???????????? - 26% Detection Rate *

Did you just stumble upon a download or a file on your computer that has been digitally signed by ????????????? Some of the security products refers to the detected files as Generic.2EE and Trojan.Generic.14850570. The detection rate for the ???????????? files collected here is 26%. Please read on for more details.

You'll probably notice ???????????? when double-clicking to run the file. The publisher name is then displayed as the "Verified publisher" in the UAC dialog as the screenshot shows:

Screenshot where ???????????? appears as the verified publisher in the UAC dialog

You can view the digital signature details for ???????????? with the following steps:

Open Windows Explorer and locate the ???????????? file
Right-click on the file and select Properties
Click on the Digital Signatures tab
Click on the View Certificate button

Here is a screenshot of a file that has been signed by ????????????:

Screenshot of the ???????????? certificate

As you can see in the screencap above, Windows reports that "This digital signature is OK". This means that the file has been published by ???????????? and that no one has tampered with the file.

If you click the View Certificate button shown in the screengrab above, you can view all the details of the certificate, such as when it was issued, who issued the certificate, how long it is valid, and so on. You can also see the address for ????????????, such as the street name, city and country.

VeriSign Class 3 Code Signing 2010 CA, Thawte Code Signing CA - G2, WoSign Class 3 Code Signing CA and Thawte Code Signing CA has issued the ???????????? certificates. You can also see the details of the issuer by clicking the View Certificate button shown in the screenshot above.

???????????? Files

The following are the ???????????? files I have gathered, thanks to the FreeFixer users.

Detection Ratio	File Name
3/54	KZipShell.dll
1/55	tslog.exe
3/57	kuaizipdrive.sys
2/55	KZipShell.dll
3/57	kuaizipdrive.sys
6/57	kuaizipupdatechecker.dll
38/56	guagua_23103204850.exe
7/60	KZipShell.dll
3/61	kuaizipdrive.sys
41/61	ktpop3.exe
28/43	crsing.dll
1/55	tslog.exe
5/56	Update.exe
2/57	KZipShell.dll
47/71	mininews-3.exe
1/56	jyueservice.exe
2/57	Update.exe
7/56	setup_10002.exe
0/56	memudrv.sys
0/56	windroyeboxdrv.sys
0/56	auds.exe

Scanner and Detection Names

Here is the detection names for the ???????????? files. I have grouped the detection names by each scanner engine. Thanks to VirusTotal for the scan results.

