» extie_setup.exe
Overview
Analysis
File Details
Network (1)

extie_setup.exe

information

Eran Vaterfeld

The is the installer for the WebPick InstalleRex download manager which bundles applications with offers for additional 3rd party software, mostly unwanted adware, and may be installed without consent. The application extie_setup.exe by Eran Vaterfeld has been detected as adware by 40 anti-malware scanners. The program is a setup application that uses the WebPick InstalleRex installer. The setup program uses Web-Pick's InstalleRex download manager and installer to bundle potentially unwanted ad-supported software which includes toolbars and browser extensions through a pay-per-install monetization scheme.

File name:

extie_setup.exe

Publisher:

one computer data (signed by Eran Vaterfeld)

Product:

information

Version:

9.9.0.0

MD5:

0a0b56e1ef2f915856c7a4801c9d7d53

SHA-1:

8736e20c7a23bec56a671647e14d2e23b3463e27

SHA-256:

b63bfea59e4d9a949a9e61936a9cc593085dfd3a09bd76f1a0f9f84776a88612

Scanner detections:

40 / 68

Status:

Adware

Explanation:

Uses the InstalleRex from WebPick Internet Holdings to install bundled add-ons including toolbars and other web browser extensions.

Description:

This is an installer which may bundle legitimate applications with offers for additional 3rd-party applications that may be unwanted by the user. While the installer contains an 'opt-out' feature this is not set be defult and is usually overlooked.

Analysis date:

4/27/2024 12:51:21 AM UTC (today)

Scan engine

Detection

Engine version

Lavasoft Ad-Aware

Gen:Variant.Adware.Dropper.103

887

Agnitum Outpost

Win32.Sality.FA.Gen

7.1.1

AhnLab V3 Security

Win32/Kashu.E

2014.06.24

Avira AntiVirus

ADWARE/Adware.Gen7

7.11.156.190

avast!

Win32:InstalleRex-Z [PUP]

140813-1

AVG

Adware Generic5.AYCB

2014.0.4015

Baidu Antivirus

Virus.Win32.Sality.$Emu

4.0.3.1491

Bitdefender

Gen:Variant.Adware.Dropper.103

1.0.20.1220

Bkav FE

W32.Sality.PE

1.3.0.4959

Clam AntiVirus

Win.Adware.Agent-7442

0.98/19317

Comodo Security

Application.Win32.Multiplug.R

18664

Dr.Web

Trojan.Crossrider.24479

9.0.1.05190

Emsisoft Anti-Malware

Gen:Variant.Adware.Dropper.103

9.0.0.4324

ESET NOD32

Win32/AdWare.MultiPlug.AP application

7.0.302.0

F-Prot

W32/Sality.gen2

v6.4.6.5.141

F-Secure

Gen:Variant.Adware.Dropper.103

11.2014-01-09_2

G Data

Gen:Variant.Adware.Dropper.103

14.9.24

IKARUS anti.virus

PUP.InstallRex

t3scan.1.6.1.0

K7 AntiVirus

Virus

13.180.12498

Kaspersky

not-a-virus:HEUR:AdWare.Win32.Agent

14.0.0.3320

Malwarebytes

PUP.Optional.MultiPlug.A

v2014.09.01.02

McAfee

PUP-FIC

5600.7021

Microsoft Security Essentials

Threat.Undefined

1.177.578.0

MicroWorld eScan

Gen:Variant.Adware.Dropper.103

15.0.0.732

NANO AntiVirus

Virus.Win32.Sality.bzkem

0.28.0.60475

Norman

Sality.ZHB

11.20140901

nProtect

Win32.Sality.3

14.06.23.01

Panda Antivirus

Trj/Genetic.gen

14.09.01.02

Qihoo 360 Security

Malware.QVM19.Gen

1.0.0.1015

Quick Heal

W32.Sality.U

9.14.14.00

Reason Heuristics

PUP.Installer.EranVaterfeld.L

14.9.1.2

Rising Antivirus

PE:PUF.Graftor!1.9C49

23.00.65.14830

Sophos

MultiPlug

4.98

Total Defense

Win32/Sality.AA

37.0.11018

Trend Micro House Call

PE_SALITY.ER

7.2.244

Trend Micro

PE_SALITY.ER

10.465.01

Vba32 AntiVirus

Virus.Win32.Sality.bakb

3.12.26.3

VIPRE Antivirus

Threat.4786450

29708

ViRobot

Win32.Sality.N

2011.4.7.4223

Zillya! Antivirus

Virus.Sality.Win32.20

2.0.0.1835

File size:

1.7 MB (1,741,672 bytes)

Product version:

9.9.0.0

Original file name:

modifying a built-in

File type:

Executable application (Win32 EXE)

Bundler/Installer:

WebPick InstalleRex

Language:

English (United Kingdom)

Common path:

C:\users\{user}\appdata\local\temp\{random}.tmp\addons\extie_setup.exe

Digital Signature

Signed by:

Eran Vaterfeld

Authority:

COMODO CA Limited

Valid from:

7/10/2013 3:00:00 AM

Valid to:

7/11/2014 2:59:59 AM

Subject:

CN=Eran Vaterfeld, O=Eran Vaterfeld, STREET=Shtruk 15, L=Tel Aviv, S=Tel Aviv, PostalCode=64042, C=IL

Issuer:

CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:

00CF0201F072612C73F4F11FE23420B802

File PE Metadata

Compilation timestamp:

6/25/2014 10:07:24 AM

OS version:

5.1

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

11.0

CTPH (ssdeep):

49152:oefd4ADGBle/qYNXLifRps3ot438lV4fY42yvuKiKHQyoxd:oCG3+VX93o4sb4A4XDvU/

Entry address:

0x15FAB

Entry point:

E8, 87, 7C, 00, 00, E9, 00, 00, 00, 00, 6A, 14, 68, 10, C2, 42, 00, E8, 6F, 0D, 00, 00, E8, A2, 03, 00, 00, 0F, B7, F0, 6A, 02, E8, 1A, 7C, 00, 00, 59, B8, 4D, 5A, 00, 00, 66, 39, 05, 00, 00, 40, 00, 74, 04, 33, DB, EB, 33, A1, 3C, 00, 40, 00, 81, B8, 00, 00, 40, 00, 50, 45, 00, 00, 75, EB, B9, 0B, 01, 00, 00, 66, 39, 88, 18, 00, 40, 00, 75, DD, 33, DB, 83, B8, 74, 00, 40, 00, 0E, 76, 09, 39, 98, E8, 00, 40, 00, 0F, 95, C3, 89, 5D, E4, E8, 53, 45, 00, 00, 85, C0, 75, 08, 6A, 1C, E8, DC, 00, 00, 00, 59, E8... 
[+]

Entropy:

7.9031 (probably packed)

Code size:

130 KB (133,120 bytes)

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):

Connects to r1.stylezip.info (54.186.255.26:80)

Remove extie_setup.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.