Category Archives: digital signature

Rubin Sister – 16% Detection Rate – MultiPlug / Qudamah / Badur

Hello! I was playing around and testing some downloads when I found a file digitally signed by Rubin Sister.

[Screenshot: Rubin Sister publisher]

If you have a Rubin Sister file on your computer you may have noticed that Rubin Sister pops up as the publisher in the User Account Control dialog when running the file. The certificate is issued by Certum Code Signing CA.

[Screenshot: Rubin Sister certificate]

Some of the detection names according to VirusTotal are: a variant of Win32/Adware.MultiPlug.JZ, Riskware/Badur, Trojan.Win32.Qudamah.Gen.7 and suspected of Heur.Malware-Cryptor.Multiplug:

[Screenshot: Rubin Sister anti-virus report]

Did you also find a Rubin Sister file? Do you remember the download link? Please post it in the comments below and I’ll upload it to VirusTotal to see if that one is also detected.

Thanks for reading.

VerifiedInstallation – 11% Detection Rate – AdGazelle

Hello! If you are a regular here on the FreeFixer blog you know that I’ve been looking at the certificates used to sign files that bundle various types of unwanted software. Today I found another certificate, used by a publisher called VerifiedInstallation.

So, what do the anti-virus programs say about the VerifiedInstallation file? No problem, I just uploaded the file to VirusTotal and it turned out that some of the anti-virus programs detect the VerifiedInstallation file, with names such as AdGazelle.246, Adware.Downware.11074, a variant of Win32/AdGazelle.J potentially unwanted and AdGazelle (fs).

[Screenshot: VerifiedInstallation anti-virus report]

Did you also find a VerifiedInstallation file? Do you remember where you downloaded it? Was your file also detected at VirusTotal?

Thanks for reading.

OOO Mad Advert – 5% Detection Rate – Trojan.InstallCore / Win32:Malware-gen

Hi there! Just wanted to give you a heads-up on a suspicious file I found right now. The file is named adobe_flash_setup.exe and digitally signed by OOO Mad Advert.

[Screenshot: OOO Mad Advert publisher]

You can also check the digital signature under the file’s properties. The screenshot below shows the OOO Mad Advert certificate. From the certificate info we can see that OOO Mad Advert appears to be located in Moscow, Russia.

[Screenshot: OOO Mad Advert cert]

Here’s how the OOO MAD Advert download is promoted:

[Screenshot: updater.safeplugin-update.org pop-up]

What caught my attention was that the download was called adobe_flash_setup.exe. This might look like an official Adobe Flash Player download, but it is not. If it were an official download, it would have been digitally signed by Adobe Systems Incorporated. Here’s how the authentic Adobe Flash Player installer looks when you double-click on it. Notice that the “Verified publisher” says “Adobe Systems Incorporated”.

[Screenshot: Adobe Systems Incorporated - Adobe Flash Player Installer]

The detection rate is 3/55. Avast reports adobe_flash_setup.exe as Win32:Malware-gen, DrWeb calls it Trojan.InstallCore.508 and ESET-NOD32 calls it a variant of Win32/InstallCore.ZC potentially unwanted.

[Screenshot: OOO Mad Advert anti-virus report]

Did you also find an OOO Mad Advert file? Do you remember where you downloaded it?

Thank you for reading.

SAFe store btw – 42% Detection Rate At VirusTotal

Hello readers! Just a quick post on a publisher called SAFe store btw that I found while running some tests for the upcoming FreeFixer release. The suspicious file is named installer_jdownloader_English.exe.

[Screenshot: SAFe store btw publisher]

You may see “SAFe store btw” appear as the publisher when double-clicking on the installer_jdownloader_English.exe file. You can also see the SAFe store btw certificate by looking under the Digital Signature tab on the file’s properties. According to the certificate, SAFe store btw is located in Dublin in Ireland.

[Screenshot: SAFe store btw cert]

The scan result from VirusTotal below clearly shows why you should avoid the SAFe store btw file, unless you like bundled software. It is detected under names such as PUA/Outbrowse.Gen, Riskware/OutBrowse, Application.Bundler.Outbrowse.BA, Trojan.Win32.OutBrowse.dpuzhb and Suspici.FCDBA93D.

[Screenshot: SAFe store btw anti-virus report]

Did you also find a SAFe store btw file? Do you remember the download link? Please post it in the comments below and I’ll upload it to VirusTotal to see if that one is also detected.

Thank you for reading.

“Start Now” – 45% Detection Rate – OutBrowse

Welcome! Just wanted to let you know about a publisher called Start Now before going back to writing some code for FreeFixer.

[Screenshot: Start Now publisher]

If you have a Start Now file on your machine you may have noticed that Start Now is displayed as the publisher in the UAC dialog when double-clicking on the file. It’s possible to view additional information about the certificate by right-clicking on the file, choosing properties and then clicking on the Digital Signatures tab. According to the certificate we can see that Start Now is located in Dublin, Ireland and that the certificate is issued by Go Daddy Secure Certificate Authority – G2.

[Screenshot: Start Now cert]

The detection rate is 25/56. Avira classifies Player.exe as PUA/Outbrowse.Gen, DrWeb detects it as Trojan.OutBrowse.413, F-Prot classifies it as W32/Outbrowse.B2.gen!Eldorado, F-Secure detects it as Application.Bundler.Outbrowse and VIPRE detects it as Adware.NSIS.Outbrowse.bu (v).

[Screenshot: Start Now anti-virus report]

Did you also find a Start Now file? Do you remember the download link? Please post it in the comments below and I’ll upload it to VirusTotal to see if that one is also detected.

Thank you for reading.

Rodion Veresev – 33% Anti-Virus Detection Rate – MultiPlug

Hi there! I was looking for some downloads to play around with and found one digitally signed by Rodion Veresev.

[Screenshot: Rodion Veresev cert]

You can see who the signer is when double-clicking on an executable file. Rodion Veresev appears in the publisher field in the dialog that pops up. According to the cert, he is located in Ukraine. The certificate is issued by Certum Code Signing CA.

The reason for posting about Rodion Veresev is that the file is detected by many of the anti-virus programs. Avira reports Download Uc Browser V Handler Zip.exe as TR/Crypt.XPACK.Gen, DrWeb calls it Trojan.Crossrider1.25958, Sophos detects it as MultiPlug and Tencent reports Trojan.Win32.Qudamah.Gen.6.

[Screenshot: Rodion Veresev virus report]

Did you also find a Rodion Veresev file? What kind of download was it?

Hope this blog post helped you avoid some unwanted software on your machine.

Thank you for reading.

App secure LLC – 30% Anti-Virus Detection – SoftPulse / Strictor / HfsAdware / DriverUpd

Hello! If you are a regular here on the FreeFixer blog you know that I’ve been looking at the certificates used to sign files that bundle various types of unwanted software. Today I found another certificate, used by a publisher called App secure LLC.

[Screenshot: App secure LLC publisher]

Windows will display App secure LLC as the publisher when running the file. Information about a digital signature and the certificate can also be found under the Digital Signature tab. The screenshot below shows the App secure LLC certificate. From the certificate info we can see that App secure LLC appears to be located in Wilmington, Delaware in the US.

[Screenshot: App secure LLC certificate]

When I uploaded the App secure LLC file to VirusTotal, it came up with a 30% detection rate. The file is detected as Win32:SoftPulse-FZ [PUP] by Avast, W32.HfsAdware.8302 by Bkav, Gen:Variant.Strictor.83505 (B) by Emsisoft, a variant of Win32/SoftPulse.AB potentially unwanted by ESET-NOD32, not-a-virus:Downloader.Win32.DriverUpd.wui by Kaspersky and SoftPulse by Sophos.

[Screenshot: App secure LLC virus report]

The company web site appears to be APPSECURELLC.COM. Here’s some of the info from the WHOIS database:

Registrant Name: Roberto Blangino
Registrant Organization: App Software LLC
Registrant Street: 501 Silverside Road, Suite 105
Registrant City: Wilmington
Registrant State/Province: Delaware
Registrant Postal Code: 19809
Registrant Country: US

I checked some of the services that provide domain info based on an IP address, and the following sites appear to be, or to have been, located on the same IP:

  • 123maxmusic.com
  • 88dls.com
  • acpsoftwarellc.com
  • www.magnoplayer.com
  • www.newvideoplayer.com

Did you also find a file that was signed by App secure LLC? What kind of download was it, and was it detected by the anti-virus scanners at VirusTotal? Please share in the comments below.

Thanks for reading.

SaFe SoftwaRe sLL – 30% Anti-Virus Detection – OutBrowse

Welcome! I was playing around and testing some downloads when I found a file signed by SaFe SoftwaRe sLL.

You can see who the signer is when double-clicking on an executable file. SaFe SoftwaRe sLL appears in the publisher field in the dialog that pops up.

[Screenshot: SaFe SoftwaRe sLL publisher]

You can also check the digital signature under the file’s properties. According to the embedded certificate we can see that SaFe SoftwaRe sLL seems to be located in Ireland and that the certificate is issued by thawte SHA256 Code Signing CA.

[Screenshot: SaFe SoftwaRe sLL certificate]

The certificate is quite new. It’s valid from the 5th of April 2015.

So, why am I writing about the SaFe SoftwaRe sLL file? Check out what the anti-malware scanners report about the file:

[Screenshot: SaFe SoftwaRe sLL virus report]

A few of the detection names for Player.exe: AVG names it Downloader.FLM, Cyren detects it as W32/Outbrowse.B2.gen!Eldorado, DrWeb names it Trojan.OutBrowse.296, F-Prot detects it as W32/Outbrowse.B2.gen!Eldorado and McAfee calls it Adware-OutBrowse.e.

Did you also find a SaFe SoftwaRe sLL file? What kind of download was it? If you remember the download link, please post it in the comments below.

Thanks for reading.

LLC BK UKRBUDMONTAZH – 11% Anti-Virus Detection – Amonetize

Welcome! Short on time today, but I just wanted to give you the heads up on a publisher called LLC BK UKRBUDMONTAZH.

[Screenshot: LLC BK UKRBUDMONTAZH publisher]

If you have an LLC BK UKRBUDMONTAZH file on your machine you may have noticed that LLC BK UKRBUDMONTAZH is displayed as the publisher in the UAC dialog when double-clicking on the file. The certificate information can also be viewed from Windows Explorer. According to the certificate we can see that LLC BK UKRBUDMONTAZH seems to be located in Ukraine and that the certificate is issued by COMODO RSA Code Signing CA.

[Screenshot: LLC BK UKRBUDMONTAZH cert]

When I uploaded the LLC BK UKRBUDMONTAZH file to VirusTotal, it came up with an 11% detection rate. The file is detected as Trojan/Win32.TGeneric by Antiy-AVL, Amonetize (fs) by AVware, Trojan.Amonetize.2350 by DrWeb, a variant of Win32/Amonetize.EF potentially unwanted by ESET-NOD32 and Amonetize (fs) by VIPRE.

[Screenshot: LLC BK UKRBUDMONTAZH virus report]

Since you probably came here after finding a download that was digitally signed by LLC BK UKRBUDMONTAZH, please share what kind of download it was and whether it was detected by the anti-malware scanners at VirusTotal.

Thanks for reading.

FASt download got – 18% Anti-Virus Detection – OutBrowse

Welcome! I was playing around and testing some downloads when I found a file digitally signed by FASt download got.

[Screenshot: FASt download got publisher]

If you have a FASt download got file on your computer you may have noticed that FASt download got pops up as the publisher in the User Account Control dialog when running the file. You can also see the FASt download got certificate by looking under the Digital Signature tab on the file’s properties. According to the certificate, FASt download got is located in Dublin in Ireland.

[Screenshot: FASt download got certificate]

The problem is that installer_adobe_flash_player_English.exe is not an official Adobe Flash Player download. If it were, it would be digitally signed by Adobe Systems Incorporated. Here’s how the authentic Adobe Flash Player installer looks when you double-click on it. Notice that the “Verified publisher” says “Adobe Systems Incorporated”.

[Screenshot: Adobe Systems Incorporated - Adobe Flash Player Installer]
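The publisher check described here and in the OOO Mad Advert post above (read the signer off the Digital Signatures tab and compare it with the vendor you expect from the file name) can be scripted so it is not skipped. This is an added example, not code from the FreeFixer blog; the function name, the parameter names and the default expected publisher string are my own, and it assumes a Windows host with PowerShell's built-in Get-AuthenticodeSignature cmdlet.

```powershell
# Added example (not from the FreeFixer blog). Reports who actually signed a
# downloaded installer and whether that matches the vendor the file name implies.
# A valid signature only tells you WHO signed the file, not that it is safe; the
# posts above show validly signed files that bundle unwanted software.
function Test-InstallerSigner {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        # Assumed default: the publisher name the posts say a real Flash installer shows.
        [string]$ExpectedPublisher = 'Adobe Systems Incorporated'
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName

    if ($sig.Status -ne 'Valid' -or -not $sig.SignerCertificate) {
        # NotSigned, HashMismatch, NotTrusted, ... : nothing to compare, flag it.
        return [PSCustomObject]@{
            File = Split-Path -Leaf $Path; Status = "$($sig.Status)"
            Publisher = $null; Issuer = $null; Match = $false
        }
    }

    $cert = $sig.SignerCertificate
    # SimpleName is the CN, i.e. what the UAC dialog prints as the publisher.
    $signer = $cert.GetNameInfo($nameType, $false)
    $issuer = $cert.GetNameInfo($nameType, $true)

    [PSCustomObject]@{
        File      = Split-Path -Leaf $Path
        Status    = "$($sig.Status)"
        Publisher = $signer
        Issuer    = $issuer           # e.g. the code-signing CA named in the posts
        Subject   = $cert.Subject     # carries the locality/country shown on the cert tab
        NotBefore = $cert.NotBefore
        NotAfter  = $cert.NotAfter
        SHA256    = (Get-FileHash -Path $Path -Algorithm SHA256).Hash  # paste into VirusTotal
        Match     = ($signer -eq $ExpectedPublisher)
    }
}

# Usage: the file name claims Flash Player, so the signer should be Adobe's CN.
$result = Test-InstallerSigner -Path '.\installer_adobe_flash_player_English.exe'
$result | Format-List
if (-not $result.Match) {
    Write-Warning "Signed by '$($result.Publisher)', not '$('Adobe Systems Incorporated')'. Do not run it."
}
```

Run it before double-clicking any installer whose name borrows a well-known product; a mismatch between the file name and the signer is exactly the pattern the posts above describe.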

If you are considering running the FASt download got signed file, I’d advise you not to. Delete it instead. Just check out the detections listed by some of the anti-virus programs:

[Screenshot: FASt download got anti-virus report]

Avast reports installer_adobe_flash_player_English.exe as Win32:PUP-gen [PUP], AVG names it Downloader.FFH, CAT-QuickHeal reports Adware.NSIS.OutBrowse.A, DrWeb calls it Trojan.OutBrowse.263, ESET-NOD32 reports Win32/OutBrowse.BU potentially unwanted and McAfee-GW-Edition calls it BehavesLike.Win32.Suspicious.hc.

Did you also find a file digitally signed by FASt download got? What kind of download was it and where did you find it?

Thanks for reading.