dlm.exe

OpenCandy recommendation downloader

OpenCandy Inc.

The application dlm.exe, “OpenCandy recommendation downloader p46” by OpenCandy, has been detected as a potentially unwanted program by 40 anti-malware scanners. This is a setup program used to install the application. It uses the OpenCandy monetization platform, which downloads and installs offers during setup, including potentially unwanted software such as ad- or search-supported toolbars. The file has been seen being downloaded from cdn.opencandy.com. While running, it connects to the Internet address cdn-87-248-221-254.par.llnw.net on port 80 using the HTTP protocol.
Publisher:
OpenCandy (signed by OpenCandy Inc.)

Product:
OpenCandy recommendation downloader

Description:
OpenCandy recommendation downloader p46

Version:
3.2.5.275

MD5:
1cb3a1365543e07611a90ef9f1c9a3f3

SHA-1:
374ca69e67a1abc42a8d39cad7337f3bd3351926

SHA-256:
ecfa0c427cd8ba3fa68f1307607d7c4425af02af488f295974ea52fc251e271f

Scanner detections:
40 / 68

Status:
Potentially unwanted

Explanation:
Packages the OpenCandy software bundler that offers to install additional software and may include web browser add-ons and toolbars which display advertising (based on publisher settings and geo context).

Analysis date:
12/26/2024 12:28:58 AM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Win32.Sality.N | 876
Agnitum Outpost | Win32.Sality.AA | 7.1.1
AhnLab V3 Security | Win-Trojan/Malpacked5.Gen | 2014.07.31
Avira AntiVirus | W32/Sality.S | 7.11.30.172
avast! | Win32:Sality-AM | 2014.9-140911
AVG | Win32/Sality | 2015.0.3354
Baidu Antivirus | Virus.Win32.Sality.$s | 4.0.3.14911
Bitdefender | Win32.Sality.N | 1.0.20.1270
Bkav FE | W32.SalityF.PE | 1.3.0.4959
Clam AntiVirus | W32.Sality | 0.98/19168
Comodo Security | Packed.Win32.MUPX.Gen | 19028
Dr.Web | Win32.Sector.28682 | 9.0.1.0254
Emsisoft Anti-Malware | Win32.Sality.N | 8.14.09.11.01
ESET NOD32 | Win32/OpenCandy (variant) | 8.9329
Fortinet FortiGate | W32/Sality.AL | 9/11/2014
F-Prot | W32/Sality.AI | v6.4.6.5.141
F-Secure | Win32.Sality.N | 11.2014-11-09_5
G Data | Win32.Sality | 14.9.24
IKARUS anti.virus | P2P-Worm.Win32.Bacteraloh | t3scan.1.6.1.0
K7 AntiVirus | Virus | 13.181.12898
Kaspersky | Virus.Win32.Sality | 14.0.0.3267
Malwarebytes | PUP.Optional.OpenCandy.A | v2014.01.24.07
McAfee | W32/Sality.ac | 5600.7010
Microsoft Security Essentials | Threat.Undefined | 1.179.1619.0
MicroWorld eScan | Win32.Sality.N | 15.0.0.762
NANO AntiVirus | Virus.Win32.Sality.eqco | 0.28.2.61148
nProtect | Win32.Sality.N | 14.07.30.01
Panda Antivirus | W32/Sality.Y | 14.09.11.01
Qihoo 360 Security | Virus.Win32.Sality.F | 1.0.0.1015
Quick Heal | W32.Sality.K | 9.14.14.00
Reason Heuristics | PUP.OpenCandy.D | 14.8.7.20
Rising Antivirus | PE:Win32.Sality.m!471630 | 23.00.65.14909
Sophos | W32/Sality-AD | 4.98
Total Defense | Win32/Sality.S | 37.0.11089
Trend Micro House Call | PE_SALITY.AL | 7.2.254
Trend Micro | PE_SALITY.AL | 10.465.11
Vba32 AntiVirus | Virus.Sality.309 | 3.12.26.3
VIPRE Antivirus | Threat.204212 | 31208
ViRobot | Win32.Sality.F | 2011.4.7.4223
XVirus List | Win32.Detected | 2.8.7

File size:
295.8 KB (302,888 bytes)

Product version:
3.2.5.275

Copyright:
Copyright (c) 2008 - 2014 OpenCandy, Inc.

Original file name:
OpenCandyU1Dlm.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\roaming\opencandy\b500ef173e904e23b7795395cae1fa52\dlm.exe

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
1/25/2011 3:00:00 AM

Valid to:
3/15/2014 2:59:59 AM

Subject:
CN=OpenCandy Inc., OU=Digital ID Class 3 - Microsoft Software Validation v2, O=OpenCandy Inc., L=San Diego, S=California, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
6FFC263A351134194CF16E1E6D0E0806

File PE Metadata
Compilation timestamp:
1/18/2014 4:44:58 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
6144:3KRSkMubhISlCHgqZX1DeTUKMMqDOBJ9CihkqkoSih6:3KRSFA0HJBeTUG7/UoSb

Entry address:
0xB7FA0

Entry point:
60, BE, 00, C0, 47, 00, 8D, BE, 00, 50, F8, FF, 57, 89, E5, 8D, 9C, 24, 80, C1, FF, FF, 31, C0, 50, 39, DC, 75, FB, 46, 46, 53, 68, EA, 5D, 0B, 00, 57, 83, C3, 04, 53, 68, 9C, BF, 03, 00, 56, 83, C3, 04, 53, 50, C7, 03, 03, 00, 00, 00, 90, 90, 90, 90, 90, 55, 57, 56, 53, 83, EC, 7C, 8B, 94, 24, 90, 00, 00, 00, C7, 44, 24, 74, 00, 00, 00, 00, C6, 44, 24, 73, 00, 8B, AC, 24, 9C, 00, 00, 00, 8D, 42, 04, 89, 44, 24, 78, B8, 01, 00, 00, 00, 0F, B6, 4A, 02, 89, C3, D3, E3, 89, D9, 49, 89, 4C, 24, 6C, 0F, B6, 4A...

Entropy:
7.8397 (probably packed)

Code size:
244 KB (249,856 bytes)

The file dlm.exe has been seen being distributed by the following URL.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to cdn-87-248-217-254.frf.llnw.net  (87.248.217.254:80)

TCP (HTTP):
Connects to cdn-87-248-210-254.lon.llnw.net  (87.248.210.254:80)

TCP (HTTP):
Connects to cdn-87-248-221-254.par.llnw.net  (87.248.221.254:80)

TCP (HTTP):
Connects to cdn-87-248-210-253.lon.llnw.net  (87.248.210.253:80)

TCP (HTTP):
Connects to cdn-87-248-221-253.par.llnw.net  (87.248.221.253:80)

TCP (HTTP):
Connects to cdn-87-248-217-253.frf.llnw.net  (87.248.217.253:80)

TCP (HTTP):
Connects to cdn-178-79-196-253.pmo.llnw.net  (178.79.196.253:80)

TCP (HTTP):
Connects to cdn-87-248-203-253.ams.llnw.net  (87.248.203.253:80)

TCP (HTTP):
Connects to cdn-203-77-188-254.hkg.llnw.net  (203.77.188.254:80)
