1_offer_3.exe

The application 1_offer_3.exe has been detected as a potentially unwanted program by 6 of 68 anti-malware scanners. The program is a setup application built with the NSIS (Nullsoft Scriptable Install System) installer; the file is not signed with an Authenticode signature from a trusted source. The file is typically installed by several programs, including VO Package by ClickMeIn Limited and Installer by ClickMeIn Limited, both potentially unwanted software. It has been seen being downloaded from dl1.downserver4.com and multiple other hosts. While running, it connects to 208.43.241.178 (reverse DNS name 208.43.241.178-static.reverse.softlayer.com) on TCP port 80 using HTTP.
Description:
VOPackage

Version:
1.0.0.0

MD5:
aac45b337daf3f301eae9bfcc7c3f66e

SHA-1:
44ed55cb1079d34027cb77cd62248064ff5a0a09

SHA-256:
2819c3aada3128d7f4f768ac418d5dd2e996cc4db1569f1e4d8e9f2a5df86dff

Scanner detections:
6 / 68

Status:
Potentially unwanted

Analysis date:
11/27/2024 1:50:47 AM UTC

Scan engine | Detection | Engine version
Agnitum Outpost | Riskware.Agent | 7.1.1
ESET NOD32 | Win32/VOPackage | 8.9480
Fortinet FortiGate | Riskware/VOPackage | 4/8/2014
K7 AntiVirus | Trojan | 13.176.11684
Norman | Suspicious_Gen4.FWQPN | 11.20140408
Rising Antivirus | NS:PUF.SilenceInstaller!1.9DDF | 23.00.65.14226

File size:
383.8 KB (392,973 bytes)

Product version:
1.0.0.0

Copyright:
Copyright 2013

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\appdata\local\temp\1_offer_3.exe

File PE Metadata
Compilation timestamp:
12/6/2009 6:50:52 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
6144:ge34eaAlfx75+ZPPfnE2Qyn2qAlShxynF6OYHJAfh1CYfTL9xBCnrX4VEtt2NB6X:TamF+ZPPfnEUnPZxyFtYHJUqjmEWfXsd

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, EC, 42, 00, E8, F1, 2B, 00, 00, A3, 64, EB, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 8F, 42, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, E3, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 40, 43, 00, 50, 57, E8, 92, 28, 00, 00...

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)
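The metadata above (digests, compile timestamp, OS and linker version, subsystem, entry address, code size, NSIS packer) is what an analyst checks when deciding whether a file on disk is this sample. The script below is an added example, not code from the page or from any scanner vendor: it hashes a byte string and compares all three digests against the values listed here, pulls the same header fields out of a PE32 image with nothing but the standard library, and applies the NSIS string heuristic. The PE image it runs on is a constructed skeleton whose header fields are filled with the page's values (the section count is arbitrary); it is not the real file, so the hash comparison correctly fails for it. One caveat worth knowing when reading the 12/6/2009 timestamp: it belongs to the prebuilt NSIS stub shipped with the NSIS release, not to the build of this bundle, which is why it predates the 2013 copyright.

```python
"""Triage a candidate file against the identifiers this page lists for 1_offer_3.exe.

Added example, not code from the page or from any scanner vendor. Stdlib only
(hashlib, struct); the PE offsets follow the PE/COFF specification.
"""
import datetime
import hashlib
import struct

# Digests copied from the page above.
KNOWN_HASHES = {
    "md5": "aac45b337daf3f301eae9bfcc7c3f66e",
    "sha1": "44ed55cb1079d34027cb77cd62248064ff5a0a09",
    "sha256": "2819c3aada3128d7f4f768ac418d5dd2e996cc4db1569f1e4d8e9f2a5df86dff",
}
SUBSYSTEMS = {2: "Windows GUI", 3: "Windows CUI"}


def hash_bytes(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256 hex digests, the three the page reports."""
    return {name: hashlib.new(name, data).hexdigest() for name in KNOWN_HASHES}


def matches_known_sample(data: bytes) -> bool:
    """True only when every digest equals the page's value (MD5 alone is not enough)."""
    return hash_bytes(data) == KNOWN_HASHES


def parse_pe_header(data: bytes) -> dict:
    """Pull the fields shown under 'File PE Metadata' out of a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER
    machine, _nsections, timestamp = struct.unpack_from("<HHI", data, coff)
    opt = coff + 20                          # IMAGE_OPTIONAL_HEADER32
    magic, link_major, link_minor, size_code = struct.unpack_from("<HBBI", data, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 is handled (NSIS 2.x stubs are PE32)")
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)
    return {
        "machine": machine,
        "compile_timestamp": timestamp,
        "linker_version": f"{link_major}.{link_minor}",
        "code_size": size_code,
        "entry_rva": entry_rva,
        "os_version": f"{os_major}.{os_minor}",
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
    }


def timestamp_to_utc(ts: int) -> str:
    """Render the COFF TimeDateStamp the way the page shows it (UTC)."""
    return datetime.datetime.fromtimestamp(ts, tz=datetime.timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def is_nsis(data: bytes) -> bool:
    """NSIS 2.x stubs carry the 'Nullsoft Install System' string, and the
    appended installer data begins with the 'NullsoftInst' marker."""
    return b"Nullsoft Install System" in data or b"NullsoftInst" in data


def build_sample_pe() -> bytes:
    """Constructed PE32 skeleton for offline testing; NOT the real file.
    Header fields carry the values the page lists (section count is arbitrary)."""
    img = bytearray(0x40 + 4 + 20 + 224)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                       # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    coff = 0x44
    struct.pack_into("<HHI", img, coff, 0x14C, 4, 1260082252)    # i386, 4 sections, 2009-12-06 06:50:52 UTC
    struct.pack_into("<H", img, coff + 16, 224)                  # SizeOfOptionalHeader
    opt = coff + 20
    struct.pack_into("<HBBI", img, opt, 0x10B, 6, 0, 24064)      # PE32, linker 6.0, SizeOfCode 24,064
    struct.pack_into("<I", img, opt + 16, 0x30FA)                # AddressOfEntryPoint
    struct.pack_into("<HH", img, opt + 40, 4, 0)                 # OS version 4.0
    struct.pack_into("<H", img, opt + 68, 2)                     # IMAGE_SUBSYSTEM_WINDOWS_GUI
    return bytes(img) + b"Nullsoft Install System"               # string an NSIS stub contains


if __name__ == "__main__":
    sample = build_sample_pe()
    info = parse_pe_header(sample)
    print("known sample:", matches_known_sample(sample))
    print("compiled:", timestamp_to_utc(info["compile_timestamp"]), "NSIS:", is_nsis(sample))
    for key, value in info.items():
        print(f"{key}: {value:#x}" if isinstance(value, int) else f"{key}: {value}")
```

To use it on a real candidate, read the file into `data`, call `matches_known_sample(data)` first (a match on all three digests settles the question), and fall back to `parse_pe_header` and `is_nsis` only to recognise a recompiled or re-bundled variant that shares the stub but not the hash.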

The file 1_offer_3.exe has been discovered within the following programs.

Installer by ClickMeIn Limited
This is an adware bundler called VOPackage (it includes and installs various adware offers) built on a standard installer such as Nullsoft, which downloads those offers remotely at run time.
www.clickmein.com
87% remove it
VO Package by ClickMeIn Limited
This is an adware bundle distributed through a download manager. These packages are ad-supported and include the original program as well as the bundled advertiser software, mostly web browser extensions for search and coupons.
clickmein.com
87% remove it
Powered by Should I Remove It?

The file 1_offer_3.exe has been seen being distributed by the following 4 URLs.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to dl20.clickmein.com  (50.7.184.170:80)

TCP (HTTP):
Connects to 208.43.241.178-static.reverse.softlayer.com  (208.43.241.178:80)
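The two connections above, together with the dl1.downserver4.com download host, are the page's network indicators. The script below is an added example (not vendor code) showing how to hunt for them in proxy logs. Two points it handles that a plain string search misses: 208.43.241.178-static.reverse.softlayer.com is a reverse-DNS name, so a client's request never contains it and the match has to be on the destination IP; and since the page names clickmein.com, www.clickmein.com and dl20.clickmein.com, the example generalises to any subdomain of clickmein.com. The log format and every line in SAMPLE_LOG are constructed for the demo; only the indicator hosts and IPs come from the page.

```python
"""Match this page's network indicators against proxy log lines.

Added example (not vendor code). The log format and every line in SAMPLE_LOG
are constructed for the demo; the hosts and IPs in the IOC sets come from the page.
"""
import ipaddress
from urllib.parse import urlsplit

# Exact hostnames the page lists (download hosts and the reverse-DNS name of
# the server the file connects to while running).
IOC_HOSTS = {
    "dl1.downserver4.com",
    "dl20.clickmein.com",
    "208.43.241.178-static.reverse.softlayer.com",
}
# Domain-level match: the page names clickmein.com, www.clickmein.com and dl20.clickmein.com,
# so any subdomain of clickmein.com is treated as a hit (a generalisation of the listed hosts).
IOC_DOMAINS = {"clickmein.com"}
# Destination IPs the page lists; needed because a reverse-DNS name never appears in a
# client's request, which only carries the bare IP or whatever name the client resolved.
IOC_IPS = {ipaddress.ip_address("50.7.184.170"), ipaddress.ip_address("208.43.241.178")}


def host_matches(host: str):
    """Return the reason a URL host matches, or None."""
    host = host.lower().rstrip(".")          # normalise case and trailing dot
    if host in IOC_HOSTS:
        return "host"
    for domain in IOC_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return "domain"
    try:                                     # URL addressed the server by IP literal
        if ipaddress.ip_address(host) in IOC_IPS:
            return "ip-in-url"
    except ValueError:
        pass
    return None


def parse_line(line: str) -> dict:
    """Parse the constructed format:
    '<ts> <client_ip> <method> <url> <dst_ip>:<dst_port> <status>'."""
    ts, client, method, url, dst, status = line.split()
    if "://" not in url:                     # CONNECT targets are 'host:port' without a scheme
        url = "//" + url
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": ts, "client": client, "method": method, "status": int(status),
            "host": urlsplit(url).hostname or "", "dst_ip": dst_ip, "dst_port": int(dst_port)}


def scan_proxy_log(lines) -> list:
    """Return one hit per matching line, tagged with the indicator type that fired."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        reason = host_matches(rec["host"])
        if reason is None and ipaddress.ip_address(rec["dst_ip"]) in IOC_IPS:
            reason = "dst-ip"                # name did not match but the server did
        if reason:
            hits.append({**rec, "reason": reason})
    return hits


# Constructed sample log; only the indicator hosts/IPs are real, everything else is made up.
SAMPLE_LOG = [
    "2024-11-27T01:50:47Z 10.0.0.5 GET http://dl20.clickmein.com/1_offer_3.exe 50.7.184.170:80 200",
    "2024-11-27T01:51:02Z 10.0.0.5 GET http://208.43.241.178/ 208.43.241.178:80 200",
    "2024-11-27T01:52:10Z 10.0.0.7 GET http://www.example.com/index.html 93.184.216.34:80 200",
    "2024-11-27T01:53:00Z 10.0.0.9 GET http://cdn.clickmein.com/offer 50.7.184.171:80 200",
    "2024-11-27T01:54:00Z 10.0.0.11 CONNECT unrelated.example:443 208.43.241.178:443 200",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["client"]} -> {hit["host"] or hit["dst_ip"]} [{hit["reason"]}]')
```

Adapt `parse_line` to the real proxy format before use; the matching functions take a host string and an IP and do not depend on the log layout. A "dst-ip" hit with an unrelated hostname is worth a second look rather than an automatic verdict, since the two IPs sit in hosting ranges that may serve other customers.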

Remove 1_offer_3.exe - Powered by Reason Core Security