Malware Information Initiative (MII): Top 10

Total percentage of the top 10: 14.58 %

| Rank | Name | Percentage |
| --- | --- | --- |
| 1 | Script.Application.InstallCore.HL | 2.58 % |
| 2 | Win32.Application.OpenCandy.G | 2.20 % |
| 3 | Zum.Androm.1 | 1.66 % |
| 4 | Gen:Variant.Application.Bundler.Softonic.1 | 1.64 % |
| 5 | Gen:Variant.Graftor.27820 | 1.63 % |
| 6 | Win32.Application.DownloadSponsor.R | 1.36 % |
| 7 | Win32.Application.OpenCandy.O | 0.97 % |
| 8 | Adware.Searchprotect.AT | 0.88 % |
| 9 | Application.SearchProtect.BS | 0.83 % |
| 10 | Gen:Adware.BrowseFox.1 | 0.83 % |

[Chart: malware distribution by percentage within the top 10]

Script.Application.InstallCore.HL is the signature name of an installCore bundle adware installer that uses "Inno Setup". Such installers are distributed by various third parties and usually pretend to offer a legitimate installer for popular software, media or cracks.
However, the primary objective is to deliver bundled adware/PUP without proper user consent. The bundled software depends on the current campaigns and can range from real security software to fake security software.

Win32.Application.OpenCandy.G is a Potentially Unwanted Program (PUP). It is installed alongside various legitimate freeware such as DVD players, PDF readers, archivers and more, which have been bundled with the unwanted extra. The software detected as Win32.Application.OpenCandy.G is developed by SweetLabs, a company based in San Diego, USA. This PUP modifies the browser’s behavior by changing its home page and search engine settings, redirects the user to potentially unwanted websites and also displays pop-ups. The purpose of the modification is to generate revenue by displaying advertisements.

Generic detection of NSIS-based installers/uninstallers for PUP bundlers. This includes many PUPs that are installed without user consent.

PUP bundle installer that tries to trick the user into installing very aggressive PUPs.

Generic Trojan horse that (ab)uses folder icons to get executed. Depending on the variant, it may show worm-like behaviour, use a backdoor or download other malware.

Win32.Application.DownloadSponsor.R is a detection of potentially unwanted software (PUP) that comes as a bundled installer. The distributors take legitimate free software, bundle it with their PUP installer and distribute these bundles online for the sake of monetization. Offers and offer dialogues are downloaded dynamically from the DownloadSponsor servers. Each and every ad impression results in earnings for the distributors of the manipulated software.

Win32.Adware.OpenCandy.O is a Potentially Unwanted Program (PUP). This program is included in other legitimate applications in order to generate money for the distributor by showing advertisements. The application is developed by a company called OpenCandy.
This application modifies the browser’s behavior by changing its home page and the search engine. Ad pop-ups are displayed to the user of the infected machine.

Adware.Searchprotect.AT is the detection of a pre-installed version of Conduit Search Protect on Lenovo computers. Conduit Search Protect belongs to the category of potentially unwanted programs (PUP).
The user is allowed to change this variant's settings, but is initially made to use the presets the distributor wants them to use.

This detection belongs to the category of potentially unwanted programs (PUP). It describes alleged system helpers, named BrowserProtect, BrowserProtector, Search Protect, BrowserDefender, BrowserManager or similar, which often come bundled with potentially unwanted extras. In many cases, the third-party software package providers earn money for each install (pay per install). The toolbars, signed by Conduit, change the browser start page and the default search engine permanently and also prepare the browser to show targeted ads. The software is often part of software packages that users download from third-party websites and not directly from the original provider.

BrowseFox is an adware family that disguises itself as many different programs, such as SwiftBrowse, MarketResearchHelper, SmarterPower, CommonShare, MegaBrowse, SpecialBox, NetCrawl, ClearThink, JumpFlip, BringStar, SmarterPower, WiseEnhance, EnterDigital, FramedDisplay, DigiHelp, RockTurner, InfiniNet, …
Those programs are usually installed without proper user consent, via third-party installers. BrowseFox installs add-ons to Microsoft's Internet Explorer, Mozilla Firefox and Google Chrome, and also installs a local proxy, a driver and a service. BrowseFox and its variants also change the browser's start page and search engine. Advertisements are injected into websites the user visits, on the start page and in pop-ups.

Methodology

The Malware Information Initiative (MII) relies on the power of the online community and any customer that purchases a G DATA security solution can take part in this initiative. The prerequisite for this is that they must have activated this function in their G DATA program. If a computer malware attack is fended off, a completely anonymous report of this event is sent to G DATA SecurityLabs. The data about the malware is collected and statistically assessed by G DATA SecurityLabs.

Total percentage of the top 10: 15.01 %

| Rank | Name | Percentage |
| --- | --- | --- |
| 1 | Win32.Application.OpenCandy.G | 2.45 % |
| 2 | Script.Application.InstallCore.HL | 2.30 % |
| 3 | Gen:Variant.Graftor.27820 | 2.24 % |
| 4 | Adware.Searchprotect.AT | 1.44 % |
| 5 | Win32.Application.OpenCandy.O | 1.38 % |
| 6 | Adware.RelevantKnowledge.A | 1.17 % |
| 7 | Win32.Application.DownloadSponsor.R | 1.12 % |
| 8 | Zum.Androm.1 | 1.10 % |
| 9 | Script.Application.FusionCore.B | 0.91 % |
| 10 | Script.Application.InstallCore.IP | 0.90 % |

[Chart: malware distribution by percentage within the top 10]

Win32.Application.OpenCandy.G is a Potentially Unwanted Program (PUP). It is installed alongside various legitimate freeware such as DVD players, PDF readers, archivers and more, which have been bundled with the unwanted extra. The software detected as Win32.Application.OpenCandy.G is developed by SweetLabs, a company based in San Diego, USA. This PUP modifies the browser’s behavior by changing its home page and search engine settings, redirects the user to potentially unwanted websites and also displays pop-ups. The purpose of the modification is to generate revenue by displaying advertisements.

