?????????????? - 11% Detection Rate *

Did you just stumble upon a download or a file on your computer that is digitally signed by ??????????????? Some of the security products refers to the detected files as Adware.Mutabaha.779 and Trojan.Generic.16842506. The detection rate for the ?????????????? files collected here is 11%. Please read on for more details.

You will typically notice ?????????????? when running the file. The publisher name is then displayed as the "Verified publisher" in the UAC dialog as the screengrab shows:

Screenshot where ?????????????? appears as the verified publisher in the UAC dialog

You can view the digital signature details for ?????????????? with the following steps:

Open up Windows Explorer and locate the ?????????????? file
Right-click on the file and select Properties
Click the Digital Signatures tab
Click the View Certificate button

Here's a screenshot of a file digitally signed by ??????????????:

Screenshot of the ?????????????? certificate

As you can see in the screengrab above, Windows reports that "This digital signature is OK". This implies that the file has been published by ?????????????? and that no one has tampered with the file.

If you click the View Certificate button shown in the screenshot above, you can see all the details of the certificate, such as when it was issued, who issued the certificate, how long it is valid, etc. You can also view the address for ??????????????, such as the street name, city and country.

GlobalSign CodeSigning CA - G2, GlobalSign CodeSigning CA - SHA256 - G2, WoSign Class 3 Code Signing CA, GlobalSign Extended Validation CodeSigning CA - SHA256 - G3, Thawte Code Signing CA - G2, WoSign Code Signing CA and VeriSign Class 3 Code Signing 2010 CA has issued the ?????????????? certificates. You can also see the details of the issuer by clicking the View Certificate button shown in the screenshot above.

?????????????? Files

The following are the ?????????????? files I've gathered, thanks to the FreeFixer users.

Detection Ratio	File Name
6/54	TSvr.exe
3/56	TSvr.exe
2/54	tsvr.exe
2/55	TSvr.exe
3/55	TSvr.exe
15/56	TSvr.exe
10/57	tsvr.exe
5/56	protectservice.exe
7/57	MiniLite_v6.6.2.2771.exe
9/57	ihpul.exe
13/54	tsvr.exe
1/57	yxqNetHelper1_20160915.exe
16/72	appupdui_03.exe
34/52	mh_ls.exe
16/54	m_soke.exe
6/57	1C6C0B903DF406BFF7108D35736B15DD.exe
3/55	TSvr.exe
9/57	filedown_257921.exe
20/57	Uninstall_20160811.exe
8/47	filedown_241881.exe
2/58	haozip_3.2.exe
10/66	51srcs14.exe
0/57	TSvr.exe
0/55	ArcServer.exe
0/54	mda_ntdrv.sys

Scanner and Detection Names

Here's the detection names for the ?????????????? files. I've grouped the detection names by each scanner engine. Thanks to VirusTotal for the scan results.

