WHelp.EXE

WHelp

WooJung ITS

The application WHelp.EXE by WooJung ITS has been detected as a potentially unwanted program by 12 anti-malware scanners. It is set to automatically execute when any user logs into Windows (through the local user run registry setting) with the name ‘WHelp’.
Publisher:
WooJung ITS Corp.  (signed by WooJung ITS)

Product:
WHelp

Version:
1, 0, 0, 4

MD5:
c840ee4f928b83e464eac1badeca255d

SHA-1:
07f8db03ecc0d510db0bc5903fcb9e063e746e2c

Scanner detections:
12 / 68

Status:
Potentially unwanted

Analysis date:
11/27/2024 8:53:42 AM UTC

Scan engine         Detection                           Engine version
Agnitum Outpost     PUA.Kraddare                        7.1.1
AhnLab V3 Security  PUP/Win32.WHelp                     16.03.25
Avira AntiVirus     Adware/Kraddare.GN.26               7.11.146.82
AVG                 Generic5                            2017.0.2793
Bkav FE             W32.Cloddc3.Trojan                  1.3.0.4959
Comodo Security     UnclassifiedMalware                 18192
ESET NOD32          Win32/Adware.Kraddare.GN (variant)  10.9740
IKARUS anti.virus   AdWare.Kraddare                     t3scan.1.6.1.0
Malwarebytes        Adware.Korad                        v2016.03.25.06
McAfee              Artemis!C840EE4F928B                5600.6449
SUPERAntiSpyware    Trojan.Agent/Gen-FraudScan          9243
VIPRE Antivirus     Trojan.Win32.Generic                28710

File size:
50.5 KB (51,760 bytes)

Product version:
1, 0, 0, 4

Copyright:
(c) WooJung ITS. All rights reserved.

Original file name:
WHelp.EXE

File type:
Executable application (Win32 EXE)

Common path:
C:\Program Files\whelp\whelp.exe

Digital Signature
Signed by:

Authority:
Thawte, Inc.

Valid from:
4/11/2012 2:00:00 AM

Valid to:
5/12/2013 1:59:59 AM

Subject:
CN=WooJung ITS, O=WooJung ITS, L=Gangnam-gu, S=SEOUL, C=KR

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
7F9271CF4DE60DE37A832FF7C03AA9DE

File PE Metadata
Compilation timestamp:
2/26/2013 10:47:18 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
384:wPiBE9co3Q3ZB061uw+Myj37K4XA18WZuqHnubrm/nnPsWzn5fuSPLcNF:wqUcoA3Zvfua4KHZuAnErMnnPXz5EF

Entry address:
0x3BBC

Entry point:
55, 8B, EC, 6A, FF, 68, D0, 55, 40, 00, 68, B0, 3B, 40, 00, 64, A1, 00, 00, 00, 00, 50, 64, 89, 25, 00, 00, 00, 00, 83, EC, 68, 53, 56, 57, 89, 65, E8, 33, DB, 89, 5D, FC, 6A, 02, FF, 15, 64, 52, 40, 00, 59, 83, 0D, 14, 94, 40, 00, FF, 83, 0D, 18, 94, 40, 00, FF, FF, 15, 68, 52, 40, 00, 8B, 0D, 08, 94, 40, 00, 89, 08, FF, 15, 6C, 52, 40, 00, 8B, 0D, 04, 94, 40, 00, 89, 08, A1, 70, 52, 40, 00, 8B, 00, A3, 10, 94, 40, 00, E8, 16, 01, 00, 00, 39, 1D, 10, 93, 40, 00, 75, 0C, 68, 3E, 3D, 40, 00, FF, 15, 74, 52...
 

Entropy:
4.8544

Developed / compiled with:
Microsoft Visual C++ v6.0

Code size:
16 KB (16,384 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
WHelp

Command:
C:\Program Files\whelp\whelp.exe

