You can witness a PUA:Win32/DNDownloader detection while installing a certain software. This detection refers to a potentially unwanted software that attempts to run unwanted apps along with the “main” installation. In this article, I explain how to remove it and show the dangers related to that threat.
Detection Overview
PUA:Win32/DNDownloader is a heuristic detection of potentially unwanted software associated with the LDPlayer app. This program is a free Windows-based Android emulator developed by the Chinese company XuanZhi. In general, the emulator itself is not harmful, while programs that are installed along with it are.
Although LDPlayer has an official website, VirusTotal search results indicate that PUA:Win32/DNDownloader is distributed through malicious websites, often disguised as popular programs, mobile game clients, or cracked mobile apps. Common disguises include popular games and software for some specific tasks.
- Terraria
- Roblox.client
- Brawlstars
- Pokemongo
- Mobile.legends
- Standoff2
- Pixlink.camera
- Instagram.followers.unfollowers
- Minivideos.videodownloader
This is only a small sample of the software under which users have encountered Win32/DNDownloader under the guise of. Additionally, the installation process typically includes prompts to install extra software.
PUA:Win32/DNDownloader Analysis
Let’s take a closer look at this unwanted software. The first red flag is that Defender detects it as soon as the installation file is downloaded. This detection is warranted, and here’s why. During installation, PUA:Win32/DNDownloader persistently attempts to install additional bundled software.
The programs included in this bundle are typical for unwanted software of this kind—namely, Opera and 360 Total Security. I’ve encountered other unwanted software that also tries to install these two programs.
Technical Details
Although PUA:Win32/DNDownloader may seem harmless at first glance, its behavior on the system indicates otherwise. The first red flag is that it reads mutexes on the system. The program looks for the Local\__DDDrawCheckExclMode__ mutex and if it does not find it, it creates it and several others:
{EE8B94A3-D811-458B-A446-AF28FA10E845}
MUTEX_LDPLAYER
\Sessions\1\BaseNamedObjects\MUTEX_LDPLAYER
\Sessions\1\BaseNamedObjects\{EE8B94A3-D811-458B-A446-AF28FA10E845}
This behavior is typical of a malicious program, or at least something phony, but not legitimate software. During installation, PUA:Win32/DNDownloader employs techniques like obfuscation to avoid static and dynamic analysis, and it checks for a virtual environment by verifying the following values:
\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
While a hardware check may be justifiable for optimizing emulator performance, checking for anti-malware software is unusual for standard programs. It checks the following registry keys:
\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast
\REGISTRY\MACHINE\SOFTWARE\AVG\AV
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVG\AV
\REGISTRY\MACHINE\SOFTWARE\Avira\Browser
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Avira\Browser
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\McAfee
It also modifies certain registry values related to system protection and OneDrive. Otherwise, despite these red flags, LDPlayer performs its intended function.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Security and Maintenance\Checks\{E8433B72-5842-4d43-8645-BC2C35960837}.check.101\CheckSetting
HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts\LastUpdate
Is PUA:Win32/DNDownloader False Positive?
Yes, PUA:Win32/DNDownloader can be a false positive detection. Since this is a heuristic detection, it relies on behavior analysis rather than exact signatures. This means that machine learning may occasionally misinterpret certain behaviors. This is also true for the program files it extracts during installation.
For example, on 06/14/2024, some VirusTotal analyses and comments indicated that the files Roboto-Regular.otf and NotoSans-Regular.otf contained DcRat (DarkCrystal RAT). However, upon re-analysis on 10/29/2024, no malware was detected in these files.
Conversely, this detection is associated with the LDPlayer program specifically, which Microsoft Defender flags in most cases upon download. Although the latest version from the official website does not currently trigger a detection, this could potentially change in the future.
How To Stay Safe?
As mentioned earlier, LDPlayer itself is not malicious; however, the additional software it attempts to install can pose security risks. If you’re uncertain about the safety of the software, consider running a scan with a reliable anti-malware tool. I recommend GridinSoft Anti-Malware. Follow these steps to perform a scan:
Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.
After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.
Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.