home

cvs_webssearches.exe

1832_cvs_webssearches

Ma Lin

The application cvs_webssearches.exe by Ma Lin has been detected as adware by 16 anti-malware scanners. It bundles adware offers using the Amonetize, a Pay-Per-Install (PPI) monetization and distribution download manager. The software offerings provided are based on the PC's geo-location at the time of install. It is also typically executed from the user's temporary directory.
Publisher:
One Syn  (signed by Ma Lin)

Product:
1832_cvs_webssearches

Description:
Syn worker

Version:
6.3.7601.1094

MD5:
ed675179e5931510dec869281e23b644

SHA-1:
a975d920e406ae134be9d18674e8e91dd251d9bb

SHA-256:
027a2d2a020a7c2af04c2eadcc2d5e79cdde9e4c4aeee2dc6c3bf8c65836d4ef

Scanner detections:
16 / 68

Status:
Adware

Analysis date:
11/23/2024 10:56:29 AM UTC  (today)

Scan engine
Detection
Engine version

Agnitum Outpost
Riskware.Agent
7.1.1

AhnLab V3 Security
PUP/Win32.Amonetize
2014.11.11

Avira AntiVirus
ADWARE/Adware.Gen
7.11.185.112

AVG
Malin
2015.0.3294

Baidu Antivirus
Adware.Win32.ELEX
4.0.3.141110

Dr.Web
Adware.Mutabaha.83
9.0.1.05190

ESET NOD32
Win32/ELEX.AZ (variant)
8.10701

Fortinet FortiGate
Riskware/Elex
11/20/2014

IKARUS anti.virus
PUA.SafeSurf
t3scan.1.8.3.0

K7 AntiVirus
Trojan
13.185.14007

Malwarebytes
PUP.Optional.Bundle
v2014.11.10.12

McAfee
Artemis!2D79E522A869
5600.6941

NANO AntiVirus
Riskware.Win32.Mutabaha.diqyjk
0.28.6.63362

Qihoo 360 Security
Malware.QVM10.Gen
1.0.0.1015

Reason Heuristics
PUP.MaLin.Q
14.11.10.12

Sophos
Generic PUA IN
4.98

File size:
563.1 KB (576,592 bytes)

Product version:
6.3.7601.1094

Copyright:
One Syn

Original file name:
Worker.exe

File type:
Executable application (Win32 EXE)

Language:
English (United Kingdom)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\exe\elex-websearches-1.0-de-ch\cvs_webssearches.exe

Digital Signature
Signed by:
Ma Lin

Authority:
WoSign CA Limited

Valid from:
8/20/2014 11:22:46 AM

Valid to:
7/20/2015 11:22:46 AM

Subject:
CN=Ma Lin, E=chloezhangling@163.com, L=北京市, S=北京市, C=CN

Issuer:
CN=WoSign Class 2 Code Signing CA, O=WoSign CA Limited, C=CN

Serial number:
760E23ABF26CF75AE5C944881CCA6DA7

File PE Metadata
Compilation timestamp:
10/21/2014 11:39:32 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
12288:eg1gOyAI8OK+Df23syHi3HeHNu/SXATpPTOZZNVGt2:X1HyUqet6SwNTiZNVG0

Entry address:
0x3FBA5

Entry point:
E8, 56, 04, 01, 00, E9, 7F, FE, FF, FF, CC, 57, 56, 8B, 74, 24, 10, 8B, 4C, 24, 14, 8B, 7C, 24, 0C, 8B, C1, 8B, D1, 03, C6, 3B, FE, 76, 08, 3B, F8, 0F, 82, 68, 03, 00, 00, 0F, BA, 25, 98, 26, 48, 00, 01, 73, 07, F3, A4, E9, 17, 03, 00, 00, 81, F9, 80, 00, 00, 00, 0F, 82, CE, 01, 00, 00, 8B, C7, 33, C6, A9, 0F, 00, 00, 00, 75, 0E, 0F, BA, 25, 18, 72, 47, 00, 01, 0F, 82, DA, 04, 00, 00, 0F, BA, 25, 98, 26, 48, 00, 00, 0F, 83, A7, 01, 00, 00, F7, C7, 03, 00, 00, 00, 0F, 85, B8, 01, 00, 00, F7, C6, 03, 00, 00...
 
[+]

Code size:
380.5 KB (389,632 bytes)

Remove cvs_webssearches.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.