00000003

YL production

This is a WebPick InstalleRex installer that bundles, with minimal user consent, a number of ad-injecting browser extensions. The file 00000003, “Installer for Application fields Software” by YL production, has been detected as adware by 33 of 68 anti-malware scanners. It is a setup program built on Web-Pick's InstalleRex (Tarma) download manager, which bundles potentially unwanted ad-supported software, including toolbars and browser extensions, under a pay-per-install monetization scheme. The numeric file name and the common path under Chrome's "File System" storage directory are consistent with the sample having been written to disk through the browser's sandboxed FileSystem API rather than saved as an ordinary download; the version resource records the original file name as TSULoader.exe. The binary is code-signed, but with a Certum individual-developer certificate (CN "Open Source Developer, Yuri LEBEDEV"); a valid signature here vouches for the publisher's identity, not for the software being benign.
Publisher:
Application fields Software  (signed by YL production)

Product:
Application fields Software

Description:
Installer for Application fields Software

Version:
2014.6.2.1205

MD5:
a4f4179f590eafc7863ab7e377723f0b

SHA-1:
e6c17dd763ad69f9ddea15a83bb3ef591c7a8b2f

SHA-256:
5caa818212c79609dbe80ff63d5ff4fbb00d902449bb8f727544703dda4752ca

Scanner detections:
33 / 68

Status:
Adware

Explanation:
Uses the InstalleRex from WebPick Internet Holdings to install bundled add-ons including toolbars and other web browser extensions.

Analysis date:
4/19/2024 12:53:11 PM UTC

Scan engine: detection (engine version)

Lavasoft Ad-Aware: Trojan.Generic.11352357 (865)
Agnitum Outpost: Trojan.AntiFW (7.1.1)
AhnLab V3 Security: PUP/Win32.TSULoader (2014.06.16)
Avira AntiVirus: TR/Visucius.20 (7.11.155.10)
avast!: Win32:InstalleRex-BO [PUP] (2014.9-140922)
AVG: Generic (2015.0.3343)
Bitdefender: Trojan.Generic.11352357 (1.0.20.1325)
Bkav FE: W32.FamVT.AntiFWK.Trojan (1.3.0.4959)
Clam AntiVirus: Win.Trojan.Installerex-2 (0.98/19414)
Comodo Security: Application.Win32.InstalleRex.KG (18562)
Dr.Web: Trojan.WebPick.2452 (9.0.1.0265)
Emsisoft Anti-Malware: Trojan.Generic.11352357 (14.09.22)
ESET NOD32: Win32/InstalleRex.M potentially unwanted application (8.7.0.302.0)
F-Prot: W32/InstallRex.B (4.6.5.141)
F-Secure: Trojan.Generic.11352357 (11.2014-22-09_2)
G Data: Win32.Application.InstalleRex (14.9.24)
herdProtect (fuzzy): no detection name listed (2014.12.4.17)
IKARUS anti.virus: PUA.InstallBundler (t3scan.1.6.1.0)
K7 AntiVirus: Unwanted-Program (13.1712403)
Kaspersky: Trojan.Win32.AntiFW (14.0.0.3212)
Malwarebytes: PUP.Optional.InstalleRex (v2014.09.22.02)
McAfee: PUP-FHQ!DA7F900DCA45 (5600.6999)
MicroWorld eScan: Trojan.Generic.11352357 (15.0.0.795)
NANO AntiVirus: Riskware.Win32.InfoLeak.cvgqot (0.28.0.60253)
nProtect: Trojan/W32.AntiFW.322600 (14.09.22.01)
Panda Antivirus: PUP/TSUploader (14.09.22.02)
Qihoo 360 Security: Malware.QVM20.Gen (1.0.0.1015)
Quick Heal: Trojan.AntiFW.A5 (9.14.14.00)
Reason Heuristics: PUP.Installer.YLproduction.I (14.9.22.12)
Sophos: InstallRex (4.98)
Vba32 AntiVirus: Downware.TSU (3.12.26.0)
VIPRE Antivirus: Threat.4753027 (29708)
Zillya! Antivirus: Trojan.AntiFW.Win32.250 (2.0.0.1827)

File size:
315 KB (322,600 bytes)

Product version:
1.0.0.3

Copyright:
Copyright © 2014 Application fields Software

Original file name:
TSULoader.exe

Installer:
WebPick InstalleRex (Tarma)

Common path:
C:\users\{user}\appdata\local\google\chrome\user data\default\file system\004\t\00\00000003

Digital Signature
Signed by:
YL production
Authority:
Unizeto Technologies S.A.

Valid from:
1/16/2014 8:49:26 AM

Valid to:
1/16/2015 8:49:26 AM

Subject:
E=Lebedev72@hotmail.com, CN="Open Source Developer, Yuri LEBEDEV", O=YL production, C=RU

Issuer:
CN=Certum Level III CA, OU=Certum Certification Authority, O=Unizeto Technologies S.A., C=PL

Serial number:
284B7B8274AFC7E851A73B98B619311F

File PE Metadata
Compilation timestamp:
3/12/2013 10:51:45 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

CTPH (ssdeep):
6144:3rYbUzkuvcBYC47l2xSHyxdphxUIdRyZBBMX9v9y8DBMi:3rdkuveY354dH3diBMX9v9NF

Entry address:
0x14DB

Entry point:
55, 8B, EC, 81, EC, 2C, 06, 00, 00, 53, 56, 33, DB, 57, 66, 89, 9D, DC, FB, FF, FF, 89, 5D, F4, 89, 5D, FC, FF, 15, 74, 30, 40, 00, A3, 08, 44, 40, 00, FF, 15, 70, 30, 40, 00, 8B, F8, 8D, 45, EC, 50, FF, 15, 6C, 30, 40, 00, FF, 15, 68, 30, 40, 00, 8B, F0, F7, D6, 33, F7, FF, 15, 64, 30, 40, 00, 33, F0, 8B, 45, F0, 33, 45, EC, 68, 04, 01, 00, 00, 33, F0, 8D, 85, D4, F9, FF, FF, 50, 53, FF, 15, 60, 30, 40, 00, 85, C0, 75, 41, FF, 15, 5C, 30, 40, 00, 83, F8, 78, 75, 1A, 68, A8, 32, 40, 00, E8, 43, FB, FF, FF...

Developed / compiled with:
Microsoft Visual C++

Code size:
7.5 KB (7,680 bytes)
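The PE fields above (compilation timestamp, OS version, subsystem, linker version, code size, entry address and entry-point bytes) all come from the DOS, COFF and optional headers, and can be reproduced without a PE library. The script below is an added example, not code from the page or from any of the scanners listed; it reads those fields from a PE32 file, maps the entry RVA to a file offset through the section table, and checks the blob against two kinds of indicator taken from this report: the three file hashes and the first 27 position-independent entry-point bytes. Because the real sample is not available offline, the script fabricates a minimal PE32 stand-in (`build_sample_pe`, a constructed file with the report's header values, not the actual 00000003) when run without an argument; that stand-in deliberately fails the hash check and passes the entry-prefix check, which is exactly the gap between hash IOCs and the code-pattern clustering that gives several engines above the same "Trojan.Generic.11352357" name.

```python
import hashlib
import struct
from datetime import datetime, timezone

# Indicators copied from the report above.
IOC_MD5 = "a4f4179f590eafc7863ab7e377723f0b"
IOC_SHA1 = "e6c17dd763ad69f9ddea15a83bb3ef591c7a8b2f"
IOC_SHA256 = "5caa818212c79609dbe80ff63d5ff4fbb00d902449bb8f727544703dda4752ca"
# First 27 entry-point bytes from the report: push ebp / mov ebp,esp / sub esp,0x62C /
# push ebx / push esi / xor ebx,ebx / push edi / three stores of ebx into locals.
# These are position-independent; the FF 15 call targets that follow them are not.
ENTRY_PREFIX = bytes.fromhex(
    "55 8b ec 81 ec 2c 06 00 00 53 56 33 db 57 66 89 9d dc fb ff ff 89 5d f4 89 5d fc")

SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}


def parse_pe(data: bytes) -> dict:
    """Read the header fields the report lists; PE32 (Win32) images only."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = pe_off + 4
    _machine, nsect, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                           # optional header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 handled here")
    lnk_major, lnk_minor = struct.unpack_from("<BB", data, opt + 2)
    size_of_code, = struct.unpack_from("<I", data, opt + 4)
    entry_rva, = struct.unpack_from("<I", data, opt + 16)
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)
    subsystem, = struct.unpack_from("<H", data, opt + 68)
    # Map the entry RVA to a file offset via the section table (40-byte entries).
    entry_bytes = b""
    for i in range(nsect):
        vsize, va, rawsize, rawptr = struct.unpack_from(
            "<IIII", data, opt + opt_size + 40 * i + 8)
        if va <= entry_rva < va + max(vsize, rawsize):
            start = rawptr + (entry_rva - va)
            entry_bytes = data[start:start + 128]
            break
    return {
        "compile_time": datetime.fromtimestamp(ts, tz=timezone.utc).strftime(
            "%Y-%m-%d %H:%M:%S UTC"),
        "os_version": f"{os_major}.{os_minor}",
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "linker_version": f"{lnk_major}.{lnk_minor}",
        "code_size": size_of_code,
        "entry_address": entry_rva,
        "entry_bytes": entry_bytes,
    }


def check_sample(data: bytes) -> dict:
    """Compare a blob against the report's hash IOCs and its entry-point byte prefix."""
    digests = (hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest(),
               hashlib.sha256(data).hexdigest())
    meta = parse_pe(data)
    return {
        "hash_match": any(d == i for d, i in zip(digests, (IOC_MD5, IOC_SHA1, IOC_SHA256))),
        "entry_prefix_match": meta["entry_bytes"].startswith(ENTRY_PREFIX),
        "meta": meta,
    }


def build_sample_pe() -> bytes:
    """Constructed stand-in, NOT the real 00000003: a minimal PE32 carrying the header
    values the report lists, with the entry-point prefix placed at RVA 0x14DB."""
    text_rva, text_raw, text_size, entry_rva = 0x1000, 0x400, 0x1E00, 0x14DB
    ts = int(datetime(2013, 3, 12, 10, 51, 45, tzinfo=timezone.utc).timestamp())
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, 1, ts, 0, 0, 0xE0, 0x0102)  # i386, one section
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                      0x10B, 8, 0,                           # PE32 magic, linker 8.0
                      text_size, 0, 0, entry_rva, text_rva, 0x3000, 0x400000, 0x1000, 0x200,
                      4, 0, 0, 0, 4, 0,                      # OS 4.0, image 0.0, subsys 4.0
                      0, 0x4000, text_raw, 0,                # SizeOfImage, SizeOfHeaders, ...
                      2, 0,                                  # IMAGE_SUBSYSTEM_WINDOWS_GUI
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"\0" * 128                                       # 16 empty data directories
    sect = struct.pack("<8sIIIIIIHHI", b".text", text_size, text_rva, text_size, text_raw,
                       0, 0, 0, 0, 0x60000020)               # code | execute | read
    headers = bytes(dos) + b"PE\0\0" + coff + opt + sect
    text = bytearray(text_size)
    off = entry_rva - text_rva
    text[off:off + len(ENTRY_PREFIX)] = ENTRY_PREFIX
    return headers.ljust(text_raw, b"\0") + bytes(text)


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    result = check_sample(blob)
    for key, value in result["meta"].items():
        print(f"{key}: {value.hex() if isinstance(value, bytes) else value}")
    print("hash IOC match:", result["hash_match"],
          "| entry prefix match:", result["entry_prefix_match"])
```

Run it with a path to a suspect file to print the same metadata the report shows and both verdicts; run it with no argument to exercise the constructed stand-in. The prefix check is intentionally limited to the bytes before the first absolute `call [addr]`, since those import thunk addresses change whenever the binary is relinked, while the prologue and local-variable setup do not.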

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to r1.stylezip.info  (54.186.255.26:80)

Remove 00000003 - Powered by Reason Core Security