Tag Archives: Strictor

LLC DE PROEKT – 39% Detection Rate – Amonetize / Strictor / PUP.Optional.Bundle

Hi there! Short on time this evening, but I just wanted to give you the heads up on a publisher called LLC DE PROEKT.

LLC DE PROEKT publisher

If you have a LLC DE PROEKT file on your machine you may have noticed that LLC DE PROEKT is displayed as the publisher in the UAC dialog when double-clicking on the file. The certificate is issued by COMODO RSA Code Signing CA. The publisher is located in the Ukraine.

LLC DE PROEKT cert

The problem here is that if FlashPlayer__6741_i1561835113_il7532.exe really was a setup file for Adobe Flash Player, it should have been digitally signed by Adobe Systems Incorporated and not by some unknown company. This looks suspicious. Here’s how the authentic Adobe Flash Player looks like when you double click on it. Notice that the “Verified publisher” says “Adobe Systems Incorporated”.
Adobe Systems Incorporated - Adobe Flashplayer Installer

The issue with the LLC DE PROEKT file is that it is detected by many of the antimalware software. Here are some of the detection names: Trojan.Application.Strictor.D164B3, BundleApp.IVU, W32.HfsAdware.B493, Gen:Variant.Application.Strictor, PUP.Optional.Bundle and Amonetize (fs).

LLC DE PROEKT virustotal report

Did you also find a download that was digitally signed by LLC DE PROEKT? What kind of download was it and was it detected by the anti-viruses at VirusTotal? Please share by posting a comment.

Thanks for reading.

Update 2015-08-18: Found another download today, also signed by LLC DE PROEKT and also using “Flash” in the filename to confuse users. The detection rate for this file was 25% according to VirusTotal:

LLC DE PROEKT av report update

 

When I ran the installer it disclosed that it bundled a bitcoin miner or some other type of crypto currency miner:

LLC DE PROEKT bitcoin miner

 

Just a quick update on the certificate chain. It begins with UserTrust, then Comodo and then LLC DE PROEKT:

LLC DE PROEKT certificate chain

App secure LLC – 30% Anti-Virus Detection – SoftPulse / Strictor / HfsAdware / DriverUpd

Hello! If you are a regular here on the FreeFixer blog you know that I’ve been looking on the certificates used to sign files that bundled various types of unwanted software. Today I found another certificate, used by a publisher called App secure LLC.

App secure LLC publisher

Windows will display App secure LLC as the publisher when running the file. Information about a digital signature and the certificate can also be found under the Digital Signature tab. The screenshot below shows the App secure LLC certificate. From the certificate info we can see that App secure LLC appears to be located in Wilmington, Delaware in the US.

App secure LLC certificate

When I uploaded the App secure LLC file to VirusTotal, it came up with a 30% detection rate. The file is detected as Win32:SoftPulse-FZ [PUP] by Avast, W32.HfsAdware.8302 by Bkav, Gen:Variant.Strictor.83505 (B) by Emsisoft, a variant of Win32/SoftPulse.AB potentially unwanted by ESET-NOD32, not-a-virus:Downloader.Win32.DriverUpd.wui by Kaspersky and SoftPulse by Sophos.

App secure LLC virus report

The company web site appears to be APPSECURELLC.COM. Here’s some of the info from the WHOIS database:

Registrant Name: Roberto Blangino 
Registrant Organization: App Software LLC
Registrant Street: 501 Silverside Road, Suite 105 
Registrant City: Wilmington
Registrant State/Province: Delaware
Registrant Postal Code: 19809
Registrant Country: US

I checked some of services that provides domain info based on an IP address, and the following sites appears to be or have been located on the same IP:

  • 123maxmusic.com
  • 88dls.com
  • acpsoftwarellc.com
  • www.magnoplayer.com
  • www.newvideoplayer.com

Did you also find a file that was signed by App secure LLC? What kind of download was it and was it detected by the anti-virus scanners at VirusTotal? Please share in posting comments below.

Thanks for reading.

Jelbrus LLC from The Pirate Bay – 23% Anti-Virus Detection Rate – Strictor / Techsnab / HfsAdware

Welcome! Saturday night post this time 😉 Just wanted to let you know about a publisher called Jelbrus LLC. You may run into this download if you are visiting sites such as The Pirate Bay.

Jelbrus LLC make changes

Information about a digital signature and the certificate can also be found under the Digital Signature tab. According to the embedded certificate we can see that Jelbrus LLC seems to be located in Moscow in Russia and that the certificate is issued by Thawte Code Signing CA – G2.

Jelbrus LLC certificate

So what’s up with Jelbrus? The file I found is, named Breaking_Bad_Season_1_Complete_720p.BRrip.Sujaidr_(pimprg)_.exe, so you might get the impression that this is a download for the famous TV-Series called Breaking Bad. It’s not.

