Welcome! Just wanted to give you the heads up on a file called “additionaloffers-setup.exe” that’s digitally signed by TEA TIME BISCUITS.
I found this file on my lab machine after trying out a download from CNet’s Download.com site.
You can view the certificate shown above by right-clicking on the file, choosing Properties and then clicking on the Digital Signatures tab. According to the embedded certificate we can see that TEA TIME BISCUITS seems to be located in San Francisco, California, US and that the certificate is issued by VeriSign Class 3 Code Signing 2010 CA.
So, what's the issue with the TEA TIME BISCUITS file? Just check out the detection list from some of the anti-virus programs:
F-Secure reports additionaloffers-setup.exe as Gen:Variant.Application.Jaik, GData detects it as Gen:Variant.Application.Jaik.8223 and Malwarebytes calls it PUP.Optional.DownloadAdmin.
Did you also find a TEA TIME BISCUITS file? Do you remember where you downloaded it?
Thank you for reading.
Hello! Just a short post before I call it a day. I found yet another file that bundled a bunch of unwanted programs, and the file was signed by Trend Interactive.
It is also possible to check a digital signature by looking at a file’s properties. Here’s a screenshot of the Trend Interactive certificate.
VeriSign has issued the certificate:
When I uploaded the Trend Interactive file to VirusTotal, it came up with a 19% detection rate. The file is detected as PUA/DownloadAdmin.Gen7 by Avira, Gen:Variant.Application.Jaik.8223 by BitDefender and Adware ( 004c86ce1 ) by K7GW.
Did you also find a file digitally signed by Trend Interactive? What kind of download was it and where did you find it?
Hope this blog post helped you avoid some unwanted software on your machine.
Thanks for reading.
Hi there! Just wanted to give you the heads-up on a suspicious file I found just now before having my lunch. The file is named FlashPlayer__6741_i1404957756_il13.exe and digitally signed by SVAN TRANS LLC.
You can also see the SVAN TRANS LLC certificate by looking under the Digital Signatures tab on the file’s properties. According to the certificate, SVAN TRANS LLC is located in Kiev, Ukraine.
The issue is that FlashPlayer__6741_i1404957756_il13.exe is not an official Flash Player download. If it were, it would be digitally signed by Adobe Systems Incorporated, and not by some unknown company from Ukraine.
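The same check can be scripted with PowerShell's `Get-AuthenticodeSignature`, comparing each installer's signer with the publisher its file name implies. This is an added example, not code from the original post; the Downloads folder, the name-to-publisher table and the `Get-SignerOrganization` helper are assumptions for illustration.

```powershell
# Added example, not from the original post. $Folder and the pattern table
# are assumptions; extend the table with the publishers you expect.
$Folder = Join-Path $env:USERPROFILE 'Downloads'
# File-name pattern -> organization (O=) expected in the signer certificate.
$ExpectedPublisher = [ordered]@{
    'FlashPlayer*' = 'Adobe Systems Incorporated'
}

# Hypothetical helper: pull the O= value out of a certificate subject such as
# 'CN=..., O=..., L=..., S=..., C=...'. Values containing commas are quoted.
function Get-SignerOrganization {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    if ($Certificate.Subject -match '(?:^|,\s*)O=(?:"([^"]+)"|([^,]+))') {
        if ($Matches[1]) { return $Matches[1] }
        return $Matches[2].Trim()
    }
    return $null
}

Get-ChildItem -Path $Folder -Filter *.exe -File | ForEach-Object {
    $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
    $cert = $sig.SignerCertificate
    $org  = if ($cert) { Get-SignerOrganization $cert } else { $null }

    # Which publisher does the file name imply, if any?
    $expected = $null
    foreach ($pattern in $ExpectedPublisher.Keys) {
        if ($_.Name -like $pattern) { $expected = $ExpectedPublisher[$pattern]; break }
    }

    $verdict = if ($sig.Status -ne 'Valid') {
        'NoValidSignature'
    } elseif (-not $expected) {
        'NoExpectation'
    } elseif ($org -eq $expected) {
        'PublisherMatches'
    } else {
        'PublisherMismatch'
    }
    [pscustomobject]@{
        File     = $_.Name
        Status   = $sig.Status
        Signer   = $org
        Issuer   = if ($cert) { $cert.Issuer } else { $null }
        Expected = $expected
        Verdict  = $verdict
    }
} | Format-Table -AutoSize
```

A `Valid` status only means the signature chains to a trusted issuer and the file is unmodified; it identifies the signer and says nothing about whether the software is wanted.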
25% of the scanners detected the file. The FlashPlayer__6741_i1404957756_il13.exe file is detected as PUA.Amonetize! by Agnitum, Gen:Variant.Application.Jaik by F-Secure and PUP.Optional.Amonetize by Malwarebytes. Thanks to VirusTotal for the scan report.
Since some of the anti-virus programs detected the SVAN TRANS LLC file, I got curious and decided to test it to see what it installed. After stepping through the installer, Salus Net Protector, RocketTab and My Start Search were disclosed.
Did you also find an SVAN TRANS LLC file? Do you remember the download link? Please post it in the comments below and I’ll upload it to VirusTotal to see if that one is also detected.
Thanks for reading.