eGdpSvc.exe

Wsys Control

Skytouch Technology Co., Limited

The application eGdpSvc.exe, “Wsys Control 13.3.2.2610” by Skytouch Technology Co., Limited has been detected as adware by 27 anti-malware scanners. It runs as a separate (within the context of its own process) windows Service named “Wsys Service”. While running, it connects to the Internet address 174.36.200.164-static.reverse.softlayer.com on port 80 using the HTTP protocol.
Publisher:
Wsys Co., Ltd.  (signed by Skytouch Technology Co., Limited)

Product:
Wsys Control

Description:
Wsys Control 13.3.2.2610

Version:
13.3.2.2610

MD5:
d0a07092b61451556297eb9fe5cd51bd

SHA-1:
14c8298c669c96fdfa93fc4e81d152654491e9fa

SHA-256:
febb62695c2bc83342598727e4dde9647ec72d9029d050f1d96b3257c30d52e4

Scanner detections:
27 / 68

Status:
Adware

Analysis date:
12/25/2024 12:24:28 AM UTC  (today)

Scan engine
Detection
Engine version

AhnLab V3 Security
Trojan/Win32.Staser
2013.11.26

Avira AntiVirus
TR/Wysotot.Gen
7.11.115.116

AVG
Startpage.A
2014.0.3617

Bitdefender
Application.ExqPage.E
1.0.20.1780

Boost by Reason
Optional.Service.SkytouchTechnologyCoLimited.H
188861

Comodo Security
Heur.Suspicious
17333

Dr.Web
Adware.Mutabaha.20
9.0.1.0356

ESET NOD32
Win32/ELEX (variant)
7.9092

Fortinet FortiGate
W32/Staser.QAF!tr
12/22/2013

G Data
Application.ExqPage
13.12.22

IKARUS anti.virus
Trojan.Win32.Staser
t3scan.2.2.29

K7 AntiVirus
Unwanted-Program
13.174.10306

Kaspersky
Trojan.Win32.Staser
14.0.0.4582

Malwarebytes
PUP.Optional.Wsys.A
v2013.12.22.04

McAfee
RDN/Generic PUP.x!bf3
5600.7273

Microsoft Security Essentials
Trojan:Win32/Wysotot.A
1.163.1557.0

MicroWorld eScan
Application.ExqPage.E
14.0.0.1068

Norman
Suspicious_Gen4.ESBBY
11.20131222

Panda Antivirus
Trj/CI.A
13.12.22.04

Quick Heal
Trojan.Wysotot
12.13.12.00

Reason Heuristics
PUP.Service.SkytouchTechnologyCoLimited.H
14.3.20.14

Sophos
Elex
4.95

Trend Micro House Call
ADW_STASER
7.2.356

Trend Micro
ADW_STASER
10.465.22

Vba32 AntiVirus
Trojan.Staser
3.12.24.3

VIPRE Antivirus
Trojan.Win32.Generic
23714

ViRobot
Trojan.Win32.A.Staser.305784
2011.4.7.4223

File size:
298.6 KB (305,784 bytes)

Product version:
13.3.2.2610

Copyright:
Copyright (C) 2013

Original file name:
eGdpSvc.exe

File type:
Executable application (Win32 EXE)

Language:
English (United Kingdom)

Common path:
C:\ProgramData\esafe\egdpsvc.exe

Digital Signature
Authority:
GlobalSign nv-sa

Valid from:
7/8/2013 9:29:59 AM

Valid to:
7/9/2014 9:29:59 AM

Subject:
CN="Skytouch Technology Co., Limited", O="Skytouch Technology Co., Limited", L=HongKong, S=HongKong, C=HK

Issuer:
CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE

Serial number:
11216078022FA91C0EB61326E0E8FDBE9C30

File PE Metadata
Compilation timestamp:
8/16/2013 10:44:06 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
6144:237VTeaoPV+aaXoKQJ+BFoqjHH6oHI4C+QdVxZKrUI:epCaoPV+aMAYFnHAdNe

Entry address:
0x1000

Entry point:
68, 01, 40, 46, 00, E8, 01, 00, 00, 00, C3, C3, 37, 0B, 16, AF, B6, C8, 10, 5C, E7, A8, 22, BF, 59, 4A, 63, EC, 14, 24, CC, 1E, D2, CF, AD, 67, 03, 82, 99, 77, 7D, 30, 61, 04, B0, 31, 80, C1, F1, 89, 4F, A3, 68, 8B, 9E, 9B, 58, E2, 51, A8, 7D, 5C, EB, 29, D0, 84, EE, D1, DC, E4, E7, EE, 63, 43, 73, 75, 21, 6B, 77, FB, 8A, A6, 69, 4E, 45, 46, 82, C9, D7, 87, 17, BD, EE, FB, F2, EC, D5, FA, 17, 03, FF, 5A, 4D, 22, 3C, 4A, 3C, 04, 46, 2E, E7, 0A, A0, 9D, 72, D8, 50, 8E, 98, A5, F0, 75, 59, D8, 66, 88, 02, 50...
 
[+]

Entropy:
7.9098

Packer / compiler:
ASProtect v1.2x (New Strain)

Code size:
243 KB (248,832 bytes)

Service
Display name:
Wsys Service

Service name:
WsysSvc

Description:
Wsys update service

Type:
Win32OwnProcess


The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to 174.36.200.164-static.reverse.softlayer.com  (174.36.200.164:80)

Remove eGdpSvc.exe - Powered by Reason Core Security