Script.Application.InstallCore.HL is the signature name of an installCore bundle adware installer that uses "Inno Setup". Such installers are distributed by various third parties and usually pretend to offer a legitimate installer for popular software, media or cracks.
However, the primary objective is to deliver bundled adware/PUP without proper user consent. The bundled software depends on the current campaigns and can range from real security software to fake security software.

Generic Trojan horse that (ab)uses folder icons to get executed. Depending on the variant, it may show worm-like behaviour, use a backdoor or download other malware.

Adware.Searchprotect.AT is the detection of a pre-installed version of Conduit Search Protect on Lenovo computers. Conduit Search Protect belongs to the category of potentially unwanted programs (PUP).
The user is allowed to change this variant's settings, but is initially made to use the presets the distributor wants them to use.

Win32.Adware.OpenCandy.O is a Potentially Unwanted Program (PUP). This program is included in other legitimate applications in order to generate money for the distributor by showing advertisements. The application is developed by a company called OpenCandy.
This application modifies the browser’s behavior by changing its home page and the search engine. Ad pop-ups are displayed to the user of the infected machine.

Adware.RelevantKnowledge.A is a potentially unwanted program (PUP). The purpose of this application is to analyse the user's browser activity and send data to the persons behind this PUP. Then, these persons are able to sell the data to third parties. Usually, RelevantKnowledge comes packed with legitimate programs, which are often downloaded from third-party sites instead of the original publisher’s site. This program adds an icon to the infected computer’s task bar.

Win32.Application.DownloadSponsor.R is a detection of potentially unwanted software (PUP) that comes as a bundled installer. The distributors take legitimate free software, bundle it with their PUP installer and distribute these bundles online for the sake of monetization. Offers and offer dialogues are downloaded dynamically from the DownloadSponsor servers. Each and every ad impression results in earnings for the distributors of the manipulated software.

Generic detection of NSIS-based installers/uninstallers for PUP bundlers. This includes many PUPs that are installed without user consent.

Script.Application.FusionCore.B is the detection of an Adware/PUP bundle installer. It is bundled with free versions of applications such as Freemake Video Converter. The paid version of such programs does not have this kind of bundle installer.
The offers during installation range from alleged security toolbars to scareware. The installer is VM-aware, which means it can detect whether it is executed on a real machine or a virtual machine. Depending on the platform, it will change the layout and type of the offers.
Started in a VM, the offers are opt-in and the type of software offered is not fraudulent or aggressive. On a physical machine, however, the offers are opt-out and often appear to be mandatory.

This signature covers an installCore bundle adware installer that uses "Inno Setup". Such installers are distributed by various third parties and usually pretend to offer a legitimate installer for popular software, media or cracks.
However, the primary objective is to deliver bundled adware/PUP without proper user consent. The bundled software depends on the current campaigns and can range from real security software to fake security software.

Total percentage of the top 10: 15.25 %

| Rank | Name | Percentage |
| --- | --- | --- |
| 1 | Win32.Application.OpenCandy.G | 2.50 % |
| 2 | Script.Application.InstallCore.HL | 2.26 % |
| 3 | Application.BitCoinMiner.IJ | 1.93 % |
| 4 | Win32.Application.OpenCandy.O | 1.52 % |
| 5 | Zum.Androm.1 | 1.48 % |
| 6 | Gen:Variant.Graftor.27820 | 1.23 % |
| 7 | Adware.Searchprotect.AT | 1.15 % |
| 8 | Win32.Application.DownloadSponsor.R | 1.13 % |
| 9 | Win32.Application.DownloadSponsor.S | 1.05 % |
| 10 | Script.Application.FusionCore.B | 1.00 % |

[Chart: malware distribution by percentage within the top 10]

Win32.Application.OpenCandy.G is a Potentially Unwanted Program (PUP). It is installed alongside various legitimate freeware such as DVD players, PDF readers, archivers and more, which have been bundled with the unwanted extra. The software detected as Win32.Application.OpenCandy.G is developed by SweetLabs, a company based in San Diego, USA. This PUP modifies the browser’s behavior by changing its home page and search engine settings, redirects the user to potentially unwanted websites and also displays pop-ups. The purpose of the modification is to generate revenue by displaying advertisements.

Script.Application.InstallCore.HL is the signature name of an installCore bundle adware installer that uses "Inno Setup". Such installers are distributed by various third parties and usually pretend to offer a legitimate installer for popular software, media or cracks.
However, the primary objective is to deliver bundled adware/PUP without proper user consent. The bundled software depends on the current campaigns and can range from real security software to fake security software.

Application.BitCoinMiner.IJ is the detection for a Bitcoin miner that is installed alongside a fake Java Runtime Environment update; in most cases the user does not intend to install this miner.
Miners use, or in the case of an infection misuse, a device's CPU to perform intensive calculations to mine cryptocurrencies.

Win32.Adware.OpenCandy.O is a Potentially Unwanted Program (PUP). This program is included in other legitimate applications in order to generate money for the distributor by showing advertisements. The application is developed by a company called OpenCandy.
This application modifies the browser’s behavior by changing its home page and the search engine. Ad pop-ups are displayed to the user of the infected machine.

Generic detection of NSIS-based installers/uninstallers for PUP bundlers. This includes many PUPs that are installed without user consent.

Generic Trojan horse that (ab)uses folder icons to get executed. Depending on the variant, it may show worm-like behaviour, use a backdoor or download other malware.

Adware.Searchprotect.AT is the detection of a pre-installed version of Conduit Search Protect on Lenovo computers. Conduit Search Protect belongs to the category of potentially unwanted programs (PUP).
The user is allowed to change this variant's settings, but is initially made to use the presets the distributor wants them to use.

Win32.Application.DownloadSponsor.R is a detection of potentially unwanted software (PUP) that comes as a bundled installer. The distributors take legitimate free software, bundle it with their PUP installer and distribute these bundles online for the sake of monetization. Offers and offer dialogues are downloaded dynamically from the DownloadSponsor servers. Each and every ad impression results in earnings for the distributors of the manipulated software.

Win32.Application.DownloadSponsor.S is a detection of potentially unwanted software (PUP) that comes as a bundled installer. The distributors take legitimate free software, bundle it with their PUP installer and distribute these bundles online for the sake of monetization. Offers and offer dialogues are downloaded dynamically from the DownloadSponsor servers. Each and every ad impression results in earnings for the distributors of the manipulated software.

