Category Archives: digital signature

Stepan Rybin – 44% Detection Rate – MultiPlug / Adware.Mikey

Hello! Did you see a file, such as WhatsApp.exe, on your system signed by Stepan Rybin? Then read on.

I found this Stepan Rybin file while reviewing some of the submissions to the FreeFixer web site. I thought it looked a little bit like a typical “MultiPlug” adware file and the VirusTotal scan result showed that was the case. Ad-Aware reports WhatsApp.exe as Gen:Variant.Adware.Mikey.7658, Avast calls it Win32:MultiPlug-TP [PUP], Cyren names it W32/S-05e718fa!Eldorado, F-Prot calls it W32/S-05e718fa!Eldorado and Sophos detects it as MultiPlug.

Stepan Rybin anti-virus report

Did you also find a Stepan Rybin download? Do you remember where you downloaded it? Please post the URL in the comments below. I’d like to install this download on my lab machine to have a closer look at it.

Thank you for reading.

System Alerts – 16% Anti-Virus Detection Rate – Adware.Agent.PHD

Welcome! I was, as usual, looking through some of the recent submissions to the FreeFixer database and found an interesting file, signed by System Alerts. The file is named v7GATO64.dll.

The VirusTotal report shows that the System Alerts file should probably be avoided, unless you like adware on your machine of course;) v7GATO64.dll is detected as Adware.Agent.PHD by BitDefender, Adware.Agent.PHD by F-Secure, Adware.Agent.PHD by nProtect and Suspicious_GEN.F47V0209 by TrendMicro-HouseCall.

System Alerts anti-virus report

Did you also find a file digitally signed by System Alerts? What kind of download was it and where did you find it? Please let me know, I’d like to test this adware on my lab machine.

Thank you for reading.

Funnel Connector (Fried Cookie Ltd) – 7% Detection Rate By VirusTotal – InstallCore

Welcome! Just wanted to give you the heads up on a file called Skype_Setup.exe that’s digitally signed by Funnel Connector (Fried Cookie Ltd.).

Funnel Connector Fried Cookie Ltd. certificate

What caught my attention was that the download was called Skype_Setup.exe. This might look like an official Skype download, but it is not. If it was an official download, it should have been digitally signed by Skype Software Sarl. Here’s how the authentic Skype installer looks when you double-click on it. Notice that the “Verified publisher” says “Skype Software Sarl”.
Skype Software Sarl publisher

The problem with the Funnel Connector (Fried Cookie Ltd.) file is that it is detected by some of the anti-viruses. Here are some of the detection names: Application.Win32.FriedCookie.CIRK, Win32.Application.InstallCore.DI and InstallCore (fs).

Funnel Connector Fried Cookie Ltd anti-virus report

Did you also find a Funnel Connector (Fried Cookie Ltd.) file? Do you remember the download link? Please post it in the comments below and I’ll upload it to VirusTotal to see if that one is also detected.

Thanks for reading.

OOO PREM”ER-SERVIS – 11% Anti-Virus Detection Rate – InstallCore

Welcome! I was playing around and testing some downloads when I found a file digitally signed by OOO PREM”ER-SERVIS. The OOO PREM”ER-SERVIS certificate shows that the publisher is located in Moscow, Russia.

OOO PREM''ER-SERVIS certificate

The problem here is that if adobe_flash_setup.exe really was an installer file for Adobe Flash Player, it should have been signed by Adobe Systems Incorporated and not by some unknown company. Here’s how the authentic Adobe Flash Player installer looks when you double-click on it. Notice that the “Verified publisher” says “Adobe Systems Incorporated”.
Adobe Systems Incorporated - Adobe Flashplayer Installer

Right now, 6 of the antimalware scanners detected the file. Some of the detection names for the adobe_flash_setup.exe file are Adware/InstallCore.783896, a variant of Win32/InstallCore.WX potentially unwanted, Trojan ( 004b61851 ) and Trojan ( 004b61851 ).

OOO PREM''ER-SERVIS anti-virus report

Did you also find a file digitally signed by OOO PREM”ER-SERVIS? Where did you find it and are the anti-virus programs detecting it? Please share in the comments below.

Thanks for reading.

Ronen Kvurt – Anti-Virus Detection Rate: 37% – MultiPlug / Mikey

Hi there! Just wanted to give you the heads up on a publisher called Ronen Kvurt that I found just now while examining the latest submissions to FreeFixer’s database. The file name seems to suggest that the download is the “The Legend of Zelda: The Wind Waker” computer game.

Avira reports Legend_of_Zelda_The_Wind_Waker_U_STARCUBE.exe as Adware/MPlug.trov, F-Secure detects it as Gen:Variant.Adware.Mikey.7658, McAfee-GW-Edition detects it as BehavesLike.Win32.SoftPulse.tc and Sophos detects it as MultiPlug.

Ronen Kvurt anti-virus report

Did you also find a Ronen Kvurt download? Do you remember the download link? Please post it in the comments. I’d like to test it myself.

There are a number of other developers who sign files often detected as MultiPlug, such as Edward Kosar, Andrey Hmelnikov and Oleh Aleksyuk.

Thanks for reading.

Best Standard (Fried Cookie Ltd.) – 9% Detection Rate – InstallCore

Welcome! If you are a regular here on the FreeFixer blog you know that I’ve been looking at the certificates used to sign files that bundle various types of unwanted software. Today I found another certificate, used by a publisher called Best Standard (Fried Cookie Ltd.).

Best Standard Certificate

To get more details on the publisher, you can view the embedded certificate by right-clicking on the file, and looking under the Digital Signatures tab. According to the certificate we can see that Best Standard (Fried Cookie Ltd.) seems to be located in Tel Aviv, Israel and that the certificate is issued by GlobalSign CodeSigning CA – G2.

What caught my attention was that the download was called Skype_Setup.exe. This might look like an official Skype download, but it is not. If it was an official download, it would have been signed by Skype Software Sarl. Here’s how the authentic Skype installer looks when you double-click on it. Notice that the “Verified publisher” says “Skype Software Sarl”.
Skype Software Sarl publisher

When I uploaded the Best Standard (Fried Cookie Ltd.) file to VirusTotal, it came up with a 9% detection rate. The file is detected as Application.Win32.FriedCookie.CIRK by Comodo, a variant of Win32/InstallCore.WX potentially unwanted by ESET-NOD32 and InstallCore (fs) by VIPRE.

Best Standard Fried Cookie Ltd

Did you also find a file digitally signed by Best Standard (Fried Cookie Ltd.)? Where did you find it and are the anti-virus programs detecting it? Please share in the comments below.

Thank you for reading.

Polyanskaya Irina – 21% Detection Rate – Vonteera / Crossid

Welcome! If you’ve been following me for the last year you know that I’ve been examining many software publishers that put a digital signature on their downloads. Today I found another publisher called Polyanskaya Irina while reviewing the latest submissions to the FreeFixer database.

So, why did I put up this blog post? Well, the thing is that the Polyanskaya Irina file is detected by many of the antivirus scanners, according to VirusTotal. ESET-NOD32 names Convertor.exe as a variant of Win32/Adware.Vonteera.L, Ikarus classifies it as PUA.Vonteera, Symantec calls it Adware.Crossid and VIPRE detects it as Adware.Crossid.

Polyanskaya Irina anti-virus report

Did you also find a file signed by Polyanskaya Irina? What download was it and where did you find it? Please let me know. I’d like to test this download on my lab machine.

Thanks for reading.

Max Source (After Download Ltd.) – 9% Detection Rate – InstallCore

Hello readers! Just a short post on a publisher called Max Source (After Download Ltd.) that I found while downloading “FileZilla” from SourceForge. Big thanks to Peter for letting me know about this download.

This is how Max Source (After Download Ltd.) appears when running the file:

Max Source After Download Ltd in the User Account Control dialog

To get more details on the publisher, you can view the certificate by right-clicking on the file, and looking under the Digital Signatures tab. According to the certificate we can see that Max Source (After Download Ltd.) is located in Tel Aviv, Israel and that the certificate is issued by GlobalSign CodeSigning CA – G2.

Max Source After Download Ltd certificate

It turns out that SourceForge.net has been into bundling for quite some time. Here’s a blog post dated July 2013 which describes the DevShare bundling program.

The reason I’m writing this blog post is that the Max Source (After Download Ltd.) file is detected by some of the anti-malware software at VirusTotal. Avira detects FileZilla_3.10.1.1_win32-setup.exe as Adware/InstallCore.765232, DrWeb classifies it as Trojan.InstallCore.52, ESET-NOD32 reports a variant of Win32/InstallCore.WI potentially unwanted, K7AntiVirus calls it Trojan ( 004b52261 ) and K7GW calls it Trojan ( 004b52261 ).

Max Source anti-virus report

Did you also find a file digitally signed by Max Source (After Download Ltd.)? Where did you find it and are the anti-virus programs detecting it? Please share in the comments below.

Here’s how the download screen looks like for FileZilla at sourceforge.net. It hints that something will be bundled by saying “provide you some options during the installation process…”

sourceforge downloader

Thanks for reading.

Bon Don Jov – Anti-Virus Detection: 18% – OutBrowse Revenyou

Welcome! Did you just find a file that’s digitally signed by Bon Don Jov and came here to find out more about it? You will see Bon Don Jov listed as the verified publisher in the User Account Control dialog that pops up if you try to run the file:

Bon Don Jov in the User Account Control dialog

To get more details on the publisher, you can view the embedded certificate by right-clicking on the file, and looking under the Digital Signatures tab. According to the certificate we can see that Bon Don Jov seems to be located in Dublin, Ireland and that the certificate is issued by GlobalSign CodeSigning CA – G2.

Bon Don Jov certificate - States that the publisher is located in Dublin, Ireland

10 of the scanners at VirusTotal detected the file. Win32:OutBrowse-X [PUP], APPL/Downloader.Gen, Trojan.OutBrowse.54, Win32/OutBrowse.BU potentially unwanted, OutBrowse Revenyou and OutBrowse (fs) were the detection names.

Bon Don Jov anti virus report. 18% Detection Rate. Detection name: OutBrowse

Did you also find a Bon Don Jov file? What kind of download was it? If you remember the download link, please post it in the comments below.

Thanks for reading.

Avitzur Efrati Management Initiatives Ltd – 4% Anti-Virus Detection Rate – InstallCore

Hello! Hope you are doing well. I’m working from the local library today. I was looking for some downloads to play around with last night and found one, signed by Avitzur Efrati Management Initiatives Ltd. The file is named mozilla_firefox.exe.

Avitzur Efrati Management Initiatives Ltd

The Avitzur Efrati Management Initiatives Ltd certificate shows that the publisher is located in Petah Tikva, Israel.

The problem here is that if mozilla_firefox.exe really was an installer file for Mozilla Firefox, it would have been signed by Mozilla Corporation and not by some unknown company. Here’s how the authentic Mozilla Firefox installer looks when you double-click on it. Notice that the “Verified publisher” says “Mozilla Corporation”.
Mozilla Corporation publisher
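The check these posts keep coming back to (look at the “Verified publisher” in the User Account Control prompt, or at the Digital Signatures tab) can be scripted, which is handy when you have a folder of submissions to go through. The PowerShell below is an added example and not FreeFixer’s own code; the downloads folder and the file-name-to-publisher table are assumptions for illustration, using the publisher names quoted in these posts. It shows the point the posts make: the adware installers here carry a perfectly valid GlobalSign-issued signature, so a “signature is valid” result on its own tells you nothing, and it is the signer name that has to match.

```powershell
# Added example (not part of the FreeFixer blog): verify that an installer's
# Authenticode signature chains to a trusted root AND that the signer's common
# name is the publisher the file name implies. The path and the expected
# publisher table below are illustrative assumptions.

function Test-ExpectedPublisher {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$ExpectedPublisher
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Verdict = 'MISSING'; Signer = $null; Issuer = $null; Thumbprint = $null; NotAfter = $null }
    }

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Status is the cryptographic check only: NotSigned, HashMismatch, NotTrusted, Valid, ...
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Path = $Path; Verdict = "INVALID ($($sig.Status))"; Signer = $null; Issuer = $null; Thumbprint = $null; NotAfter = $null }
    }

    $cert = $sig.SignerCertificate
    # SimpleName returns the subject CN (what the UAC prompt shows as the
    # verified publisher) without hand-parsing the DN string.
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $signer = $cert.GetNameInfo($nameType, $false)
    $issuer = $cert.GetNameInfo($nameType, $true)

    # A valid chain only proves that someone bought a certificate; the name is the point.
    $verdict = if ($signer -eq $ExpectedPublisher) { 'OK' } else { 'PUBLISHER MISMATCH' }

    [pscustomobject]@{
        Path       = $Path
        Verdict    = $verdict
        Signer     = $signer
        Issuer     = $issuer
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
    }
}

# Expected publishers for the installer names discussed in these posts.
# Assumption: in practice you fill this in from a known-good copy of each product.
$expected = @{
    'Skype_Setup.exe'       = 'Skype Software Sarl'
    'adobe_flash_setup.exe' = 'Adobe Systems Incorporated'
    'mozilla_firefox.exe'   = 'Mozilla Corporation'
}

# Usage: scan a downloads folder (assumed location) and flag any file whose
# signer is not the publisher its name implies. Unsigned files are flagged too.
$downloads = Join-Path $env:USERPROFILE 'Downloads'
Get-ChildItem -Path $downloads -File | ForEach-Object {
    $want = $expected[$_.Name]
    if ($null -ne $want) {
        Test-ExpectedPublisher -Path $_.FullName -ExpectedPublisher $want
    }
} | Format-Table Path, Verdict, Signer, Issuer -AutoSize
```

Run it in Windows PowerShell on the machine that received the downloads. A file such as the mozilla_firefox.exe above would come back as PUBLISHER MISMATCH with the signer shown as the unfamiliar company, even though its signature status is Valid; a file with no signature at all comes back as INVALID (NotSigned). Because the table is keyed by file name, a renamed installer would simply be skipped, so the list is a starting point rather than a substitute for checking the publisher of anything you did not expect.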

When I uploaded the file to VirusTotal – as I usually do when I find something that looks suspicious – only 4% of the scanners detected the file. The file is detected as Generic.C83 by AVG and a variant of Win32/InstallCore.WT potentially unwanted by ESET-NOD32.

Did you also find an Avitzur Efrati Management Initiatives Ltd file? What kind of download was it?

Thank you for reading.