Reading Time: ~ 2 min.

Potentially Unwanted Applications (PUAs) continue to visually social engineer users into installing virtually useless applications. They monetize each and every install by relying on ‘bundling’ which often comes in the form of a privacy-violating toolbar or third-party application. We recently intercepted a rogue ad that entices users into downloading the Mipony Download Accelerator that is bundled with the privacy-invading FunMoods toolbar PUA, an unnecessary bargain with the integrity and confidentiality of your PC.

Sample screenshot of the landing page:


Detection rate for the PUA: MD5: 023e625cbb1b30565d46f7533ddc03db – detected by 6 out of 47 antivirus scanners as W32/InstallCore.R4.gen!Eldorado; Install Core Click run software.

Domain name reconnaissance: –;;;

Upon execution, it phones back to: – – – –

Related MD5s part of the same network that are known to have been downloaded from the same IPs, over the last couple of days:
MD5: caa5e691d1eddef66294d1323720556e
MD5: 88ba249e0fac7ece69e8a769ec9e81dc
MD5: 748346dc2138aa4927e2ad577c0a97c8
MD5: 78b98bbec669999bd51f7f408d06d9f6
MD5: 7ee56be08401efbc443c286dce641bd6
MD5: 0a6836e3f26e4be1654b18f84191985a
MD5: 3822e38b95cde512aa5a11dc21cd2699
MD5: 2cc18f48633788894e505eaa7b11f6bf
MD5: 02f5346e1ee415de637458be66eb319e
MD5: cdddec958148633578b0574d6551facd
MD5: bc276e312294916fc748937b9e9a6423
MD5: de146519fb5ffe3c5bee07f49ebd0907
MD5: 2d28af1f6bf5115532c19010edbdd463
MD5: df2181cf0b55eebf0f281562314740b1
MD5: 0a6fdc3ecb5da97038df8b28bfaf9581
MD5: df2181cf0b55eebf0f281562314740b1
MD5: 0a6fdc3ecb5da97038df8b28bfaf9581
MD5: 1cd458a9181e1c30cb2b28efd29075cd
MD5: f5976b181cde557f620578eb92535ac7
MD5: b2a7fad9f3f892577d876c74cb221525
MD5: f1242926095907cebd741d8d540567b0
MD5: 2e60e85bfaf1175c2e7ed0390b09ee67


Detection rate for the FunMoods Toolbar: MD5: 592f35f9954a7ec4c0b4985857f81ad8 – detected by 13 out of 48 antivirus scanners as Win32/InstallCore; PUP.Optional.Funmoods

Once executed, it phones back to: ( ( (

Known to have responded to the same IPs, are also the following domains part of the same infrastructure:

Despite the fact that most modern day PUAs include uninstall instructions, our advice is to not install them in the first place, instead, seek a legitimate — often free but this time fully featured and working — alternative to their pseudo-unique value propositions.

Webroot SecureAnywhere users are proactively protected from these PUAs.

Blog Staff

About the Author

Blog Staff

Facebook Comments
Share This