Here’s how the Jelbrus installer looks like if you run the file:

Jelbrus LLC installer

When clicking the Next button a bunch settings are changed and some files are added on your computer. Here’s the interesting stuff from a FreeFixer log:

FreeFixer v1.13 log
http://www.freefixer.com/

Scheduled tasks (39 whitelisted)
================================
Great Performance Ultimate, C:\Program Files (x86)\PrivateVPN\gpup.exe , signer: [unsigned]
Jelbrus Secure Web Task, C:\Program Files (x86)\Jelbrus Secure Web\jswtask.exe , signer: [unsigned]
Malware Cleaner, C:\Users\honeypotter\AppData\Roaming\1265.tmp.exe (file is missing)

Processes (42 whitelisted)
==========================
C:\Windows\mlwps.exe, signer: [unsigned]
C:\Users\HONEYP~1\AppData\Local\Temp\92.tmp.exe, signer: [unsigned]
C:\Program Files (x86)\Jelbrus Secure Web\privoxy.exe, signer: [unsigned]

Services (47 whitelisted)
=========================
Live Malware Protection, Live Malware Protection, c:\windows\mlwps.exe, signer: [unsigned]
PrivoxyService, Privoxy (PrivoxyService), c:\program files (x86)\jelbrus secure web\privoxy.exe, signer: [unsigned]

Recently created/modified files
===============================
20 minutes, c:\Program Files (x86)\Jelbrus Secure Web\mgwz.dll, signer: [unsigned]
20 minutes, c:\Program Files (x86)\Jelbrus Secure Web\privoxy.exe, signer: [unsigned]
20 minutes, c:\Program Files (x86)\Jelbrus Secure Web\jsie.dll, signer: [unsigned]
20 minutes, c:\Program Files (x86)\Jelbrus Secure Web\jswff.exe, signer: Jelbrus LLC [valid]
20 minutes, c:\Program Files (x86)\Jelbrus Secure Web\jsweb64.dll, signer: [unsigned]
20 minutes, c:\Program Files (x86)\Jelbrus Secure Web\jswchromium64.exe, signer: [unsigned]
20 minutes, c:\Program Files (x86)\Jelbrus Secure Web\jsweb.dll, signer: [unsigned]
20 minutes, c:\Program Files (x86)\Jelbrus Secure Web\jswchromium.exe, signer: [unsigned]
20 minutes, c:\Program Files (x86)\Jelbrus Secure Web\jswtask.exe, signer: [unsigned]
20 minutes, c:\Users\honeypotter\AppData\Local\Temp\92.tmp.exe, signer: [unsigned]
21 minutes, c:\Program Files (x86)\PrivateVPN\tasks.dll, signer: [unsigned]
21 minutes, c:\Users\honeypotter\AppData\Local\Temp\tasks.dll, signer: [unsigned]
21 minutes, c:\Program Files (x86)\PrivateVPN\gpup.exe, signer: [unsigned]
21 minutes, c:\Users\honeypotter\AppData\Local\Temp\580C.tmp.exe, signer: [unsigned]
23 minutes, c:\Users\honeypotter\AppData\Local\Temp\1716.tmp.exe, signer: [unsigned]
24 minutes, c:\Users\honeypotter\AppData\Local\Temp\6E23.tmp.exe, signer: [unsigned]

LAN Proxy Settings
==================
*=127.0.0.1:8118

You will also see advertisements while browsing the web labelled “Ad by CouponDropDown“. Here’s the “Ad by CouponDropDown” ads on Google:

Ad by CouponDropDown

So what does the anti-virus scanners at VirusTotal say about Jelbrus’ “Breaking Bad” file? The detection rate is 13/57. Gen:Variant.Strictor.75172, Jelbrus.3C0, Adware/Techsnab.9058, Jelbrus LLC (fs), W32.HfsAdware.307F and Gen:Variant.Strictor.75172 were some of the detection names.

Jelbrus LLC anti-virus report

Did you also find an Jelbrus LLC? Did you also find it at The Pirate Bay?

Thank you for reading.

Install Path Ltd – 25% Detection Rate – Strictor, Amonetize

Hi there! Sorry for the silence for the last days. I’ve been having a few days off.  Anyway, I’m back on the blog again.

Did you just download something to your system digitally signed by Install Path Ltd? Then read on..

Install Path LTD comodo

By examining the embedded certificate, we can see that Install Path Ltd is located in Israel. The certificate is issued by COMODO RSA Code Signing CA. The certificate appears to be quite new.

Install Path Ltd certificate

So, why did I put up this blog post? Well, the thing is that the Install Path Ltd file is detected by many of the scanners, according to VirusTotal. Avast detects Setup__6741_i1454683454_il235.exe as Win32:Rootkit-gen [Rtk], AVG calls it InstallPath.7F5 , Avira detects it as ADWARE/Adware.Gen2, BitDefender calls it Gen:Variant.Adware.Strictor.75886, ESET-NOD32 classifies it as a variant of Win32/Amonetize.CX, Malwarebytes classifies it as PUP.Optional.Bundle and Panda calls it PUP/MultiToolbar.A.

Install Path Ltd virustotal

Did you also find an Install Path Ltd? Do you remember the download link? Please post it in the comments below and I’ll upload it to VirusTotal to see if that one is also detected.

Thank you for reading.

Update 2015-03-03: Found another Install Path file. The detection was almost the same: 28%.