m.exe

if maintaining

Eran Vaterfeld

This is the installer for the WebPick InstalleRex download manager, which bundles applications with offers for additional third-party software (mostly unwanted adware) that may be installed without the user's consent. The application m.exe by Eran Vaterfeld has been detected as adware by 29 anti-malware scanners. The program is a setup application that uses WebPick's InstalleRex download manager and installer to bundle potentially unwanted ad-supported software, including toolbars and browser extensions, through a pay-per-install monetization scheme.
Publisher:
(signed by Eran Vaterfeld)

Product:
if maintaining

Version:
3.7.0.0

MD5:
fdc8099d7430cf14be036390757004d5

SHA-1:
d6478c196df9750f29ed9c3d5eeed6b728e748a3

SHA-256:
48fef2aa89e75625a388fc4d22cd3af0fd07bb8eadf1c871329d4cdf1a33c70c

Scanner detections:
29 / 68

Status:
Adware

Explanation:
Uses the InstalleRex from WebPick Internet Holdings to install bundled add-ons including toolbars and other web browser extensions.

Description:
This is an installer which may bundle legitimate applications with offers for additional third-party applications that the user may not want. While the installer contains an 'opt-out' feature, it is not set by default and is usually overlooked.

Analysis date:
4/26/2024 8:40:56 PM UTC

Scan engine              Detection                                    Engine version
Lavasoft Ad-Aware        Gen:Variant.Adware.Dropper.103               896
Agnitum Outpost          PUA.MultiPlug                                7.1.1
AhnLab V3 Security       Adware/Win32.Agent                           2014.08.23
Avira AntiVirus          Adware/MultiPlug.htf                         7.11.168.230
avast!                   Win32:InstalleRex-Z [PUP]                    140813-1
AVG                      Adware Generic5.AXXJ                         2014.0.3986
Bitdefender              Gen:Variant.Adware.Dropper.103               1.0.20.1170
Clam AntiVirus           Win.Adware.Agent-7363                        0.98/19296
Comodo Security          Application.Win32.Multiplug.R                19279
Dr.Web                   Trojan.Crossrider.24108                      9.0.1.05190
Emsisoft Anti-Malware    Gen:Variant.Adware.Dropper.103               8.14.08.22.06
ESET NOD32               Win32/AdWare.MultiPlug.AP application        7.0.302.0
F-Prot                   W32/A-6075dea0                               v6.4.7.1.166
F-Secure                 Gen:Variant.Adware.Dropper.103               11.2014-22-08_6
G Data                   Gen:Variant.Adware.Dropper.103               14.8.24
IKARUS anti.virus        PUA.InstallRex                               t3scan.1.7.5.0
K7 AntiVirus             Riskware                                     13.183.13139
Kaspersky                not-a-virus:HEUR:WebToolbar.Win32.Cossder    14.0.0.3366
Malwarebytes             PUP.Optional.MultiPlug.A                     v2014.08.22.06
McAfee                   PUP-FLT                                      5600.7030
MicroWorld eScan         Gen:Variant.Adware.Dropper.103               15.0.0.702
NANO AntiVirus           Riskware.Win32.Agent.dbmkdo                  0.28.2.61721
Panda Antivirus          Generic Malware                              14.08.22.06
Quick Heal               AdWare.MultiPlag.ace                         8.14.14.00
Reason Heuristics        PUP.EranVaterfeld.B                          14.8.20.17
Sophos                   MultiPlug                                    4.98
Vba32 AntiVirus          AdWare.Agent                                 3.12.26.3
VIPRE Antivirus          Threat.4786450                               32210
Zillya! Antivirus        Adware.Agent.Win32.9596                      2.0.0.1899

File size:
1.7 MB (1,759,016 bytes)

Product version:
3.7.0.0

Copyright:
Copyright (c) 2014

Original file name:
resilience

File type:
Executable application (Win32 EXE)

Bundler/Installer:
WebPick InstalleRex

Language:
English (United Kingdom)

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\m.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
7/10/2013 2:00:00 AM

Valid to:
7/11/2014 1:59:59 AM

Subject:
CN=Eran Vaterfeld, O=Eran Vaterfeld, STREET=Shtruk 15, L=Tel Aviv, S=Tel Aviv, PostalCode=64042, C=IL

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00CF0201F072612C73F4F11FE23420B802

File PE Metadata
Compilation timestamp:
6/22/2014 4:02:29 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
49152:7dBy/BG5eGhPaCWnadiMILbsyzxzELIA4+9nZtb:JCiCCWnasM64yBELIA/nx

Entry address:
0x15E6B

Entry point:
E8, 87, 7C, 00, 00, E9, 00, 00, 00, 00, 6A, 14, 68, 48, C1, 42, 00, E8, 6F, 0D, 00, 00, E8, A2, 03, 00, 00, 0F, B7, F0, 6A, 02, E8, 1A, 7C, 00, 00, 59, B8, 4D, 5A, 00, 00, 66, 39, 05, 00, 00, 40, 00, 74, 04, 33, DB, EB, 33, A1, 3C, 00, 40, 00, 81, B8, 00, 00, 40, 00, 50, 45, 00, 00, 75, EB, B9, 0B, 01, 00, 00, 66, 39, 88, 18, 00, 40, 00, 75, DD, 33, DB, 83, B8, 74, 00, 40, 00, 0E, 76, 09, 39, 98, E8, 00, 40, 00, 0F, 95, C3, 89, 5D, E4, E8, 53, 45, 00, 00, 85, C0, 75, 08, 6A, 1C, E8, DC, 00, 00, 00, 59, E8...
 

Code size:
129.5 KB (132,608 bytes)

When executed, the file has been observed making the following network communication in live environments.

TCP (HTTP):
Connects to r1.stylezip.info (54.186.255.26:80)

Remove m.exe - Powered by Reason Core Security