Script.Application.FusionCore.B is the detection of an Adware/PUP bundle installer. It is bundled with free versions of applications such as Freemake Video Converter. The paid version of such programs does not have this kind of bundle installer.
The offers during installation range from alleged security toolbars to scareware. The installer is VM-aware, which means it can detect whether it is executed on a real machine or a virtual machine. Depending on the platform, it will change the layout and type of the offers.
Started in a VM, the offers are opt-in and the type of software offered is not fraudulent or aggressive. On a physical machine, however, the offers are opt-out and often appear to be mandatory.

Total percentage of the top 10: 14.11 %

| Rank | Name | Percentage |
| --- | --- | --- |
| 1 | Win32.Application.OpenCandy.G | 2.84 % |
| 2 | Script.Application.InstallCore.HL | 2.76 % |
| 3 | Application.BitCoinMiner.IJ | 1.63 % |
| 4 | Gen:Variant.Application.Bundler.Softonic.1 | 1.09 % |
| 5 | Script.Application.FusionCore.B | 1.05 % |
| 6 | Zum.Androm.1 | 1.03 % |
| 7 | Adware.RelevantKnowledge.A | 0.99 % |
| 8 | Script.Application.InstallCore.IP | 0.97 % |
| 9 | Adware.Searchprotect.AT | 0.88 % |
| 10 | Win32.Application.OpenCandy.O | 0.87 % |

[Chart: malware distribution by percentage within the top 10]

Win32.Application.OpenCandy.G is a Potentially Unwanted Program (PUP). It is installed alongside various legitimate freeware such as DVD players, PDF readers, archivers and more, which have been bundled with the unwanted extra. The software detected as Win32.Application.OpenCandy.G is developed by SweetLabs, a company based in San Diego, USA. This PUP modifies the browser’s behavior by changing its home page and search engine settings, redirects the user to potentially unwanted websites and also displays pop-ups. The purpose of the modification is to generate revenue by displaying advertisements.

Script.Application.InstallCore.HL is the signature name of an installCore bundle adware installer that uses "Inno Setup". Such installers are distributed by various third parties and usually pretend to offer a legitimate installer for popular software, media or cracks.
However, the primary objective is to deliver bundled adware/PUP without proper user consent. The bundled software depends on the current campaigns and can range from real security software to fake security software.

Application.BitCoinMiner.IJ is the detection for a Bitcoin miner that is installed alongside a fake Java Runtime Environment update; in most cases the user does not intend to install this miner.
Miners use, or in the case of an infection misuse, a device's CPU to perform intensive calculations to mine cryptocurrencies.

PUP bundle installer that tries to trick the user into installing very aggressive PUPs.

Script.Application.FusionCore.B is the detection of an Adware/PUP bundle installer. It is bundled with free versions of applications such as Freemake Video Converter. The paid version of such programs does not have this kind of bundle installer.
The offers during installation range from alleged security toolbars to scareware. The installer is VM-aware, which means it can detect whether it is executed on a real machine or a virtual machine. Depending on the platform, it will change the layout and type of the offers.
Started in a VM, the offers are opt-in and the type of software offered is not fraudulent or aggressive. On a physical machine, however, the offers are opt-out and often appear to be mandatory.

Generic detection of NSIS-based installers/uninstallers for PUP bundlers. This includes many PUPs that are installed without user consent.

Adware.RelevantKnowledge.A is a potentially unwanted program (PUP). The purpose of this application is to analyse the user's browser activity and send data to the persons behind this PUP. Then, these persons are able to sell the data to third parties. Usually, RelevantKnowledge comes packed with legitimate programs, which are often downloaded from third-party sites instead of the original publisher’s site. This program adds an icon to the infected computer’s task bar.

This signature covers an installCore bundle adware installer that uses "Inno Setup". Such installers are distributed by various third parties and usually pretend to offer a legitimate installer for popular software, media or cracks.
However, the primary objective is to deliver bundled adware/PUP without proper user consent. The bundled software depends on the current campaigns and can range from real security software to fake security software.

Adware.Searchprotect.AT is the detection of a pre-installed version of Conduit Search Protect on Lenovo computers. Conduit Search Protect belongs to the category of potentially unwanted programs (PUP).
The user is allowed to change this variant's settings, but is initially made to use the presets the distributor wants them to use.

Win32.Adware.OpenCandy.O is a Potentially Unwanted Program (PUP). This program is included in other legitimate applications in order to generate money for the distributor by showing advertisements. The application is developed by a company called OpenCandy.
This application modifies the browser’s behavior by changing its home page and the search engine. Ad pop-ups are displayed to the user of the infected machine.

Total percentage of the top 10: 14.23 %

| Rank | Name | Percentage |
| --- | --- | --- |
| 1 | Script.Application.InstallCore.HL | 2.69 % |
| 2 | Win32.Application.OpenCandy.G | 2.53 % |
| 3 | Application.BitCoinMiner.IJ | 1.57 % |
| 4 | Zum.Androm.1 | 1.33 % |
| 5 | Script.Application.FusionCore.B | 1.25 % |
| 6 | Script.Application.InstallCore.IP | 1.11 % |
| 7 | Gen:Variant.Application.Bundler.Softonic.1 | 1.07 % |
| 8 | Win32.Application.DownloadSponsor.R | 0.96 % |
| 9 | Adware.Searchprotect.AT | 0.88 % |
| 10 | Adware.RelevantKnowledge.A | 0.84 % |

[Chart: malware distribution by percentage within the top 10]

Script.Application.InstallCore.HL is the signature name of an installCore bundle adware installer that uses "Inno Setup". Such installers are distributed by various third parties and usually pretend to offer a legitimate installer for popular software, media or cracks.
However, the primary objective is to deliver bundled adware/PUP without proper user consent. The bundled software depends on the current campaigns and can range from real security software to fake security software.

Win32.Application.OpenCandy.G is a Potentially Unwanted Program (PUP). It is installed alongside various legitimate freeware such as DVD players, PDF readers, archivers and more, which have been bundled with the unwanted extra. The software detected as Win32.Application.OpenCandy.G is developed by SweetLabs, a company based in San Diego, USA. This PUP modifies the browser’s behavior by changing its home page and search engine settings, redirects the user to potentially unwanted websites and also displays pop-ups. The purpose of the modification is to generate revenue by displaying advertisements.

