Tag Archives: iBryte

Software Association LLC – 16% Detection Rate – Sevas-S / iBryte / OpenCandy

Hi there! Just wanted to give you the heads up on a file called skypesetupfull.exe that’s digitally signed by Software Association LLC. This is how it looks when double-clicking on the file and Software Association LLC appears as the publisher.

Software Association LLC uac

Software Association LLC is located in Ukraine. The certificate is issued by DigiCert SHA2 Assured ID Code Signing CA.

Software Association LLC certificate

The issue is that skypesetupfull.exe is not an official Skype download. If it were, it would have been digitally signed by Skype Software Sarl. Here’s what the authentic Skype installer looks like when you double-click on it. Notice that the “Verified publisher” says “Skype Software Sarl”.
Skype Software Sarl publisher
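
The publisher check described in these posts, as an added PowerShell example that is not from the original blog: it compares a file's Authenticode signer with the publisher this page names for the product the file claims to be. The function name, the filename keywords and the verdict strings are assumptions made for illustration.

```powershell
# Added example. Expected publishers are the ones named in the posts on this page;
# the filename keywords used to guess the claimed product are assumptions.
$ExpectedPublisher = [ordered]@{
    'skype'       = 'Skype Software Sarl'
    'flashplayer' = 'Adobe Systems Incorporated'
    'java'        = 'Oracle America'   # prefix match, the certificate name may end in ", Inc."
}

function Test-InstallerPublisher {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Supply this for generic names such as setup.exe, where the filename
        # says nothing about the product the download page advertised.
        [string]$ClaimedProduct
    )

    $name = [IO.Path]::GetFileName($Path).ToLowerInvariant()
    $product = $ClaimedProduct
    if (-not $product) {
        $product = $ExpectedPublisher.Keys |
            Where-Object { $name.Contains($_) } | Select-Object -First 1
    }

    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    # Simple name of the signing certificate's subject; $null when the file is unsigned.
    $signer = if ($sig.SignerCertificate) {
        $sig.SignerCertificate.GetNameInfo('SimpleName', $false)
    }

    # A valid signature alone is not enough: the files in these posts are signed,
    # just not by the vendor whose product name they carry.
    $verdict = if ($sig.Status -ne 'Valid') {
        'NotValidlySigned'
    } elseif (-not $product -or -not $ExpectedPublisher.Contains($product)) {
        'NoKnownProductClaimed'
    } elseif ($signer -like "$($ExpectedPublisher[$product])*") {
        'PublisherMatches'
    } else {
        'PublisherMismatch'
    }

    [pscustomobject]@{
        File = $name; ClaimedProduct = $product
        Signer = $signer; SignatureStatus = $sig.Status; Verdict = $verdict
    }
}

# Usage: Get-ChildItem "$env:USERPROFILE\Downloads" -Filter *.exe |
#            ForEach-Object { Test-InstallerPublisher -Path $_.FullName }
```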

The reason I’m writing this blog post is that the Software Association LLC file is detected by some of the anti-malware scanners at VirusTotal. AVG detects skypesetupfull.exe as OpenCandy.F33, AVware names it Sevas-S Installer (fs), Jiangmin detects it as Adware/iBryte.hhhm, K7GW names it DoS-Trojan ( 200b63e51 ) and Malwarebytes reports PUP.Optional.OpenCandy.

Software Association LLC virustotal

Did you also find a file digitally signed by Software Association LLC? Where did you find it and are the anti-virus programs detecting it? Please share in the comments below.

Thanks for reading.

Tiger Download – 33% Detection Rate – Kazy / IBryte

Hi there! Did you just find a file that’s digitally signed by Tiger Download and came to this blog to find out more about it? I ran into this one while I was looking at the steady stream of files submitted to the FreeFixer library.

The reason for posting about Tiger Download is that the file is detected by many of the anti-virus programs. F-Secure classifies flashplayerpro_Setup.exe as Gen:Variant.Adware.Kazy.491026, Kaspersky detects it as not-a-virus:AdWare.Win32.iBryte.jig, Malwarebytes detects it as PUP.Optional.Fusion.A and VIPRE names it Optimum Installer (fs). Big thanks to VirusTotal for the scan report.

Tiger Download

Another problem with the Tiger Download file is how it is named: “flashplayerpro”. Users might think that it is an official Flash Player setup file, but it’s not. The official Flash Player download should be signed by Adobe Systems Incorporated, not by Tiger Download. Here’s what the official Flash Player installer should look like when you run it:

Adobe Systems Incorporated - Adobe Flashplayer Installer

Did you also find a Tiger Download file? Do you remember where you downloaded it?

Thanks for reading.

Fileadventure – Fake Java Update – 38% Detection Rate

Hello! Just a short note on a publisher called Fileadventure.

Fileadventure publisher

If you have a Fileadventure file on your machine you may have noticed that Fileadventure is displayed as the publisher in the UAC dialog when double-clicking on the file. You can also look at the Fileadventure certificate and digital signature by looking under the Digital Signatures tab on the file’s properties. According to the certificate, Fileadventure is located in Kansas City, USA.

Fileadventure certificate

The problem here is that if setup.exe really was an installer file for Java, it would be digitally signed by Oracle America Inc. and not by some unknown company.

The Fileadventure file was promoted by adware that showed a pop-up in the browser saying “Your Java Version is Outdated”. The pop-up opened a fake Java update site.

Your Java Version is Outdated

When I uploaded the Fileadventure file to VirusTotal, it came up with a 38% detection rate. The file is detected as Win32:IBryte-HL [PUP] by Avast, W32/A-138dbbfa!Eldorado by F-Prot, PUP.Optional.iBryte by Malwarebytes and AdKnowledge (fs) by VIPRE.

Fileadventure virustotal

Did you also find a Fileadventure file? Was it also promoted as a “Java Update”?

Thanks for reading.

Liquidbuild detected as Kazy, iBryte and Optimum Installer

Hi there! Just a quick Sunday post on a file named flashplayerpro_Setup.exe signed by Liquidbuild that I found while reviewing some files submitted to the FreeFixer database of files. The problem is that flashplayerpro_Setup.exe is not an official Flash Player download. If it were, it would be digitally signed by Adobe Systems Incorporated.

When I uploaded the Liquidbuild file to VirusTotal, it came up with a 28% detection rate. The file is detected as Adware/iBryte.bxow by Avira, Gen:Variant.Kazy.466717 by BitDefender, Gen:Variant.Kazy.466717 by F-Secure and Optimum Installer (fs) by VIPRE. It’s probably better to stay away from this file.

Liquidbuild virustotal report

Did you also find a Liquidbuild file?

Thanks for reading.

Safe Down – 22% Detection Rate – Detected as IBryte and

Welcome! Just a short post on a publisher called Safe Down. I just found a download named Java_Setup.exe that was digitally signed by this publisher, and it turns out that it is detected by some anti-virus programs.

What caught my attention was that the download was called Java_Setup.exe. This might look like an official Java download, but it is not. If it was an official download, it should be digitally signed by Oracle INC.

22% of the scanners detected the file. ESET-NOD32 reports Java_Setup.exe as a variant of Win32/AdWare.iBryte.BM, Fortinet detects it as W32/Zbot.AAN!tr, Kaspersky calls it Trojan.Win32.Badur.joje, McAfee reports IBryte-FRK and VIPRE names it Optimum Installer (fs).

safe down virustotal

Did you also find a Safe Down file?

Thank you for reading.

Fileangels – Detected as IBryte and OptimunInstaller

Welcome! Just a note on a publisher called Fileangels. The Fileangels download – setup.exe – was detected when I uploaded it to VirusTotal. Did you also find a download by Fileangels? Was it also detected when you uploaded it to VirusTotal?

This is how Fileangels appears when running the file:

fileangels publisher

By looking at the certificate we can see that Fileangels appears to be located in Kansas City, USA.

Fileangels certificate

The reason I’m writing this blog post is that the Fileangels file is detected by some of the anti-malware scanners at VirusTotal. AVG detects setup.exe as AdPlugin.BNR, Fortinet detects it as W32/Zbot.AAN!tr, Kaspersky detects it as Trojan.Win32.Badur.jukw, Malwarebytes reports PUP.Optional.OptimunInstaller and McAfee detects it as IBryte-FRT. In addition, the Fileangels download was also promoted as a “Java Update”.

fileangels virustotal ibryte

Did you also find a file digitally signed by Fileangels? Where did you find it and are the anti-virus programs detecting it? Please share in the comments below.

Thanks for reading.