WebShieldInstall.exe

Web Shield

Irrational Number Applications

This is the installer/setup program for a Yontoo adware component, a web browser plugin that injects unwanted ads in the browser. The application WebShieldInstall.exe, “WebShield Install” by Irrational Number Applications has been detected as adware by 30 anti-malware scanners. This is a setup and installation application and has been known to bundle potentially unwanted software. According to AVG, this software downloads additional adware offers during setup. It is also typically executed from the user's temporary directory.
Publisher:
Irrational Number Applications (signed and verified)

Product:
Web Shield

Description:
WebShield Install

Version:
1.0.0.0

MD5:
be32569edcb81b18b9da9d7fb98035c6

SHA-1:
49e2e9ecb570428abad32889a2bd0a4ad72e9063

SHA-256:
ae1eaba4a26114d7fb05b633703aed8bf525cb30565475d84a4cbe79e60b01d6

Scanner detections:
30 / 68

Status:
Adware

Explanation:
Belongs to the Sambreel/Yontoo program that inserts various forms of advertising into the user's web browser, installed with minimal or no user consent.

Analysis date:
4/16/2024 6:59:36 PM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Application.Generic.1276318 | 431
Agnitum Outpost | PUA.PullUpdate | 7.1.1
Avira AntiVirus | ADWARE/PullUpdate.Gen7 | 8.3.2.2
AVG | Downloader | 2016.0.2909
Baidu Antivirus | Adware.Win32.PullUpdate | 4.0.3.15121
Bitdefender | Application.Generic.1276318 | 1.0.20.1675
Bkav FE | W32.HfsAdware | 1.3.0.7237
Comodo Security | ApplicUnwnt | 23336
Dr.Web | Adware.Yontoo.79 | 9.0.1.0335
ESET NOD32 | MSIL/Adware.PullUpdate.G.gen (variant) | 9.12409
Fortinet FortiGate | Adware/PullUpdate | 12/1/2015
F-Prot | W32/PullUpdate.B.gen | v6.4.7.1.166
F-Secure | Application.Generic.1276318 | 11.2015-01-12_3
G Data | Win32.Application.Agent.H69CM8 | 15.12.25
IKARUS anti.virus | PUA.Downloader | t3scan.1.9.5.0
K7 AntiVirus | Adware | 13.2016984
Kaspersky | not-a-virus:AdWare.MSIL.PullUpdate | 14.0.0.1039
Malwarebytes | PUP.Optional.WebShield | v2015.12.01.06
McAfee | Artemis!9A2D90D8A672 | 5600.6565
MicroWorld eScan | Application.Generic.1276318 | 16.0.0.1005
NANO AntiVirus | Riskware.Win32.Yontoo.dvtopp | 0.30.24.3283
Panda Antivirus | PUP/WebShield | 15.12.01.06
Qihoo 360 Security | HEUR/QVM03.0.Malware.Gen | 1.0.0.1015
Reason Heuristics | PUP.Yontoo.IrrationalNumberApplications.Installer (M) | 15.12.1.6
Rising Antivirus | PE:Malware.RDM.32!5.26[F1] | 23.00.65.151129
Sophos | Generic PUA PB (PUA) | 4.98
Trend Micro House Call | Suspicious_GEN.F47V0615 | 7.2.335
Trend Micro | TROJ_GEN.R021C0OKH15 | 10.465.01
VIPRE Antivirus | Trojan.Win32.Generic | 43158
ViRobot | Adware.Pullupdate.3115512.I[h] | 2014.3.20.0

File size:
3 MB (3,115,512 bytes)

Product version:
1.0.0.0

Copyright:
Copyright © Irrational Number Applications 2015

Original file name:
WebShieldInstall.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\webshieldinstall.exe

Digital Signature
Authority:
Symantec Corporation

Valid from:
1/19/2015 4:00:00 PM

Valid to:
3/20/2016 4:59:59 PM

Subject:
CN=Irrational Number Applications, O=Irrational Number Applications, L=St. James, S=St. James, C=BB

Issuer:
CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US

Serial number:
637F0A74512CF65B05B3A5A0241D6624

File PE Metadata
Compilation timestamp:
10/12/2015 6:43:10 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
49152:p1gUID/JvhZX8QfkL4wedxO5axooYE73+c6BQdZl+TX+tN9nir60D6VxmroJUL:gUIdv74L1edxOMnYfc6CPl+a1ni+0D6o

Entry address:
0x2F844E

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...

Entropy:
7.9996

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
3 MB (3,106,304 bytes)

Remove WebShieldInstall.exe - Powered by Reason Core Security