home

installer_microsoft_powerpoint_french.exe

Vittalia Internet S.L.

This is the Vittalia Filewon Installer which bundles applications with offers for additional 3rd party software, mostly unwanted adware, and may be installed with minimal consent. The application installer_microsoft_powerpoint_french.exe by Vittalia Internet S.L has been detected as adware by 13 anti-malware scanners. The program is a setup application that uses the Vittalia DM installer. This will display context specific advertisements in the browser as well as attempt to modify the browser's search provider. While running, it connects to the Internet address services.upd4ter.com on port 80 using the HTTP protocol.
Publisher:
Vittalia Internet S.L.  (signed and verified)

MD5:
de833682ac3d92a864536f183fdc4120

SHA-1:
feef610ac8e3c7692df2ae2419efac0f3974f3ab

SHA-256:
41cfc3e22309227c9e2c0a487f9e5c48422d435554293981e5333f79d20c1238

Scanner detections:
13 / 68

Status:
Adware

Explanation:
Bundles additional software, mostly toolbars and other potentially unwanted applications using the Vittalia monitization installer.

Description:
This is also known as bundleware, or downloadware, which is an downloader designed to simply deliver ad-supported offers in the setup routine of an otherwise legitimate software.

Analysis date:
4/25/2024 9:28:33 PM UTC  (today)

Scan engine
Detection
Engine version

Avira AntiVirus
Adware/Vittalia.AB
7.11.182.128

AVG
Skodna.Bundle.d71
2015.0.3305

Dr.Web
Adware.Downware.1051
9.0.1.05190

ESET NOD32
Win32/Toolbar.Babylon potentially unwanted application
7.0.302.0

K7 AntiVirus
Unwanted-Program
13.185.13853

Malwarebytes
PUP.Optional.VIT.A
v2014.10.31.05

Microsoft Security Essentials
Threat.Undefined
1.187.957.0

NANO AntiVirus
Trojan.Win32.Downware.zexrm
0.28.6.62995

Qihoo 360 Security
HEUR/Malware.QVM06.Gen
1.0.0.1015

Reason Heuristics
PUP.VittaliaInternetSL.f
14.10.31.4

Rising Antivirus
PE:Trojan.Win32.Generic.14879428!344429608
23.00.65.141029

SUPERAntiSpyware
Adware.Lollipop/Variant
10267

VIPRE Antivirus
Threat.4782551
34232

File size:
371.6 KB (380,520 bytes)

File type:
Executable application (Win32 EXE)

Bundler/Installer:
Vittalia DM (using Nullsoft Install System)

Common path:
C:\users\{user}\downloads\installer_microsoft_powerpoint_french.exe

Digital Signature
Signed by:
Vittalia Internet S.L.

Authority:
VeriSign, Inc.

Valid from:
6/5/2012 2:00:00 AM

Valid to:
5/9/2013 1:59:59 AM

Subject:
CN=Vittalia Internet S.L., OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Vittalia Internet S.L., L=Mostoles, S=Madrid, C=ES

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
7952CFD9EF040B59F3C140BA1DA97A60

File PE Metadata
Compilation timestamp:
12/5/2009 11:50:52 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
6144:Ye34BB8k8W+4EI+M8fZmgoZfjwS2GyJCytjzcs23Gb4r/zqvUA6OmEgXkOiQJf:WNTEI+MoxoFj8Ntjzcs23GbMLA9SQQJf

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, EC, 42, 00, E8, F1, 2B, 00, 00, A3, 64, EB, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 8F, 42, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, E3, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 40, 43, 00, 50, 57, E8, 92, 28, 00, 00...
 
[+]

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to www.uplstatsone.com  (93.189.33.84:80)

TCP (HTTP):
Connects to services.upd4ter.com  (93.189.33.101:80)

TCP (HTTP):
Connects to media.vitavita.com.es  (109.70.128.135:80)

TCP (HTTP):
Connects to download.upd4ter.com  (93.189.33.101:80)

 
http://download.upd4ter.com/installers/down.php

Remove installer_microsoft_powerpoint_french.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.