Application.BitCoinMiner.IJ is the detection for a Bitcoin miner that is installed alongside a fake Java Runtime Environment update; in most cases the user does not intend to install this miner.
Miners use, or in the case of an infection misuse, a device's CPU to perform intensive calculations to mine cryptocurrencies.

Generic detection of NSIS-based installers/uninstallers for PUP bundlers. This includes many PUPs that are installed without user consent.

Script.Application.FusionCore.B is the detection of an Adware/PUP bundle installer. It is bundled with free versions of applications such as Freemake Video Converter. The paid version of such programs does not have this kind of bundle installer.
The offers during installation range from alleged security toolbars to scareware. The installer is VM-aware, which means it can detect whether it is executed on a real machine or a virtual machine. Depending on the platform, it will change the layout and type of the offers.
Started in a VM, the offers are opt-in and the type of software offered is not fraudulent or aggressive. On a physical machine, however, the offers are opt-out and often appear to be mandatory.

This signature covers an installCore bundle adware installer that uses "Inno Setup". Such installers are distributed by various third parties and usually pretend to offer a legitimate installer for popular software, media or cracks.
However, the primary objective is to deliver bundled adware/PUP without proper user consent. The bundled software depends on the current campaigns and can range from real security software to fake security software.

PUP bundle installer that tries to trick the user into installing very aggressive PUPs.

Win32.Application.DownloadSponsor.R is a detection of potentially unwanted software (PUP) that comes as a bundled installer. The distributors take legitimate free software, bundle it with their PUP installer and distribute these bundles online for the sake of monetization. Offers and offer dialogues are downloaded dynamically from the DownloadSponsor servers. Each and every ad impression results in earnings for the distributors of the manipulated software.

Adware.Searchprotect.AT is the detection of a pre-installed version of Conduit Search Protect on Lenovo computers. Conduit Search Protect belongs to the category of potentially unwanted programs (PUP).
The user is allowed to change this variant's settings, but is initially made to use the presets the distributor wants them to use.

Adware.RelevantKnowledge.A is a potentially unwanted program (PUP). The purpose of this application is to analyse the user's browser activity and send data to the persons behind this PUP. Then, these persons are able to sell the data to third parties. Usually, RelevantKnowledge comes packed with legitimate programs, which are often downloaded from third-party sites instead of the original publisher’s site. This program adds an icon to the infected computer’s task bar.

Total percentage of the top 10: 12.25 %

| Rank | Name | Percentage |
| --- | --- | --- |
| 1 | Win32.Application.OpenCandy.G | 2.61 % |
| 2 | Script.Application.InstallCore.HL | 2.20 % |
| 3 | Application.BitCoinMiner.IJ | 1.63 % |
| 4 | Script.Application.FusionCore.B | 1.10 % |
| 5 | Script.Application.InstallCore.IP | 0.93 % |
| 6 | Zum.Androm.1 | 0.93 % |
| 7 | Adware.RelevantKnowledge.A | 0.82 % |
| 8 | Gen:Adware.BrowseFox.1 | 0.71 % |
| 9 | Win32.Application.DownloadSponsor.R | 0.66 % |
| 10 | Gen:Variant.Adware.RelevantKnowledge.2 | 0.66 % |

[Chart: malware distribution by percentage within the top 10]

Win32.Application.OpenCandy.G is a Potentially Unwanted Program (PUP). It is installed alongside various legitimate freeware such as DVD players, PDF readers, archivers and more, which have been bundled with the unwanted extra. The software detected as Win32.Application.OpenCandy.G is developed by SweetLabs, a company based in San Diego, USA. This PUP modifies the browser’s behavior by changing its home page and search engine settings, redirects the user to potentially unwanted websites and also displays pop-ups. The purpose of the modification is to generate revenue by displaying advertisements.

Script.Application.InstallCore.HL is the signature name of an installCore bundle adware installer that uses "Inno Setup". Such installers are distributed by various third parties and usually pretend to offer a legitimate installer for popular software, media or cracks.
However, the primary objective is to deliver bundled adware/PUP without proper user consent. The bundled software depends on the current campaigns and can range from real security software to fake security software.

Application.BitCoinMiner.IJ is the detection for a Bitcoin miner that is installed alongside a fake Java Runtime Environment update; in most cases the user does not intend to install this miner.
Miners use, or in the case of an infection misuse, a device's CPU to perform intensive calculations to mine cryptocurrencies.

Script.Application.FusionCore.B is the detection of an Adware/PUP bundle installer. It is bundled with free versions of applications such as Freemake Video Converter. The paid version of such programs does not have this kind of bundle installer.
The offers during installation range from alleged security toolbars to scareware. The installer is VM-aware, which means it can detect whether it is executed on a real machine or a virtual machine. Depending on the platform, it will change the layout and type of the offers.
Started in a VM, the offers are opt-in and the type of software offered is not fraudulent or aggressive. On a physical machine, however, the offers are opt-out and often appear to be mandatory.

This signature covers an installCore bundle adware installer that uses "Inno Setup". Such installers are distributed by various third parties and usually pretend to offer a legitimate installer for popular software, media or cracks.
However, the primary objective is to deliver bundled adware/PUP without proper user consent. The bundled software depends on the current campaigns and can range from real security software to fake security software.

Generic detection of NSIS-based installers/uninstallers for PUP bundlers. This includes many PUPs that are installed without user consent.

Adware.RelevantKnowledge.A is a potentially unwanted program (PUP). The purpose of this application is to analyse the user's browser activity and send data to the persons behind this PUP. Then, these persons are able to sell the data to third parties. Usually, RelevantKnowledge comes packed with legitimate programs, which are often downloaded from third-party sites instead of the original publisher’s site. This program adds an icon to the infected computer’s task bar.

