codec-v.exe

Setup

Roadpass Trading Ltd.

This is a WebPick installer that bundles (with very minimal user consent) a number of adware browser extensions which inject ads into the browser. The application codec-v.exe by Roadpass Trading has been detected as adware by 27 anti-malware scanners. The program is a setup application that uses the WebPick InstalleRex (Tarma) installer. It displays context-specific advertisements in the browser and also attempts to modify the browser's search provider. While running, it connects to the Internet address r1.stylezip.info on port 80 using the HTTP protocol.
Publisher:
Premium (signed by Roadpass Trading Ltd.)

Product:
Setup

Description:
Installer

Version:
2012.8.9.1543

MD5:
c4343522ae8458fc9b21be8adb0f5d41

SHA-1:
56f95c00cd1a4d7d0b27b07f2030c042cff4c997

SHA-256:
1ed4e68cecb7a72c7852b7ce9c91fc289b61519962a451d4295a02d8c03e857c

Scanner detections:
27 / 68

Status:
Adware

Explanation:
The installer may include an offer for the Babylon Toolbar (a homepage/search hijacker), which is potentially installed with minimal user consent.

Analysis date:
4/16/2024 3:46:37 PM UTC

Scan engine             Detection                                           Engine version
Agnitum Outpost         Riskware.InstallMate                                7.1.1
AhnLab V3 Security      PUP/Win32.TSULoader                                 2014.07.08
Avira AntiVirus         Adware/InstallMat.C                                 7.11.138.26
avast!                  Win32:InstallMate-DK [PUP]                          2014.9-160210
AVG                     Potentially harmful program Toolbar.Babylon         2017.0.2838
Bkav FE                 W32.FamVT.AntiFWK.Trojan                            1.3.0.4959
Clam AntiVirus          Win.Adware.544096                                   0.98/19073
Comodo Security         Application.Win32.Bundledz.C                        19420
Dr.Web                  Adware.Downware.444                                 9.0.1.041
ESET NOD32              Win32/InstallMate potentially unwanted application  10.7.0.302.0
F-Prot                  W32/InstallMate.B                                   v6.4.6.5.141
IKARUS anti.virus       PUP.InstallRex                                      t3scan.1.6.1.0
K7 AntiVirus            Unwanted-Program                                    13.183.13451
Kaspersky               not-a-virus:Downloader.Win32.AdLoad                 14.0.0.685
Malwarebytes            PUP.Optional.InstallRex                             v2016.02.10.01
NANO AntiVirus          Riskware.Win32.Downware.cvbqxd                      0.28.0.58491
nProtect                Backdoor/W32.Clack.301504                           14.06.24.01
Panda Antivirus         PUP/TSUploader                                      16.02.10.01
Qihoo 360 Security      Malware.QVM20.Gen                                   1.0.0.1015
Reason Heuristics       PUP.WebPick.RoadpassTrading.Installer (M)           16.2.10.1
Rising Antivirus        PE:PUF.InstallRex!1.9E4C                            23.00.65.16208
Sophos                  PUA 'InstallRex'                                    59
SUPERAntiSpyware        Trojan.Agent/Gen-IntallMate                         9333
Total Defense           Win32/Tnega.aDQSBaD                                 37.0.10856
Trend Micro House Call  HV_INSTALLMATE_BK0843FE.TOMC                        7.2.41
VIPRE Antivirus         Threat.14871                                        32210
Zillya! Antivirus       Downloader.Adload.Win32.16891                       2.0.0.1805

File size:
289.9 KB (296,856 bytes)

Product version:
1.0

Copyright:
Copyright © 2010 Premium

Original file name:
TSULoader.exe

File type:
Executable application (Win32 EXE)

Installer:
WebPick InstalleRex (Tarma)

Common path:
C:\users\{user}\downloads\codec-v.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
4/2/2012 2:00:00 AM

Valid to:
4/3/2013 1:59:59 AM

Subject:
CN=Roadpass Trading Ltd., O=Roadpass Trading Ltd., STREET=Grigori Afxentiou 8, STREET="EL.PA. Livadioti Building,", STREET="3rd floor, Office 306,", L=Larnaca, S=Cyprus, PostalCode=6023, C=CY

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
7CEA38597BE5145D4B71FF0ECD5A4F37

File PE Metadata
Compilation timestamp:
7/28/2012 4:31:25 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

CTPH (ssdeep):
6144:6W1pwwKeFqzDNQkoSt3g3+gJHI5+/dlNbtovcj48xKjdIs0oPiEjZW:6W4wxCQEtj6o5Cdll948Q+oPiE4

Entry address:
0x14A3

Entry point:
55, 8B, EC, 81, EC, 24, 06, 00, 00, 53, 56, 33, F6, 57, 66, 89, B5, E4, FB, FF, FF, 89, 75, F4, 89, 75, FC, FF, 15, 68, 30, 40, 00, A3, 08, 44, 40, 00, FF, 15, 64, 30, 40, 00, 89, 45, F8, 68, 04, 01, 00, 00, 8D, 85, DC, F9, FF, FF, 50, 56, FF, 15, 60, 30, 40, 00, 85, C0, 75, 41, FF, 15, 5C, 30, 40, 00, 83, F8, 78, 75, 1A, 68, BC, 32, 40, 00, E8, 82, FB, FF, FF, 59, C7, 05, 0C, 44, 40, 00, FD, 00, 00, 00, E9, 13, 02, 00, 00, 50, 68, 98, 32, 40, 00, E8, 67, FB, FF, FF, 59, 59, C7, 05, 0C, 44, 40, 00, FF, 00...

Developed / compiled with:
Microsoft Visual C++

Code size:
7.5 KB (7,680 bytes)

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to r1.stylezip.info  (54.186.255.26:80)

Remove codec-v.exe - Powered by Reason Core Security