Category Archives: digital signature

Best Service (Fried Cookie Ltd) – Detected by 9% of the Anti-Virus Scanners

Hello readers! Bugging you with another of those Fried Cookie posts 🙂 This publisher is called Best Service (Fried Cookie Ltd). The suspicious file was named FlvPlayerSetup.exe.

Best Service Fried Cookie Ltd certificate

You can see the Best Service (Fried Cookie Ltd) certificate by looking under the Digital Signature tab on the file’s properties. According to the certificate, Best Service (Fried Cookie Ltd) is located in Tel Aviv in Israel.

So, why did I put up this blog post? Well, the thing is that the Best Service (Fried Cookie Ltd) file is detected by some of the anti-malware scanners, according to VirusTotal. Avira classifies FlvPlayerSetup.exe as ADWARE/InstallCore.Gen, ESET-NOD32 reports a variant of Win32/InstallCore.WI potentially unwanted and VIPRE classifies it as InstallCore.b (fs).

Best Service virustotal

Did you also find a Best Service (Fried Cookie Ltd) file?

Thank you for reading.

Leading Funnel (Fried Cookie Ltd.) – 16% Detection Rate – InstallCore

Heya! I was playing around and testing some downloads last night and found a file digitally signed by Leading Funnel (Fried Cookie Ltd.).

Leading Funnel Fried Cookie Ltd certificate

To view more information about the certificate you can right-click on the file, then choose Properties and then select the Digital Signatures tab. According to the certificate we can see that Leading Funnel (Fried Cookie Ltd.) appears to be located in Tel Aviv and that the certificate is issued by GlobalSign CodeSigning CA – G2.

When I uploaded the file to VirusTotal – as I usually do when I find something that looks suspicious – 16% of the antivirus scanners detected the file. The file is detected as Application.Win32.FriedCookie.CIRK by Comodo, Trojan.InstallCore.53 by DrWeb, a variant of Win32/InstallCore.VM potentially unwanted by ESET-NOD32 and InstallCore (fs) by VIPRE.

Leading Funnel Fried Cookie Ltd. virustotal

Did you also find a Leading Funnel (Fried Cookie Ltd.) file? Do you remember where you downloaded it?

Thanks for reading.

Domains and hosting LLC – 35% Detection Rate – Amonetize / Strictor

Welcome! Just a short post on a publisher called Domains and hosting LLC.

Domains and hosting LLC pop up

If you have a Domains and hosting LLC file on your machine you may have noticed that Domains and hosting LLC is displayed as the publisher in the UAC dialog when double-clicking on the file.

Domains and hosting LLC certificate

It’s possible to view additional information about the certificate by right-clicking on the file, choosing Properties and then clicking on the Digital Signatures tab. According to the certificate we can see that Domains and hosting LLC is located in Vinnycya/Vinnycka, Ukraine and that the certificate is issued by COMODO RSA Code Signing CA.

35% of the scanners detected the file. Some of the detection names for the MediaPlayer__6741_i1466276160_il50790.exe file are Gen:Variant.Adware.Strictor.77177, PUA.Amonetize!, Trojan.Amonetize.441, not-a-virus:AdWare.Win32.Amonetize.zzl and PUP.Optional.Amonetize.

Domains and hosting LLC anti-virus report

Did you also find a file digitally signed by Domains and hosting LLC? What kind of download was it and where did you find it?

Thanks for reading.

Software Association LLC – 16% Detection Rate – Sevas-S / iBryte / OpenCandy

Hi there! Just wanted to give you the heads up on a file called skypesetupfull.exe that’s digitally signed by Software Association LLC. This is how it looks when double-clicking on the file and Software Association LLC appears as the publisher.

Software Association LLC uac

Software Association LLC is located in Ukraine. The certificate is issued by DigiCert SHA2 Assured ID Code Signing CA.

Software Association LLC certificate

The issue is that skypesetupfull.exe is not an official Skype download. If it was, it would have been digitally signed by Skype Software Sarl. Here’s what the authentic Skype looks like when you double-click on it. Notice that the “Verified publisher” says “Skype Software Sarl”.
Skype Software Sarl publisher

The reason I’m writing this blog post is that the Software Association LLC file is detected by some of the anti-malware scanners at VirusTotal. AVG detects skypesetupfull.exe as OpenCandy.F33, AVware names it Sevas-S Installer (fs), Jiangmin detects it as Adware/iBryte.hhhm, K7GW names it DoS-Trojan ( 200b63e51 ) and Malwarebytes reports PUP.Optional.OpenCandy.

Software Association LLC virustotal

Did you also find a file digitally signed by Software Association LLC? Where did you find it and are the anti-virus programs detecting it? Please share in the comments below.

Thanks for reading.

Broken Spoke Digital – 28% Detection Rate – DownloadAdmin / Downware

Hi there! Just a short post on a publisher called Broken Spoke Digital. You may see Broken Spoke Digital appear as the publisher when double-clicking on the installer_jdownloader_English.exe file.

Broken Spoke Digital uac dialog

Information about a digital signature and the certificate can also be found under the Digital Signatures tab. According to the certificate we can see that Broken Spoke Digital is located in San Francisco in the US and that the certificate is issued by Go Daddy Secure Certificate Authority – G2.

Broken Spoke Digital certificate

When I uploaded the Broken Spoke Digital file to VirusTotal, it came up with a 28% detection rate. The file is detected as Riskware.Agent! by Agnitum, PUP/Win32.Downware by AhnLab-V3, Trojan/Win32.TSGeneric by Antiy-AVL, DownloadAdmin (fs) by AVware, Win.Adware.Downloadadmin by ClamAV, W32/S-92ce39bf!Eldorado by F-Prot, PUP.Optional.DownloadAdmin by Malwarebytes and DownloadAdmin (fs) by VIPRE.

Broken Spoke Digital virustotal

Did you also find a Broken Spoke Digital file? Do you remember where you downloaded it?

Thanks for reading.

Mathematical Applications – 32% Detection Rate – PullUpdate / Jatif / Artemis

Hello readers! Short on time today, but I just wanted to give you the heads up on a publisher called Mathematical Applications. I’ve seen many files digitally signed by this publisher submitted to the FreeFixer database, so I thought it was about time to write a few lines about it.

The issue with the Mathematical Applications file is that it is detected by many of the anti-virus programs. Here are some of the detection names: Downloader.CBD, Adware.Yontoo.55, a variant of MSIL/Adware.PullUpdate.G.gen, Gen:Variant.Adware.Jatif.92, PUP.Optional.CrimeWatch.A and Artemis. In other words, you are probably better off removing these files.

Mathematical Applications virustotal

Did you also find a download that was signed by Mathematical Applications? What kind of download was it and was it detected by the anti-viruses at VirusTotal? Please share by posting a comment below.

Thanks for reading.

World Setup (New Media Holdings Ltd.) – 11% Detection Rate – InstallCore

Hello readers! Just wanted to give you a heads-up on a suspicious file I found just now. The file is named ChromeSetup.exe and digitally signed by World Setup (New Media Holdings Ltd.).

It’s possible to view additional information about the certificate by right-clicking on the file, choosing Properties and then clicking on the Digital Signatures tab. According to the certificate we can see that World Setup (New Media Holdings Ltd.) appears to be located in Tel Aviv, Israel and that the certificate is issued by GlobalSign CodeSigning CA – G2.

World Setup (New Media Holdings Ltd.) certificate

The problem is that ChromeSetup.exe is not an official Google Chrome download. If it was, it would be digitally signed by Google Inc. Here’s what the authentic Google Chrome looks like when you double-click on it. Notice that the “Verified publisher” says “Google Inc”.
Chrome Google Inc publisher

After uploading the World Setup (New Media Holdings Ltd.) file – ChromeSetup.exe – to VirusTotal, it was clear that it’s probably better to stay away from the file than to run it. The detection rate was 11% and some of the detection names were: ADWARE/InstallCore.Gen, Application.Win32.InstallCore.DR and InstallCore (fs).

Since you probably came here after finding a download that was digitally signed by World Setup (New Media Holdings Ltd.), please share what kind of download it was and if it was detected by the antimalware scanners at VirusTotal.

Thanks for reading.
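
The publisher comparison described in the skypesetupfull.exe and ChromeSetup.exe posts above, as an added PowerShell example that is not part of the original posts: it reads the Authenticode signer with Get-AuthenticodeSignature and compares it with the publisher the posts say the genuine download shows. The function name Test-InstallerPublisher and the lookup table are assumptions made for this illustration.

```powershell
# Added example, not from the original posts.
# The table holds only the two file-name/publisher pairs the posts name;
# the table and the function name are assumptions made for illustration.
$ExpectedPublisher = @{
    'skypesetupfull.exe' = 'Skype Software Sarl'
    'ChromeSetup.exe'    = 'Google Inc'
}

function Test-InstallerPublisher {
    param([Parameter(Mandatory)][string]$Path)

    # Same data as the Digital Signatures tab in the file's properties.
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $cert = $sig.SignerCertificate

    $signer = $null
    $issuer = $null
    if ($cert) {
        # SimpleName is the certificate's display name (normally the CN).
        $simple = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
        $signer = $cert.GetNameInfo($simple, $false)   # publisher
        $issuer = $cert.GetNameInfo($simple, $true)    # issuing CA
    }

    # Hashtable literals are case-insensitive, so the file name case is ignored.
    $expected = $ExpectedPublisher[(Split-Path -Leaf $Path)]

    $verdict = if ($sig.Status -ne 'Valid') {
        'SignatureNotValid'            # unsigned, tampered or untrusted chain
    } elseif (-not $expected) {
        'NoExpectedPublisherListed'    # file name not in the table
    } elseif ($signer -eq $expected) {
        'PublisherMatches'
    } else {
        'PublisherMismatch'            # validly signed, but by someone else
    }

    [pscustomobject]@{
        File     = $Path
        Status   = $sig.Status
        Signer   = $signer
        Issuer   = $issuer
        Subject  = if ($cert) { $cert.Subject } else { $null }  # full DN with L= and C=
        Expected = $expected
        Verdict  = $verdict
    }
}

# Example: Get-ChildItem "$env:USERPROFILE\Downloads\*.exe" |
#              ForEach-Object { Test-InstallerPublisher $_.FullName }
```

A `PublisherMismatch` on a file with a `Valid` status is the situation these posts describe: the signature verifies, but the signer is not the vendor the file name suggests.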

Setup Delivery (Fried Cookie Ltd.) – 21% Detection Rate – InstallCore

Hi there! Just wanted to give you the heads up on a publisher called Setup Delivery (Fried Cookie Ltd.). By looking at the certificate we can see that Setup Delivery (Fried Cookie Ltd.) appears to be located in Tel Aviv in Israel.

Setup Delivery (Fried Cookie Ltd.) certificate

So, why did I put up this blog post? Well, the thing is that the Setup Delivery (Fried Cookie Ltd.) file is detected by many of the scanners, according to VirusTotal. Avira names installer_jdownloader_English.exe as ADWARE/InstallCore.Gen7, Comodo classifies it as Application.Win32.FriedCookie.CIRK, Sophos detects it as Install Core and VIPRE classifies it as InstallCore (fs).

Setup Delivery virustotal

Did you also find a Setup Delivery (Fried Cookie Ltd.) file? Do you remember the download link? Please post it in the comments below and I’ll upload it to VirusTotal to see if that one is also detected.

Thank you for reading.

Nextup – 30% Detection Rate – PUA.Verti / NextUp / Rocketfuel Installer

Hi there! Another short post this evening. Just wanted to give you the heads up on a publisher called Nextup.

Nextup UAC

If you have a Nextup file on your machine you may have noticed that Nextup is displayed as the publisher in the UAC dialog when double-clicking on the file. To get more details on the publisher, you can view the certificate by right-clicking on the file, and looking under the Digital Signatures tab. According to the embedded certificate we can see that Nextup seems to be located in Bellevue, Washington in the US and that the certificate is issued by COMODO Code Signing CA 2.

Nextup certificate

After uploading the Nextup file – MediaPlayerClassicInstaller.exe – to VirusTotal, it was clear that it’s probably better to delete the file than to run it. The detection rate was 30% and some of the detection names were: PUA.Verti, NextUp and Rocketfuel Installer (fs).

Nextup virustotal

Did you also run into a download that was signed by Nextup? What kind of download was it and was it detected by the anti-virus programs at VirusTotal? Please share by posting a comment.

Thanks for reading.

Install Path Ltd – 25% Detection Rate – Strictor, Amonetize

Hi there! Sorry for the silence over the last few days. I’ve had a few days off. Anyway, I’m back on the blog again.

Did you just download something to your system digitally signed by Install Path Ltd? Then read on.

Install Path LTD comodo

By examining the embedded certificate, we can see that Install Path Ltd is located in Israel. The certificate is issued by COMODO RSA Code Signing CA. The certificate appears to be quite new.

Install Path Ltd certificate

So, why did I put up this blog post? Well, the thing is that the Install Path Ltd file is detected by many of the scanners, according to VirusTotal. Avast detects Setup__6741_i1454683454_il235.exe as Win32:Rootkit-gen [Rtk], AVG calls it InstallPath.7F5, Avira detects it as ADWARE/Adware.Gen2, BitDefender calls it Gen:Variant.Adware.Strictor.75886, ESET-NOD32 classifies it as a variant of Win32/Amonetize.CX, Malwarebytes classifies it as PUP.Optional.Bundle and Panda calls it PUP/MultiToolbar.A.

Install Path Ltd virustotal

Did you also find an Install Path Ltd file? Do you remember the download link? Please post it in the comments below and I’ll upload it to VirusTotal to see if that one is also detected.

Thank you for reading.

Update 2015-03-03: Found another Install Path file. The detection was almost the same: 28%.