Weirdest malware, like, ever?

Yesterday my dad ran into something rather unusual...

He was looking for CD burning software, and found InfraRecorder. Unfortunately the latest version didn't work. However, there was a Google ad on the InfraRecorder home page that linked to a page on Uberdownloads (apparently a known bad site) with what was supposed to be an older version of IR.

For some reason he clicked on the link, downloaded the "older version", and right-clicked on the installer to scan it with Avira... But on being right-clicked, it immediately gave a popup message saying that some BMP image needed a password to open. Clicking cancel just netted another popup with the same message (though a different name for the BMP image); I tried killing it in the task manager, and that killed the whole Windows Explorer shell. Trying to select the file (via click-and-drag) produced the same endless series of popups.

I got rid of the file using HJT's deletion tool, which seemed to do the job. This was followed by full system scans with Avira and MBAM, which found nothing; and HJT scan, which looked fine; and a scan with F-Secure Blacklight, which didn't find any rootkits.

Later I found the link, downloaded the file on a Linux live session, and uploaded to VirusTotal; that gave only one result, "Mal.nair_4" or something like that, which appeared on searching to be a false positive.

So my questions are...

1. Is this actually malware? My assumption was that it was some sort of simple password stealer, designed to fool users into entering their passwords so that it could send them home and let someone log in remotely.

2. Has anyone here observed this or similar behavior in the wild before? If so, does anyone know what it's called?

 

Can u upload it and PM the file link. Don,t post here. I will try it.

Thanks

 

Right clicked, scanned with comodo AV. Nothing happens. I have XP.

 

Congratulations, he already knew that from uploading it to VirusTotal, is this your expert analysis?

PM me the file, I'll try it out in a VM.

 

FWIW I tried running it in a Linux session under Wine. That revealed an adware-filled but otherwise unremarkable installer, which did in fact do its job and install InfraRecorder (after asking me if I wanted half a dozen different varieties of adware).