Category Archives: digital signature

Proinstall Applications SRL – 9% Detection Rate

Hi there! Just a note on a publisher called Proinstall Applications SRL. This is the publisher that digitally signs the downloads available from CNet’s Download.com site. The Proinstall Applications SRL download – KMPlayer_3.9.1.132.exe – was detected when I uploaded it to VirusTotal.

Proinstall Applications SRL UAC

You can also see the Proinstall Applications SRL certificate by looking under the Digital Signature tab on the file’s properties. According to the certificate, Proinstall Applications SRL is located in Romania.

Proinstall Applications SRL certificate

When I tested the installer, it bundled software from Spigot, which I could skip by clicking the Decline button.

Proinstall Applications SRL cnet installer

The problem with the Proinstall Applications SRL file is that it is detected by some of the anti-malware programs. Here are some of the detection names: Generic.8BF, Adware.Downware.9446, Malware.QVM06.Gen and Spigot (fs).

Proinstall Applications SRL virustotal

Thanks for reading.

Syndacato – syesubc3_p2v3.exe – Comes with uTorrent

Did you find a file called syesubc3_p2v3.exe, digitally signed by Syndacato, and wondered where it came from? I found this file in my Temp folder after installing uTorrent on my lab machine. Did you also recently install uTorrent, or did it come bundled with some other download in your case?

Update 2015-02-08: Now the file is called syesubc8_p2v3.exe.

Syndacato certificate

What does the Syndacato file do? It appears to have done nothing on my machine. It just terminated after I double-clicked it. SuperAntiSpyware detects the file, and Symantec tags it with their “Reputation” flag. The other 54 anti-virus programs did not detect it when I uploaded it to VirusTotal.

Syndacato - syesubc3_p2v3.exe virustotal

Alpha IS (Fried Cookie Ltd.) – 14% Detection Rate – InstallCore

Hi there! Just wanted to give you a heads-up on a suspicious file I found right now. The file is named installer_jdownloader_English.exe and digitally signed by Alpha IS (Fried Cookie Ltd.).

According to the certificate, Alpha IS (Fried Cookie Ltd.) is located in Tel Aviv, Israel.

Alpha IS Fried Cookie Ltd. cert

So, why did I put up this blog post? Well, the thing is that the Alpha IS (Fried Cookie Ltd.) file is detected by some of the anti-malware scanners, according to VirusTotal. Comodo reports installer_jdownloader_English.exe as Application.Win32.FriedCookie.CIRK, ESET-NOD32 detects it as a variant of Win32/InstallCore.UW, K7AntiVirus detects it as Trojan ( 004b25f41 ), K7GW calls it Trojan ( 004b25f41 ) and VIPRE detects it as InstallCore (fs).

Did you also find an Alpha IS (Fried Cookie Ltd.)? Do you remember the download link? Please post it in the comments below and I’ll upload it to VirusTotal to see if that one is also detected.

Thank you for reading.

Bully Unity LTD – Not The Real Mozilla Firefox Download

Did you find a “Mozilla Firefox” download signed by Bully Unity LTD? Just wanted to give you the heads up that this is not the official Mozilla Firefox download. The real deal should be signed by Mozilla Corporation.

Mozilla Corporation real firefox

I uploaded the file to VirusTotal, but it was not detected by any of the anti-virus scanners. Did you also find a Bully Unity LTD file? Was it detected by the anti-virus programs?

Thank you for reading.

Bully Unity LTD certificate

Edward Kosar – 39% Detection Rate – Adware.MultiPlug

Welcome! Just a quick post on a publisher called Edward Kosar that I found while running some tests for the upcoming FreeFixer release. The suspicious file is named “How I Met Your Mother S09E22 HDTV x264-KILLERS[ettv].exe”.

Edward Kosar UAC

The certificate is issued by Certum Code Signing CA. According to the cert, Edward Kosar is located in Ukraine.

Edward Kosar certificate

So, why did I put up this blog post? Well, the thing is that the Edward Kosar file is detected by many of the scanners, according to VirusTotal. F-Prot classifies How I Met Your Mother S09E22 HDTV x264-KILLERS[ettv].exe as W32/S-e70371e2!Eldorado, Kaspersky reports not-a-virus:AdWare.Win32.MultiPlug.oaqy, McAfee detects it as MultiPlug-FTW, Panda classifies it as Trj/Genetic.gen and VBA32 reports suspected of Heur.Malware-Cryptor.Multiplug.

Edward Kosar virustotal

Did you also run into a file that was digitally signed by Edward Kosar? What kind of download was it, and was it detected by the anti-virus scanners at VirusTotal? Please share by posting a comment below.

Thank you for reading.

Alpha Apps (Fried Cookie Ltd.) – 14% Detection Rate – InstallCore

Hi there! Just wanted to give you the heads up on a file called Skype_Setup.exe that’s digitally signed by Alpha Apps (Fried Cookie Ltd.).

Here’s how Alpha Apps (Fried Cookie Ltd.) appears in the UAC dialog when running Skype_Setup.exe as admin:

Alpha Apps Fried Cookie LTD

The Alpha Apps (Fried Cookie Ltd.) certificate shows that the publisher is located in Tel-Aviv, Israel.

Alpha Apps certificate

What caught my attention was that the download was called Skype_Setup.exe. This might look like an official Skype download, but it is not. If it were an official download, it would be digitally signed by Skype Software Sarl. Here’s what the authentic Skype installer looks like when you double-click on it. Notice that the “Verified publisher” says “Skype Software Sarl”.
Skype Software Sarl publisher
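The check described in the Skype and Firefox posts above, as an added example (not FreeFixer’s code): it reads the Authenticode signature of a download and confirms that the signer name is the publisher you expect, not just any valid signature. Only the built-in Get-AuthenticodeSignature cmdlet is used; the file paths and the expected publisher names are examples.

```powershell
# Added example, not from the original posts. Assumes Windows PowerShell 5.1 or later.
# Verifies that an installer is signed by the publisher it claims to be from, e.g.
# Skype_Setup.exe by "Skype Software Sarl". Example paths are placeholders.

function Test-ExpectedPublisher {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedPublisher
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [pscustomobject]@{
        File     = Split-Path $Path -Leaf
        Status   = $sig.Status      # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer   = $null
        Issuer   = $null
        Location = $null
        Matches  = $false
    }
    if ($sig.SignerCertificate) {
        $cert = $sig.SignerCertificate
        # CN of the subject, i.e. the "Verified publisher" name shown in the UAC dialog
        $result.Signer = $cert.GetNameInfo('SimpleName', $false)
        # CN of the issuing CA, e.g. a Certum, COMODO or GlobalSign code-signing CA
        $result.Issuer = $cert.GetNameInfo('SimpleName', $true)
        # The L= and C= fields are the city/country the posts above quote from the cert
        $result.Location = ($cert.Subject -split ',\s*' |
            Where-Object { $_ -match '^(L|C)=' }) -join ', '
        # A name match on an invalid, tampered or unsigned file is still a red flag,
        # so require BOTH a Valid status and the exact expected signer name.
        $result.Matches = ($sig.Status -eq 'Valid') -and
                          ($result.Signer -eq $ExpectedPublisher)
    }
    return $result
}

# Example calls (placeholder paths):
Test-ExpectedPublisher -Path 'C:\Downloads\Skype_Setup.exe'   -ExpectedPublisher 'Skype Software Sarl'
Test-ExpectedPublisher -Path 'C:\Downloads\Firefox_Setup.exe' -ExpectedPublisher 'Mozilla Corporation'

# Sweep a folder such as %TEMP% (where the Syndacato file turned up) and list every
# signer, so unfamiliar publishers stand out at a glance.
Get-ChildItem -Path $env:TEMP -Filter *.exe -File |
    ForEach-Object { Get-AuthenticodeSignature -FilePath $_.FullName } |
    Select-Object @{ n = 'File';   e = { Split-Path $_.Path -Leaf } },
                  Status,
                  @{ n = 'Signer'; e = { if ($_.SignerCertificate) {
                      $_.SignerCertificate.GetNameInfo('SimpleName', $false) } } } |
    Format-Table -AutoSize
```

Matches is $false for a file signed by a look-alike name such as “Alpha Apps (Fried Cookie Ltd.)”, even though its signature itself may be perfectly valid; the signature proves who signed it, not that the signer is the vendor the file name suggests.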

The problem with the Alpha Apps (Fried Cookie Ltd.) file is that it is detected by some of the antimalware scanners. Here are some of the detection names: Trojan.InstallCore.39, a variant of Win32/InstallCore.SX, Unwanted-Program ( 004b2d871 ) and InstallCore (fs).

alpha apps virustotal

Did you also find an Alpha Apps (Fried Cookie Ltd.) file?

Thanks for reading.

Tweaks App (Fried Cookie Ltd.) – 11% Detection Rate – InstallCore

Hi there! If you’ve been following me for the last year you know that I’ve been examining many software publishers that put a digital signature on their downloads. Today I found another publisher called Tweaks App (Fried Cookie Ltd.).

Tweaks App Fried Cookie Ltd. publisher

The certificate information can also be viewed from Windows Explorer. According to the certificate we can see that Tweaks App (Fried Cookie Ltd.) is located in Tel Aviv, Israel and that the certificate is issued by COMODO Code Signing CA 2.

Tweaks App Fried Cookie Ltd. cert

So, why did I put up this blog post? Well, the thing is that the Tweaks App (Fried Cookie Ltd.) file is detected by some of the anti-virus scanners, according to VirusTotal. AVG reports FlvPlayerSetup.exe as Generic.411, ESET-NOD32 detects it as a variant of Win32/InstallCore.SS and VIPRE calls it InstallCore (fs).

Tweaks apps virustotal

Did you also find a Tweaks App (Fried Cookie Ltd.) file? What kind of download was it? If you remember the download link, please post it in the comments below.

Hope this blog post helped you avoid some unwanted software on your machine.

Thanks for reading.

IMALI – N.I. MEDIA TD – Detection Rate: 1/54 – Legit or malware?

Hi there! Just a quick post this Friday evening. Did you see a file, such as setup.exe, on your system signed by IMALI – N.I. MEDIA TD? Then read on.

You can see who the signer is when double-clicking on an executable file. IMALI – N.I. MEDIA TD appears in the publisher field in the dialog that pops up.

IMALI - N.I. MEDIA TD publisher

It is also possible to check a digital signature by looking at a file’s properties. Here’s a screenshot of the IMALI – N.I. MEDIA TD certificate.

IMALI - N.I. MEDIA TD certificate

The detection rate is only 1/54, that is 2%. The setup.exe file is detected as suspected of Trojan.Downloader.gen.h by VBA32. What do you think, is it a false positive or should the other anti-virus programs detect it?

IMALI - N.I. MEDIA TD virustotal

Did you also find an IMALI – N.I. MEDIA TD file? Do you remember where you downloaded it?

Thank you for reading.

Update 2015-01-28: Found another file signed by IMALI – N.I. MEDIA TD. It’s called ESy1Avb1ax.exe and it is detected by 7 of the 57 anti-virus programs at VirusTotal:

IMALI - N.I. MEDIA TD virus total detections


Update 2015-02-16: Found another file, with a slightly different publisher name: “IMALI – N.I. MEDIA LTD”. The publisher is located in Ramat Gan, Israel according to the certificate. These are the detections (8/57):

  • Avira TR/Dldr.Agent.443648
  • AVware Trojan.Win32.Generic!BT
  • GData Win32.Trojan.Agent.W8AUB8
  • Ikarus Trojan-Downloader.Agent
  • Qihoo-360 HEUR/QVM10.1.Malware.Gen
  • Symantec Infostealer.Limitail
  • TrendMicro-HouseCall Suspicious_GEN.F47V0210
  • VIPRE Trojan.Win32.Generic!BT

IMALI – N.I. MEDIA LTD anti-virus report - 14% Detection Rate

Prompt Distribution – 7% Detection Rate – InstallCore

Hello readers! Just a note on a publisher called Prompt Distribution (Fried Cookie Ltd.). The Prompt Distribution (Fried Cookie Ltd.) download – Skype_Setup.exe – was detected when I uploaded it to VirusTotal. Did you also find a download by Prompt Distribution (Fried Cookie Ltd.)? Was it also detected when you uploaded it to VirusTotal?

By examining the certificate, we can see that Prompt Distribution (Fried Cookie Ltd.) is located in Tel Aviv in Israel. The certificate is issued by GlobalSign CodeSigning CA – G2.

Prompt Distribution Fried Cookie cert

What caught my attention was that the download was called Skype_Setup.exe. This might look like an official Skype download, but it is not. If it was an official download, it should have been signed by Skype Software Sarl.

These are the current VirusTotal detections for the file. Generic.48E, a variant of Win32/InstallCore.SC and InstallCore (fs) are a few of the detection names for the Skype_Setup.exe file.

Prompt Distribution - virustotal

Did you also find a file digitally signed by Prompt Distribution? What kind of download was it and where did you find it?

Thank you for reading.

One Floor App LTD – 27% Detection Rate – Widdit / FirstFloor / SimplyInstaller

Hello! Just wanted to give you the heads up on a file called 1Convert.exe that’s digitally signed by One Floor App LTD. You will also see One Floor App LTD listed as the verified publisher in the User Account Control dialog that pops up if you try to run the file:

One Floor App LTD

Information about a digital signature and the certificate can also be found under the Digital Signature tab. The screenshot below shows the One Floor App LTD certificate. From the certificate info we can see that One Floor App LTD appears to be located in Bnei Brak in Israel.

One Floor App LTD cert

ESET-NOD32 classifies 1Convert.exe as a variant of Win32/Toolbar.Widdit.A, Kaspersky detects it as not-a-virus:WebToolbar.Win32.FirstFloor.a and Malwarebytes detects it as PUP.Optional.SimplyInstaller.

One Floor App LTD virustotal

Did you also find a download that was signed by One Floor App LTD? What kind of download was it and was it detected by the anti-virus software at VirusTotal? Please share by posting a comment.

Thanks for reading.