Nowadays, when people want to download software, they usually search for it using a search engine that leads them to a download site. But some software on these sites may be harmful. In China, more and more software package authors are using these download sites in a malicious way in order to make money. They add other unwanted software into the normal software package – this is called a "repack".

Some time ago, one of our customers intended to download a web browser but instead downloaded a malicious installation package that we now detect as TrojanDownloader:Win32/Startpage.NZ (SHA1: FAFA0BD6AA6A59439DF01E82750D72D7E13E5637).
Installer package

It appears to be a normal install package, but after installation with default options, it adds many shortcuts to an affected user's desktop and pops up advertisements. It also modifies the Internet Explorer home page, and adds some fake Internet Explorer shortcuts in the quick start area (which are also advertisements).
Shortcuts added to desktop


We can see that this is a repacked package, and the following installer script has been added, complete with download links:
Installer script containing download links

All of these URLs are related to advertising. The author of the package will make money from them. Many users download and install software from various websites, but not all of these websites provide official or legitimate installation software packages. Some may even be harmful.
If you want some software, as always, we recommend that you download it from a legitimate and verified source. We also recommend that you take advantage of the SmartScreen Filter feature in Internet Explorer 9. SmartScreen Filter works with Download Manager to help protect you from malicious downloads. Potentially risky downloads are immediately blocked. Download Manager then clearly identifies higher risk programs so that you can make an informed decision to delete, run, or save the download.
by Haoran Yu