kmpaddedcode_oppercd.exe

Ebooks Media

The application kmpaddedcode_oppercd.exe by Ebooks Media has been detected as a potentially unwanted program by 23 anti-malware scanners. This is a setup program which is used to install the application. It will plug into the web browser and display context-based advertisements by overwriting existing ads or by inserting new ones on various web pages. The file has been seen being downloaded from files4.downloadmanager149.com and multiple other hosts.
Publisher:
Ebooks Media  (signed and verified)

Product:
eBooks Media

Version:
81.5.6.8830

MD5:
a0cd4a49149d7a0548f2f9a9862e0b0d

SHA-1:
49653e2e45719b5ae876460c6cd054d67da1bf3a

SHA-256:
7f3c613bca4a6ef29ffdac157ff5dfce3b2be7a5fd7f3ff8e3ba21e61651be3e

Scanner detections:
23 / 68

Status:
Potentially unwanted

Explanation:
Bundles additional software, mostly toolbars and other potentially unwanted applications, using the Vittalia monetization installer.

Analysis date:
11/27/2024 4:16:48 AM UTC

Scan engine | Detection | Engine version
Agnitum Outpost | Riskware.Agent | 7.1.1
Arcabit | Trojan.Application.Bundler.DownloadAdmin.4 | 1.0.0.597
AVG | Generic | 2016.0.2919
Baidu Antivirus | PUA.Win32.DownloadAdmin | 4.0.3.151120
Bitdefender | Gen:Variant.Application.Bundler.DownloadAdmin.4 | 1.0.20.1620
Bkav FE | W32.HfsAdware | 1.3.0.7383
Clam AntiVirus | Win.Trojan.Agent-954275 | 0.98/21511
Dr.Web | Trojan.Vittalia.963 | 9.0.1.0324
ESET NOD32 | Win32/DownloadAdmin.P potentially unwanted (variant) | 9.12578
Fortinet FortiGate | Riskware/DownloadAdmin | 11/20/2015
F-Secure | Gen:Variant.Application.Bundler | 11.2015-20-11_6
G Data | Gen:Variant.Application.Bundler.DownloadAdmin | 15.11.25
K7 AntiVirus | Adware | 13.212.17873
Kaspersky | not-a-virus:Downloader.Win32.DownloAdmin | 14.0.0.1092
McAfee | Artemis!A0CD4A49149D | 5600.6575
Microsoft Security Essentials | SoftwareBundler:Win32/Dowadmin | 1.1.12205.0
MicroWorld eScan | Gen:Variant.Application.Bundler.DownloadAdmin.4 | 16.0.0.972
Panda Antivirus | Generic Suspicious | 15.11.20.03
Reason Heuristics | PUP.DownloadAdmin.EbooksMedia.Installer (M) | 15.11.20.15
Rising Antivirus | PE:Adware.DownloadAdmin!1.A243 [F] | 23.00.65.151118
Sophos | Generic PUA EJ (PUA) | 4.98
VIPRE Antivirus | Trojan.Win32.Generic | 45252
Zillya! Antivirus | Adware.BrowseFox.Win32.154381 | 2.0.0.2513

File size:
868.8 KB (889,656 bytes)

Product version:
81.5.6.8830

Copyright:
Copyright (C) 2015

Original file name:
setup.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\kmpaddedcode_oppercd.exe

Digital Signature
Signed by:

Authority:
GoDaddy.com, Inc.

Valid from:
11/3/2015 1:01:38 PM

Valid to:
9/7/2016 3:41:42 AM

Subject:
CN=Ebooks Media, O=Ebooks Media, L=San Francisco, S=California, C=US

Issuer:
CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
6986F899668DE1FC

File PE Metadata
Compilation timestamp:
11/18/2014 8:04:46 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
24576:ERgljRK87UwDRaDwewZyy+R8sHMTZeJq6TbEdKrIc:pRK87UwtacewAyYMT4qsFr3

Entry address:
0x4601

Entry point:
E8, FA, 92, 00, 00, E9, FE, 8B, 00, 00, CC, CC, CC, CC, CC, 55, 8B, EC, 83, E4, C0, 83, EC, 34, 53, 56, 57, E8, 2F, 12, 00, 00, 8B, F0, A3, 10, 45, 41, 00, 85, F6, 75, 15, 68, F0, 42, 41, 00, E8, FA, DA, FF, FF, 83, C4, 04, 6A, 37, FF, 15, 58, F0, 40, 00, 68, 00, 01, 00, 00, 6A, 00, 56, E8, 02, 11, 00, 00, 56, E8, EC, 0F, 00, 00, 8B, 5D, 08, 6A, 00, 53, 56, E8, 90, 11, 00, 00, 33, FF, 83, C4, 1C, 89, 7C, 24, 3C, 85, DB, 7E, 34, 8D, 49, 00, DB, 44, 24, 3C, 83, EC, 08, DD, 1C, 24, 56, E8, 10, 11, 00, 00, 8B...
Entropy:
7.9690  (probably packed)

Code size:
52.5 KB (53,760 bytes)

The file kmpaddedcode_oppercd.exe has been seen being distributed by the following 4 URLs.

http://files4.downloadmanager149.com/download/.../dl?bc=1188307&pid=kmp&brand=kmplayer.com&s=noprimary&country=SA&cb=1391149649&osName=unknown&browserName=unknown&zTmp=1&executable=1197159

http://files4.downloadmanager149.com/download/.../dl?bc=1188307&pid=kmp&brand=kmplayer.com&s=noprimary&country=ID&cb=718828687&osName=unknown&browserName=unknown&zTmp=1&executable=1197159