • If not, what steps should I take to prevent further damage, now that I have already run this file once?

More details on the file can be seen here: https://www.virustotal.com/nl/file/cdd371ffcef65b9a3fa3856ad5d4f3935319715c35bedf6cce06ae3ae9d5a4e5/analysis/1462894859/

nl-x

2 Answers


"could this technically have harmed my PC?"

YES, it was an executable which was loaded into memory and running under your user account with your permissions, possibly even elevated as an installer.

Whether it did or not, who knows? But it was delivered under shady circumstances (file name redirection; leveraging the "hide extensions default"), and is flagged as an adware installer.

Probably it was simply asking for permission to infect your computer with needless adware: a kind of gentleman's agreement to rip you off.

Yorik

The setting for this prompt is found in "Start Menu" > "Internet Options" > "Security" > (Internet) > "Custom level..." > "Launching applications and unsafe files" > choose one of the following options:

  • Disable
  • Enable
  • Prompt (recommended)

UAC settings also play a role in preventing files from running.

Aron Einhorn
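The option Aron describes is stored in the registry as URL action 1806 ("Launching applications and unsafe files") of the Internet zone (zone 3), and Windows applies it to files that carry a Mark-of-the-Web (the Zone.Identifier alternate data stream Chrome writes on downloads). The PowerShell below is an added example, not part of either answer or of the original question: it reads that value and maps it to Enable/Prompt/Disable, offers a one-liner to set it back to Prompt, and parses the Zone.Identifier stream of a downloaded file so you can check whether it was actually marked as coming from the Internet zone. The registry path and the value meanings (0 = Enable, 1 = Prompt, 3 = Disable) are standard Windows ones; the download path at the bottom is a placeholder.

```powershell
# Added example, not from the original answers. Assumes Windows PowerShell 3+
# (for Get-Content -Stream) and per-user zone settings under HKCU.
# Internet zone = 3; URL action 1806 = "Launching applications and unsafe files".
$ZoneKey       = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$ActionName    = '1806'
$ActionMeaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-UnsafeFileLaunchPolicy {
    # Returns the configured option for action 1806, or notes the default
    # when no explicit value is present for the Internet zone.
    $props = Get-ItemProperty -Path $ZoneKey -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.$ActionName) {
        return 'Prompt (not set; Windows default for the Internet zone)'
    }
    $value = [int]$props.$ActionName
    if ($ActionMeaning.ContainsKey($value)) { return $ActionMeaning[$value] }
    return "Unknown value $value"
}

function Set-UnsafeFileLaunchPrompt {
    # Sets action 1806 to Prompt (1), the option the answer recommends.
    Set-ItemProperty -Path $ZoneKey -Name $ActionName -Value 1 -Type DWord
}

function Get-MarkOfTheWeb {
    # Reads the Zone.Identifier stream a browser writes on a download.
    # ZoneId=3 means "Internet", which is the zone action 1806 applies to.
    param([Parameter(Mandatory)][string]$Path)
    try {
        $lines = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction Stop
    } catch {
        # No stream: the file has no Mark-of-the-Web, so zone checks will not fire.
        return [pscustomobject]@{ Path = $Path; HasMark = $false; ZoneId = $null; Referrer = $null; Host = $null }
    }
    $fields = @{}
    foreach ($line in $lines) {
        if ($line -match '^(\w+)=(.*)$') { $fields[$Matches[1]] = $Matches[2] }
    }
    [pscustomobject]@{
        Path     = $Path
        HasMark  = $true
        ZoneId   = if ($fields.ContainsKey('ZoneId')) { [int]$fields['ZoneId'] } else { $null }
        Referrer = $fields['ReferrerUrl']   # present on newer Chrome builds, may be empty
        Host     = $fields['HostUrl']
    }
}

# Usage (the download path is a placeholder for the file you were tricked into fetching):
"Launching applications and unsafe files (Internet zone): $(Get-UnsafeFileLaunchPolicy)"
Get-MarkOfTheWeb -Path "$env:USERPROFILE\Downloads\suspicious-installer.exe" | Format-List
```

If the per-user value is ignored on your machine, check whether a machine-wide policy is in force: the same Zones\3 key under HKLM, together with the Security_HKLM_only policy value, overrides the HKCU setting this example reads. A file whose Zone.Identifier stream is missing or whose ZoneId is not 3 will not trigger the Internet-zone prompt at all, regardless of how action 1806 is set.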