Category Archives: digital signature

CoolMirage Ltd. – 28% Detection Rate – DefaultTab / OneClickDownloader / MultiToolbar

Hello! Here’s a short blog post from a foggy Stockholm. If you’ve been following me for the last year you know that I’ve been examining many software publishers that put a digital signature on their downloads. Today I found another publisher called CoolMirage Ltd. which appears to have been around for some time.

CoolMirage Ltd. publisher in the UAC dialog


The file is named in a way which can make some users think they are downloading a movie, rather than an executable file.

Typically you’d see the CoolMirage Ltd. publisher name appear when double-clicking on the downloaded file. Viewing the certificate information is also possible by looking under the Digital Signatures tab for the file. Here the certificate says that CoolMirage Ltd. is located in Tel Aviv, Israel.

The CoolMirage Ltd. certificate

The issue with the CoolMirage Ltd. file is that it is detected by many of the anti-malware scanners. Here are some of the detection names: Gen:Application.Bundler.DefaultTab.1, PUP.Optional.OneClickDownloader.A, Adware-SweetIM, PUP/MultiToolbar.A and CoolMirage.

CoolMirage Ltd. virustotal scan report

Did you also find a CoolMirage Ltd. file? Do you remember the download link? Please post it in the comments below and I’ll upload it to VirusTotal to see if that one is also detected.

Thanks for reading.

Tiger Download – 33% Detection Rate – Kazy / IBryte

Hi there! Did you just find a file that’s digitally signed by Tiger Download and came to this blog to find more about it? I ran into this one while I was looking at the steady stream of files submitted to the FreeFixer library.

The reason for posting about Tiger Download is that the file is detected by many of the anti-virus programs. F-Secure classifies flashplayerpro_Setup.exe as Gen:Variant.Adware.Kazy.491026, Kaspersky detects it as not-a-virus:AdWare.Win32.iBryte.jig, Malwarebytes detects it as PUP.Optional.Fusion.A and VIPRE names it Optimum Installer (fs). Big thanks to VirusTotal for the scan report.

Tiger Download

Another problem with the Tiger Download file is how it is named: “flashplayerpro”. Users might think that it is an official Flash Player setup file, but it’s not. The official Flash Player download should be signed by Adobe Systems Incorporated, not by Tiger Download. Here’s how the official Flash Player installer should look when you run it:

Adobe Systems Incorporated - Adobe Flashplayer Installer

Did you also find a Tiger Download file? Do you remember where you downloaded it?

Thanks for reading.

“File Verified” – 11% Detection Rate – InstallMetrix

Welcome! Just a short note on a publisher called File Verified that I just found while going through some of the latest additions in the FreeFixer library.

What caught my attention was that the download was called Chrome_Updater.exe. This might look like official Chrome software, but it is not. If it were an official “Chrome Updater”, it should have been digitally signed by Google Inc. and not by some company that no one has ever heard of.

It turns out that the File Verified file is detected by some of the anti-malware scanners, according to VirusTotal. Avira reports Chrome_Updater.exe as Adware/InstallMet.hc, ESET-NOD32 detects it as a variant of Win32/Adware.InstallMetrix.F, Norman detects it as InstallMetrix.E and VIPRE reports InstallMetrix (fs).

File Verified

Did you also find a File Verified download? What kind of download was it?

Thank you for reading.

Fileadventure – Fake Java Update – 38% Detection Rate

Hello! Just a short note on a publisher called Fileadventure.

Fileadventure publisher

If you have a Fileadventure file on your machine you may have noticed that Fileadventure is displayed as the publisher in the UAC dialog when double-clicking on the file. You can also look at the Fileadventure certificate and digital signature by looking under the Digital Signatures tab on the file’s properties. According to the certificate, Fileadventure is located in Kansas City, USA.

Fileadventure certificate

The problem here is that if setup.exe really was an installer file for Java, it would be digitally signed by Oracle America Inc. and not by some unknown company.

The Fileadventure file was promoted by adware that showed a pop-up in the browser saying “Your Java Version is Outdated”. The pop-up opened up a fake Java update site.

Your Java Version is Outdated

When I uploaded the Fileadventure file to VirusTotal, it came up with a 38% detection rate. The file is detected as Win32:IBryte-HL [PUP] by Avast, W32/A-138dbbfa!Eldorado by F-Prot, PUP.Optional.iBryte by Malwarebytes and AdKnowledge (fs) by VIPRE.

Fileadventure virustotal

Did you also find a Fileadventure file? Was it also promoted as a “Java Update”?

Thanks for reading.

Sanflex – 33% Detection Rate – WebInstallBundle, DownloadAdmin and Artemis

Hello! Just a quick post on a file named installer_adobe_flash_player_Swedish.exe signed by Sanflex. The following screenshot shows the User Account Control dialog when running the Sanflex file:

Sanflex publisher

By looking at the certificate we can see that Sanflex appears to be located in San Francisco, United States of America.

Sanflex certificate

The problem here is that if installer_adobe_flash_player_Swedish.exe really was a setup file for the official Adobe Flash Player, it would be digitally signed by Adobe Systems Incorporated and not by some unknown company. This looks very suspicious.

If you are considering running the Sanflex-signed file, I’d advise you not to. Delete it instead. Just check out the detection list from some of the anti-virus programs. Big thanks to VirusTotal for the scan result.

Sanflex virustotal

F-Secure detects installer_adobe_flash_player_Swedish.exe as Adware:W32/WebInstallBundle, Fortinet reports Riskware/DownloadAdmin, Malwarebytes classifies it as PUP.Optional.DownloadAdmin and McAfee detects it as Artemis.

Did you also find a Sanflex file? What kind of download was it?

Thanks for reading.

SVAN TRANS LLC – 25% Detection Rate

Hi there! Just wanted to give you the heads-up on a suspicious file I found just now before having my lunch. The file is named FlashPlayer__6741_i1404957756_il13.exe and digitally signed by SVAN TRANS LLC.

SVAN TRANS LLC publisher

You can also see the SVAN TRANS LLC certificate by looking under the Digital Signature tab on the file’s properties. According to the certificate, SVAN TRANS LLC is located in Kiev, Ukraine.

SVAN TRANS LLC certificate

The issue is that FlashPlayer__6741_i1404957756_il13.exe is not an official Flash Player download. If it was, it would be digitally signed by Adobe Systems Incorporated, and not by some unknown company from Ukraine.

25% of the scanners detected the file. The FlashPlayer__6741_i1404957756_il13.exe file is detected as PUA.Amonetize! by Agnitum, Gen:Variant.Application.Jaik by F-Secure and PUP.Optional.Amonetize by Malwarebytes. Thanks to VirusTotal for the scan report.

svan trans llc virustotal

Since some of the anti-virus programs detected the SVAN TRANS LLC file, I got curious and decided to test it to see what it installed. After stepping through the installer, Salus Net Protector, RocketTab and My Start Search were disclosed.

SVAN TRANS LLC installer: Salus
SVAN TRANS LLC installer: RocketTab

Did you also find an SVAN TRANS LLC file? Do you remember the download link? Please post it in the comments below and I’ll upload it to VirusTotal to see if that one is also detected.

Thanks for reading.

Volvan Premium SL – 28% Detection Rate

Welcome! I was looking for some downloads to play around with and found one, digitally signed by Volvan Premium SL. The file is named google_chrome.exe.

Volvan Premium SL publisher

To view more information about the embedded certificate you can right-click on the file, then choose Properties and then select the Digital Signatures tab. According to the embedded certificate we can see that Volvan Premium SL is located in Barcelona, Spain and that the certificate is issued by VeriSign Class 3 Code Signing 2010 CA.

Volvan Premium SL certificate

The problem here is that if google_chrome.exe really was a setup file for Google Chrome, it would be digitally signed by Google Inc and not by some unknown company. This looks very suspicious.
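Every post in this archive boils down to the same check: read the Authenticode signer from the file’s Digital Signatures tab and compare it with the vendor the file name pretends to be from (Flash Player → Adobe Systems Incorporated, Chrome → Google Inc, Java → Oracle America). The script below automates that triage for a folder of downloads. It is an added example, not code from the FreeFixer blog; it assumes Windows PowerShell 5.1 or later (which ships Get-AuthenticodeSignature), and the keyword-to-publisher map is constructed from the vendors the posts above name. The signer comparison is a prefix match so that “Inc” versus “Inc.” spelling variants still match.

```powershell
# Added example (not from the FreeFixer blog): flag downloads whose file name
# implies a well-known vendor but whose Authenticode signer is someone else.
# Assumes Windows PowerShell 5.1+ on Windows. The map below is constructed
# from the publishers named in the posts above; extend it for your environment.

$ExpectedPublishers = @{
    'flash'  = 'Adobe Systems Incorporated'  # flashplayerpro, installer_adobe_flash_player_*
    'chrome' = 'Google Inc'                  # Chrome_Updater.exe, google_chrome.exe
    'java'   = 'Oracle America'              # fake "Your Java Version is Outdated" setup.exe
}

function Get-SignerCommonName {
    # Pull the CN out of an X.500 subject such as
    # 'CN="Oracle America, Inc.", O=..., L=Redwood City, S=California, C=US'.
    # Quoted CNs (which may contain commas) are tried first.
    param([Parameter(Mandatory)][string]$Subject)
    if ($Subject -match 'CN="([^"]*)"') { return $Matches[1].Trim() }
    if ($Subject -match 'CN=([^,]*)')   { return $Matches[1].Trim() }
    return $null
}

function Test-DownloadSigner {
    # Returns one object per file: signature status, signer CN, issuer CN,
    # the vendor implied by the file name, and a plain-language verdict.
    param([Parameter(Mandatory)][string]$Path)

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $name = [System.IO.Path]::GetFileName($Path).ToLowerInvariant()

    $result = [pscustomobject]@{
        File     = $name
        Status   = $sig.Status   # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer   = $null
        Issuer   = $null
        Expected = $null
        Verdict  = $null
    }

    if ($sig.SignerCertificate) {
        $result.Signer = Get-SignerCommonName $sig.SignerCertificate.Subject
        $result.Issuer = Get-SignerCommonName $sig.SignerCertificate.Issuer
    }

    # Which vendor does the file name claim to come from?
    foreach ($kw in $ExpectedPublishers.Keys) {
        if ($name -like "*$kw*") { $result.Expected = $ExpectedPublishers[$kw]; break }
    }

    if ($sig.Status -ne 'Valid') {
        $result.Verdict = "signature status $($sig.Status)"
    } elseif ($result.Expected -and ($result.Signer -notlike "$($result.Expected)*")) {
        # The observation the posts above repeat: a *valid* signature, but from
        # a company that has nothing to do with the product the name implies.
        $result.Verdict = "SUSPICIOUS: name implies $($result.Expected) but signed by $($result.Signer)"
    } elseif ($result.Expected) {
        $result.Verdict = 'signer matches implied vendor'
    } else {
        $result.Verdict = 'validly signed; file name implies no known vendor, review signer manually'
    }
    return $result
}

# Usage: triage everything in the Downloads folder.
Get-ChildItem -Path "$env:USERPROFILE\Downloads\*.exe" |
    ForEach-Object { Test-DownloadSigner -Path $_.FullName } |
    Format-Table File, Status, Signer, Issuer, Verdict -AutoSize
```

Two caveats worth keeping in mind when reading the output. A verdict of “validly signed” says nothing about whether the file is safe: every publisher in this archive had a valid, CA-issued certificate, which is exactly why the name-versus-signer comparison matters more than the green checkmark. And the keyword match is deliberately loose, so a legitimately signed third-party tool with “chrome” or “java” in its name will be flagged for review; treat the script as a triage aid that tells you where to look, not as a verdict on its own.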

So, why did I put up this blog post? Well, the thing is that the Volvan Premium SL file is detected by many of the anti-virus scanners, according to VirusTotal. F-Secure classifies google_chrome.exe as Gen:Variant.Application.Bundler, Malwarebytes calls it PUP.Optional.DomaIQ and McAfee calls it SoftPulse.a.

Volvan Premium SL virustotal

When I ran the Volvan Premium SL file it offered a bunch of bundled software, such as Wajam, HostSecurePlugin, Salus, SpeedChecker and Super Optimizer.

Did you also find a Volvan Premium SL file? Do you remember where you downloaded it?

Thanks for reading.

LiveSoftAction – 11% Detection Rate at VirusTotal

Hi there! Just wanted to let you know about a publisher called LiveSoftAction before going back to writing some code for FreeFixer.

The following screenshot shows the User Account Control dialog when running the LiveSoftAction file:

LiveSoftAction SuperInstall publisher

Viewing the certificate information is also possible by looking under the digital signature tab for the file. Here the certificate says that LiveSoftAction is located in Bucharest in Romania.

LiveSoftAction certificate

11% of the scanners detected the file when I uploaded it to VirusTotal. ESET-NOD32 classifies provided through Diplodocs.exe as a variant of Win32/GetNow.D and Malwarebytes detects it as PUP.Optional.LiveSoftAction.

LiveSoftAction virustotal

Did you also find a file digitally signed by LiveSoftAction? Where did you find it and are the anti-virus programs detecting it? Please share in the comments below.

Thanks for reading.