googleupdate.exe

AutoPlay Media Studio Launcher

The executable googleupdate.exe (“AutoPlay Application”) has been detected as malware by 33 anti-virus scanners. This file is typically installed with the program Cloob Messenger by cloob.com. While running, it connects to the Internet address hosted-by.hostdl.com.asiatech.ir on port 80 using the HTTP protocol.
Product:
AutoPlay Media Studio Launcher

Description:
AutoPlay Application

Version:
7.5.1004.0

MD5:
49330abe417ac1caa8b27527171a36ef

SHA-1:
72c7aeacc25acd934842b36754d192df6a04684a

SHA-256:
c8ba506b2e5c95ee588e68b9cb4655eb196b464d09fd05a0b760f1eb2da8cb2e

Scanner detections:
33 / 68

Status:
Malware

Analysis date:
11/5/2024 2:31:29 AM UTC

Scan engine: detection (engine version)

Lavasoft Ad-Aware: Trojan.GenericKD.1792659 (engine version 557)
Agnitum Outpost: Trojan.Agent (engine version 7.1.1)
AhnLab V3 Security: Trojan/Win32.HDC (engine version 2015.06.07)
Avira AntiVirus: TR/Artemis.aprb (engine version 8.3.1.6)
Arcabit: Trojan.Generic.D1B5A93 (engine version 1.0.0.425)
avast!: Win32:Malware-gen (engine version 2014.9-150728)
Baidu Antivirus: Worm.Win32.AutoPlayStudio (engine version 4.0.3.15728)
Bitdefender: Trojan.GenericKD.1792659 (engine version 1.0.20.1045)
Comodo Security: UnclassifiedMalware (engine version 22449)
Dr.Web: Trojan.AutoPlay.1 (engine version 9.0.1.0209)
ESET NOD32: Win32/AutoPlayStudio (engine version 9.10092)
Fortinet FortiGate: W32/AutoPlayStudio.A!worm (engine version 8/31/2015)
F-Secure: Trojan.GenericKD.1792659 (engine version 11.2015-28-07_3)
G Data: Trojan.GenericKD.1792659 (engine version 15.7.25)
herdProtect (fuzzy): no detection name given (engine version 2015.8.31.3)
IKARUS anti.virus: Trojan.Artemis (engine version t3scan.1.9.5.0)
K7 AntiVirus: Hacktool (engine version 13.204.16176)
Kaspersky: Trojan.Win32.Agent (engine version 14.0.0.1668)
McAfee: Artemis!686C7DD57C03 (engine version 5600.6691)
MicroWorld eScan: Trojan.GenericKD.1792659 (engine version 16.0.0.627)
NANO AntiVirus: Trojan.Win32.Agent.drpqce (engine version 0.30.24.2086)
nProtect: Trojan.GenericKD.1792659 (engine version 15.06.12.01)
Panda Antivirus: Trj/CI.A (engine version 15.07.28.10)
Qihoo 360 Security: Win32/Trojan.fdb (engine version 1.0.0.1015)
Quick Heal: Trojan.Agen.g4 (engine version 7.15.14.00)
Rising Antivirus: PE:Trojan.Agent!6.566 (engine version 23.00.65.15829)
Sophos: Mal/Generic-S (engine version 4.98)
Total Defense: Heur/TrojanHorse.ZCFZ!suspicious (engine version 37.1.62.1)
Trend Micro House Call: TROJ_GEN.R08OC0EDD15 (engine version 7.2.209)
Trend Micro: TROJ_GEN.R08OC0EDD15 (engine version 10.465.28)
Vba32 AntiVirus: Trojan.Agent.ahadg (engine version 3.12.26.4)
VIPRE Antivirus: Trojan.Win32.Generic!SB.0 (engine version 41122)
ViRobot: Trojan.Win32.A.Agent.1764278.B[h] (engine version 2014.3.20.0)

File size:
1.7 MB (1,764,278 bytes)

Product version:
7.5.1004.0

Copyright:
Runtime Engine Copyright © 2008 Indigo Rose Corporation (www.indigorose.com)

Trademarks:
AutoPlay Media Studio is a Trademark of Indigo Rose Corporation

Original file name:
ams_launch.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\google\update\googleupdate.exe

File PE Metadata

Compilation timestamp:
10/28/2008 4:39:46 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
49152:Nh+IK8vGga2oxMR9PoVz7lj4CQntq8MXmqDtfPIh96:NEIi2oxMGlE5tamIPIL6

Entry address:
0x173A6

Entry point:
55, 8B, EC, 6A, FF, 68, 90, 2C, 43, 00, 68, C4, BE, 41, 00, 64, A1, 00, 00, 00, 00, 50, 64, 89, 25, 00, 00, 00, 00, 83, EC, 58, 53, 56, 57, 89, 65, E8, FF, 15, AC, 01, 43, 00, 33, D2, 8A, D4, 89, 15, A0, 0A, 44, 00, 8B, C8, 81, E1, FF, 00, 00, 00, 89, 0D, 9C, 0A, 44, 00, C1, E1, 08, 03, CA, 89, 0D, 98, 0A, 44, 00, C1, E8, 10, A3, 94, 0A, 44, 00, 6A, 01, E8, 45, 38, 00, 00, 59, 85, C0, 75, 08, 6A, 1C, E8, C3, 00, 00, 00, 59, E8, 86, 1A, 00, 00, 85, C0, 75, 08, 6A, 10, E8, B2, 00, 00, 00, 59, 33, F6, 89, 75...

Entropy:
7.8620

Developed / compiled with:
Microsoft Visual C++ v6.0

Code size:
188 KB (192,512 bytes)

The file googleupdate.exe has been discovered within the following program.

Cloob Messenger by cloob.com
Cloob Messenger bundles a branded version of the Conduit Toolbar, which delivers search based advertising and results. During installation the user is presented in some cases with the option to install the toolbar. Once accepted, the packaged executable, ConduitInstaller.
www.cloob.com/etc/messenger
About 10% of users remove it

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to hosted-by.hostdl.com.asiatech.ir  (185.49.85.3:80)