BrowseFox is an adware family that disguises itself as many different programs, such as SwiftBrowse, MarketResearchHelper, SmarterPower, CommonShare, MegaBrowse, SpecialBox, NetCrawl, ClearThink, JumpFlip, BringStar, SmarterPower, WiseEnhance, EnterDigital, FramedDisplay, DigiHelp, RockTurner, InfiniNet, …
Those programs are usually installed without proper user consent, via third-party installers. BrowseFox installs add-ons to Microsoft's Internet Explorer, Mozilla Firefox and Google Chrome, and also installs a local proxy, a driver and a service. BrowseFox and its variants also change the browser's start page and search engine. Advertisements are injected into websites the user visits, on the start page and in pop-ups.

Win32.Application.DownloadSponsor.R is a detection of potentially unwanted software (PUP) that comes as a bundled installer. The distributors take legitimate free software, bundle it with their PUP installer and distribute these bundles online for the sake of monetization. Offers and offer dialogues are downloaded dynamically from the DownloadSponsor servers. Each and every ad impression results in earnings for the distributors of the manipulated software.

Gen:Variant.Adware.RelevantKnowledge.2 is a potentially unwanted program (PUP). The purpose of this application is to analyse the user's browser activity and send data to the persons behind this PUP. Then, these persons are able to sell the data to third parties. Usually, RelevantKnowledge comes packed with legitimate programs, which are often downloaded from third-party sites instead of the original publisher’s site. This program adds an icon to the infected computer’s task bar.

Total percentage of the top 10: 12.37 %

Rank | Name | Percentage
1 | Win32.Application.OpenCandy.G | 2.94 %

Win32.Application.OpenCandy.G is a Potentially Unwanted Program (PUP). It is installed alongside various legitimate freeware, such as DVD players, PDF readers, archivers and more, which has been bundled with the unwanted extra. The software detected as Win32.Application.OpenCandy.G is developed by SweetLabs, a company based in San Diego, USA. This PUP modifies the browser’s behavior by changing its home page and search engine settings; it redirects the user to potentially unwanted websites and also displays pop-ups. The purpose of the modification is to generate revenue by displaying advertisements.

Script.Application.InstallCore.HL is the signature name of an installCore adware bundle installer that uses "Inno Setup". These installers are distributed by various third parties. They usually pretend to offer a legitimate installer for popular software, media or cracks.
However, the primary objective is to deliver bundled adware/PUP without proper user consent. The bundled software depends on the current campaigns and can range from real security software to fake security software.

Script.Application.FusionCore.B is the detection of an adware/PUP bundle installer. It is bundled with free versions of applications such as Freemake Video Converter. The paid versions of such programs do not have this kind of bundle installer.
The offers during installation range from alleged security toolbars to scareware. The installer is VM-aware, which means it can detect whether it is executed on a real machine or a virtual machine. Depending on the platform, it changes the layout and type of the offers.
When started in a VM, the offers are opt-in and the type of software offered is not fraudulent or aggressive. On a physical machine, however, the offers are opt-out and often appear to be mandatory.

Generic detection of NSIS-based installers/uninstallers for PUP bundlers. This includes many PUPs which are installed without user consent.

This signature covers installCore adware bundle installers that use "Inno Setup". They are distributed by various third parties. They usually pretend to offer a legitimate installer for popular software, media or cracks.
However, the primary objective is to deliver bundled adware/PUP without proper user consent. The bundled software depends on the current campaigns and can range from real security software to fake security software.

This signature covers installCore adware bundle installers that use "Inno Setup". They are distributed by various third parties. They usually pretend to offer a legitimate installer for popular software, media or cracks. This one is a Polish bundle from Axel Springer. It tries to hide its payload by encoding the contents.

Application.BitCoinMiner.IJ is the detection for a Bitcoin miner that is installed alongside a fake Java Runtime Environment update; in most cases, the user does not intend to install this miner.
Miners use or, in the case of an infection, misuse a device's CPU to perform intensive calculations to mine cryptocurrencies.

Win32.Application.DownloadSponsor.R is a detection of potentially unwanted software (PUP) that comes as a bundled installer. The distributors take legitimate free software, bundle it with their PUP installer and distribute these bundles online for the sake of monetization. Offers and offer dialogues are downloaded dynamically from the DownloadSponsor servers. Each and every ad impression results in earnings for the distributors of the manipulated software.

BrowseFox is an adware family which disguises itself as many different programs, such as SwiftBrowse, MarketResearchHelper, SmarterPower, CommonShare, MegaBrowse, SpecialBox, NetCrawl, ClearThink, JumpFlip, BringStar, WiseEnhance, EnterDigital, FramedDisplay, DigiHelp, RockTurner, InfiniNet, …
These programs are usually installed without proper user consent, via third-party installers. They install add-ons to Microsoft's Internet Explorer, Mozilla Firefox and Google Chrome, and also a local proxy, a driver and a service. BrowseFox and its variants also change the browser's start page and search engine. Advertisements are injected into websites the user visits, into the start page and into pop-ups.

Win32.Adware.OpenCandy.O is a Potentially Unwanted Program (PUP). This program is included in other legitimate applications in order to generate money for the distributor by showing advertisements. The application is developed by a company called OpenCandy.
This application modifies the browser’s behavior by changing its home page and the search engine. Ad pop-ups are displayed to the user of the infected machine.

2 | Script.Application.InstallCore.HL | 2.08 %
3 | Script.Application.FusionCore.B | 1.39 %
4 | Zum.Androm.1 | 1.11 %
5 | Script.Application.InstallCore.IP | 1.06 %
6 | Win32.Adware.InstallCore.GO | 0.96 %
7 | Application.BitCoinMiner.IJ | 0.85 %
8 | Win32.Application.DownloadSponsor.R | 0.78 %
9 | Gen:Adware.BrowseFox.1 | 0.60 %
10 | Win32.Application.OpenCandy.O | 0.60 %


Total percentage of the top 10: 11.74 %

Rank | Name | Percentage
1 | Win32.Application.OpenCandy.G | 3.15 %

Win32.Application.OpenCandy.G is a Potentially Unwanted Program (PUP). It is installed alongside various legitimate freeware, such as DVD players, PDF readers, archivers and more, which has been bundled with the unwanted extra. The software detected as Win32.Application.OpenCandy.G is developed by SweetLabs, a company based in San Diego, USA. This PUP modifies the browser’s behavior by changing its home page and search engine settings; it redirects the user to potentially unwanted websites and also displays pop-ups. The purpose of the modification is to generate revenue by displaying advertisements.

