home

ytd_installer.exe

YTD Video Downloader

Greentree Applications SRL

The application ytd_installer.exe by Greentree Applications SRL has been detected as a potentially unwanted program by 6 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. The file has been seen being downloaded from software.thaiware.com and multiple other hosts. While running, it connects to the Internet address hosted-by.leaseweb.com on port 80 using the HTTP protocol.
Publisher:
Greentree Applications SRL  (signed and verified)

Product:
YTD Video Downloader

Version:
4.2

MD5:
d89a8a4b53cc3536a025ac4d6c6a9a3e

SHA-1:
94850e1d50ef74f7f42bf4b5d3b4e6c3a38e011c

Scanner detections:
6 / 68

Status:
Potentially unwanted

Analysis date:
4/24/2024 3:10:45 PM UTC  (today)

Scan engine
Detection
Engine version

Bkav FE
W32.Clod5b0.Trojan
1.3.0.4923

Dr.Web
Adware.Downware.1417
9.0.1.084

ESET NOD32
Win32/Toolbar.Widgi (variant)
8.9421

Malwarebytes
PUP.Optional.Spigot.A
v2014.03.25.10

Reason Heuristics
PUP.Optional.GreentreeApplicationsSRL.N
14.3.25.22

Trend Micro House Call
TROJ_GEN.F47V0118
7.2.84

File size:
10.6 MB (11,109,408 bytes)

Product version:
4.2.0.5

Copyright:
Copyright © 2007-2013 GreenTree Applications SRL

Original file name:
Uninstall.exe

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
English (United States)

Common path:
C:\Documents and Settings\{user}\Application data\youtube downloader\ytd_installer.exe

Digital Signature
Signed by:
Greentree Applications SRL

Authority:
VeriSign, Inc.

Valid from:
5/21/2013 2:00:00 AM

Valid to:
7/21/2015 1:59:59 AM

Subject:
CN=Greentree Applications SRL, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Greentree Applications SRL, L=Bucharest, S=Bucharest, C=RO

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
78DC92DC061211DFE51480E9347F91C8

File PE Metadata
Compilation timestamp:
4/10/2010 2:19:31 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
196608:cGvMn/xvTYmvFHMCgmNXUsaJcjwLJSKLSQGUg/UrdUev8TGC0CXxP7hyMstoKzXI:cGa9rHgCETpSKLSz5Urd9kCCbBDhyMCI

Entry address:
0x354B

Entry point:
81, EC, D4, 02, 00, 00, 53, 55, 56, 57, 6A, 20, 33, ED, 5E, 89, 6C, 24, 18, C7, 44, 24, 10, D8, 84, 40, 00, 89, 6C, 24, 14, FF, 15, 30, 80, 40, 00, 68, 01, 80, 00, 00, FF, 15, B8, 80, 40, 00, 55, FF, 15, B0, 82, 40, 00, 6A, 08, A3, 98, 06, 47, 00, E8, 67, 27, 00, 00, 55, 68, B4, 02, 00, 00, A3, B0, 05, 47, 00, 8D, 44, 24, 38, 50, 55, 68, 1C, 86, 40, 00, FF, 15, 80, 81, 40, 00, 68, 04, 86, 40, 00, 68, A0, 85, 46, 00, E8, 35, 26, 00, 00, FF, 15, B4, 80, 40, 00, 50, BF, A0, 10, 4C, 00, 57, E8, 23, 26, 00, 00...
 
[+]

Packer / compiler:
Nullsoft install system v2.x

Code size:
25 KB (25,600 bytes)

The file ytd_installer.exe has been seen being distributed by the following 3 URLs.

http://software.thaiware.com/download_url.php?id=10634

http://www.youtubedownloadersite.com/.../YTDSetup.exe

http://software-files-a.cnet.com/s/software/13/18/12/.../YTDSetup.exe

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to hosted-by.leaseweb.com  (95.211.187.107:80)

Remove ytd_installer.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.