When digitally signed by USM Software or distributed via legitimate channels (e.g., MajorGeeks, CNET), usm.exe is the main binary for Universal Share Manager – a tool used to manage file hosting accounts (RapidShare, Mega, etc.).
Legitimate Characteristics:
Note: Even the legitimate version is considered a PUP in many corporate environments due to its association with unauthorized file sharing and potential copyright infringement.
Threat actors use the usm.exe filename in two primary ways:
To ensure the process running on your computer is the legitimate Logitech file and not a fake, follow these steps:
If the file is safe:
The folder that opens should be located somewhere within your Program Files, typically:
C:\Program Files\Logitech\User Session Manager\
or
C:\Program Files (x86)\Logitech\...
If the file is suspicious:
If the file is located in a temporary folder (like AppData\Local\Temp) or a random folder with a nonsensical name, it could be malware.
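The location and signature checks above can be run in one pass from PowerShell. The script below is an added example, not part of the original article: it finds every running usm.exe, classifies its path against the Program Files roots the article names as expected and the Temp/AppData-style roots it names as suspicious, and reports the Authenticode signer, file version metadata and SHA-256 so the values can be compared with what the vendor publishes. The root lists and the verdict labels are illustrative assumptions.

```powershell
# Added example (not from the original article): triage running usm.exe instances
# by location and Authenticode signature. Run elevated to read paths of processes
# owned by other sessions. The expected/suspicious root lists are assumptions.

$expectedRoots = @(
    $env:ProgramFiles,
    ${env:ProgramFiles(x86)}
) | Where-Object { $_ }

$suspiciousRoots = @(
    $env:TEMP,
    (Join-Path $env:LOCALAPPDATA 'Temp'),
    $env:LOCALAPPDATA,
    $env:APPDATA,
    'C:\Users\Public'
) | Where-Object { $_ }

function Get-PathVerdict {
    param([string]$Path)
    foreach ($root in $expectedRoots) {
        if ($Path -like "$root\*") { return 'expected-location' }
    }
    foreach ($root in $suspiciousRoots) {
        if ($Path -like "$root\*") { return 'SUSPICIOUS-location' }
    }
    return 'unusual-location'   # neither list matched: inspect manually
}

$procs = Get-Process -Name usm -ErrorAction SilentlyContinue
if (-not $procs) { Write-Output 'No usm.exe process is running.'; return }

foreach ($p in $procs) {
    $path = $p.Path
    if (-not $path) {
        # Path is empty when the process belongs to another user and we lack rights.
        Write-Output ("PID {0}: path not readable (run elevated to inspect)" -f $p.Id)
        continue
    }
    $sig  = Get-AuthenticodeSignature -FilePath $path
    $info = (Get-Item -LiteralPath $path).VersionInfo
    [pscustomobject]@{
        PID       = $p.Id
        Path      = $path
        Location  = Get-PathVerdict -Path $path
        Signature = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
        Company   = $info.CompanyName
        Product   = $info.ProductName
        SHA256    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    }
}
```

A `Valid` signature from the expected publisher in an expected location is the benign case; an unsigned or hash-mismatched binary under Temp, AppData or Public is the case the article warns about. An unsigned file in Program Files is not proof of malware on its own, since some legitimate installers ship unsigned, but it warrants comparing the hash against a known-good copy.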
The best cure is prevention. To avoid rogue usm.exe files in the future:
If you experience issues with usm.exe, try the following:
Despite legitimate uses, cybersecurity forums and antivirus engines frequently flag usm.exe as a potential threat. Why is that?
The simple reason is hijacking. Malware authors frequently use common-sounding file names to blend in. Because usm.exe is not a protected Windows file, it is an easy target for masquerading.
Malicious usm.exe commonly uses:
Registry Run key:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Value: "USM Update" = "C:\Users\[user]\AppData\Local\usm.exe"
Scheduled Task (XML example):
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
    </LogonTrigger>
  </Triggers>
  <Actions>
    <Exec>
      <Command>C:\Users\Public\usm.exe</Command>
      <Arguments>/quiet</Arguments>
    </Exec>
  </Actions>
</Task>
WMI Event Subscription (advanced persistent threat):
SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'
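The three persistence mechanisms listed above (Run key, scheduled task, WMI event subscription) can be audited together. The script below is an added example, not part of the original article: it enumerates Run/RunOnce keys for the user and machine, every scheduled task action, and the CommandLineEventConsumer instances in root\subscription, reporting any entry that references usm.exe. Because the WQL query shown above is only the filter half of a WMI subscription (the bound consumer is what launches a binary), the script also lists every event filter so the trigger can be paired with its consumer. The `$Pattern` value and the key list are illustrative assumptions.

```powershell
# Added example (not from the original article): hunt for the persistence
# mechanisms described above. Run elevated to see HKLM, all users' tasks and
# the root\subscription namespace. $Pattern is an assumed search string.

$Pattern  = '*usm.exe*'
$findings = @()

# 1. Registry Run / RunOnce keys for the current user and the machine
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($prop in $props.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath metadata
        if ("$($prop.Value)" -like $Pattern) {
            $findings += [pscustomobject]@{ Source = 'RunKey'; Name = "$key\$($prop.Name)"; Command = $prop.Value }
        }
    }
}

# 2. Scheduled tasks whose Exec action launches a matching binary
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)".Trim()
        if ($cmd -like $Pattern) {
            $findings += [pscustomobject]@{ Source = 'ScheduledTask'; Name = "$($task.TaskPath)$($task.TaskName)"; Command = $cmd }
        }
    }
}

# 3. WMI permanent event subscriptions: the consumer carries the command line
$ns = 'root\subscription'
foreach ($c in Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue) {
    $cmd = "$($c.ExecutablePath) $($c.CommandLineTemplate)".Trim()
    if ($cmd -like $Pattern) {
        $findings += [pscustomobject]@{ Source = 'WMIConsumer'; Name = $c.Name; Command = $cmd }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else           { Write-Output "No persistence entries matching $Pattern found." }

# The WQL trigger lives in __EventFilter (as in the query above); list every filter
# and binding so a matched consumer can be traced back to what fires it.
Write-Output "`nWMI event filters present in $ns:"
foreach ($f in Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue) {
    Write-Output ("  {0}: {1}" -f $f.Name, $f.Query)
}
Write-Output "`nFilter-to-consumer bindings:"
foreach ($b in Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue) {
    Write-Output ("  filter={0}  consumer={1}" -f $b.Filter, $b.Consumer)
}
```

On a clean workstation the binding list is usually empty and the only filters present are vendor ones (if any); a filter polling a performance-counter class every 60 seconds, bound to a CommandLineEventConsumer that points at a user-writable path, is the pattern the article describes and is worth escalating.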