Script.Application.InstallCore.HL is the signature name of an installCore adware bundle installer that uses "Inno Setup". These installers are distributed by various third parties. They usually pretend to offer a legitimate installer for popular software, media or cracks.
However, the primary objective is to deliver bundled adware/PUP without proper user consent. The bundled software depends on the current campaigns and can range from real security software to fake security software.

Script.Application.FusionCore.B is the detection of an adware/PUP bundle installer. It is bundled with free versions of applications such as Freemake Video Converter. The paid versions of such programs do not have this kind of bundle installer.
The offers during installation range from alleged security toolbars to scareware. The installer is VM-aware, which means it can detect whether it is executed on a real machine or a virtual machine. Depending on the platform, it changes the layout and type of the offers.
When started in a VM, the offers are opt-in and the type of software offered is not fraudulent or aggressive. On a physical machine, however, the offers are opt-out and often appear to be mandatory.

Adware.RelevantKnowledge.A is a potentially unwanted program (PUP). The purpose of this application is to analyse the user's browser activity and send data to the persons behind this PUP. Then, these persons are able to sell the data to third parties. Usually, RelevantKnowledge comes packed with legitimate programs, which are often downloaded from third party sites instead of the original publisher’s site. This program adds an icon to the infected computer’s task bar.

This signature covers installCore adware bundle installers that use "Inno Setup". They are distributed by various third parties. They usually pretend to offer a legitimate installer for popular software, media or cracks.
However, the primary objective is to deliver bundled adware/PUP without proper user consent. The bundled software depends on the current campaigns and can range from real security software to fake security software.

Generic detection of NSIS-based installers/uninstallers for PUP bundlers. This includes many PUPs which are installed without user consent.

Win32.Application.DownloadSponsor.R is a detection of potentially unwanted software (PUP) that comes as a bundled installer. The distributors take legitimate free software, bundle it with their PUP installer and distribute these bundles online for the sake of monetization. Offers and offer dialogues are downloaded dynamically from the DownloadSponsor servers. Each and every ad impression results in earnings for the distributors of the manipulated software.

PUP bundle installer which tries to trick the user into installing very aggressive PUPs.

Adware.Searchprotect.AT is the detection of a pre-installed version of Conduit Search Protect on Lenovo computers. Conduit Search Protect belongs to the category of potentially unwanted programs (PUP).
The user is allowed to change this variant's settings, but is initially made to use the presets the distributor wishes them to use.

Gen:Variant.Adware.RelevantKnowledge.2 is a potentially unwanted program (PUP). The purpose of this application is to analyse the user's browser activity and send data to the persons behind this PUP. Then, these persons are able to sell the data to third parties. Usually, RelevantKnowledge comes packed with legitimate programs, which are often downloaded from third party sites instead of the original publisher’s site. This program adds an icon to the infected computer’s task bar.

2 | Script.Application.InstallCore.HL | 2.00 %
3 | Script.Application.FusionCore.B | 1.64 %
4 | Adware.RelevantKnowledge.A | 0.85 %
5 | Script.Application.InstallCore.IP | 0.82 %
6 | Zum.Androm.1 | 0.77 %
7 | Win32.Application.DownloadSponsor.R | 0.74 %
8 | Gen:Variant.Application.Bundler.Softonic.1 | 0.63 %
9 | Adware.Searchprotect.AT | 0.62 %
10 | Gen:Variant.Adware.RelevantKnowledge.2 | 0.52 %


Total percentage of the top 10: 12.64 %

Rank | Name | Percentage
1 | Win32.Application.OpenCandy.G | 3.29 %

Win32.Application.OpenCandy.G is a Potentially Unwanted Program (PUP). It is installed alongside various legitimate freeware, such as DVD players, PDF readers, archivers and more, which has been bundled with the unwanted extra. The software detected as Win32.Application.OpenCandy.G is developed by SweetLabs, a company based in San Diego, USA. This PUP modifies the browser’s behavior by changing its home page and search engine settings; it redirects the user to potentially unwanted websites and also displays pop-ups. The purpose of the modification is to generate revenue by displaying advertisements.

Script.Application.InstallCore.HL is the signature name of an installCore adware bundle installer that uses "Inno Setup". These installers are distributed by various third parties. They usually pretend to offer a legitimate installer for popular software, media or cracks.
However, the primary objective is to deliver bundled adware/PUP without proper user consent. The bundled software depends on the current campaigns and can range from real security software to fake security software.

Win32.Application.DownloadSponsor.R is a detection of potentially unwanted software (PUP) that comes as a bundled installer. The distributors take legitimate free software, bundle it with their PUP installer and distribute these bundles online for the sake of monetization. Offers and offer dialogues are downloaded dynamically from the DownloadSponsor servers. Each and every ad impression results in earnings for the distributors of the manipulated software.

The malware family DealPly belongs to the category adware. This tool is often bundled with some third-party installation program and thereby possibly unintentionally installed by the user (Potentially Unwanted Program = PUP). The tool installs itself as a browser helper object (BHO)/extension/add-on to the popular browsers if any of these is installed. DealPly monitors browsed pages in order to display advertisements of deals for various products and businesses, like discount coupons, on every page the user visits.

Win32.Adware.OpenCandy.O is a Potentially Unwanted Program (PUP). This program is included in other legitimate applications in order to generate money for the distributor by showing advertisements. The application is developed by a company called OpenCandy.
This application modifies the browser’s behavior by changing its home page and the search engine. Ad pop-ups are displayed to the user of the infected machine.

Adware.Searchprotect.AT is the detection of a pre-installed version of Conduit Search Protect on Lenovo computers. Conduit Search Protect belongs to the category of potentially unwanted programs (PUP).
The user is allowed to change this variant's settings, but is initially made to use the presets the distributor wishes them to use.

Adware.RelevantKnowledge.A is a potentially unwanted program (PUP). The purpose of this application is to analyse the user's browser activity and send data to the persons behind this PUP. Then, these persons are able to sell the data to third parties. Usually, RelevantKnowledge comes packed with legitimate programs, which are often downloaded from third party sites instead of the original publisher’s site. This program adds an icon to the infected computer’s task bar.