Scanner	Detection Names
ALYac	Trojan.Generic.16842506
AVG	FileRepMalware [PUP], Win32/DH{JAMTCg?}
AVware	Adware.Elex, Trojan.Win32.Generic!BT
Ad-Aware	Trojan.Generic.11296648, Trojan.Generic.16842506
AegisLab	Adware.W32.Elex!c, Virus.W32.Gen!c
Agnitum	Riskware.Agent!
AhnLab-V3	PUP/Win32.Generic, PUP/Win32.Elex
AntiVir	TR/Rogue.11271601
Antiy-AVL	GrayWare[AdWare:not-a-virus]/Win32.ELEX, GrayWare[:not-a-virus]/Win32.StartPage.gen
Arcabit	Trojan.Generic.D100FF0A
Avast	Win32:Adware-gen [Adw], Win32:Malware-gen, Win32:Trojan-gen
Avira	ADWARE/ELEX.116368, PUA/Subtab.Gen7, ADWARE/ELEX.oifr
Baidu-International	Adware.Win32.ELEX.GE, Adware.Win32.ELEX.HB
BitDefender	Trojan.Generic.11296648, Trojan.Generic.16842506
Bkav	W32.Clod2fa.Trojan.dc95
CAT-QuickHeal	Downloader.Agent.g5 (Not a Virus), AdWare.Agent
ClamAV	Win.Adware.ELEX-13, Win.Trojan.Agent-1394427
Commtouch	W32/Agent.AP.gen!Eldorado, W32/Downloader-Web-based!Maximu
Comodo	Application.Win32.SearchProtect.~WT, ApplicUnwnt.Win32.Mnhb.A, UnclassifiedMalware, ApplicUnwnt.Win32.Downloader.Updater
CrowdStrike	malicious_confidence_60% (D), win/malicious_confidence_80% (D), malicious_confidence_60% (W)
Cyren	W32/Downloader-Web-based!Maximu, W32/Trojan.YXPJ-6830
DrWeb	Adware.Mutabaha.779, Adware.Mutabaha.1314, Adware.Downware.2734, Trojan.StartPage1.1416, Trojan.Click2.47487
ESET-NOD32	a variant of Win32/ELEX.GE potentially unwanted, a variant of Win32/ELEX.HB potentially unwanted, a variant of Win32/ELEX.GK potentially unwanted, a variant of Win32/Meinhudong.A, a variant of Win32/AceDeceiver.A
Emsisoft	Trojan.Generic.11296648 (B), Trojan.Generic.16842506 (B)
Endgame	malicious (high confidence)
F-Prot	W32/Agent.AP.gen!Eldorado, W32/Downloader-Web-based!Maximu
F-Secure	Trojan.Generic.11296648, Trojan.Generic.16842506
FireEye	Generic.mg.d26410a0f6abb08e
Fortinet	Adware/ELEX, W32/Agent.NPR!tr.dldr, W32/Dloader.NSIS!tr, W32/AceDeceiver.A!tr
GData	Win32.Application.Agent.34EOTW, Win32.Application.SearchProtect.AA@gen, Win32.Application.Agent.66DJBQ, Trojan.Generic.11296648, Trojan.Generic.16842506, Win32.Trojan.Agent.6QFMQR
Ikarus	Trojan-Downloader.Win32.Adload, Trojan.Agent, PUA.Meinhudong, Trojan.Win32.Acedeceiver, Win32.SuspectCrc, PUA.XYLauncher
Invincea	heuristic, virus.win32.parite.b
Jiangmin	AdWare.ELEX.dg
K7AntiVirus	Adware ( 004e02bd1 ), Adware ( 004ef82d1 ), Riskware ( 0040eff71 ), Unwanted-Program ( 00454f261 ), Virus ( 8630feb90 )
K7GW	Adware ( 004e02bd1 ), Adware ( 004ef82d1 ), Riskware ( 0040eff71 ), Unwanted-Program ( 00454f261 )
Kaspersky	not-a-virus:AdWare.Win32.ELEX.gk, not-a-virus:Downloader.NSIS.Agent.fr
MAX	malware (ai score=93)
Malwarebytes	PUP.Optional.MiniLite.A, PUP.Optional.Elex, PUP.Optional.Bundle
McAfee	Artemis!BB9643D5573E, Artemis!D0A4FD099B7E, Artemis!B916CCD9AE80, Artemis!D26410A0F6AB, Artemis!1C07794FB8C7, Artemis!F0480841F1A5, Artemis!1C6C0B903DF4, Artemis!BAEF3EE563EA, Artemis!EB9611A299DD
McAfee-GW-Edition	Artemis, BehavesLike.Win32.Suspicious.hc, Artemis!PUP, Artemis!Trojan, Artemis!1C07794FB8C7, Artemis!EB9611A299DD
MicroWorld-eScan	Trojan.Generic.11296648, Trojan.Generic.16842506
Microsoft	BrowserModifier:Win32/SupTab, TrojanDownloader:Win32/Adload.DL!bit, PUA:Win32/Youxun
NANO-Antivirus	Trojan.Nsis.Agent.cxpogi, Trojan.Nsis.StartPage.dczvgc
Norman	Startpage.!genr
Panda	Generic Suspicious, Trj/Genetic.gen
Rising	PUA.ELEX!8.E6-p4XkdgYcJaN (Cloud), Downloader.Adload!8.D1 (CLOUD), Malware.Undefined!8.C-Q75zgGJuseF (cloud), Malware.Undefined!8.C-28edPdzB9VP (cloud), PUA.XYLauncher!8.300F (CLOUD)
SUPERAntiSpyware	Adware.Downware/Variant, Trojan.Agent/Gen-Downloader
SentinelOne	DFI - Suspicious PE
Sophos	Generic PUA LN (PUA), Troj/StartP-HW, Mal/Generic-S, Generic PUA PG (PUA)
Symantec	PUA.SearchProtect, Trojan.Gen.2, ML.Attribute.HighConfidence, WS.Reputation.1, Trojan.ADH.2, Trojan.ADH
Tencent	Win32.Adware.Elex.Hqlp, Win32.Adware.Adspread.Ezpm
TrendMicro	ADW_AGENT
TrendMicro-HouseCall	ADW_AGENT, Suspicious_GEN.F47V0807, TROJ_GEN.F47V1114, Suspicious_GEN.F47V0512
VBA32	Downloader.Agent
VIPRE	Adware.Elex (not malicious), Trojan.Win32.Generic!BT
ViRobot	Trojan.Win32.Z.Suspectcrc.818144[h]
Webroot	W32.Adware.Gen
Zillya	Adware.BrowseFox.Win32.136082, Adware.ELEX.Win32.1, Adware.PatchedCRTD.Win32.365
eGambit	Unsafe.AI_Score_99%
nProtect	Trojan.Generic.11296648

* How the Detection Percentage is Calculated

The detection percentage is based on that I have gathered 1820 scan reports for the ?????????????? files. 201 of these scan reports came up with some sort of detection. If you like, you can view the full details of the scan results by examining the files listed above.

Analysis Details

The analysis has been done on certificates with the following serial numbers:

112188c06ce42fec143689eb8c1dfd2b586c
1121f16ff0116d0f7caa5f06d836157bca02
1121eed58e5f3b9897a9e54316de64fbf98c
1121d0e3a5adf02c8e55d614d3556cd00e39
0323d4fa827f76
339c47b220644dd395ed0818
0c39ba73c647846d6c0c7e219cdb3163
1121489eb7d6639a5b0cb949a9c319c024fe
22f24024c2800bad3711bca7be4e1f7b
11d208d5878e4d25734d335f71c64a5d
02063d256ef565e68a3fe498399fd60f
1121ea6e421b9b3ef75718e91fcd4a60a14e
6e09c52a1e2f531e2a1513e8dc994139
0ad643854376c0595a51fe449d7a7a64

Comments

No comments posted yet.