» SWUpdaterSvc.exe
Overview
Analysis
File Details
Behaviors (1)
Programs (1)
Network (5)

SWUpdaterSvc.exe

SWUpdaterSvc

Weather Protector LLC

Part of an adware web browser extension that delivers advertisements such as coupons, price-comparisons, display media, affiliate links, banners, popups/popunders and other links. The application SWUpdaterSvc.exe, “SW Updater Service” by Weather Protector has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. It runs as a separate (within the context of its own process) windows Service named “SWUpdaterSvc”. This file is typically installed with the program StormWatch by Local Weather LLC which is a potentially unwanted software program.

File name:

SWUpdaterSvc.exe

Publisher:

Weather Protector LLC (signed and verified)

Product:

SWUpdaterSvc

Description:

SW Updater Service

Version:

2.0.0.0

MD5:

6ce2c1334a7e0423f4f14b69020940e3

SHA-1:

b558552573269e7d317a3cdea10497916c11c919

SHA-256:

6ef3cd6f3150a6fbe8f8950c824d4b291766d539a348167b0afe0e329143bb88

Scanner detections:

1 / 68

Status:

Adware

Note:

Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Analysis date:

11/23/2024 10:35:37 AM UTC (today)

Scan engine

Detection

Engine version

Reason Heuristics

PUP.Service.WeatherProtector.M

14.12.16.12

File size:

17.2 KB (17,584 bytes)

Product version:

2.0.0.0

Original file name:

SWUpdaterSvc.exe

File type:

Executable application (Win32 EXE)

Language:

Language Neutral

Common path:

C:\Program Files\stormwatch\swupdatersvc.exe

Digital Signature

Signed by:

Weather Protector LLC

Authority:

COMODO CA Limited

Valid from:

6/12/2014 8:00:00 PM

Valid to:

6/13/2015 7:59:59 PM

Subject:

CN=Weather Protector LLC, O=Weather Protector LLC, STREET="101 Colorado St #2309", L=Austin, S=TX, PostalCode=78701, C=US

Issuer:

CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:

0F678993FB0EAFD79536EEA5A8B5A02E

File PE Metadata

Compilation timestamp:

11/22/2014 12:19:24 AM

OS version:

4.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

11.0

.NET CLR dependent:

Yes

CTPH (ssdeep):

192:tcSWRIXIHfq4Zfs889eHInoJeqVMTmvBeYfHix8iyMrj6938LWM1/4Ig2tpyde:4f5NH89yIoHVMCvBTCxMMC18Vqde

Entry address:

0x41BE

Entry point:

FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 02, 00, 10, 00, 00, 00, 20, 00, 00, 80, 18, 00, 00, 00, 38, 00, 00, 80, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 01, 00, 01, 00, 00, 00, 50, 00, 00, 80, 00, 00, 00, 00, 00, 00... 
[+]

Entropy:

6.1553

Developed / compiled with:

Microsoft Visual C# / Basic .NET

Code size:

8.5 KB (8,704 bytes)

Service

Display name:

SWUpdaterSvc

Service name:

SWUpdater

Type:

Win32OwnProcess

The file SWUpdaterSvc.exe has been discovered within the following programs.

StormWatch by Local Weather LLC

StormWatch is a potentially unwanted adware program that injects ads into the user's browser. This includes inserting into web pages or displaying ads over parts of existing web page advertisements, banners, coupons or text links that would not otherwise appear.

84% remove it

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Connects to a23-34-63-144.deploy.static.akamaitechnologies.com (23.34.63.144:80)

TCP (HTTP):

Connects to ocsp.comodoca.com (178.255.83.1:80)

TCP (HTTP):

Connects to crl.comodoca.com.cdn.cloudflare.net (178.255.83.2:80)

TCP (HTTP):

Connects to ec2-54-204-254-52.compute-1.amazonaws.com (54.204.254.52:80)

TCP (HTTP):

Connects to a2-16-117-32.deploy.akamaitechnologies.com (2.16.117.32:80)

Remove SWUpdaterSvc.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.