Category Archives: digital signature

Plugin Update SL – Warning! Stay away from this file

I’m in a hurry here, trying to wrap up the v1.12 release of FreeFixer, but I thought I should write a few lines about a file, digitally signed by Plugin Update SL, that was promoted as a Java update. Here’s how the ad appeared:

plugin update s.l ad - java update

When clicking on the ad, a download for something called Player_Setup.exe appeared. That file is not a Java update.

Plugin Update SL Certificate

The file is digitally signed by Plugin Update SL, which is a company that appears to be located in Tenerife. If you run the file, it starts an installation of something called NewPlayer. During the installation, it offers lots of bundled unwanted software, such as Findopolis, FreeSoftToday, IStartSurf, etc.

The VirusTotal scan also clearly shows why you should stay away from the Plugin Update SL malware file:

Plugin Update SL - Virus Total report

Some of the scanners report it as DomaIQ and SoftPulse.

Did you also find a file signed by Plugin Update SL? Was it also promoted as a Java update?

If you installed any of the bundled software, you can remove those with FreeFixer.

Hope this helped you avoid the Plugin Update SL software. Thanks for reading.

Oleh Aleksyuk – Stay away from files signed by this publisher!

Hello readers, just wanted to warn you about a publisher called Oleh Aleksyuk. I downloaded a file that claimed to be an e-book, but instead the file had an .exe extension and was digitally signed by someone named Oleh Aleksyuk. When launching the file, a bunch of bundled programs were offered in the installer. EZDownloader, SW-Booster and Adblocker were some of the programs that appeared after running the file.

Oleh Aleksyuk

The digital certificate appears to be rather new. It’s valid from the 24th of June, 2014. According to the certificate, Oleh Aleksyuk is located in Russia.

Oleh Aleksyuk certificate. Valid from 24 June 2014.

Currently the detection rate for the Oleh Aleksyuk file is very low. When I uploaded the file to VirusTotal, only Malwarebytes detected the file. The detection name is PUP.Optional.MultiPlug. It will be interesting to see if the other anti-virus programs will detect it in the future.

Oleh Aleksyuk VirusTotal report

Did you also find a file digitally signed by Oleh Aleksyuk? Do you remember where you downloaded it? Please share by posting a comment.

File Monarch & java_setup.exe – Stay away from it – 34% detection rate

If you are a regular here on the FreeFixer blog, you know that I’ve been looking at the certificates used to sign files that bundle various types of unwanted software.

While I was looking around on some recently submitted files here on freefixer.com, I found a file called java_setup.exe signed by a company called File Monarch. The problem here is that if this really was a setup file for Java, it would have been digitally signed by Oracle and not by some unknown company. This looks very suspicious. And the VirusTotal report shows that the File Monarch file should be avoided, since java_setup.exe is detected as Adware.IBryte, Optimum Installer and Trojan.Win32.Buzus.

File Monarch - java_setup.exe VirusTotal report

This appears to be a common tactic for getting users to install something they didn’t want: pop up some file and claim that Java or the Flash Player needs to be updated.
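A check that automates the reasoning in this post, plus the “rather new certificate” observation from the Oleh Aleksyuk post above, as an added example that is not FreeFixer’s own code: it reads the Authenticode signer of a downloaded installer with PowerShell’s Get-AuthenticodeSignature and flags a file whose name claims Java, Flash or Chrome but whose signer is not Oracle, Adobe or Google. The publisher mapping, the 30-day threshold for a “new” certificate and the Test-ClaimedPublisher name are assumptions of this example.

```powershell
# Added example: compare the Authenticode signer of an installer against the
# vendor its file name claims, and note certificates that are only days old.
# The name-to-publisher mapping below is an assumption of this example.
$ExpectedPublisher = @{
    'java'   = 'Oracle'
    'flash'  = 'Adobe'
    'chrome' = 'Google'
}

function Test-ClaimedPublisher {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$MinCertAgeDays = 30   # assumed threshold for a "rather new" certificate
    )
    $sig      = Get-AuthenticodeSignature -FilePath $Path
    $name     = [IO.Path]::GetFileName($Path).ToLower()
    $signer   = $null
    $findings = @()

    if ($sig.Status -ne 'Valid' -or -not $sig.SignerCertificate) {
        # Unsigned, tampered or untrusted chain: the UAC dialog shows no publisher.
        $findings += "signature status: $($sig.Status)"
    } else {
        $cert   = $sig.SignerCertificate
        $signer = $cert.GetNameInfo('SimpleName', $false)   # subject CN, as shown in UAC

        # A "java_setup.exe" should be signed by Oracle, "FlashPlayersetup" by Adobe, etc.
        foreach ($product in $ExpectedPublisher.Keys) {
            $vendor = $ExpectedPublisher[$product]
            if ($name -like "*$product*" -and $signer -notlike "*$vendor*") {
                $findings += "file name claims '$product' but signer is '$signer' (expected $vendor)"
            }
        }

        # Freshly issued certificates are common in the posts above (e.g. valid from June 2014).
        $ageDays = [int]((Get-Date) - $cert.NotBefore).TotalDays
        if ($ageDays -lt $MinCertAgeDays) {
            $findings += "certificate only $ageDays days old (valid from $($cert.NotBefore.ToShortDateString()))"
        }
    }

    [pscustomobject]@{
        File       = $name
        Signer     = $signer
        Thumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
        Suspicious = $findings.Count -gt 0
        Findings   = $findings
    }
}

# Usage: Get-ChildItem "$env:USERPROFILE\Downloads\*.exe" | ForEach-Object { Test-ClaimedPublisher $_.FullName }
```

The Findings list is empty for a genuine vendor-signed installer; a non-empty list reproduces the kind of mismatch this post describes without running the file.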

Well, hope that helped you avoid some adware or whatever this java_setup.exe file would install.

Did you also find some file signed by File Monarch, or a file falsely claiming to be a Java setup file? Where did you find them?

I’ll dig around a bit more in the FreeFixer database to see if there are other fake Java setup files.


Wilmaonline LTD – VirusTotal and Bundling Report

Found a file this morning, claiming to be a Flash Player setup file. However, the file was not digitally signed by Adobe, which is the publisher of the Flash Player. Instead, it was signed by a company called Wilmaonline LTD., which made it look suspicious.

Wilmaonline LTD. publisher

According to the certificate that is embedded in the file, Wilmaonline is a company located in Israel.

Wilmaonline LTD. certificate

So, what do the anti-virus programs say about the Wilmaonline file? I uploaded the file to VirusTotal, and it turned out that many of the anti-virus programs detect the Wilmaonline file, with names such as Adware.Downware and PUP.Optional.Amonetize.

Wilmaonline LTD  Virus Total Report - PUP.Optional.Amonetize, Adware.Downware

To see in more detail what changes the Wilmaonline file would make on a user’s computer, I decided to run the file on my lab machine. The following InstallPath installer appeared, where “Flash Player”, Dolphin Deals, Flow Surf, Webssearches and OffersWizard were selected for installation by default. This is probably the reason why the anti-virus programs detect the Wilmaonline file, in addition to its use of Adobe’s Flash trademark.

Wilmaonline LTD. - installer for Flash Player, Dolphin Deals, Flow Surf, Webssearches, OffersWizard

Did you also find a file digitally signed by Wilma Online? What kind of download was it and where did you find it?

Update 13 Sep 2014: Thought I should follow up on this one. The Wilmaonline signed files are still being distributed. They are promoted as Flash Players, chess games, Ask.FM trackers, keygens, cracks, etc. The installer file includes lots of bundled programs, but for unknown reasons, nothing is installed when I click through the installer. Did you also see this behaviour, or did it install the bundled programs on your machine? The anti-virus programs have improved their detection rates somewhat for the WilmaOnline files:

  • 18/54 – FlashPlayersetup__2570_i1300328638_il1783.exe
  • 15/52 – Chess Titans setup__6670_il4710.exe
  • 15/55 – Ask Fm Tracker 2014 Downloader__3687_i1301881522_il2700510.exe
  • 14/55 – Keygen Installer__9167_il260.exe

Igor Kramoren – Warning for files signed by this publisher!

Stumbled on a file this morning, digitally signed by Igor Kramoren.

Igor Kramoren certificate

Igor Kramoren publisher

The issue with the Igor Kramoren file is that it is detected by many of the anti-virus programs. Here are some of the detection names:

  • BitDefender Gen:Variant.Zusy.100672
  • DrWeb Trojan.Siggen6.21336
  • ESET-NOD32 a variant of Win32/AdWare.MultiPlug.AQ
  • F-Secure Gen:Variant.Zusy.100672
  • Ikarus AdWare.Graftor
  • Malwarebytes PUP.Optional.InstallRex
  • McAfee PUP-FMH
  • Panda Trj/Kazy.AS

Did you also find a file digitally signed by Igor Kramoren? What kind of download was it and where did you find it?


Smart Secure Software S.l – Bundling and VirusTotal Report

Just a quick post before going back to working on FreeFixer. Found a “Google Chrome” download this morning, digitally signed by Smart Secure Software S.l.

Smart Secure Software S.l

Smart secure software sl - google_chrome.exe - Click Yes to begin setup

The problem is that it was not an official Chrome download. The setup file bundled a large number of potentially unwanted programs, such as GridMonetize, IStartSurf, PepperZip, Severe Weather Alerts, Wajam, Browser App and CostMin, as shown in the screenshots below:

IstartSurf installer

GridMonetize installer

CostMin installer

And here’s the VirusTotal report:

Smart Secure Software Virus Total Report

DomainIQ, SoftPulse and Smart Secure Software are some of the detection names.

Did you also find a file digitally signed by Smart Secure Software S.l.? What kind of download was it and where did you find it?

Stanislav Kabin – Certificate Warning

Just a quick post to warn you about files digitally signed by Stanislav Kabin. The file I found was detected by many of the anti-virus programs. Here’s how Stanislav Kabin appears in the UAC dialog.

Stanislav Kabin Publisher


The Stanislav Kabin certificate shows that the publisher is located in Russia.

Stanislav Kabin Certificate

Did you also find a file signed by Stanislav Kabin? What kind of file was it, and where did you find it?

Here are the VirusTotal scan results:

Stanislav Kabin VirusTotal Report


Information Technology Systems doo – VirusTotal Report

Just wanted to give you the heads up on a publisher called Information Technology Systems doo.

Information Technology Systems doo Publisher

According to the certificate, the publisher is located in Montenegro:

Information Technology Systems doo Certificate

This is the VirusTotal scan report for the Information Technology Systems doo file:

Information Technology Systems doo - VirusTotal

Generic.DAA, Unwanted-Program and  are some of the detection names.

Did you also find a file signed by Information Technology Systems doo? What kind of download was it? In my case, the download claimed to be the Flash Player installer.

Update 2014-09-03: Found a file promoted as a Java installer, signed by Information Technology Systems doo:

Information Technology Systems doo

The web page is hosted on softkopro.net. The file is called java_setup.exe and is detected by 10 of the 55 anti-virus programs at VirusTotal.

According to the web page, java_setup.exe is a downloader, rather than the real Java setup file:

“Coinis downloader is distributing a proprietary download manager that will take you to the official download of this program. Prior to taking you to the official download, we will offer optional sponsored software that you may be interested in. You are not required to install any additional software to receive your download.”

Update 2016-09-23: I’ve rescanned the java_setup.exe file. Now the detection rate is 31/57. Based on the scan result over at VirusTotal and by looking at the java_setup.exe executable file, it seems that the file contains the InstallCore software rather than the Coinis downloader, contrary to what the web page at softkopro.net stated.