google-chrome.exe

tuguu sl

The Tuguu download and install manager uses the DomaIQ installer to bundle additional adware offers such as toolbars and browser extensions during the setup process. This software distributes modified installers which are not the same as the original distributed by the author. The application google-chrome.exe by tuguu sl has been detected as adware by 21 anti-malware scanners. The program is a setup application that uses the TUGUU DomaIQ Setup installer. During install, it bundles potentially unwanted software onto the user's computer without adequate consent. The installer is marketed through download portals and search ads as Google's Chrome web browser, but it also installs additional software offers which include adware, PUPs and browser toolbars.
Publisher:
tuguu sl  (signed and verified)

MD5:
801956ed02dbcac800b8405e7b7ba3c1

SHA-1:
cf01acbb82dd5edc1ea950c5b8609ea2a6f715ff

SHA-256:
6d80a97c56a8f9957fa056a7d2a95ca05188d7c406eef6fce0338cee6f42a69d

Scanner detections:
21 / 68

Status:
Adware

Explanation:
Uses the DomaIQ download manager to bundle additional potentially unwanted software without adequate consent.

Description:
This 'download manager' is also considered bundleware: a utility designed to download software (possibly legitimate or open-source) and bundle it with a number of optional offers, including ad-supported utilities, toolbars, shopping comparison tools and browser extensions.

Analysis date:
8/7/2014 10:46:24 PM UTC  (two months ago)

Scan engine             Detection                           Engine version

Avira AntiVirus         APPL/DomaIQ.AV                      7.11.125.192
Antiy Labs AVL          AdWare/MSIL.DomaIQ                  2.0.3.7
avast!                  Win32:PUP-gen [PUP]                 2014.9-140126
AVG                     Skodna.Generic_r                    2015.0.3582
Commtouch SDK           W32/Backdoor.ZZRW-1179              5.4.1.7
Comodo Security         Application.Win32.DomaIQ.D          17640
Dr.Web                  Trojan.PayInt.27                    9.0.1.026
ESET NOD32              Win32/DomaIQ.AV (variant)           8.9310
F-Prot                  W32/Backdoor2.HTIW                  v6.4.7.1.166
herdProtect (fuzzy)                                         2014.1.26.19
Jiangmin                AdWare/DomaIQ.if                    KV140126
Kaspersky               not-a-virus:AdWare.Win32.DomaIQ     14.0.0.4406
Malwarebytes            PUP.Optional.BundleInstaller.A      v2014.01.26.06
McAfee                  RDN/Generic.bfr!fq                  5600.7238
McAfee Web Gateway      RDN/Generic.bfr!fq                  7.7238
NANO AntiVirus          Riskware.Win32.DomaIQ.csmcgi        0.28.0.57029
Reason Heuristics       PUP.tuguusl.N                       14.8.7.18
Rising Antivirus        PE:PUF.DomaIQ!1.9DE0                23.00.65.14124
Sophos                  DomainIQ pay-per install            4.96
Vba32 AntiVirus         BScope.Downware.DomaIQ              3.12.24.3
VIPRE Antivirus         Win32.Malware!Drop                  25584

File size:
448.4 KB (459,168 bytes)

File type:
Executable application (Win32 EXE)

Installer:
TUGUU DomaIQ Setup

Common path:
C:\users\user\downloads\google-chrome.exe

Digital Signature
Signed by:

Authority:
GoDaddy.com, Inc.

Valid from:
6/13/2013 4:06:55 PM

Valid to:
6/13/2014 4:06:55 PM

Subject:
CN=tuguu sl, O=tuguu sl, L=Adeje, S=Santa Cruz de Tenerife, C=ES

Issuer:
SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
2B632A0CF95E4D

File PE Metadata
Compilation timestamp:
1/9/2014 5:46:35 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
6144:8OeTIfnjAEkxJPNeaL9uRqQb3fgnFwFGLgJ2k0SyCKF1pYax6uYj+LJYX:zAEOJPNeapQrgjLgJoSyCuDYax6hjp

Entry address:
0xCCE2

Entry point:
E8, 94, 5E, 00, 00, E9, 78, FE, FF, FF, 6A, 0C, 68, 88, 22, 42, 00, E8, C4, 04, 00, 00, 83, 65, E4, 00, 8B, 75, 08, 3B, 35, 58, 88, 42, 00, 77, 22, 6A, 04, E8, 7F, 60, 00, 00, 59, 83, 65, FC, 00, 56, E8, 86, 68, 00, 00, 59, 89, 45, E4, C7, 45, FC, FE, FF, FF, FF, E8, 09, 00, 00, 00, 8B, 45, E4, E8, D0, 04, 00, 00, C3, 6A, 04, E8, 7A, 5F, 00, 00, 59, C3, 8B, FF, 55, 8B, EC, 56, 8B, 75, 08, 83, FE, E0, 0F, 87, A1, 00, 00, 00, 53, 57, 8B, 3D, 70, D0, 41, 00, 83, 3D, 1C, 85, 42, 00, 00, 75, 18, E8, 3A, 57, 00...

Code size:
110.5 KB (113,152 bytes)

The file google-chrome.exe has been seen being distributed by the following URL.

The following files closely match google-chrome.exe based on a fuzzy CTPH (ssdeep) comparison.

21 / 68    (Adware)
setup.exe  [99% match]  (fba758ef9c5e0c84bd18467d31537bc9fe32b7bf)

27 / 68    (Adware)
google-earth.exe  (5932c3956ff161822e86614f03c1bba03c559629)

2 / 68      (Adware)
v.exe  (c885a8c998dc91c80e8789161c59b6c0f6d58e76)

1 / 68      (Adware)
setup.exe  (41046612a4ea9037c62150aa2890124fcefa06f5)

1 / 68      (Adware)
installer.exe  (1bc8b481cbade1116598f329c83e003af1025850)

9 / 68      (Adware)
browser_update.exe  (4c38cc35b8d50d9aaf17f4e15c4105245a7ee166)

1 / 68      (Adware)
vso-convertxtodvd.exe  (fc01d899fb966811bcdf8068d5a1ec59819925cd)

1 / 68      (Adware)
player_setup.exe  (508efa61de1d278b1f4d3af54f41417c85b5de72)

1 / 68      (Adware)
java-runtime-environment-jre.exe  (f40234049722ec29b8b04c0a3cbb9d0eb3e958b2)

5 / 68      (Adware)
flashplayer.exe  (d82eb58fff6fdc5803068ef44e1b841bb41c31f1)

1 / 68      (Adware)
allmyvideos.exe  (5f1b9b603621792700608256c45dddbc6b2eaeb5)

17 / 68    (Adware)
DomaIQ10.exe  (7d508e9a087885d7aa26985b349f7663cb2af517)

1 / 68      (Adware)
windows-live-messenger.exe  (15aa81f8cf5111cafee55469f578502129137249)

1 / 68      (Adware)
driver-detective-6-6-fr.exe  (270f8f7dc7aa09592dfecbdc13f2965324c95645)

1 / 68      (Adware)
player_plugin.exe  (b6b315b8d465d8332d6abc3f79488e3561239809)

22 / 68    (Adware)
nero 8.1.0.exe  (3f8a93d530951711e4636db5900b6c6c9de57a39)

1 / 68      (Adware)
player setup.exe  (54070f2b8d16efec4ab139f1e67d27d711d5aad1)

Detection Incidence by Country