home

multishield.exe

Visual Tools Client Setup 1.0

Woolik technologies ltd

The application multishield.exe, “Visual Tools Client Setup” by Woolik technologies ltd has been detected as adware by 7 anti-malware scanners. This is a setup and installation application and has been known to bundle potentially unwanted software. This will display context specific advertisements in the browser as well as attempt to modify the browser's search provider. The file has been seen being downloaded from s3.amazonaws.com.
Publisher:
Visual Tools Ltd.  (signed by Woolik technologies ltd)

Product:
Visual Tools Client Setup 1.0

Description:
Visual Tools Client Setup

Version:
1.0.5.0

MD5:
627e9dab020cb89d5b0681416606f412

SHA-1:
d3cba68d0e5c51f69a356546defa3a43161fd1e8

Scanner detections:
7 / 68

Status:
Adware

Explanation:
The installer may include an offer for the Babylon Toolbar (a homepage/search hijacker), which is potentially installed with minimal user consent.

Analysis date:
11/23/2024 9:28:17 AM UTC  (today)

Scan engine
Detection
Engine version

Agnitum Outpost
PUA.Toolbar.Babylon
7.1.1

Dr.Web
Adware.Searcher.2766
9.0.1.0129

ESET NOD32
Win32/Toolbar.Babylon.AD (variant)
8.10804

IKARUS anti.virus
PUA.Toolbar.Babylon
t3scan.1.8.9.0

K7 AntiVirus
Trojan
13.202.15549

NANO AntiVirus
Riskware.Win32.Searcher.dotdbm
0.30.10.952

Reason Heuristics
PUP.Installer.Wooliktechnologiesltd.L
14.12.6.11

File size:
7.1 MB (7,424,312 bytes)

Copyright:
2011(c) Visual Tools Ltd. All rights reserved.

Original file name:
Setup.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Documents and Settings\{user}\Local settings\temp\{random}.tmp\multishield.exe

Digital Signature
Signed by:
Woolik technologies ltd

Authority:
VeriSign, Inc.

Valid from:
9/15/2014 2:00:00 AM

Valid to:
8/22/2015 1:59:59 AM

Subject:
CN=Woolik technologies ltd, O=Woolik technologies ltd, L=Or Yeuda, S=israel, C=IL

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
7F992DC68CD6D89798B6148730F501CD

File PE Metadata
Compilation timestamp:
10/22/2014 10:00:48 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
196608:tVT4nte/6yBvo9QPnwv0vOobmDwrc7mFB6X+jBZnZ:tKnTyBvo9EwM96DK3jBZZ

Entry address:
0x2703

Entry point:
E8, 10, 1D, 00, 00, E9, 00, 00, 00, 00, 6A, 14, 68, 48, 3A, 41, 00, E8, C7, 1E, 00, 00, E8, EC, 01, 00, 00, 0F, B7, F0, 6A, 02, E8, A3, 1C, 00, 00, 59, B8, 4D, 5A, 00, 00, 66, 39, 05, 00, 00, 40, 00, 74, 04, 33, DB, EB, 33, A1, 3C, 00, 40, 00, 81, B8, 00, 00, 40, 00, 50, 45, 00, 00, 75, EB, B9, 0B, 01, 00, 00, 66, 39, 88, 18, 00, 40, 00, 75, DD, 33, DB, 83, B8, 74, 00, 40, 00, 0E, 76, 09, 39, 98, E8, 00, 40, 00, 0F, 95, C3, 89, 5D, E4, E8, 84, 16, 00, 00, 85, C0, 75, 08, 6A, 1C, E8, DC, 00, 00, 00, 59, E8...
 
[+]

Code size:
51.5 KB (52,736 bytes)

The file multishield.exe has been seen being distributed by the following URL.

http://s3.amazonaws.com/.../MultiShield.exe

Remove multishield.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.