Category Archives: digital signature

Innovative Systems LLC – 9% Detection Rate at VirusTotal

Just a short note on a publisher called Innovative Systems LLC. When I uploaded the Innovative Systems LLC file to VirusTotal it had a 9% detection rate. Some of the anti-virus scanners call the file InstallCore. Symantec classifies the file as Trojan.Gen.2:

Innovative Systems LLC VirusTotal

According to the certificate, Innovative Systems LLC is located in Ukraine.

Innovative Systems LLC certificate

Innovative Systems LLC publisher

Did you also find a file digitally signed by Innovative Systems LLC? What kind of download was it and where did you find it?

I’ll try to follow up on this one later, to see if the other anti-virus programs add it to their detection.

PSK LOGEUM LLC – 4% Detection Rate at VirusTotal

Hello again, sorry for being slow on the posting lately. I blame it on the cold I caught last week. Anyway, just wanted to give you the heads up on a publisher called PSK LOGEUM LLC that, according to the embedded certificate, appears to be located in Russia.

PSK Logeum LLC Publisher

psk logeum llc certificate

The reason I’m writing this blog post is that the PSK LOGEUM LLC file is detected by a few of the anti-virus programs. McAfee reports it as BehavesLike.Win32.Dropper.ch and Qihoo reports it as Win32/Rootkit.Rootkig.7e5.

psk logeum publisher virustotal report

When I tested the PSK LOGEUM LLC file it installed an adware called BlockAndSurf.

Did you also find a PSK LOGEUM LLC file? What kind of download was it? If you remember the download link, please post it in the comments below.

Thanks for reading.

Bestop-app – 22% detection rate – InstallCore

Hello readers, just a short post on a publisher called Bestop-app before going back to some coding on FreeFixer. By looking at the embedded certificate we can see that Bestop-app appears to be located in Tel Aviv in Israel.

Bestop-app

After uploading the Bestop-app file – FlvPlayerSetup.exe – to VirusTotal, it was clear that it’s probably better to delete the file than to run it. The detection rate was 22% and some of the detection names were: PUP.Optional.InstallCore, CryptInno and Install Core Click run software.

Bestop-app virustotal

Did you also find a Bestop-app file?

OOO Alians – 7% Detection Rate at VirusTotal

Just a short post on a publisher called OOO Alians. I just found a download named adobe_flash_setup.exe that was digitally signed by this publisher, and it turns out that it is detected by some of the anti-virus programs.

OOO Alians

OOO Alians virus total report

Adware/InstallCore, AdWare.Win32.InstallCore and PUA.Alians are some of the detection names.

Did you also find an OOO Alians download? Was that also promoted as Adobe’s Flash Player?

Now, back to programming on the FreeFixer tool 🙂

Gogo Network Club – 13% Detection Rate – Win32.Adware.CrossRider

Just a quick post today, since I’m busy working with the next release of FreeFixer. If you see some files on your system, such as Browser+ Apps-be.exe, that are digitally signed by Gogo Network Club, you probably have the CrossRider adware on your machine. Here’s the scan result from VirusTotal:

Gogo Network Club - Digital signature and Virus Total scan report.

Hope this helped you figure out what the Gogo Network Club files are.

OUTbrowse Ltd – 13% Detection rate: Trojan.Win32.OutBrowse and Adware.Win32.OutBrowse

If you’ve been following me for the last months you know that I’ve been examining many software publishers that put a digital signature on their downloads. Yesterday I found another publisher called OUTbrowse Ltd. This is how it appears when running the file:

outbrowse ltd

To get more details on the publisher, you can view the certificate by right-clicking on the file, and looking under the Digital Signatures tab:

outbrowse ltd Digital Signature

According to the certificate information, OUTbrowse Ltd appears to be located in Israel. The certificate is about two weeks old.
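
The publisher, country, issuer and certificate age shown on the Digital Signatures tab can also be read from the command line for a whole folder at once. The following PowerShell is an added example, not part of the original post; the default folder and the 30-day "recent certificate" threshold are assumptions chosen for illustration.

```powershell
# Added example: report who signed each installer in a folder.
# $Path and $NewCertDays are illustrative assumptions, not values from the post.
param(
    [string]$Path = "$env:USERPROFILE\Downloads",
    [int]$NewCertDays = 30
)

function Get-SubjectField {
    # Extract one attribute (O, C, CN ...) from an X.500 name string.
    param([string]$Name, [string]$Field)
    if ($Name -match "(?:^|,\s*)$Field=(?:""([^""]+)""|([^,]+))") {
        if ($Matches[1]) { return $Matches[1] }
        return $Matches[2].Trim()
    }
    return $null
}

Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.msi -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName
        $cert = $sig.SignerCertificate
        # Every column is created up front so unsigned files still line up.
        $row = [ordered]@{
            File        = $_.Name
            Status      = $sig.Status   # Valid, NotSigned, HashMismatch, NotTrusted, ...
            Publisher   = $null
            Country     = $null
            Issuer      = $null
            ValidFrom   = $null
            CertAgeDays = $null
            RecentCert  = $null
            SHA256      = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
        if ($cert) {
            $age = ((Get-Date) - $cert.NotBefore).Days
            $org = Get-SubjectField $cert.Subject 'O'
            if (-not $org) { $org = Get-SubjectField $cert.Subject 'CN' }
            $row.Publisher   = $org
            $row.Country     = Get-SubjectField $cert.Subject 'C'
            $row.Issuer      = Get-SubjectField $cert.Issuer 'CN'
            $row.ValidFrom   = $cert.NotBefore
            $row.CertAgeDays = $age
            # A certificate issued only days ago has no track record yet.
            $row.RecentCert  = $age -lt $NewCertDays
        }
        [pscustomobject]$row
    } | Sort-Object CertAgeDays | Format-Table -AutoSize
```

A `Valid` status only means the file is unmodified since it was signed and the certificate chains to a trusted root; it says nothing about what the program does. The SHA256 column can be searched on VirusTotal without uploading the file.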

When running the OUTbrowse file, it displayed a link to the OUTbrowse Terms and Conditions, which were located on www.mixi.dj.

outbrowse web site - www.mixi.dj

So, why did I put up this blog post? Well, the thing is that the OUTbrowse file is detected by some anti-virus programs, according to VirusTotal:

OUTBrowse virus total report - 7/54

PUP.Optional.OutBrowse, Trojan.Win32.OutBrowse and Adware.Win32.OutBrowse are a few of the detection names. The detection rate is 7/54, that is 13%.

Hope this blog post helped you avoid some unwanted software on your machine.

Did you also find an OUTbrowse file? Do you remember the download link? Please post it in the comments below and I’ll upload it to VirusTotal to see if that one is also detected.

Information Technology Systems – 16% Detection Rate at VirusTotal

Just a quick post on a faked Flash Player download, named adobe_flash_setup.exe, digitally signed by Information Technology Systems. This download was promoted with the following pop-up:

Faked Flash Update pop up windows

Information Technology Systems seems to be located in Montenegro based on the embedded certificate.

Information Technology Systems certificate, the publisher is located in montenegro

The current detection rate is 16% according to VirusTotal. InstallCore appears to be the most common detection name.

Information Technology Systems virus total report, InstallCore is one of the detection names

Did you also find an Information Technology Systems file? Do you remember where you downloaded it?

Kiril Skiba – 2 of 54 Anti-Virus programs detect the Kiril Skiba file

Hello there, just a quick post on a publisher called Kiril Skiba that I found while running some tests on FreeFixer v1.12. I should have this new version of FreeFixer out this week. The suspicious file is named ldownload.exe and the following screenshot shows the User Account Control dialog when running the Kiril Skiba file.

Kiril Skiba appears as the Verified publisher.

The digital certificate appears to be relatively new. It’s valid from the 11th of Junly, 2014. According to the certificate, Kiril Skiba is located in Ukraine. The certificate is issued by Certum Code Signing CA.

Kiril Skiba certificate

For the time being, the detection score for the Kiril Skiba file is very low. When I uploaded the file to VirusTotal – as I usually do when I find something that looks suspicious – only Qihoo-360 and VBA32 detected the file. The detection names are HEUR/Malware.QVM10.Gen and suspected of Trojan.Downloader.gen.h. With those two detections, I’d stay away from the file. It will be interesting to see if the other anti-virus programs will add this file in the future.

Kiril Skiba ldownload.exe virus total report

When I tried running the Kiril Skiba file, nothing appeared to happen. I could not see any modification at all on my lab computer. No windows popped up. Nothing.

Did you also find a file digitally signed by Kiril Skiba? Did it pose as something useful?