Scanner	Detection Names
ALYac	Trojan.Generic.14850570, Gen:Variant.Adware.Tpop.1
AVG	Generic.2EE, Generic_r.ATN, Agent3.BLK, Generic.4F7, FileRepMetagen [Adw]
AVware	Trojan.Win32.Generic!BT
Ad-Aware	Trojan.Generic.14850570, Gen:Variant.Adware.Tpop.1, Gen:Variant.Application.Strictor.172413
AegisLab	Virus.Gen!c, Virus.Gen\|2\|102!c, Virus.E3F.Gen!c
Agnitum	Riskware.GuaGua!
AhnLab-V3	Adware/Win32.PornTool, PUP/Win32.Amonetize.R196578, PUP/Win32.KuaiZip.C2722773
Alibaba	AdWare:Win32/KuziTui.fccc3d7d
AntiVir	TR/Proxy.Gen
Antiy-AVL	GrayWare[Porn-Tool]/Win32.GuaGua.q, GrayWare[AdWare]/Win32.Agent, Trojan/Win32.Feiyo.gen, GrayWare[AdWare]/Win32.KuaiZip
Arcabit	Trojan.Generic.DE29A0A, Trojan.Adware.Tpop.1, Trojan.Application.Strictor.D2A17D
Avast	Win32:Adware-gen [Adw], Win32:Malware-gen
Avast5	Win32:Malware-gen
Avira	TR/BAS.Dloader.izzgy, PUA/KuaiZip.Gen
BitDefender	Trojan.Generic.14850570, Gen:Variant.Adware.Tpop.1, MemScan:Trojan.Generic.5835834, Gen:Variant.Application.Strictor.172413
Bkav	W64.HfsAdware.C51A, W32.HfsAdware.C51A, W32.HfsAdware.4B8A, W32.HfsAdware.5D5A
CAT-QuickHeal	Porn-Tool.GuaGua.g4 (Not a Virus), Pua.Agent, Trojan.Mauvaise.SL1
Commtouch	W32/StartPage.AB.gen!Eldorado
Comodo	UnclassifiedMalware, Application.Win32.KuaiZip.D, ApplicUnwnt@#152s52zzi2ztx
CrowdStrike	malicious_confidence_80% (D), win/malicious_confidence_100% (D)
Cybereason	malicious.254271
Cylance	Unsafe
Cyren	W32/S-51653d07!Eldorado, W32/Adware.DCSH-0467, W32/S-13b12031!Eldorado
DrWeb	DLOADER.Trojan, Adware.Downware.9861, Trojan.DownLoader23.59620
ESET-NOD32	a variant of Win32/PornTool.GuaGua.A potentially unsafe, a variant of Win32/KuaiZip.D potentially unwanted, a variant of Win32/KuaiZip.B potentially unwanted, a variant of Win32/Bang5mai.A potentially unwanted, Win32/HongdaWanfang.A potentially unwanted
Emsisoft	Trojan.Generic.14850570 (B), Gen:Variant.Adware.Tpop.1 (B), Gen:Variant.Application.Strictor.172413 (B), Trojan.NSIS.Androm.8 (B)
Endgame	malicious (high confidence)
F-Prot	W32/S-51653d07!Eldorado, W32/StartPage.AB.gen!Eldorado, W32/S-13b12031!Eldorado
F-Secure	Trojan.Generic.14850570, Gen:Variant.Adware.Tpop, MemScan:Trojan.Generic.5835834, PotentialRisk.PUA/KuaiZip.Gen
FireEye	Generic.mg.1d84f67254271c84
Fortinet	Riskware/PornTool_GuaGua, Riskware/KuaiZip, W32/Msock.AF!tr.bdr, W32/PossibleThreat
GData	Trojan.Generic.14850570, Gen:Variant.Adware.Tpop.1, MemScan:Trojan.Generic.5835834, Gen:Variant.Application.Strictor.172413
Ikarus	not-a-virus:Porn-Tool.Win32.GuaGua, Trojan-Proxy
Invincea	heuristic, trojan.win32.dorv.b!rfn
Jiangmin	Porn-Tool.GuaGua.c, RiskTool.KuaiZip.g, Adware.Agent.yit, Trojan/Agent.ewkn, AdWare.KuaiZip.bf
K7AntiVirus	Riskware ( 0040eff71 ), Unwanted-Program ( 004bae261 ), Unwanted-Program ( 004f96bc1 ), Riskware, Unwanted-Program ( 004e256d1 ), Adware ( 004f7e1c1 )
K7GW	Riskware ( 0040eff71 ), Unwanted-Program ( 004bae261 ), Unwanted-Program ( 004f96bc1 ), Unwanted-Program ( 004e256d1 ), Adware ( 004f7e1c1 )
Kaspersky	not-a-virus:Porn-Tool.Win32.GuaGua.q, not-a-virus:RiskTool.Win32.KuaiZip.a, not-a-virus:AdWare.Win32.Agent.xxdfaq, Trojan.Win32.Agent.huno, not-a-virus:HEUR:AdWare.Win32.KuziTui.gen
MAX	malware (ai score=99)
Malwarebytes	Trojan.Chad.GS, Adware.Kuaiba, PUP.Optional.ChinAd
McAfee	GenericR-DJK!93CD490F4FDD, Artemis!DF71EA80B6F4, Artemis!0E88F2B8A753, Adware-KZip
McAfee-GW-Edition	GenericR-DJK!93CD490F4FDD, Artemis!PUP, Artemis!0E88F2B8A753, Adware-KZip
MicroWorld-eScan	Trojan.Generic.14850570, Gen:Variant.Adware.Tpop.1, Gen:Variant.Application.Strictor.172413
Microsoft	PUA:Win32/KuaiZip
NANO-Antivirus	Riskware.Win32.Downware.dqvuno, Riskware.Win32.KuaiZip.fhvuuo
Norman	W32/Suspicious_Gen2.EPKBC
PCTools	Trojan.ADH
Panda	Trj/CI.A, Generic Trojan, Trj/Genetic.gen
Rising	Malware.Generic.5!tfe (thunder:5:PY3L1EIqerU) , PUF.KuaiZip!8.2F40 (CLOUD)
SUPERAntiSpyware	Adware.TPOP/Variant
SentinelOne	static engine - malicious, DFI - Malicious PE
Sophos	Generic PUA PF (PUA), Generic PUA DI (PUA), Generic PUA DP (PUA)
Symantec	Trojan.Gen.2, SecurityRisk.gen1, Trojan.ADH, ML.Attribute.HighConfidence
TheHacker	Trojan/Downloader.Feiyo.j
TotalDefense	Heur/TrojanHorse.ZCIH!suspicious
TrendMicro	TROJ_GEN.R0EBC0OF915, TROJ_GEN.R0C1C0VC417
TrendMicro-HouseCall	TROJ_GEN.R0C1C0VC417
VBA32	AdWare.Agent, Trojan.Agent.huno, BScope.Downloader.KuziTui
VIPRE	Trojan.Win32.Generic!BT
ViRobot	Adware.Tpop.1218456.A[h], Adware.Kuaizip.2625560.B
VirusBuster	Trojan.Agent!iVTlt0iPLno
Webroot	Malicious, W32.Adware.Gen
Yandex	PUA.Agent!, PUA.KuaiZip!
Zillya	Adware.Ocna.Win32.17284, Tool.GuaGua.Win32.3, Adware.Agent.Win32.127296, Adware.KuaiZip.Win32.55
ZoneAlarm	not-a-virus:RiskTool.Win32.KuaiZip.a, not-a-virus:AdWare.Win32.Agent.xxdfaq, not-a-virus:HEUR:AdWare.Win32.KuziTui.gen
eGambit	Unsafe.AI_Score_99%
eSafe	Win32.Agent.DV.Bdr
eTrust-Vet	Win32/FeiYu_dc
nProtect	Trojan.Generic.14850570, Trojan-Downloader/W32.Feiyo.126872

* How the Detection Percentage is Calculated

The detection percentage is based on the fact that I have collected 7819 scan results for the ???????????? files. 2052 of these scan results came up with some sort of detection. You can review the full details of the scan results by examining the files listed above.

Analysis Details

The analysis has been done on certificates with the following serial numbers:

02b30ee595ad3bbe219e68dc6a431af2
1eca4d827ec25fb144574cef9de92c0e
1d2615e7efe5a00c8e24594052492b2e
1836ebbb13b8b77726995d8ed6da598a
078fd1480ad29272fb1f57614e67020e
2789c265abb2786a45f53dd5ca05047b
2fc9b15a59c9ef86432b0736cb16596a
5528d5543296bfe427d43b8ddc0a20c7
351b6b2992efb3fee7663a909dacf031

Comments

No comments posted yet.