Script.Application.FusionCore.B is the detection of an adware/PUP bundle installer. It is bundled with free versions of applications such as Freemake Video Converter. The paid versions of such programs do not have this kind of bundle installer.
The offers during installation range from alleged security toolbars to scareware. The installer is VM-aware, which means it can detect whether it is executed on a real machine or a virtual machine. Depending on the platform, it changes the layout and type of the offers.
When started in a VM, the offers are opt-in and the type of software offered is not fraudulent or aggressive. On a physical machine, however, the offers are opt-out and often appear to be mandatory.

This detection belongs to the category of potentially unwanted programs (PUP). It describes alleged system helpers, named BrowserProtect, BrowserProtector, Search Protect, BrowserDefender, BrowserManager or similar, which often come bundled with potentially unwanted extras. In many cases, the third-party software package providers earn money for each install (pay per install). The toolbars, signed by Conduit, change the browser start page and the default search engine permanently and also prepare the browser to show targeted ads. If the user tries to change these settings, a warning is displayed. Many of the PUPs detected by variant .AO are installed alongside a manipulated version of PowerISO.

BrowseFox is an adware family which disguises itself as many different programs, such as SwiftBrowse, MarketResearchHelper, SmarterPower, CommonShare, MegaBrowse, SpecialBox, NetCrawl, ClearThink, JumpFlip, BringStar, WiseEnhance, EnterDigital, FramedDisplay, DigiHelp, RockTurner, InfiniNet, …
These programs are usually installed without proper user consent, via third-party installers. They install add-ons to Microsoft's Internet Explorer, Mozilla Firefox and Google Chrome, and also a local proxy, a driver and a service. BrowseFox and its variants also change the browser's start page and search engine. Advertisements are injected into websites the user visits, into the start page and into pop-ups.

2 | Script.Application.InstallCore.HL | 1.74 %
3 | Win32.Application.DownloadSponsor.R | 1.43 %
4 | Script.Adware.DealPly.G | 1.41 %
5 | Win32.Application.OpenCandy.O | 0.92 %
6 | Adware.Searchprotect.AT | 0.91 %
7 | Adware.RelevantKnowledge.A | 0.86 %
8 | Script.Application.FusionCore.B | 0.84 %
9 | Win32.Application.SearchProtect.AO | 0.66 %
10 | Gen:Adware.BrowseFox.1 | 0.58 %


Total percentage of the top 10: 18.33 %

Rank | Name | Percentage
1 | Win32.Application.OpenCandy.G | 4.47 %

Win32.Application.OpenCandy.G is a Potentially Unwanted Program (PUP). It is installed alongside various legitimate freeware, such as DVD players, PDF readers, archivers and more, which has been bundled with the unwanted extra. The software detected as Win32.Application.OpenCandy.G is developed by SweetLabs, a company based in San Diego, USA. This PUP modifies the browser’s behavior by changing its home page and search engine settings; it redirects the user to potentially unwanted websites and also displays pop-ups. The purpose of the modification is to generate revenue by displaying advertisements.

Script.Application.InstallCore.HL is the signature name of an installCore adware bundle installer that uses "Inno Setup". These installers are distributed by various third parties. They usually pretend to offer a legitimate installer for popular software, media or cracks.
However, the primary objective is to deliver bundled adware/PUP without proper user consent. The bundled software depends on the current campaigns and can range from real security software to fake security software.

The malware family DealPly belongs to the category adware. This tool is often bundled with some third-party installation program and thereby possibly unintentionally installed by the user (Potentially Unwanted Program = PUP). The tool installs itself as a browser helper object (BHO)/extension/add-on to the popular browsers if any of these is installed. DealPly monitors browsed pages in order to display advertisements of deals for various products and businesses, like discount coupons, on every page the user visits.

This detection belongs to the category of potentially unwanted programs (PUP). It describes alleged system helpers, named BrowserProtect, BrowserProtector, Search Protect, BrowserDefender, BrowserManager or similar, which often come bundled with potentially unwanted extras. In many cases, the third-party software package providers earn money for each install (pay per install). The toolbars, signed by Conduit, change the browser start page and the default search engine permanently and also prepare the browser to show targeted ads. If the user tries to change these settings, a warning is displayed. Many of the PUPs detected by variant .AO are installed alongside a manipulated version of PowerISO.

Win32.Application.DownloadSponsor.R is a detection of potentially unwanted software (PUP) that comes as a bundled installer. The distributors take legitimate free software, bundle it with their PUP installer and distribute these bundles online for the sake of monetization. Offers and offer dialogues are downloaded dynamically from the DownloadSponsor servers. Each and every ad impression results in earnings for the distributors of the manipulated software.

This detection belongs to the category of potentially unwanted programs (PUP). It describes alleged system helpers, named BrowserProtect, BrowserProtector, Search Protect, BrowserDefender, BrowserManager or similar, which often come bundled with potentially unwanted extras. In many cases, the third-party software package providers earn money for each install (pay per install). The toolbars, signed by Conduit, change the browser start page and the default search engine permanently and also prepare the browser to show targeted ads. The software is often part of software packages that users load from third-party websites and not directly from the original provider.

Adware.Searchprotect.AT is the detection of a pre-installed version of Conduit Search Protect on Lenovo computers. Conduit Search Protect belongs to the category of potentially unwanted programs (PUP).
The user is allowed to change this variant's settings, but is initially made to use the presets the distributor wishes them to use.

BrowseFox is an adware family which disguises itself as many different programs, such as SwiftBrowse, MarketResearchHelper, SmarterPower, CommonShare, MegaBrowse, SpecialBox, NetCrawl, ClearThink, JumpFlip, BringStar, WiseEnhance, EnterDigital, FramedDisplay, DigiHelp, RockTurner, InfiniNet, …
These programs are usually installed without proper user consent, via third-party installers. They install add-ons to Microsoft's Internet Explorer, Mozilla Firefox and Google Chrome, and also a local proxy, a driver and a service. BrowseFox and its variants also change the browser's start page and search engine. Advertisements are injected into websites the user visits, into the start page and into pop-ups.

