GoogleUpdate.exe

Google Update Services

Google lnc

The executable GoogleUpdate.exe has been detected as malware by 27 anti-virus scanners. It is configured to start automatically when a user logs into Windows, via the current-user Run registry key, under the display name 'Google Services'. While running, it connects to the Internet address 94.31.0.27.IPYX-076665-ZYO.above.net on port 80 using the HTTP protocol.
Publisher:
Google lnc

Product:
Google Update Services

Version:
1.05.0542

MD5:
cb48233fecaac39d72853f8b5a493be4

SHA-1:
9a9cf2fa82b3b11db90a4097755662c928864b74

SHA-256:
c01ada21be0cc448bf675520903f369ec19b30cbb4490a8345f307d355e682d1

Scanner detections:
27 / 68

Status:
Malware

Analysis date:
12/25/2024 5:21:09 AM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Gen:Trojan.Heur.VP.pu0baGSD8ibi | 1137
AhnLab V3 Security | Malware/Win32.Generic | 2014.01.20
Avira AntiVirus | TR/Dropper.VB.4005 | 7.11.125.204
avast! | Win32:Dropper-gen [Drp] | 2014.9-131225
AVG | Dropper.Generic8 | 2014.0.3615
Baidu Antivirus | Trojan.Win32.Agent | 4.0.3.131225
Bitdefender | Gen:Trojan.Heur.VP.pu0baGSD8ibi | 1.0.20.1795
Bkav FE | W32.Clod403.Trojan | 1.3.0.4923
Boost by Reason | Optional.Startup.Googlelnc.M | 188163
Comodo Security | UnclassifiedMalware | 17642
Dr.Web | Trojan.Click3.50 | 9.0.1.0359
Emsisoft Anti-Malware | Gen:Trojan.Heur.VP.pu0baGSD8ibi | 8.14.01.21.08
Fortinet FortiGate | W32/VB.F | 12/25/2013
F-Prot | W32/VBTrojan.17E | v6.4.7.1.166
F-Secure | Gen:Trojan.Heur.VP.pu0baGSD8ibi | 11.2014-21-01_3
G Data | Gen:Trojan.Heur.VP.pu0baGSD8ibi | 13.12.24
IKARUS anti.virus | Trojan.Win32.Spy | t3scan.2.2.29
K7 AntiVirus | Riskware | 13.174.10509
McAfee | RDN/Generic Dropper!rl | 5600.7271
Microsoft Security Essentials | Trojan:Win32/Dynamer!ac | 1.165.247.01
MicroWorld eScan | Gen:Trojan.Heur.VP.pu0baGSD8ibi | 14.0.0.1077
Norman | Troj_Generic.PMCVV | 11.20131225
Panda Antivirus | Trj/CI.A | 13.12.25.06
Sophos | Mal/VB-F | 4.96
Trend Micro House Call | TROJ_GEN.F0C2C0KII13 | 7.2.359
Trend Micro | TROJ_GEN.F0C2C0KII13 | 10.465.25
VIPRE Antivirus | Trojan.Win32.Generic | 25608

File size:
254 KB (260,096 bytes)

Product version:
1.05.0542

Copyright:
Google lnc

Trademarks:
Google lnc

Original file name:
GoogleUpdate.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Program Files\google\googleupdate.exe

File PE Metadata
Compilation timestamp:
8/31/2013 12:51:10 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
6144:JWxxoyOVCegokQqF7UIVp9MNvj0iXplVW07m:I/oyOVCegqqpUEpmNvZS0

Entry address:
0x5D001

Entry point:
60, E8, 03, 00, 00, 00, E9, EB, 04, 5D, 45, 55, C3, E8, 01, 00, 00, 00, EB, 5D, BB, ED, FF, FF, FF, 03, DD, 81, EB, 00, D0, 05, 00, 83, BD, 88, 04, 00, 00, 00, 89, 9D, 88, 04, 00, 00, 0F, 85, CB, 03, 00, 00, 8D, 85, 94, 04, 00, 00, 50, FF, 95, A9, 0F, 00, 00, 89, 85, 8C, 04, 00, 00, 8B, F0, 8D, 7D, 51, 57, 56, FF, 95, A5, 0F, 00, 00, AB, B0, 00, AE, 75, FD, 38, 07, 75, EE, 8D, 45, 7A, FF, E0, 56, 69, 72, 74, 75, 61, 6C, 41, 6C, 6C, 6F, 63, 00, 56, 69, 72, 74, 75, 61, 6C, 46, 72, 65, 65, 00, 56, 69, 72, 74...

Entropy:
7.9006

Packer / compiler:
ASPack v2.12

Code size:
332 KB (339,968 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Google Services

Command:
C:\Program Files\google\googleupdate.exe

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to 94.31.0.27.IPYX-076665-ZYO.above.net  (94.31.0.27:80)
