Category Archives: digital signature

Andrey Hmelnikov – 35% Detection Rate – Kazy/MultiPlug

Hi there! Just wanted to give you the heads up on files digitally signed by Andrey Hmelnikov.

Andrey  Hmelnikov publisher

It is also possible to check a digital signature by looking at a file’s properties. Here’s a screenshot of the Andrey Hmelnikov certificate. He’s located in Russia.

Andrey  Hmelnikov certificate

So, what do the anti-virus programs say about the Andrey Hmelnikov file? No problem, I just uploaded the file to VirusTotal and it turned out that many of the anti-virus programs detect the Andrey Hmelnikov file, with names such as Gen:Variant.Adware.Kazy and MultiPlug.

Andrey Hmelnikov virustotal

To see in more detail what changes the Andrey Hmelnikov file would make on a user’s computer, I decided to run the file on my lab machine. The installer bundled some additional software such as GoSave and YoutubeAdBlocke.

Did you also find an Andrey Hmelnikov file? Do you remember the download link? Please post it in the comments below and I’ll upload it to VirusTotal to see if that one is also detected.

Thank you for reading.

Liquidbuild detected as Kazy, iBryte and Optimum Installer

Hi there! Just a quick Sunday post on a file named flashplayerpro_Setup.exe signed by Liquidbuild that I found while reviewing some files submitted to the FreeFixer database of files. The problem is that flashplayerpro_Setup.exe is not an official Flash Player download. If it was, it should be digitally signed by Adobe Systems Incorporated.

When I uploaded the Liquidbuild file to VirusTotal, it came up with a 28% detection rate. The file is detected as Adware/iBryte.bxow by Avira, Gen:Variant.Kazy.466717 by BitDefender, Gen:Variant.Kazy.466717 by F-Secure and Optimum Installer (fs) by VIPRE. It’s probably better to stay away from this file.

Liquidbuild virustotal report

Did you also find a Liquidbuild file?

Thanks for reading.

Verti Technology Group, Inc. – 33% Detection Rate by VirusTotal

Hello! Just a note on a publisher called Verti Technology Group, Inc. The Verti Technology Group, Inc. download that I found yesterday – MediaPlayerClassic_RocketFuelInstaller.exe – was detected when I uploaded it to VirusTotal. Did you also find a download by Verti Technology Group, Inc.? Was it also detected when you uploaded it to VirusTotal?

Verti Technology Group, Inc

You can see who the signer is when double-clicking on an executable file. Verti Technology Group, Inc. appears in the publisher field in the dialog that pops up. To view more information about the certificate you can right-click on the file, then choose Properties and then select the Digital Signatures tab. According to the certificate we can see that Verti Technology Group, Inc. is located in BelleVue, USA and that the certificate is issued by VeriSign Class 3 Code Signing 2010 CA.

Verti Technology Group certificate

Adware.Downware.8721, Riskware/Verti, PUP.Optional.Rocketfuel, Artemis and Rocketfuel Installer (fs) are some detection names according to VirusTotal:

Verti Technology Group Inc VirusTotal report

Did you also find a file digitally signed by Verti Technology Group, Inc.? What kind of download was it and where did you find it?

Thank you for reading.

Shetef Solutions & Consulting (1998) Ltd. – 25% Detection Rate

Good evening! Lately I’ve been looking at the digital signatures on files that push various types of unwanted programs. Right now I found a new file called FlashPlayer__6741_i1387048386_il2537.exe, digitally signed by Shetef Solutions & Consulting (1998) Ltd.

Shetef Solutions Consulting 1998 Ltd Publisher

You can also look at the Shetef Solutions & Consulting (1998) Ltd. certificate and digital signature by looking under the Digital Signatures tab on the file’s properties. According to the certificate, Shetef Solutions & Consulting (1998) Ltd. is located in Rannana, Israel. The certificate appears to be relatively new. Its validity began on the 13th of October.

Shetef Solutions certificate, Rannana, Israel

The issue here is that if FlashPlayer__6741_i1387048386_il2537.exe really was an installer file for Flash Player, it should have been digitally signed by Adobe Systems Incorporated and not by some unknown company. This looks suspicious.

The VirusTotal report shows that the Shetef Solutions & Consulting (1998) Ltd. file should be avoided, since FlashPlayer__6741_i1387048386_il2537.exe is detected as Adware.Downware.8876 by DrWeb, Gen:Variant.Graftor.161610 by F-Secure and PUP.Optional.Amonetize by Malwarebytes.

Shetef Solutions & Consulting (1998) Ltd. virustotal report

Since the download was detected I decided to give it a try to see what it installed. During my test I could see Wajam, Salus – Net Protector and My Start Search install on my lab machine.

Did you also find a file digitally signed by Shetef Solutions & Consulting (1998) Ltd.? What kind of download was it and where did you find it?

Thanks for reading.

OOO “Finans Servis” – 9% Detection Rate: InstallCore/CryptInno

Just wanted to give you the heads up on files digitally signed by OOO “Finans Servis”.

OOO Finans Servis publisher

The OOO “Finans Servis” certificate shows that the publisher is located in Moscow in Russia.

OOO Finans certificate

The problem here is that the OOO Finans Servis file was promoted as an update for Adobe’s Flash Player. If adobe_flash_setup.exe really was a setup file for Adobe Flash Player, it should be digitally signed by Adobe Systems Incorporated and not by some unknown company located in Moscow.

9% of the anti-malware scanners detected the file. PUP.Optional.InstallCore and BehavesLike.Win32.CryptInno.bc were two of the detection names. I think we will see the other anti-virus programs add this one to the detection list soon.

OOO Finans Servis virustotal

Since you probably came here after finding a file that was digitally signed by OOO Finans Servis, please share what kind of download it was and if it was detected by the anti-malware programs at VirusTotal.

Thanks for reading.

Safe Down – 22% Detection Rate – Detected as IBryte and

Welcome! Just a short post on a publisher called Safe Down. I just found a download named Java_Setup.exe that was digitally signed by this publisher, and it turns out that it is detected by some anti-virus programs.

What caught my attention was that the download was called Java_Setup.exe. This might look like an official Java download, but it is not. If it was an official download, it should be digitally signed by Oracle INC.

22% of the scanners detected the file. ESET-NOD32 reports Java_Setup.exe as a variant of Win32/AdWare.iBryte.BM, Fortinet detects it as W32/Zbot.AAN!tr, Kaspersky calls it Trojan.Win32.Badur.joje, McAfee reports IBryte-FRK and VIPRE names it Optimum Installer (fs).

safe down virustotal

Did you also find a Safe Down file?

Thank you for reading.

Astro Network (Fried Cookie Ltd.) Publisher Information

Hello! If you’ve been following my recent posts here on the FreeFixer blog, you know that I’ve been looking at files that have a valid digital signature and bundle various types of programs. This morning I found another publisher named Astro Network (Fried Cookie Ltd.).

The following screenshot shows the User Account Control dialog when running the Astro Network (Fried Cookie Ltd.) file:

Astro Network Fried Cookie Ltd publisher

You can also check who signed a file by checking the digital signature tab. According to the certificate we can see that Astro Network appears to be located in Tel Aviv, Israel and that the certificate is issued by GlobalSign CodeSigning CA – G2.

Astro Network Fried Cookie Ltd certificate

What caught my attention was that the download was called Skype_Setup.exe. This might look like an official Skype download, but it is not. If it was an official download, it would have been signed by Skype Software Sarl. And that’s why I’m writing this blog post. If you are looking for the official Skype download, go to http://www.skype.com/ to get the real deal.
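
The publisher check that these posts do by hand in the Digital Signatures tab can be scripted. The PowerShell below is an added example, not FreeFixer's code: `Test-InstallerPublisher` and the `$ExpectedPublisher` table are hypothetical names, and the expected signers are the names cited in the posts on this page (the Oracle pattern is kept loose as an assumption, because the page only gives "Oracle INC").

```powershell
# Added example. Expected signers are the names cited in the posts on this page;
# keys are matched against the file name, values against the signer's name.
$ExpectedPublisher = [ordered]@{
    'flash' = 'Adobe Systems Incorporated'
    'java'  = 'Oracle*'                # assumption: loose pattern, page says "Oracle INC"
    'skype' = 'Skype Software Sarl'
}

function Test-InstallerPublisher {
    param([Parameter(Mandatory)][string]$Path)

    $name = [System.IO.Path]::GetFileName($Path)
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $cert = $sig.SignerCertificate     # $null when the file is unsigned

    $signer = $null; $issuer = $null; $validFrom = $null
    if ($cert) {
        $simple    = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
        $signer    = $cert.GetNameInfo($simple, $false)   # subject name of the signing certificate
        $issuer    = $cert.GetNameInfo($simple, $true)    # issuing CA
        $validFrom = $cert.NotBefore                      # recently issued certificates stand out
    }

    # Which product does the file name claim to be?
    $claimed  = $ExpectedPublisher.Keys | Where-Object { $name -match $_ } | Select-Object -First 1
    $expected = if ($claimed) { $ExpectedPublisher[$claimed] } else { $null }

    # A valid signature only proves who signed the file, so compare the signer too.
    $mismatch = [bool]$expected -and
                ($sig.Status -ne 'Valid' -or $signer -notlike $expected)

    [pscustomobject]@{
        File      = $name
        Status    = $sig.Status
        Signer    = $signer
        Issuer    = $issuer
        ValidFrom = $validFrom
        Expected  = $expected
        Mismatch  = $mismatch
    }
}

# Usage: review every executable in the Downloads folder.
Get-ChildItem -Path "$env:USERPROFILE\Downloads" -Filter *.exe |
    ForEach-Object { Test-InstallerPublisher -Path $_.FullName } |
    Format-Table -AutoSize
```

A row with `Status` of `Valid` and `Mismatch` of `True` is the case described in these posts: a correctly signed installer whose signer is not the vendor its file name suggests.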

I uploaded the Skype_Setup.exe file to VirusTotal, but none of the 50+ anti-virus scanners detected it. Was your file detected by the anti-virus programs?

Did you also find a file signed by Astro Network? What kind of download was it and where did you find it? How was the download promoted? Did it appear in the sponsored search results in one of the search engines?

Fileangels – Detected as IBryte and OptimunInstaller

Welcome! Just a note on a publisher called Fileangels. The Fileangels download – setup.exe – was detected when I uploaded it to VirusTotal. Did you also find a download by Fileangels? Was it also detected when you uploaded it to VirusTotal?

This is how Fileangels appears when running the file:

fileangels publisher

By looking at the certificate we can see that Fileangels appears to be located in Kansas City, USA.

Fileangels certificate

The reason I’m writing this blog post is that the Fileangels file is detected by some of the anti-malware scanners at VirusTotal. AVG detects setup.exe as AdPlugin.BNR, Fortinet detects it as W32/Zbot.AAN!tr, Kaspersky detects it as Trojan.Win32.Badur.jukw, Malwarebytes reports PUP.Optional.OptimunInstaller and McAfee detects it as IBryte-FRT. In addition, the Fileangels download was also promoted as a “Java Update”.

fileangels virustotal ibryte

Did you also find a file digitally signed by Fileangels? Where did you find it and are the anti-virus programs detecting it? Please share in the comments below.

Thanks for reading.

Astro Delivery (Fried Cookie Ltd.) – 4% Detection Rate

Welcome! If you’ve been following me for the last year you know that I’ve been examining many software publishers that put a digital signature on their downloads. Today I found another publisher called Astro Delivery (Fried Cookie Ltd.).

Astro Delivery Fried Cookie Ltd. publisher

You can also check the digital signature under the file’s properties. According to the certificate we can see that Astro Delivery (Fried Cookie Ltd.) is located in Tel Aviv, Israel and that the certificate is issued by GlobalSign CodeSigning CA – G2. The certificate is pretty new: its validity period started yesterday, on the 21st of October.

Astro Delivery Fried Cookie Ltd certificate

One issue here, and this could perhaps be one of the reasons why a few anti-virus programs have chosen to detect the file, is that Skype_Setup.exe is not an official Skype download. If it was, it would be digitally signed by Skype Software Sarl.

The scan result from VirusTotal below shows that only 4% of the antivirus programs detect the Astro Delivery (Fried Cookie Ltd.) file. It is detected under names such as a variant of Win32/InstallCore.QH and Riskware.Win32.InstallCore.dfgoti. It will be interesting to see if other anti-virus scanners choose to follow ESET and NANO.

astro delivery fried cookie ltd virustotal report

Did you also find an Astro Delivery (Fried Cookie Ltd.) file?

Thanks for reading.

Green Tech Software LLC – Detected as InstallBrain – 37% Detection Rate

Hello! If you are a regular visitor here on the FreeFixer blog you know that I’ve been looking at the certificates used to sign files that bundle various types of potentially unwanted software. Today I found another certificate, used by a publisher called Green Tech Software LLC.

Green Tech Software LLC publisher in the User Account Control

This is how it looks when double-clicking on the file and Green Tech Software LLC appears as the publisher. You can also see the Green Tech Software LLC certificate by looking under the Digital Signature tab on the file’s properties. According to the certificate, Green Tech Software LLC is located in Beaverton, Oregon, USA.

Green Tech Software LLC certificate for the Softango downloader

The download I found was the “Softango Downloader”. It downloads some third-party software, in my case a Zip program, and during the installation process it offers to install additional software.

The reason for posting about Green Tech Software LLC is that the file is detected by many of the anti-virus programs. F-Secure reports SoftangoDownloader_Zip.exe as Application.Bundler.InstallBrain, Malwarebytes detects it as PUP.Optional.Softango.A and VIPRE classifies it as InstallBrain (fs). The detection rate is 37%.

Green Tech Software virus total report: InstallBrain, Eldorado, etc

I decided to run the Green Tech Software LLC signed file, and it offered four additional programs called Speed Test, PC Performer, UnknownFile and MyPC Backup in the installer.

Green Tech Software bundle list

Since you probably came here after finding a file that was signed by Green Tech Software LLC, please share what kind of download it was and if it was reported by the anti-malware software at VirusTotal.

Hope this blog post helped you avoid some potentially unwanted software on your machine.

Thank you for reading.