update.exe

The executable update.exe, “Windows Messenger Service” has been detected as malware by 26 anti-virus scanners. This is a setup program which is used to install the application. This trojon will perform a number of actions that will compromise a PC including changing protected system registry values, hiding in protected operating system locations and downloading and installing additional malware. The file has been seen being downloaded from www.kiemthe99.com.
Description:
Windows Messenger Service

Version:
5.1.2600.2281

MD5:
6c251226a83e4b6f95d80388e1b65510

SHA-1:
6179bc017b11dbdf7671ae3cdc9c38b9642d7681

SHA-256:
02e0e7aa60ce88a3dbfe85332707b49eeab9782e6a688dc63016df1552c52b57

Scanner detections:
26 / 68

Status:
Malware

Analysis date:
11/16/2024 6:57:38 AM UTC  (today)

Scan engine
Detection
Engine version

AhnLab V3 Security
Trojan/Win32.BHO
2013.09.26

Avira AntiVirus
TR/Malagent.A.5285
7.11.104.112

avast!
AutoIt:QHost-F [Trj]
2014.9-130824

AVG
Generic8_c
2014.0.3643

Baidu Antivirus
Trojan.Win32.Qhost
4.0.3.131126

Bkav FE
HW32.CDB
1.3.0.4246

Comodo Security
UnclassifiedMalware
17000

Dr.Web
Trojan.Hosts.16329
9.0.1.0330

Emsisoft Anti-Malware
Trojan.Win32.Qhost
8.13.11.26.12

ESET NOD32
Win32/Packed.Autoit
7.8844

Fortinet FortiGate
W32/Qhost.AFZO!tr
8/24/2013

G Data
Win32.Trojan.Agent.OGYC0E
13.11.22

IKARUS anti.virus
Trojan.Win32.Qhost
t3scan.2.0.127

K7 AntiVirus
Riskware
13.172.9695

Kaspersky
Trojan.Win32.Qhost
14.0.0.3773

McAfee
RDN/Qhost-Gen!y
5600.7271

Microsoft Security Essentials
Trojan:Win32/Malagent
1.163.1557.0

Norman
Troj_Generic.MRVFB
11.20130824

nProtect
Trojan/W32.Qhost_Packed.334638
13.09.26.01

Panda Antivirus
Trj/CI.A
13.08.24.01

Reason Heuristics
Unnamed.Threat.41
14.3.1.0

Sophos
Mal/Generic-S
4.93

Trend Micro House Call
TROJ_GEN.F0C2C0KGS13
7.2.236

Trend Micro
TROJ_GEN.F0C2C0KGS13
10.465.24

Vba32 AntiVirus
Trojan.Autoit.F
3.12.24.3

VIPRE Antivirus
Trojan.Win32.Generic
21834

File size:
326.8 KB (334,638 bytes)

Copyright:
© Microsoft Corporation. All rights reserved.

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\downloads\update.exe

File PE Metadata
Compilation timestamp:
4/9/2012 5:11:21 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
6144:PykBiZOW+ivPIVfX80ayZ43zcaJtTDrsZS91cLIAH0TEeVa2VxEQ+7q:Pya4OjigvzaT33TvsBkAH0AcbxE5+

Entry address:
0xC3F50

Entry point:
60, BE, 00, 90, 47, 00, 8D, BE, 00, 80, F8, FF, 57, 83, CD, FF, EB, 10, 90, 90, 90, 90, 90, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, 0B, 75, 28, 8B, 1E, 83, EE, FC, 11, DB, 72, 1F, 48, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, EB, D4, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, EB, 52, 31, C9, 83, E8, 03, 72, 11, C1, E0, 08, 8A, 06, 46, 83, F0, FF, 74, 75, D1, F8, 89...
 
[+]

Entropy:
7.9239

Packer / compiler:
UPX 2.90LZMA]

Code size:
304 KB (311,296 bytes)

The file update.exe has been seen being distributed by the following URL.

Remove update.exe - Powered by Reason Core Security