» update.exe
Overview
Analysis
File Details
Downloads (1)

update.exe

The executable update.exe, “Windows Messenger Service” has been detected as malware by 26 anti-virus scanners. This is a setup program which is used to install the application. This trojon will perform a number of actions that will compromise a PC including changing protected system registry values, hiding in protected operating system locations and downloading and installing additional malware. The file has been seen being downloaded from www.kiemthe99.com.

File name:

update.exe

Description:

Windows Messenger Service

Version:

5.1.2600.2281

MD5:

6c251226a83e4b6f95d80388e1b65510

SHA-1:

6179bc017b11dbdf7671ae3cdc9c38b9642d7681

SHA-256:

02e0e7aa60ce88a3dbfe85332707b49eeab9782e6a688dc63016df1552c52b57

Scanner detections:

26 / 68

Status:

Malware

Analysis date:

4/19/2024 2:38:54 PM UTC (today)

Scan engine

Detection

Engine version

AhnLab V3 Security

Trojan/Win32.BHO

2013.09.26

Avira AntiVirus

TR/Malagent.A.5285

7.11.104.112

avast!

AutoIt:QHost-F [Trj]

2014.9-130824

AVG

Generic8_c

2014.0.3643

Baidu Antivirus

Trojan.Win32.Qhost

4.0.3.131126

Bkav FE

HW32.CDB

1.3.0.4246

Comodo Security

UnclassifiedMalware

17000

Dr.Web

Trojan.Hosts.16329

9.0.1.0330

Emsisoft Anti-Malware

Trojan.Win32.Qhost

8.13.11.26.12

ESET NOD32

Win32/Packed.Autoit

7.8844

Fortinet FortiGate

W32/Qhost.AFZO!tr

8/24/2013

G Data

Win32.Trojan.Agent.OGYC0E

13.11.22

IKARUS anti.virus

Trojan.Win32.Qhost

t3scan.2.0.127

K7 AntiVirus

Riskware

13.172.9695

Kaspersky

Trojan.Win32.Qhost

14.0.0.3773

McAfee

RDN/Qhost-Gen!y

5600.7271

Microsoft Security Essentials

Trojan:Win32/Malagent

1.163.1557.0

Norman

Troj_Generic.MRVFB

11.20130824

nProtect

Trojan/W32.Qhost_Packed.334638

13.09.26.01

Panda Antivirus

Trj/CI.A

13.08.24.01

Reason Heuristics

Unnamed.Threat.41

14.3.1.0

Sophos

Mal/Generic-S

4.93

Trend Micro House Call

TROJ_GEN.F0C2C0KGS13

7.2.236

Trend Micro

TROJ_GEN.F0C2C0KGS13

10.465.24

Vba32 AntiVirus

Trojan.Autoit.F

3.12.24.3

VIPRE Antivirus

Trojan.Win32.Generic

21834

File size:

326.8 KB (334,638 bytes)

File type:

Executable application (Win32 EXE)

Language:

English (United States)

Common path:

C:\users\{user}\downloads\update.exe

File PE Metadata

Compilation timestamp:

4/9/2012 5:11:21 PM

OS version:

5.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

10.0

CTPH (ssdeep):

6144:PykBiZOW+ivPIVfX80ayZ43zcaJtTDrsZS91cLIAH0TEeVa2VxEQ+7q:Pya4OjigvzaT33TvsBkAH0AcbxE5+

Entry address:

0xC3F50

Entry point:

60, BE, 00, 90, 47, 00, 8D, BE, 00, 80, F8, FF, 57, 83, CD, FF, EB, 10, 90, 90, 90, 90, 90, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, 0B, 75, 28, 8B, 1E, 83, EE, FC, 11, DB, 72, 1F, 48, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, EB, D4, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, EB, 52, 31, C9, 83, E8, 03, 72, 11, C1, E0, 08, 8A, 06, 46, 83, F0, FF, 74, 75, D1, F8, 89... 
[+]

Entropy:

7.9239

Packer / compiler:

UPX 2.90LZMA]

Code size:

304 KB (311,296 bytes)

The file update.exe has been seen being distributed by the following URL.

http://www.kiemthe99.com/.../update.exe

Remove update.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.