home

true

VMN Toolbar

Visicom Media Inc.

This is part of the Visicom VMN web browser toolbar and extension that will modify the browser's default search provider, DNS, and home page functions. The file true, “VMN Toolbar Installer” by Visicom Media has been detected as a potentially unwanted program by 2 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. The file has been seen being downloaded from download-1.visicommedia.com and multiple other hosts.
Publisher:
Visicom Media Inc.  (signed and verified)

Product:
VMN Toolbar

Description:
VMN Toolbar Installer

Version:
3.5

MD5:
e5cfc1368f3efb6bdc8caef4114f707e

SHA-1:
3c0cf48a4fdb37d28dd6a7ecb2e46eeb13e0ec67

SHA-256:
64afde5466326ed9598315ebf06e9c9b9b54b90aab5e17ecdc5e241287e590d9

Scanner detections:
2 / 68

Status:
Potentially unwanted

Explanation:
The setup program may install a variant of the Visicom Toolbar, a web browser extension that may modify the browser's home and search pages.

Analysis date:
4/26/2024 12:14:56 AM UTC  (today)

Scan engine
Detection
Engine version

ESET NOD32
Win32/Toolbar.Visicom.A potentially unwanted (variant)
9.11304

Reason Heuristics
PUP.VMNToolbarInstaller.Installer.Visicom
15.3.27.7

File size:
1.7 MB (1,809,560 bytes)

Product version:
3.5.0.4

Copyright:
© Visicom Media Inc. (License)

Trademarks:
Visicom Media Inc., All Rights Reserved

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\virtualstore\Program Files\true

Digital Signature
Signed by:
Visicom Media Inc.

Authority:
Thawte Consulting (Pty) Ltd.

Valid from:
6/24/2010 2:00:00 AM

Valid to:
6/22/2012 1:59:59 AM

Subject:
CN=Visicom Media Inc., OU=SECURE APPLICATION DEVELOPMENT, O=Visicom Media Inc., L=Brossard, S=Quebec, C=CA

Issuer:
CN=Thawte Code Signing CA, O=Thawte Consulting (Pty) Ltd., C=ZA

Serial number:
73C74D9445094BFD79759F7B9CAFD730

File PE Metadata
Compilation timestamp:
12/6/2009 12:50:46 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
49152:YukQ5zg+D/yYGr4/ssVHo3gQa2XMS6AZo6d2q:dk5YGMV1n2XrFsq

Entry address:
0x323C

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 30, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 58, 3F, 42, 00, E8, 09, 2C, 00, 00, A3, A4, 3E, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 58, F4, 41, 00, FF, 15, 58, 71, 40, 00, 68, B8, 91, 40, 00, 68, A0, 36, 42, 00, E8, BC, 28, 00, 00, FF, 15, B0, 70, 40, 00, BF, 00, 90, 42, 00, 50, 57, E8, AA, 28, 00, 00...
 
[+]

Entropy:
7.9886

Packer / compiler:
Nullsoft install system v2.x

Code size:
23 KB (23,552 bytes)

The file true has been seen being distributed by the following 2 URLs.

http://download-1.visicommedia.com/.../download.php

http://download-1.visicommedia.com/.../download.php?fromdt5=true

Remove true - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.