messenger.exe

.NET Framework updater

(c) MICR0S0FT corporation

The executable messenger.exe, “Daily drivers updater”, has been detected as malware by 18 anti-virus scanners. The program is a setup application built with the NSIS (Nullsoft Scriptable Install System) installer; however, the file is not signed with an Authenticode signature from a trusted source. It is set to execute automatically whenever a user logs into Windows (through the local user run registry setting), under the name ‘messenger.exe’. While running, it connects to the Internet address hans-moleman.w3.org on port 80 using the HTTP protocol.
Publisher:
(c) MICR0S0FT corporation

Product:
.NET Framework updater

Description:
Daily drivers updater

Version:
2.1.3

MD5:
906abdead3cf2f1083b28df6e8a9c5ae

SHA-1:
2f47440a58b1fa3e157816219ae817ab694b2b4c

SHA-256:
44526798ec60017fdc8b5f7b6b744ea42e7a54522d1a4fb83fe4439e1c439b2e

Scanner detections:
18 / 68

Status:
Malware

Analysis date:
4/25/2024 3:25:32 AM UTC

Scan engine | Detection | Engine version
avast! | NSIS:Downloader-HF [Trj] | 2014.9-140508
AVG | Startpage | 2015.0.3480
Baidu Antivirus | Trojan.Win32.Sinis | 4.0.3.1458
Bkav FE | W32.Cloda0f.Trojan | 1.3.0.4959
Fortinet FortiGate | W32/Dloader.B!tr.NSIS | 5/8/2014
F-Secure | Trojan-Downloader:W32/Agent.DQIC | 11.2014-08-05_5
K7 AntiVirus | Riskware | 13.177.11965
Malwarebytes | Malware.Gen | v2014.05.08.10
McAfee | Generic.dx!906ABDEAD3CF | 5600.7136
Microsoft Security Essentials | Trojan:Win32/Sinis.C | 1.10502
Norman | Suspicious_Gen2.KVHGI | 11.20140508
Panda Antivirus | Trj/Agent.OKR | 14.05.08.10
Qihoo 360 Security | Win32/Trojan.Dropper.a4e | 1.0.0.1015
Sophos | Mal/Generic-L | 4.98
SUPERAntiSpyware | Trojan.Agent/Gen-Falcomp[Cont] | 10617
Trend Micro House Call | TROJ_SPNR.08J311 | 7.2.128
Trend Micro | TROJ_SPNR.08J311 | 10.465.08
VIPRE Antivirus | Trojan.Win32.Generic!SB.0 | 28848

File size:
91.2 KB (93,417 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
Language Neutral

Common path:
C:\Program Files\common files\microsoft shared\web components\messenger.exe

File PE Metadata
Compilation timestamp:
12/5/2009 8:50:52 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
1536:hpgpHzb9dZVX9fHMvG0D3XJHTF0TbF47BLPkqIzjbanya/x6s+bMnh:bgXdZt9P6D3XJzF0TbFQP5Kyx3tnh

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, EC, 42, 00, E8, F1, 2B, 00, 00, A3, 64, EB, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 8F, 42, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, E3, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 40, 43, 00, 50, 57, E8, 92, 28, 00, 00...

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
messenger.exe

Command:
C:\Program Files\common files\microsoft shared\web components\messenger.exe


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to hans-moleman.w3.org  (128.30.52.100:80)

Remove messenger.exe - Powered by Reason Core Security