Category Archives: digital signature

Mari Mara – 20% Detection Rate – PUP.Optional.Maru / OutBrowse Revenyou

Hello! Just wanted to let you know about a publisher called Mari Mara that I found earlier today. Here’s what the UAC dialog looks like when running the file:

Mari Mara publisher

You can also check the digital signature under the file’s properties. According to the certificate we can see that Mari Mara appears to be located in Dublin, Ireland and that the certificate is issued by GlobalSign CodeSigning CA – G2.

Mari Mara certificate

The VirusTotal report shows that the Mari Mara file should probably be avoided, since setup.exe is detected as Win-PUP/OutBrowse by AhnLab-V3, Mari.668 by AVG, PUA.OutBrowse by Ikarus, PUP.Optional.Maru by Malwarebytes and OutBrowse Revenyou by Sophos.

Mari Mara virustotal

Did you also find a Mari Mara file? What kind of download was it? If you remember the download link, please post it in the comments below.

Thank you for reading.

Wecan Software – 39% Detection – Verti / PUP.Optional.WeCan.A / NextUp / Rocketfuel Installer

Hi there! A short post on a publisher called Wecan Software that I found this morning while downloading some software. According to the certificate, Wecan Software is located in Bellevue, Washington in the United States of America.

Wecan software cert

Right now, 22 of the 57 anti-virus scanners detected the file. AVG reports MediaPlayerClassicInstaller.exe as Wecan.80E, Fortinet classifies it as Adware/Verti, Malwarebytes names it PUP.Optional.WeCan.A, Sophos classifies it as NextUp and VIPRE reports Rocketfuel Installer (fs).

Wecan software virustotal

Did you also find a file digitally signed by Wecan Software? Where did you find it and are the anti-virus programs detecting it? Please share in the comments below.

Hope this blog post helped you avoid some unwanted software on your machine.

Thanks for reading.

Dove Source (Fried Cooke Ltd.) – 4% Detection Rate – InstallCore

Hello readers! Short on time this weekend, but I just wanted to give you the heads up on a publisher called Dove Source (Fried Cooke Ltd.). The signed file was named Skype_Setup.exe.

Dove Source Fried Cooke LTD cert

The certificate is rather new. It is valid from the 5th of January 2015. According to the cert, the company is located in Tel Aviv, Israel.

The problem here is that if Skype_Setup.exe really was an installer for Skype, it should be digitally signed by Skype Software Sarl and not by some unknown company. Here’s what the authentic Skype looks like when you double click on it. Notice that the “Verified publisher” says “Skype Software Sarl”.

Skype Software Sarl publisher
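The publisher comparison described above, as an added PowerShell example (not part of the original post): it reads a file's Authenticode signature with Get-AuthenticodeSignature and flags installers whose name claims a product but whose signer is not the expected publisher. The `$ExpectedPublisher` table, the function names and the verdict strings are assumptions; only the Skype Software Sarl entry comes from this post.

```powershell
# Added example, not from the original post. Function names and the mapping
# table are assumptions; the single entry uses the publisher named above.
$ExpectedPublisher = @{ 'skype' = 'Skype Software Sarl' }

function Get-SignerCommonName {
    param([string]$Subject)
    # Subject looks like: CN=Name, O=Org, L=City, C=XX
    # Windows quotes the CN when it contains a comma.
    if ($Subject -match 'CN="([^"]+)"') { return $Matches[1] }
    if ($Subject -match 'CN=([^,]+)')   { return $Matches[1].Trim() }
    return $null
}

function Test-InstallerPublisher {
    param([Parameter(Mandatory)][string]$Path)

    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $cert   = $sig.SignerCertificate
    $signer = if ($cert) { Get-SignerCommonName $cert.Subject } else { $null }
    $name   = [IO.Path]::GetFileNameWithoutExtension($Path).ToLowerInvariant()

    $verdict = 'NoKnownProductInName'
    foreach ($brand in $ExpectedPublisher.Keys) {
        if ($name -notlike "*$brand*") { continue }
        if ($sig.Status -ne 'Valid') {
            $verdict = 'ProductName-SignatureNotValid'
        } elseif ($signer -ne $ExpectedPublisher[$brand]) {
            $verdict = 'ProductName-UnexpectedPublisher'
        } else {
            $verdict = 'ProductName-PublisherMatches'
        }
        break
    }

    [pscustomobject]@{
        File      = $Path
        Status    = $sig.Status
        Signer    = $signer
        Issuer    = if ($cert) { $cert.Issuer } else { $null }
        ValidFrom = if ($cert) { $cert.NotBefore } else { $null }  # recently issued certs deserve a second look
        Verdict   = $verdict
    }
}

# Usage: check every executable in the Downloads folder.
Get-ChildItem "$env:USERPROFILE\Downloads" -Filter *.exe |
    ForEach-Object { Test-InstallerPublisher -Path $_.FullName }
```

A `Valid` status only confirms who signed the file and that it has not been altered since; it is the publisher comparison, not the signature status, that separates the two Skype installers shown here.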

The issue with the Dove Source (Fried Cooke Ltd.) file, in addition to using Skype’s name, is that it is detected by a few of the anti-malware scanners. Here are some of the detection names: ADWARE/InstallCore.Gen9 and a variant of Win32/InstallCore.UN.

Dove Source (Fried Cooke Ltd.) virustotal

Did you also find a Dove Source (Fried Cooke Ltd.) file? What kind of download was it?

Thanks for reading.

Small Island Development – Detection Rate: 18% – Smallis / PullUpdate / TVWizard

Welcome! Another quick post on a publisher called Small Island Development. I noticed that many FreeFixer users are submitting files digitally signed by this publisher, so I thought I should write a few lines about them.

There seem to be many variants of the Small Island files, and many of them seem to have a randomly generated filename. The file I’m currently looking at is detected by 10 of the scanners at VirusTotal. The majority of the scanners classify the file as adware. AVG reports NXtcFoMlakD.dll as Smallis.5E4, Baidu-International names it Adware.MSIL.PullUpdate.BK, Comodo names it ApplicUnwnt, Panda reports Adware/TVWizard and Symantec calls it Yontoo.C.

Small Island Development virustotal

Did you also find a Small Island Development file? What kind of download was it?

Thanks for reading.

Acute Angle Solutions Ltd – 18% Detection Rate – PullUpdate / AcuteAngle / Injekt

Welcome! If you are a regular here on the FreeFixer blog you know that I’ve been looking at the certificates used to sign files that bundle various types of unwanted software. Today I found another certificate, while reviewing files submitted to the FreeFixer database, used by a publisher called Acute Angle Solutions Ltd.

You may see Acute Angle Solutions Ltd. appear as the publisher when checking the digital signature under the file’s properties.

It seems that the filename for this file is randomly generated: yzmHYl.dll.

Anyway, the reason I’m writing this blog post is that the Acute Angle Solutions Ltd. file is detected by many of the anti-malware scanners at VirusTotal. Antiy-AVL names yzmHYl.dll as Trojan/Win32.TSGeneric, AVG reports Acute.A40, Avira calls it Adware/PullUpdate.AQ, GData calls it Win32.Adware.AcuteAngle.B, Sophos classifies it as Pull Update and VIPRE detects it as Injekt (fs).

Acute Angle Solutions Ltd. virustotal

Did you also find an Acute Angle Solutions Ltd. download? What kind of download was it?

Thank you for reading.

Rational Thought Solutions – 18% Detection Rate – MSIL.Adware.PullUpdate

Found another publisher that appears to be signing adware related files while checking out the new files added to FreeFixer’s database. The publisher is called Rational Thought Solutions.

When I uploaded the Rational Thought Solutions file to VirusTotal, it came up with an 18% detection rate. The file is detected as Downloader.CBD by AVG, a variant of MSIL/Adware.PullUpdate.G.gen by ESET-NOD32, PUP.Optional.StormAlert.A by Malwarebytes, Artemis!707FECAF8B22 by McAfee and MSIL.Adware.PullUpdate by VIPRE.

Rational Thought Solutions virustotal

From what I can tell from the Rational Thought Solutions files added to the FreeFixer database, the file names seem to be randomly generated. The files are located at C:\ProgramData\%random%\%random%.exe.

Did you also stumble upon a download that was signed by Rational Thought Solutions? What kind of download was it and was it reported by the anti-virus scanners at VirusTotal? Please share by posting in the comments below.

Thanks for reading.

Jambo Digital Ltd Signing CozaGhost.exe – 5% Detection Rate – PUP.Optional.Zoomify.A

Hi there! Just wanted to give you the heads up on a publisher called Jambo Digital Ltd before calling it a day. The actual file is called cozaghost.exe and I found it while reviewing some of the files recently added by users into the FreeFixer database.

The VirusTotal report shows that the Jambo Digital Ltd file should be avoided, since cozaghost.exe is detected as Generic.397 by AVG, PUP.Optional.Zoomify.A by Malwarebytes and Zoomify by Sophos. The detection rate is pretty low. Just 5%.

Jambo Digital Ltd VirusTotal

Did you also find a Jambo Digital Ltd download? Do you remember the download link? If so, please post it in the comments and I’ll check it out to see if the detection rate is improved.

Thanks for reading.

Dove Delivery (Fried Cookie Ltd.) – 11% Detection Rate – InstallCore

Hi there! Was looking for some downloads to play around with and found one, signed by Dove Delivery (Fried Cookie Ltd.). The file is named FlvPlayerSetup.exe.

You can look at the Dove Delivery (Fried Cookie Ltd.) certificate and digital signature by looking under the Digital Signatures tab on the file’s properties. According to the certificate, Dove Delivery (Fried Cookie Ltd.) is located in Tel Aviv in Israel.

Dove Delivery Fried Cookie Ltd

So, why did I put up this blog post? Well, the thing is that the Dove Delivery (Fried Cookie Ltd.) file is detected by some of the anti-virus scanners, according to VirusTotal. Avira reports FlvPlayerSetup.exe as ADWARE/InstallCore.Gen, DrWeb reports Trojan.Packed.29923, ESET-NOD32 detects it as a variant of Win32/InstallCore.UQ and VIPRE reports InstallCore (fs).

Dove Delivery (Fried Cookie Ltd.) virustotal

Did you also find a Dove Delivery (Fried Cookie Ltd.) file? What kind of download was it? If you remember the download link, please post it in the comments below.

Hope this blog post helped you avoid some unwanted software on your machine.

Thank you for reading.

CLICKCAPTION – 33% Detection Rate – Vitruvian / InfoAtoms

Hi there! I was reviewing some of the files added to the FreeFixer database this morning. Found a publisher called CLICKCAPTION that you probably want to know about. The file I found is called ccsvc.exe and is digitally signed by CLICKCAPTION.

AVG reports ccsvc.exe as Clickcaption.5CF, DrWeb classifies it as Adware.Popad.11, Jiangmin detects it as AdWare/Vitruvian.f, Kaspersky reports not-a-virus:AdWare.Win32.Vitruvian.b, Malwarebytes classifies it as PUP.Optional.ClickCaption.A and VIPRE reports InfoAtoms (fs).

CLICKCAPTION virustotal

Did you also find a CLICKCAPTION file? What kind of download was it? If you remember the download link, please post it in the comments below.

Thank you for reading.

Swift Network (Fried Cookie Ltd.) – 23% Detection Rate – InstallCore

Welcome! If you are a regular here on the FreeFixer blog, you know that I’ve been examining files that have a digital signature and bundle various types of potentially unwanted software. Today I found another publisher named Swift Network (Fried Cookie Ltd.) while reviewing some of the recent files submitted to this web site.

You can see who the signer is when double-clicking on an executable file. Swift Network (Fried Cookie Ltd.) appears in the publisher field in the dialog that pops up. The certificate is issued by GlobalSign CodeSigning CA – G2.

13 of the 56 anti-malware scanners detected the file. The IDM2-Win-EN.exe file is detected as Application.Win32.FriedCookie.CIRK by Comodo, Trojan.InstallCore.44 by DrWeb, Artemis by McAfee-GW-Edition, WS.Reputation.1 by Symantec and InstallCore (fs) by VIPRE.

Swift Network (Fried Cookie Ltd.) virustotal

Did you also find a file digitally signed by Swift Network (Fried Cookie Ltd.)? Where did you find it and are the anti-virus programs detecting it? Please share in the comments below.

Thanks for reading.