updater.exe

Desktop.Updater

Super Web LLC

Part of the Yontoo adware component, a web browser plugin that injects unwanted ads in the browser. While the file properties state the file is developed by 'Microsoft Corporation', this is not the case and it is designed just to look like a legitimate Microsoft system file. The application updater.exe by Super Web has been detected as adware by 3 anti-malware scanners.
Publisher:
Microsoft Corporation  (signed by Super Web LLC)

Product:
Desktop.Updater

Version:
1.0.0.0

MD5:
7d38ccbfac137065d9155346c7639cd4

SHA-1:
78cde0519bb87d653f4fe3492e60bd64f4c92d9a

SHA-256:
45a7690ef0d4cde833db2bd128e91694cc28c5364d8acfca0795f54f7e9c87b5

Scanner detections:
3 / 68

Status:
Adware

Explanation:
Belongs to the Sambreel/Yontoo program that inserts various forms of advertising in the user's web browser, installed with minimal or no user consent.

Analysis date:
4/24/2024 9:24:03 PM UTC

Scan engine          Detection         Engine version
Reason Heuristics    PUP.SuperWeb.H    14.8.8.15
Sophos               SuperWeb          4.98
VIPRE Antivirus      Yontoo            29878

File size:
32.3 KB (33,064 bytes)

Product version:
1.0.0.0

Copyright:
Copyright © Microsoft 2013

Original file name:
updater.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\Program Files\web layers\updater.exe

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
12/14/2012 12:00:00 AM

Valid to:
12/14/2013 11:59:59 PM

Subject:
CN=Super Web LLC, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Super Web LLC, L=Los Angeles, S=California, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
4119CF85506B9920A6B0FFA138C96637

File PE Metadata
Compilation timestamp:
7/19/2013 2:02:13 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows Console

Linker version:
11.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
768:PW2rjIYeBIj+Xyzlq+yIBg3E+pz3iUVWfqHoXGq:PTrMjd+NBg3E+pzy4HmGq

Entry address:
0x7DDE

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 02, 00, 10, 00, 00, 00, 20, 00, 00, 80, 18, 00, 00, 00, 38, 00, 00, 80, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 01, 00, 01, 00, 00, 00, 50, 00, 00, 80, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 01, 00, 01, 00, 00, 00, 68, 00, 00, 80, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...

Entropy:
6.1307

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
23.5 KB (24,064 bytes)