Adware.RelevantKnowledge.A is a potentially unwanted program (PUP). The purpose of this application is to analyse the user's browser activity and send data to the persons behind this PUP. Then, these persons are able to sell the data to third parties. Usually, RelevantKnowledge comes packed with legitimate programs, which are often downloaded from third party sites instead of the original publisher’s site. This program adds an icon to the infected computer’s task bar.

This detection stands for a part of a backdoor which is supposed to ensure attackers' long-term access to an infected system. The malware disables the Microsoft-Windows-LUA function. This means that it can download further components and execute them with elevated privileges without any notification to the user. Furthermore, it adds itself as a service to the system and creates a corresponding autostart entry to remain persistent in the system, e.g. to survive a reboot. The malware disguises itself as a popular program, e.g. using an iTunes icon, or as a Windows system file.

2 | Script.Application.InstallCore.HL | 2.50 %
3 | Script.Adware.DealPly.G | 2.48 %
4 | Win32.Application.SearchProtect.AO | 1.66 %
5 | Win32.Application.DownloadSponsor.R | 1.53 %
6 | Application.SearchProtect.BS | 1.33 %
7 | Adware.Searchprotect.AT | 1.21 %
8 | Gen:Adware.BrowseFox.1 | 1.18 %
9 | Adware.RelevantKnowledge.A | 1.04 %
10 | Gen:Variant.Graftor.9718 | 0.93 %


Total percentage of the top 10: 12.16 %

Rank | Name | Percentage
1 | Win32.Application.OpenCandy.G | 2.72 %

Win32.Application.OpenCandy.G is a Potentially Unwanted Program (PUP). It is installed alongside various legitimate freeware, such as DVD players, PDF readers, archivers and more, which has been bundled with the unwanted extra. The software detected as Win32.Application.OpenCandy.G is developed by SweetLabs, a company based in San Diego, USA. This PUP modifies the browser’s behavior by changing its home page and search engine settings; it redirects the user to potentially unwanted websites and also displays pop-ups. The purpose of the modification is to generate revenue by displaying advertisements.

The malware family DealPly belongs to the category adware. This tool is often bundled with some third-party installation program and thereby possibly unintentionally installed by the user (Potentially Unwanted Program = PUP). The tool installs itself as a browser helper object (BHO)/extension/add-on to the popular browsers if any of these is installed. DealPly monitors browsed pages in order to display advertisements of deals for various products and businesses, like discount coupons, on every page the user visits.

Script.Application.InstallCore.HL is the signature name of an installCore adware bundle installer that uses "Inno Setup". These installers are distributed by various third parties. They usually pretend to offer a legitimate installer for popular software, media or cracks.
However, the primary objective is to deliver bundled adware/PUP without proper user consent. The bundled software depends on the current campaigns and can range from real security software to fake security software.

Win32.Application.DownloadSponsor.R is a detection of potentially unwanted software (PUP) that comes as a bundled installer. The distributors take legitimate free software, bundle it with their PUP installer and distribute these bundles online for the sake of monetization. Offers and offer dialogues are downloaded dynamically from the DownloadSponsor servers. Each and every ad impression results in earnings for the distributors of the manipulated software.

BrowseFox is an adware family which disguises itself as many different programs, such as SwiftBrowse, MarketResearchHelper, SmarterPower, CommonShare, MegaBrowse, SpecialBox, NetCrawl, ClearThink, JumpFlip, BringStar, WiseEnhance, EnterDigital, FramedDisplay, DigiHelp, RockTurner, InfiniNet, …
These programs are usually installed without proper user consent, via third-party installers. They install add-ons to Microsoft's Internet Explorer, Mozilla Firefox and Google Chrome, and also a local proxy, a driver and a service. BrowseFox and its variants also change the browser's start page and search engine. Advertisements are injected into websites the user visits, into the start page and into pop-ups.

This detection belongs to the category of potentially unwanted programs (PUP). It describes alleged system helpers, named BrowserProtect, BrowserProtector, Search Protect, BrowserDefender, BrowserManager or similar, which often come bundled with potentially unwanted extras. In many cases, the third-party software package providers earn money for each install (pay per install). The toolbars, signed by Conduit, change the browser start page and the default search engine permanently and also prepare the browser to show targeted ads. The software is often part of software packages that users load from third-party websites and not directly from the original provider.

This detection stands for a part of a backdoor which is supposed to ensure attackers' long-term access to an infected system. The malware disables the Microsoft-Windows-LUA function. This means that it can download further components and execute them with elevated privileges without any notification to the user. Furthermore, it adds itself as a service to the system and creates a corresponding autostart entry to remain persistent in the system, e.g. to survive a reboot. The malware disguises itself as a popular program, e.g. using an iTunes icon, or as a Windows system file.

Win32.Adware.InstallCore.GF is the signature name for installCore bundle installers that are distributed by various third parties.
They usually pretend to offer a legitimate installer for popular software, media or cracks, but they come with potentially unwanted extras.
The primary objective is to deliver bundled adware/PUP without proper user consent. The bundled software depends on the current campaigns and can range from real security software to fake security software.

Gen:Application.Imonetize.2 is a detection of fraudulent installers which try to lure users with desirable software or content, just to install potentially unwanted programs (PUP). They frequently have filenames like "__<4-digits>_il<4-digits>.exe".
Depending on the campaign or expiry, the desired content might not even be available, but the PUP may still be installed without proper user consent or without any user consent at all.

Win32.Adware.IObit.A is a rogue spyware removal tool. The author of the tool tries to persuade the user to buy the full version of the tool. To scare the user, the application displays pop-ups which suggest that the machine is infected with several malware families, even if the machine is perfectly clean. The user must pay for the full version in order to remove the nonexistent malware.

2 | Script.Adware.DealPly.G | 1.90 %
3 | Script.Application.InstallCore.HL | 1.58 %
4 | Win32.Application.DownloadSponsor.R | 1.47 %
5 | Gen:Adware.BrowseFox.1 | 0.86 %
6 | Application.SearchProtect.BS | 0.81 %
7 | Gen:Variant.Graftor.9718 | 0.80 %
8 | Win32.Adware.InstallCore.GF | 0.71 %
9 | Gen:Application.Imonetize.2 | 0.68 %
10 | Win32.Adware.IObit.A | 0.63 %
