On a website that uses exploits to infect, I have come across malware that installs a program with a EULA agreement without the user’s consent.
A video is available at the following link or on YouTube:
The video shows the process:
1 – EULA agreement – How a user would install the program with the EULA agreement.
2 – Without EULA agreement – How the malware installs the program with the EULA agreement without the user’s awareness.
3 – Debugging – The process followed by the malware to be installed:
a) First, it drops a copy of the program with the EULA agreement, which is included in its code.
b) Then, it runs it.
c) It searches for specific window texts with the API function "FindWindow" in order to obtain the handles of certain windows.
d) Once it obtains the handles, it hides the window using "ShowWindow", so that the infected user is hardly aware of what is being carried out.
e) It sends the necessary messages using "SendMessage" to the previous handles, faking the user’s acceptance of the agreement.
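
Steps c) to e) leave a recognisable ordering in an API-call trace, which the following added example (not code from the original post or from the malware) turns into a detection check. The trace format, PIDs, window titles, handles and message values are constructed for illustration.

```python
import re

SW_HIDE = 0  # Win32 nCmdShow value that hides a window

# Constructed trace in a hypothetical sandbox format: "<pid> <api>(<args>) = <ret>"
SAMPLE_TRACE = """\
1200 CreateProcess("setup.exe") = 1344
1200 FindWindow(NULL, "License Agreement") = 0x000A01F2
1200 ShowWindow(0x000A01F2, 0) = 1
1200 SendMessage(0x000A01F2, 0x0111, 1, 0) = 0
2310 FindWindow(NULL, "Untitled - Notepad") = 0x00050B10
2310 ShowWindow(0x00050B10, 5) = 1
2310 SendMessage(0x00050B10, 0x0010, 0, 0) = 0
3000 FindWindow(NULL, "Setup") = 0x0
3000 ShowWindow(0x0, 0) = 0
"""

LINE = re.compile(r"^(\d+) (\w+)\((.*)\) = (\S+)$")

def parse(trace):
    """Yield (pid, api, args, ret) for every well-formed trace line."""
    for line in trace.splitlines():
        m = LINE.match(line.strip())
        if m:
            pid, api, args, ret = m.groups()
            yield int(pid), api, [a.strip() for a in args.split(",")], ret

def find_hidden_dialog_automation(trace):
    """Return {pid: [hwnd, ...]} for processes that looked a window up with
    FindWindow, hid it with ShowWindow(SW_HIDE), then sent it a message."""
    found, hidden, flagged = {}, {}, {}
    for pid, api, args, ret in parse(trace):
        if api == "FindWindow" and int(ret, 16) != 0:
            # Step c): a successful lookup gives the process a window handle.
            found.setdefault(pid, set()).add(int(ret, 16))
        elif api == "ShowWindow" and int(args[1], 0) == SW_HIDE:
            # Step d): only count hiding of a handle obtained via FindWindow.
            hwnd = int(args[0], 16)
            if hwnd in found.get(pid, ()):
                hidden.setdefault(pid, set()).add(hwnd)
        elif api == "SendMessage":
            # Step e): a message sent to a window this process has hidden.
            hwnd = int(args[0], 16)
            if hwnd in hidden.get(pid, ()):
                hits = flagged.setdefault(pid, [])
                if hwnd not in hits:
                    hits.append(hwnd)
    return flagged
```

The check keys on ordering only, so legitimate UI automation can match it; correlating the hidden window's owning process with the caller would narrow the results.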