Tag Archives: InstallCore

Webcellence Ltd. – Detected by AVG, NOD32 and DrWeb

Hi there! If you’ve been following me for the last year you know that I’ve been examining many software publishers that put a digital signature on their downloads. A few days ago I found another publisher called Webcellence Ltd.

Webcellence Ltd. UAC prompt

To get more details on the publisher, you can view the certificate by right-clicking on the file and looking under the Digital Signatures tab. According to the certificate, Webcellence Ltd. is located in Moshav Ora, Israel, and the certificate is issued by the VeriSign Class 3 Code Signing 2010 CA.

Webcellence Ltd. certificate - adobe_flash_player.exe

The reason I’m writing this blog post is that the Webcellence Ltd. file is detected by a few of the anti-virus programs at VirusTotal. DrWeb classifies adobe_flash_player.exe as Trojan.MulDrop5.38502 and ESET-NOD32 calls it a variant of Win32/InstallCore.QD.

Webcellence Ltd virus total

Although the file is named adobe_flash_player.exe, it’s not the official download for Adobe Flash Player. The real Flash Player installer should be digitally signed by Adobe, not by Webcellence Ltd.

Did you also find a Webcellence Ltd. file? Do you remember the download link? Please post it in the comments below and I’ll upload it to VirusTotal to see if that one is also detected.

Thank you for reading.

ICS Setup – 16% Detection Rate By VirusTotal

Hello! Just a quick post on a file named ChromeSetup.exe signed by ICS Setup before calling it a day. This is how the publisher appears when you run the file:

ICS Setup

To get more details on the publisher, you can view the certificate by right-clicking on the file and looking under the Digital Signatures tab. According to the certificate, ICS Setup seems to be located in Tel-Aviv, Israel, and the certificate is issued by the COMODO Code Signing CA 2.

ICS Setup certificate

Nine of the anti-virus scanners detected the file. Some of the detection names for the ChromeSetup.exe file are W32/InstallCore.AC.gen!Eldorado, BehavesLike.Win32.CryptInno.bc and InstallCore.b (fs).

ICS Setup virustotal

Did you also find an ICS Setup file? What kind of download was it? If you remember the download link, please post it in the comments below.

Thank you for reading.

Advertiso GmbH – 15% Detection Rate at VirusTotal

Found another software publisher that bundles lots of potentially unwanted software. The publisher is called Advertiso GmbH and the file was called adobe-flash-player_setup.exe.

Advertiso GmbH

When I uploaded the file to VirusTotal, it came up with a 15% detection rate.

Advertiso GmbH virustotal

InstallCore seems to be the common detection name for the Advertiso GmbH file.

When I ran the Advertiso GmbH file it offered a bunch of bundled software, such as Web Finder Pro (Site Finder Pro), AdvanceElite, AstroMenda, PennyBee, etc. In addition, it failed to install Adobe’s Flash Player, with the error “Installation encountered errors”:

adobe flash player installer failed - Installation encountered errors

Hope this helped figure out what the Advertiso GmbH installer will do to your system.

If you want to download the Flash Player, please do so from Adobe’s official web site:

http://get.adobe.com/flashplayer/

Did you also find a file from Advertiso GmbH? What kind of download was it? Was it also detected by the anti-virus programs at VirusTotal? Please share in the comments below.

Update 2015-09-10: Found another download signed by Advertiso called chrome_download.exe. The detection rate for that file is 20%:

Advertiso GmbH anti-virus report


Symbolicom Holdings Limited – 7% Detection Rate at VirusTotal

Just wanted to let you know about a publisher called Symbolicom Holdings Limited before going back to writing some code for FreeFixer. When I uploaded the Symbolicom Holdings Limited file, named adobe_flash_player.exe, to VirusTotal it came up with a 7% detection rate.

Symbolicom Holdings Limited certificate for adobe_flash_player.exe

Symbolicom Holdings Limited publisher in the UAC dialog

Symbolicom Holdings Limited Virus Total Report

Some of the detection names are Trojan.MulDrop5, a variant of Win32/InstallCore, and HEUR/Malware.QVM06.Gen.

Although the file name contains “adobe” and “flash” it’s not an official Adobe Flash download. The official Adobe Flash Player should be digitally signed by Adobe Inc.

Did you also find a Symbolicom Holdings Limited download? What kind of download was it?


Information Technology Systems – 16% Detection Rate at VirusTotal

Just a quick post on a fake Flash Player download, named adobe_flash_setup.exe, digitally signed by Information Technology Systems. This download was promoted with the following pop-up:

Faked Flash Update pop up windows

Information Technology Systems seems to be located in Montenegro based on the embedded certificate.

Information Technology Systems certificate, the publisher is located in montenegro

The current detection rate is 16% according to VirusTotal. InstallCore appears to be the most common detection name.

Information Technology Systems virus total report, InstallCore is one of the detection names

Did you also find an Information Technology Systems file? Do you remember where you downloaded it?


Information Technology Systems doo – VirusTotal Report

Just wanted to give you the heads up on a publisher called Information Technology Systems doo.

Information Technology Systems doo Publisher

According to the certificate, the publisher is located in Montenegro:

Information Technology Systems doo Certificate

This is the VirusTotal scan report for the Information Technology Systems doo file:

Information Technology Systems doo - VirusTotal

Generic.DAA and Unwanted-Program are some of the detection names.

Did you also find a file signed by Information Technology Systems doo? What kind of download was it? In my case, the download claimed to be the Flash Player installer.

Update 2014-09-03: Found a file promoted as a Java installer, signed by Information Technology Systems doo:

Information Technology Systems doo

The web page is hosted on softkopro.net. The file is called java_setup.exe and is detected by 10 of the 55 anti-virus programs at VirusTotal.

According to the web page, java_setup.exe is a downloader, rather than the real Java setup file:

“Coinis downloader is distributing a proprietary download manager that will take you to the official download of this program. Prior to taking you to the official download, we will offer optional sponsored software that you may be interested in. You are not required to install any additional software to receive your download.”

Update 2016-09-23: I’ve rescanned the java_setup.exe file. Now the detection rate is 31/57. Based on the scan result over at VirusTotal and by looking at the java_setup.exe executable file, it seems that the file contains the InstallCore software rather than the Coinis downloader, contrary to what the web page at softkopro.net stated.

SuperCool Applications Publisher – Warning

Tonight I found a file claiming to be an installer for Adobe’s Flash Player. However, the file was not signed by Adobe as it should be. Instead SuperCool Applications appeared as the publisher:

SuperCool Applications Publisher

SuperCool Applications also appears under the Digital Signatures tab, and according to the certificate the publisher is located in Tel Aviv, Israel.

SuperCool Applications Digital Signature

Supercool Applications certificate says Tel Aviv, Israel
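The check done by hand in this post and in the other posts on this page (right-click the file, look at the Digital Signatures tab, compare the publisher with the vendor the file name claims) can be scripted. The following is an added example, not code from this blog: it assumes Windows PowerShell 5.1 or later and uses only the built-in Get-AuthenticodeSignature and Get-FileHash cmdlets. The product-to-publisher table and the function name are assumptions for illustration.

```powershell
# Added example, not code from the FreeFixer blog. Requires Windows PowerShell 5.1+
# (Get-AuthenticodeSignature and Get-FileHash are built in).
# The product-to-publisher table is an assumption for illustration: it maps a word
# in the file name to a pattern the signer's subject is expected to contain.

function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)]
        [string]$Path,

        [hashtable]$ExpectedPublisher = @{
            'flash'  = 'Adobe'    # Flash Player installers were signed by Adobe Systems Incorporated
            'chrome' = 'Google'
            'java'   = 'Oracle'
        }
    )

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate        # $null when the file is not signed
    $name = [System.IO.Path]::GetFileName($Path).ToLowerInvariant()

    $report = [pscustomobject]@{
        File       = $name
        Status     = $sig.Status            # Valid, NotSigned, HashMismatch, UnknownError, ...
        Subject    = $cert.Subject          # who signed, e.g. CN=Webcellence Ltd., L=Moshav Ora, ...
        Issuer     = $cert.Issuer           # which CA issued the code-signing certificate
        Thumbprint = $cert.Thumbprint
        SHA256     = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        Verdict    = 'no product claim recognised in the file name'
    }

    # A valid signature only tells you who signed the file. The check that matters here is
    # whether that signer is the vendor the file name pretends to be.
    foreach ($product in $ExpectedPublisher.Keys) {
        if ($name -notlike "*$product*") { continue }

        if ($sig.Status -ne 'Valid') {
            $report.Verdict = "suspicious: name claims '$product' but signature status is $($sig.Status)"
        }
        elseif ($cert.Subject -notmatch $ExpectedPublisher[$product]) {
            $report.Verdict = "suspicious: name claims '$product' but the signer is '$($cert.Subject)'"
        }
        else {
            $report.Verdict = "signer matches the expected publisher for '$product'"
        }
        break
    }
    return $report
}

# Usage: the SHA256 can be pasted into the VirusTotal search box to look up an
# existing report without uploading the file.
Test-InstallerSignature -Path "$env:USERPROFILE\Downloads\adobe_flash_player.exe" | Format-List
```

Two things to keep in mind when reading the output. First, every file on this page carries a signature that Windows reports as Valid; the issuer being VeriSign or COMODO says nothing about what the installer does, only that the CA vetted the name on the certificate. Second, the verdict is based on the name in the certificate, so a file called adobe_flash_player.exe signed by "SuperCool Applications" or "Webcellence Ltd." is flagged, while a genuine Adobe installer passes.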

So, why should you avoid the SuperCool Applications “Flash Player” and instead download Flash from the official site? The anti-virus scanners should convince you:

SuperCool Applications virus total scan result.

Seven of the anti-virus programs detect the SuperCool Applications file, and refer to it as Max Setup, InstallCore, Install Core Click run Software and PUP.Optional.InstallCore.

Hope this helped you to get the official Flash Player and skip the SuperCool Applications download.

Please let me know if you found this blog post useful.