home

saveas.exe

Cloud Software

Moshe Karaso

This is a WebPick installer that bundles (with very minimal user consent) a number of adware browser extensions which inject ads in the browser. The application saveas.exe by Moshe Karaso has been detected as adware by 36 anti-malware scanners. The program is a setup application that uses the WebPick InstalleRex (Tarma) installer. The setup program uses Web-Pick's InstalleRex download manager and installer to bundle potentially unwanted ad-supported software which includes toolbars and browser extensions through a pay-per-install monetization scheme.
Publisher:
Cloud Software LTD  (signed by Moshe Karaso)

Product:
Cloud Software

Description:
Installer

Version:
2013.1.9.1734

MD5:
c46302d538bd8c2e6f22184c89a719a0

SHA-1:
48f403aebb00c790f4c90f002bfc3ca20f56b74d

SHA-256:
a755cfd882b269b5fecdfa4b2369bec99367d7f8b02c7001c9222ed3de758df3

Scanner detections:
36 / 68

Status:
Adware

Explanation:
Uses the InstalleRex from WebPick Internet Holdings to install bundled add-ons including toolbars and other web browser extensions.

Analysis date:
4/26/2024 9:53:36 PM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Trojan.Generic.KDZ.12279
387

Agnitum Outpost
PUA.TDownloader.A
7.1.1

AhnLab V3 Security
PUP/Win32.DownloadManager
16.01.13

Avira AntiVirus
ADWARE/InstallRex.Gen
7.11.143.18

avast!
Win32:Downloader-TRK [Adw]
2014.9-160113

AVG
MalSign.Skodna.Bundle
2017.0.2865

Bitdefender
Trojan.Generic.10010816
1.0.20.65

Bkav FE
HW32.CDB
1.3.0.4959

Clam AntiVirus
Win.Adware.373093
0.98/19337

Comodo Security
Application.Win32.InstalleRex.KG
18094

Dr.Web
Adware.Downware.836, Adware.Downware.831
9.0.1.013

Emsisoft Anti-Malware
Trojan.Generic.KDZ.12279
8.16.01.13.09

ESET NOD32
Win32/InstalleRex.E potentially unwanted application
10.7.0.302.0

Fortinet FortiGate
Riskware/InstalleRex
1/13/2016

F-Prot
W32/InstallRex.B
v6.4.6.5.141

F-Secure
Trojan.Generic.10010816
11.2016-13-01_4

G Data
Trojan.Generic.10010816
16.1.24

IKARUS anti.virus
PUP.InstallRex
t3scan.1.6.1.0

K7 AntiVirus
Adware
13.183.13286

Kaspersky
not-a-virus:HEUR:Downloader.Win32.AdLoad
14.0.0.820

Malwarebytes
PUP.Optional.InstallRex
v2016.01.13.09

McAfee
Trojan.Artemis!A0135EC33380
5600.6521

MicroWorld eScan
Trojan.Generic.10010816
17.0.0.39

NANO AntiVirus
Riskware.Win32.Downware.cscrgc
0.28.0.59048

Norman
Trojan.Generic.KDZ.12279
11.20160113

nProtect
Backdoor/W32.Clack.315464
14.04.11.01

Panda Antivirus
PUP/TSUploader
16.01.13.09

Qihoo 360 Security
Malware.QVM20.Gen
1.0.0.1015

Reason Heuristics
PUP.WebPick.MosheKaraso.Installer (M)
16.1.13.21

Rising Antivirus
PE:PUF.InstallRex!1.9E4C
23.00.65.16111

Sophos
PUA 'InstallRex'
59

SUPERAntiSpyware
Trojan.Agent/Gen-Startpage
9387

Trend Micro House Call
HV_STARTPAGE_CG092884.RDXN
7.2.13

Vba32 AntiVirus
Downloader.AdLoad
3.12.26.0

VIPRE Antivirus
Installerex/WebPick
28202

Zillya! Antivirus
Trojan.StartPage.Win32.17433
2.0.0.1779

File size:
308 KB (315,416 bytes)

Product version:
1.0

Copyright:
Copyright © 2012 Cloud Software LTD

Original file name:
TSULoader.exe

File type:
Executable application (Win32 EXE)

Installer:
WebPick InstalleRex (Tarma)

Common path:
C:\users\{user}\downloads\saveas.exe

Digital Signature
Signed by:
Moshe Karaso

Authority:
COMODO CA Limited

Valid from:
11/15/2012 1:00:00 AM

Valid to:
11/16/2013 12:59:59 AM

Subject:
CN=Moshe Karaso, O=Moshe Karaso, STREET=Nahum 19, L=Ramat Gan, S=center, PostalCode=52233, C=IL

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
55036D3C9B5C690240A409061736347F

File PE Metadata
Compilation timestamp:
11/30/2012 2:03:49 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

CTPH (ssdeep):
6144:DrnV9UarEuMEvjr24HtrxTUGFVENoeLEa4c+FamYae99GODt4C15tsJVnDQww:DrnV9jEsX2utrxAG7EN0IH//J4wWvQ

Entry address:
0x14DB

Entry point:
55, 8B, EC, 81, EC, 2C, 06, 00, 00, 53, 56, 33, DB, 57, 66, 89, 9D, DC, FB, FF, FF, 89, 5D, F4, 89, 5D, FC, FF, 15, 74, 30, 40, 00, A3, 08, 44, 40, 00, FF, 15, 70, 30, 40, 00, 8B, F8, 8D, 45, EC, 50, FF, 15, 6C, 30, 40, 00, FF, 15, 68, 30, 40, 00, 8B, F0, F7, D6, 33, F7, FF, 15, 64, 30, 40, 00, 33, F0, 8B, 45, F0, 33, 45, EC, 68, 04, 01, 00, 00, 33, F0, 8D, 85, D4, F9, FF, FF, 50, 53, FF, 15, 60, 30, 40, 00, 85, C0, 75, 41, FF, 15, 5C, 30, 40, 00, 83, F8, 78, 75, 1A, 68, A8, 32, 40, 00, E8, 43, FB, FF, FF...
 
[+]

Developed / compiled with:
Microsoft Visual C++

Code size:
7.5 KB (7,680 bytes)

The file saveas.exe has been seen being distributed by the following URL.

http://storebox1.info/.../

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to r1.stylezip.info  (54.186.255.26:80)

Remove saveas.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.