Category Archives: digital signature

Click Yes – 6% Detection Rate at VirusTotal

Hi there! If you’ve been following my recent posts here on the FreeFixer blog, you know that I’ve been looking at files that have a valid digital signature and bundle various types of potentially unwanted programs. This morning I found another publisher named Click Yes. The following screenshot shows the User Account Control dialog when running the Click Yes file:

[Screenshot: Click Yes publisher in the UAC dialog]

By looking at the certificate we can see that Click Yes appears to be located in Dublin, Ireland. The certificate is quite new: its validity period started yesterday, on the 21st of October.

[Screenshot: Click Yes certificate]

The VirusTotal report shows that the Click Yes file should probably be avoided, since setup.exe is detected as APPL/Downloader.Gen by Avira, Trojan.Packed.29192 by DrWeb and Win32/OutBrowse.AY by ESET-NOD32. The detection rate is only 6% which is quite low.
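The detection rates quoted in these posts come from uploading the file to VirusTotal by hand. The PowerShell function below is an added example (not code from the FreeFixer blog) that does the same lookup from the command line: it hashes the file locally, asks VirusTotal's public v3 API whether that hash is already known, and works out the detection rate and the per-engine detection names. It assumes your VirusTotal API key is in the VT_API_KEY environment variable; the endpoint, header and field names are those of the v3 API, and the file path in the usage line is a constructed placeholder.

```powershell
# Added example, not from the FreeFixer blog: look up a file's SHA-256 hash in
# VirusTotal (API v3) and compute the detection rate the report page shows:
# engines flagging the file divided by engines that returned a verdict.
# Assumes the API key is in $env:VT_API_KEY.

function Get-VtDetectionRate {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $ApiKey = $env:VT_API_KEY
    )
    if (-not $ApiKey) { throw 'Set VT_API_KEY to your VirusTotal API key' }

    # Hash the file locally; only the hash leaves the machine, never the file itself
    $sha256 = (Get-FileHash -Path $Path -Algorithm SHA256).Hash.ToLower()

    try {
        $resp = Invoke-RestMethod -Method Get `
            -Uri "https://www.virustotal.com/api/v3/files/$sha256" `
            -Headers @{ 'x-apikey' = $ApiKey }
    } catch {
        # 404 means VirusTotal has never seen this hash; that is useful on its own,
        # since a file nobody has scanned yet is worth uploading rather than running
        if ($_.Exception.Response -and [int]$_.Exception.Response.StatusCode -eq 404) {
            return [pscustomobject]@{ File = Split-Path $Path -Leaf; Sha256 = $sha256; Known = $false }
        }
        throw
    }

    $stats   = $resp.data.attributes.last_analysis_stats
    $results = $resp.data.attributes.last_analysis_results
    $flagged = $stats.malicious + $stats.suspicious
    $total   = $flagged + $stats.undetected + $stats.harmless

    # Collect "engine: detection name" for every engine that flagged the file,
    # which is what the blog posts quote (e.g. InstallCore, DownloadAdmin)
    $names = foreach ($engine in $results.PSObject.Properties) {
        if ($engine.Value.category -in 'malicious', 'suspicious') {
            '{0}: {1}' -f $engine.Name, $engine.Value.result
        }
    }

    [pscustomobject]@{
        File          = Split-Path $Path -Leaf
        Sha256        = $sha256
        Known         = $true
        Detections    = $flagged
        Engines       = $total
        DetectionRate = if ($total) { [math]::Round(100 * $flagged / $total, 1) } else { 0 }
        Names         = $names
    }
}

# Usage (constructed path): print the rate and the detection names for one download
Get-VtDetectionRate -Path "$env:USERPROFILE\Downloads\setup.exe" | Format-List
```

Looking the hash up first, rather than uploading, avoids sending a possibly private file to a third party, and a "not known" answer tells you the installer is too new for anyone to have a verdict yet, which for a freshly signed download is a reason for more caution, not less.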

[Screenshot: Click Yes VirusTotal report, 6% detection rate]

Did you also find a Click Yes file? What kind of download was it? If you remember the download link, please post it in the comments below and I’ll upload it to VirusTotal to see if the detection rate is improved.

Hope this blog post helped you avoid some unwanted software on your machine.

Thanks for reading.

Open Source Developer – 13% Detection Rate at VirusTotal

Hello! Just a quick post on a publisher called Open Source Developer that I found some time ago while running some tests for the upcoming FreeFixer release. This is how it looks when double-clicking on the file and Open Source Developer appears as the publisher. It is also possible to check a digital signature by looking at a file’s properties, if you’d like to do that.

[Screenshot: Open Source Developer publisher]

I decided to upload the file to VirusTotal. Of the 53 anti-malware scanners, 7 detected the file. That’s a 13% detection rate. InstallCore seems to be the common detection name.

[Screenshot: Open Source Developer VirusTotal report]

Did you also find a file digitally signed by Open Source Developer? Where did you find it and are the anti-virus programs detecting it? Please share in the comments below.

Thank you for reading.

Zoobam – 20% Detection Rate – Detected as WebInstallBundle and DownloadAdmin

Hi there! Just wanted to give you a heads-up on a file I found right now. The file is named installer_jdownloader_Spanish.exe and digitally signed by Zoobam. This is how Zoobam appears when running the file:

[Screenshot: Zoobam publisher]

Information about a digital signature and the certificate can also be found under the Digital Signature tab. According to the certificate we can see that Zoobam seems to be located in USA and that the certificate is issued by Go Daddy Secure Certificate Authority – G2.

[Screenshot: Zoobam certificate]

Of the 54 anti-malware scanners at VirusTotal, 11 detected the file. The installer_jdownloader_Spanish.exe file is detected as Adware:W32/WebInstallBundle by F-Secure, PUP.Optional.DownloadAdmin by Malwarebytes and DownloadAdmin (fs) by VIPRE.

[Screenshot: Zoobam VirusTotal report]

Did you also find a Zoobam download? What kind of download was it?

Thank you for reading.

DOZ-DEKORUM LLC – 17% Detection Rate at VirusTotal

Hello! Just a quick post today, since I’m busy working with the next release of FreeFixer. Did you see a file, such as FlashPlayer_6741_i1375671586_il280.exe, on your system signed by DOZ-DEKORUM LLC? Then read on.

Typically you’d see the DOZ-DEKORUM LLC publisher name appear when double-clicking on the FlashPlayer_6741_i1375671586_il280.exe file:

[Screenshot: DOZ-DEKORUM LLC publisher]

It’s possible to view additional information about the embedded certificate by right-clicking on the file, choosing properties and then clicking on the Digital Signatures tab. According to the certificate we can see that DOZ-DEKORUM LLC is located in Kiev in Ukraine and that the certificate is issued by Thawte Code Signing CA – G2.

[Screenshot: DOZ-DEKORUM LLC certificate]

The problem here is that if FlashPlayer_6741_i1375671586_il280.exe really was an installer file for Flash Player, it should have been signed by Adobe Inc. and not by some unknown company. I think this looks suspicious.
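The check described in the last two paragraphs (open the Digital Signatures tab, read the signer and issuer, and ask whether the signer is the company that actually makes the product) can be scripted. The following PowerShell function is an added example, not code from the FreeFixer blog: it reads the Authenticode signature with Get-AuthenticodeSignature, reports signer, issuer and the certificate's start date, and warns when the signer does not match the publisher expected for that kind of file or when the certificate was issued only days ago (the "quite new" certificate from the Click Yes post). The expected-publisher table and the Downloads folder in the usage part are assumptions for illustration.

```powershell
# Added example, not from the FreeFixer blog: inspect an installer's Authenticode
# signature and compare the signer against the publisher expected for that product.

function Test-InstallerSigner {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Text expected in the signer's subject, e.g. 'Adobe' for a Flash Player installer
        [string] $ExpectedPublisher,
        # Warn about certificates younger than this many days; brand-new code-signing
        # certificates on installers are a recurring pattern in these posts
        [int] $MinCertAgeDays = 30
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [ordered]@{
        File      = Split-Path $Path -Leaf
        Status    = $sig.Status          # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer    = $null
        Issuer    = $null
        NotBefore = $null
        Warnings  = @()
    }

    if ($sig.Status -eq 'NotSigned' -or -not $sig.SignerCertificate) {
        $result.Warnings += 'File carries no Authenticode signature'
        return [pscustomobject]$result
    }

    $cert = $sig.SignerCertificate      # X509Certificate2 of the signer
    $result.Signer    = $cert.Subject
    $result.Issuer    = $cert.Issuer
    $result.NotBefore = $cert.NotBefore

    if ($sig.Status -ne 'Valid') {
        $result.Warnings += "Signature status is $($sig.Status), not Valid"
    }
    if ($ExpectedPublisher -and $cert.Subject -notmatch [regex]::Escape($ExpectedPublisher)) {
        $result.Warnings += "Signer does not match expected publisher '$ExpectedPublisher'"
    }
    $age = (Get-Date) - $cert.NotBefore
    if ($age.TotalDays -lt $MinCertAgeDays) {
        $result.Warnings += "Certificate issued only $([int]$age.TotalDays) day(s) ago"
    }
    return [pscustomobject]$result
}

# Expected publisher keyed by a word in the file name (assumed table, not exhaustive):
# a file calling itself a Flash Player, Skype or Chrome installer should be signed
# by the vendor, not by an unknown company
$expected = @{
    'flash'  = 'Adobe'
    'skype'  = 'Skype'
    'chrome' = 'Google'
}

# Usage (assumed location): check every .exe in the Downloads folder
Get-ChildItem "$env:USERPROFILE\Downloads\*.exe" | ForEach-Object {
    $name = $_.Name.ToLower()
    $pub  = $expected.Keys | Where-Object { $name -like "*$_*" } |
            ForEach-Object { $expected[$_] } | Select-Object -First 1
    Test-InstallerSigner -Path $_.FullName -ExpectedPublisher $pub
} | Format-List
```

A "Valid" status only means the signature chains to a trusted root and the file has not been modified since signing; it says nothing about who the signer is, which is exactly why the subject has to be compared with the publisher you expect.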

So, what do the anti-virus programs say about the DOZ-DEKORUM LLC file? No problem, I just uploaded the file to VirusTotal and it turned out that some (17%) of the anti-virus programs detect the DOZ-DEKORUM LLC file, with names such as Generic.AF5, Adware.Downware.8818 and PUP.Optional.Amonetize.

[Screenshot: DOZ-DEKORUM LLC VirusTotal report]

Since some of the anti-virus programs detected the DOZ-DEKORUM LLC file, I got curious and decided to test it to see what it installed. After stepping through the installer, RegClean Pro and Wajam appeared on my computer. Did you also find a file digitally signed by DOZ-DEKORUM LLC? What kind of download was it and where did you find it?

Thanks for reading.

STMSetup – 18% Detection Rate by VirusTotal

Hello readers! Just found yet another interesting file, this time signed by STMSetup. The following screenshot shows the User Account Control dialog when running the STMSetup file:

[Screenshot: STMSetup publisher for Skype_Setup.exe in the UAC dialog]

You can also view the certificate by right-clicking on the file and looking under the Digital Signatures tab. According to the embedded certificate we can see that STMSetup appears to be located in Tel-Aviv in Israel and that the certificate is issued by COMODO Code Signing CA 2.

[Screenshot: STMSetup certificate]

What caught my attention was that the download was called Skype_Setup.exe. This might look like an official Skype download, but it is not. If it was an official download, it would be digitally signed by Skype Software Sarl. Here’s how the official Skype signature looks:

[Screenshot: Skype Software Sarl publisher]

So, what does VirusTotal say about Skype_Setup.exe? BehavesLike.Win32.CryptInno.bc, Install Core Click run software and InstallCore (fs) are some detection names:

[Screenshot: STMSetup VirusTotal report]

Did you also find a STMSetup file?

Thanks for reading.

Webcellence Ltd. – Detected by AVG, NOD32 and DrWeb

Hi there! If you’ve been following me for the last year you know that I’ve been examining many software publishers that put a digital signature on their downloads. A few days ago I found another publisher called Webcellence Ltd..

[Screenshot: Webcellence Ltd. UAC prompt]

To get more details on the publisher, you can view the certificate by right-clicking on the file and looking under the Digital Signatures tab. According to the certificate we can see that Webcellence Ltd. is located in Moshav Ora, Israel and that the certificate is issued by VeriSign Class 3 Code Signing 2010 CA.

[Screenshot: Webcellence Ltd. certificate for adobe_flash_player.exe]

The reason I’m writing this blog post is that the Webcellence Ltd. file is detected by a few of the anti-virus programs at VirusTotal. DrWeb classifies adobe_flash_player.exe as Trojan.MulDrop5.38502 and ESET-NOD32 calls it a variant of Win32/InstallCore.QD.

[Screenshot: Webcellence Ltd. VirusTotal report]

Although the file is named adobe_flash_player.exe it’s not the official download for the Adobe Flash Player. The real Flash Player installer should be digitally signed by the Adobe company.

Did you also find a Webcellence Ltd. file? Do you remember the download link? Please post it in the comments below and I’ll upload it to VirusTotal to see if that one is also detected.

Thank you for reading.

ICS Setup – 16% Detection Rate By VirusTotal

Hello! Just a quick post on a file named ChromeSetup.exe signed by ICS Setup before calling it a day. This is how ICS Setup appears when running the file:

[Screenshot: ICS Setup publisher]

To get more details on the publisher, you can view the certificate by right-clicking on the file and looking under the Digital Signatures tab. According to the certificate we can see that ICS Setup seems to be located in Tel-Aviv, Israel and that the certificate is issued by COMODO Code Signing CA 2.

[Screenshot: ICS Setup certificate]

9 of the anti-virus scanners detected the file. Some of the detection names for the ChromeSetup.exe file are W32/InstallCore.AC.gen!Eldorado, BehavesLike.Win32.CryptInno.bc and InstallCore.b (fs).

[Screenshot: ICS Setup VirusTotal report]

Did you also find an ICS Setup file? What kind of download was it? If you remember the download link, please post it in the comments below.

Thank you for reading.

InstallationSafe – 15% Detection Rate – Detected as AdGazelle

Was looking for some downloads to play around with and found one, digitally signed by InstallationSafe, that claimed “Your Java version may be outdated”, trying to get me to install something other than the official Java download.

[Screenshot: InstallationSafe publisher in the UAC dialog]

[Screenshot: InstallationSafe fake Java installer]

The InstallationSafe download is distributed from fugupdates101 dot com. Some of the anti-virus programs are detecting the InstallationSafe file. The detection rate is 15%. AdGazelle is one of the detection names.

[Screenshot: InstallationSafe VirusTotal report, detected as AdGazelle]

Did you also find a download that was digitally signed by InstallationSafe? What kind of download was it and was it detected by the anti-virus programs at VirusTotal? Please share by posting a comment.

Thank you for reading.

Advertiso GmbH – 15% Detection Rate at VirusTotal

Found another software publisher that bundles lots of potentially unwanted software. The publisher is called Advertiso GmbH and the file was called adobe-flash-player_setup.exe.

[Screenshot: Advertiso GmbH publisher]

When I uploaded the file to VirusTotal, it came up with a 15% detection rate.

[Screenshot: Advertiso GmbH VirusTotal report]

InstallCore seems to be the common detection name for the Advertiso GmbH file.

When I ran the Advertiso GmbH file it offered a bunch of bundled software, such as Web Finder Pro (Site Finder Pro), AdvanceElite, AstroMenda, PennyBee, etc. And in addition, it failed to install Adobe’s Flash Player, with the error “Installation encountered errors”:

[Screenshot: Adobe Flash Player installer failed with “Installation encountered errors”]

Hope this helped you figure out what the Advertiso GmbH installer will do to your system.

If you want to download the Flash Player, please do so from Adobe’s official web site:

http://get.adobe.com/flashplayer/

Did you also find a file from Advertiso GmbH? What kind of download was it? Was it also detected by the anti-virus programs at VirusTotal? Please share in the comments below.

Update 2015-09-10: Found another download signed by Advertiso called chrome_download.exe. The detection rate for that file is 20%:

[Screenshot: Advertiso GmbH anti-virus report for chrome_download.exe]


Symbolicom Holdings Limited – 7% Detection Rate at VirusTotal

Just wanted to let you know about a publisher called Symbolicom Holdings Limited before going back to writing some code for FreeFixer. When I uploaded the Symbolicom Holdings Limited file, named adobe_flash_player.exe, to VirusTotal it came up with a 7% detection rate.

[Screenshot: Symbolicom Holdings Limited certificate for adobe_flash_player.exe]

[Screenshot: Symbolicom Holdings Limited publisher in the UAC dialog]

[Screenshot: Symbolicom Holdings Limited VirusTotal report]

Some of the detection names are Trojan.MulDrop5, a variant of Win32/InstallCore and HEUR/Malware.QVM06.Gen.

Although the file name contains “adobe” and “flash” it’s not an official Adobe Flash download. The official Adobe Flash Player should be digitally signed by Adobe Inc.

Did you also find a Symbolicom Holdings Limited download? What kind of download was it?