home

dlm.exe

OpenCandy recommendation downloader

OpenCandy Inc.

The application dlm.exe, “OpenCandy recommendation downloader p46” by OpenCandy has been detected as a potentially unwanted program by 40 anti-malware scanners. This is a setup program which is used to install the application. It uses the OpenCandy monitzation platform which will donwload and install offers in the setup for potentially unwanted software including ad/search-supported toolbars. The file has been seen being downloaded from cdn.opencandy.com. While running, it connects to the Internet address cdn-87-248-221-254.par.llnw.net on port 80 using the HTTP protocol.
Publisher:
OpenCandy  (signed by OpenCandy Inc.)

Product:
OpenCandy recommendation downloader

Description:
OpenCandy recommendation downloader p46

Version:
3.2.5.275

MD5:
1cb3a1365543e07611a90ef9f1c9a3f3

SHA-1:
374ca69e67a1abc42a8d39cad7337f3bd3351926

SHA-256:
ecfa0c427cd8ba3fa68f1307607d7c4425af02af488f295974ea52fc251e271f

Scanner detections:
40 / 68

Status:
Potentially unwanted

Explanation:
Packages the OpenCandy software bundler that offers to install additional software and may include web browser add-ons and toolbars which display advertising (based on publisher settings and geo context).

Analysis date:
11/23/2024 2:41:08 PM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Win32.Sality.N
876

Agnitum Outpost
Win32.Sality.AA
7.1.1

AhnLab V3 Security
Win-Trojan/Malpacked5.Gen
2014.07.31

Avira AntiVirus
W32/Sality.S
7.11.30.172

avast!
Win32:Sality-AM
2014.9-140911

AVG
Win32/Sality
2015.0.3354

Baidu Antivirus
Virus.Win32.Sality.$s
4.0.3.14911

Bitdefender
Win32.Sality.N
1.0.20.1270

Bkav FE
W32.SalityF.PE
1.3.0.4959

Clam AntiVirus
W32.Sality
0.98/19168

Comodo Security
Packed.Win32.MUPX.Gen
19028

Dr.Web
Win32.Sector.28682
9.0.1.0254

Emsisoft Anti-Malware
Win32.Sality.N
8.14.09.11.01

ESET NOD32
Win32/OpenCandy (variant)
8.9329

Fortinet FortiGate
W32/Sality.AL
9/11/2014

F-Prot
W32/Sality.AI
v6.4.6.5.141

F-Secure
Win32.Sality.N
11.2014-11-09_5

G Data
Win32.Sality
14.9.24

IKARUS anti.virus
P2P-Worm.Win32.Bacteraloh
t3scan.1.6.1.0

K7 AntiVirus
Virus
13.181.12898

Kaspersky
Virus.Win32.Sality
14.0.0.3267

Malwarebytes
PUP.Optional.OpenCandy.A
v2014.01.24.07

McAfee
W32/Sality.ac
5600.7010

Microsoft Security Essentials
Threat.Undefined
1.179.1619.0

MicroWorld eScan
Win32.Sality.N
15.0.0.762

NANO AntiVirus
Virus.Win32.Sality.eqco
0.28.2.61148

nProtect
Win32.Sality.N
14.07.30.01

Panda Antivirus
W32/Sality.Y
14.09.11.01

Qihoo 360 Security
Virus.Win32.Sality.F
1.0.0.1015

Quick Heal
W32.Sality.K
9.14.14.00

Reason Heuristics
PUP.OpenCandy.D
14.8.7.20

Rising Antivirus
PE:Win32.Sality.m!471630
23.00.65.14909

Sophos
W32/Sality-AD
4.98

Total Defense
Win32/Sality.S
37.0.11089

Trend Micro House Call
PE_SALITY.AL
7.2.254

Trend Micro
PE_SALITY.AL
10.465.11

Vba32 AntiVirus
Virus.Sality.309
3.12.26.3

VIPRE Antivirus
Threat.204212
31208

ViRobot
Win32.Sality.F
2011.4.7.4223

XVirus List
Win32.Detected
2.8.7

File size:
295.8 KB (302,888 bytes)

Product version:
3.2.5.275

Copyright:
Copyright (c) 2008 - 2014 OpenCandy, Inc.

Original file name:
OpenCandyU1Dlm.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\roaming\opencandy\b500ef173e904e23b7795395cae1fa52\dlm.exe

Digital Signature
Signed by:
OpenCandy Inc.

Authority:
VeriSign, Inc.

Valid from:
1/25/2011 3:00:00 AM

Valid to:
3/15/2014 2:59:59 AM

Subject:
CN=OpenCandy Inc., OU=Digital ID Class 3 - Microsoft Software Validation v2, O=OpenCandy Inc., L=San Diego, S=California, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
6FFC263A351134194CF16E1E6D0E0806

File PE Metadata
Compilation timestamp:
1/18/2014 4:44:58 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
6144:3KRSkMubhISlCHgqZX1DeTUKMMqDOBJ9CihkqkoSih6:3KRSFA0HJBeTUG7/UoSb

Entry address:
0xB7FA0

Entry point:
60, BE, 00, C0, 47, 00, 8D, BE, 00, 50, F8, FF, 57, 89, E5, 8D, 9C, 24, 80, C1, FF, FF, 31, C0, 50, 39, DC, 75, FB, 46, 46, 53, 68, EA, 5D, 0B, 00, 57, 83, C3, 04, 53, 68, 9C, BF, 03, 00, 56, 83, C3, 04, 53, 50, C7, 03, 03, 00, 00, 00, 90, 90, 90, 90, 90, 55, 57, 56, 53, 83, EC, 7C, 8B, 94, 24, 90, 00, 00, 00, C7, 44, 24, 74, 00, 00, 00, 00, C6, 44, 24, 73, 00, 8B, AC, 24, 9C, 00, 00, 00, 8D, 42, 04, 89, 44, 24, 78, B8, 01, 00, 00, 00, 0F, B6, 4A, 02, 89, C3, D3, E3, 89, D9, 49, 89, 4C, 24, 6C, 0F, B6, 4A...
 
[+]

Entropy:
7.8397  (probably packed)

Code size:
244 KB (249,856 bytes)

The file dlm.exe has been seen being distributed by the following URL.

http://cdn.opencandy.com/p/1082/.../CoCIntegrationDLMgrB.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to cdn-87-248-217-254.frf.llnw.net  (87.248.217.254:80)

TCP (HTTP):
Connects to cdn-87-248-210-254.lon.llnw.net  (87.248.210.254:80)

TCP (HTTP):
Connects to cdn-87-248-221-254.par.llnw.net  (87.248.221.254:80)

TCP (HTTP):
Connects to cdn-87-248-210-253.lon.llnw.net  (87.248.210.253:80)

TCP (HTTP):
Connects to cdn-87-248-221-253.par.llnw.net  (87.248.221.253:80)

TCP (HTTP):
Connects to cdn-87-248-217-253.frf.llnw.net  (87.248.217.253:80)

TCP (HTTP):
Connects to cdn-178-79-196-253.pmo.llnw.net  (178.79.196.253:80)

TCP (HTTP):
Connects to cdn-87-248-203-253.ams.llnw.net  (87.248.203.253:80)

TCP (HTTP):
Connects to cdn-203-77-188-254.hkg.llnw.net  (203.77.188.254:80)

Remove dlm.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.