TOV "SOFT LIGHT" - 24% Detection Rate *
Did you just find a download or a file on your computer that is digitally signed by TOV "SOFT LIGHT"? Some of the security products refers to the detected files as Unwanted-Program ( 004d83611 ) and Generic.DE1. The detection rate for the TOV "SOFT LIGHT" files collected here is 24%. Please read on for more details.
You'll typically notice TOV "SOFT LIGHT" when double-clicking to run the file. The publisher name shows up as the "Verified publisher" in the UAC dialog as the screencap shows:
You can view the additional details from the TOV "SOFT LIGHT" digital signature with the following procedure:
- Open up Windows Explorer and locate the TOV "SOFT LIGHT" file
- Right-click the file and select Properties
- Click on the Digital Signatures tab
- Click the View Certificate button
Here's a screenshot of a file that has been digitally signed by TOV "SOFT LIGHT":
As you can see in the screenshot above, Windows states that "This digital signature is OK". This means that the file has been published by TOV "SOFT LIGHT" and that the file has not been tampered with.
If you click the View Certificate button shown in the screenshot above, you can view all the details of the certificate, such as when it was issued, who issued the certificate, how long it is valid, etc. You can also view the address for TOV "SOFT LIGHT", such as the street name, city and country.
COMODO RSA Code Signing CA has issued the TOV "SOFT LIGHT" certificates. You can also see the details of the issuer by clicking the View Certificate button shown in the screenshot above.
TOV "SOFT LIGHT" Files
The following are the TOV "SOFT LIGHT" files I have collected, thanks to the FreeFixer users.
| Detection Ratio | File Name |
|---|---|
| 13/55 | FM 2115 Care and Use of Individual Clothing and Equipment Department of the Army (1977)__15022_i1765308129_il462382.exe |
Scanner and Detection Names
Here is the detection names for the TOV "SOFT LIGHT" files. I've grouped the detection names by each scanner engine. Thanks to VirusTotal for the scan results.
| Scanner | Detection Names |
|---|---|
| AVG | Generic.DE1 |
| Avira | ADWARE/Amonetize.Gen |
| Baidu-International | PUA.Win32.Amonetize.MD |
| DrWeb | Trojan.Amonetize.11110 |
| ESET-NOD32 | a variant of Win32/Amonetize.MD potentially unwanted |
| Fortinet | Riskware/Amonetize |
| K7AntiVirus | Unwanted-Program ( 004d83611 ) |
| K7GW | Unwanted-Program ( 004d83611 ) |
| Malwarebytes | PUP.Optional.Amonetize |
| McAfee | Artemis!B9AE82EAD30E |
| McAfee-GW-Edition | Artemis |
| Qihoo-360 | Win32/Virus.Adware.8ff |
| SUPERAntiSpyware | PUP.Amonetize/Variant |
* How the Detection Percentage is Calculated
The detection percentage is based on that I have gathered 55 scan results for the TOV "SOFT LIGHT" files. 13 of these scan reports came up with some sort of detection. If you like, you can review the full details of the scan reports by examining the files listed above.
Analysis Details
The analysis is done on certificates with the following serial numbers:
- 00ff3aa7b5600e09fb8898ab099f8a70d9
Comments
Bo Standler writes
Microsoft Security Essentials lists the virus type as SoftwareBundler:Win32/Mizenota and has been renamed as SoftwareBundler:Win32/Amonetize with a severity rating of SEVERE.
The Certification values that I have discovered are as follows:
right-click -> properties -> Digital Properties:
[Name of signer:] TOV "SOFT LIGHT"
[E-mail address:] laytsoft@layt-soft.com.ua
[Timestamp:] 11/12/2015 10:15:13 AM
click <Details>
Under the [General] tab
(Signer Information):
[Name:] TOV "SOFT LIGHT"
[E-mail:] laytsoft@layt-soft.com.ua
[Signing time:] 11/12/2015 10:15:13 AM
(Countersignatures):
[Name:] Symantec Time Stamping Services Signer - G4,
[E-mail address:] Not available
[Timestamp:] 11/12/2015 10:15:13 AM
In the [General] tab, under (Signer information), click <View Certificate>
[General] Tab:
[Issued to:] TOV "SOFT LIGHT"
[Issued by:] COMODO RSA Code Signing CA
[Valid from] 09/ 19/ 2015 TO 09/ 19/ 2016
[Details] Tab:
[Version] V3
[Serial number] 00 ff 3a a7 b5 60 0e 09 fb 88 98 ab 09 9f 8a 70 d9
[Signature algorithm] sha256RSA
[Signature hash algorithm] sha256
[Issuer]
CN = COMODO RSA Code Signing CA
O = COMODO CA Limited
L = Salford
S = Greater Manchester
C = GB
[Valid from] 09/19/2015 7:00:00 PM
[Valid to] 09/19/2016 6:59:59 PM
[Subject]
CN = TOV "SOFT LIGHT"
OU = IT
O = TOV "SOFT LIGHT"
STREET = 03127, m.Kiїv, AVENUE 40 RІCHCHYA Zhovtnya, Budinok 122, Building 1, Apartment 73
L = Kiev
S = Kiev
PostalCode = 03127
C = UA
[Public key]
30 82 01 0a 02 82 01 01 00 d4 d9 8a 8b ac 2c c1 c5 4b e9 84 cd 07 91 0a 5d e1 ec 6d a2 8e 42 98 9f 16 b9 9b e1 da c7 82 62 4d 61 4e 92 56 16 1f 8d 74 50 cb e8 1b e1 ec f7 a2 cd 26 4c 88 1a ee 8c 88 3d 1f 47 4c 5c c6 e8 27 1e 2b 70 fb 75 5f b6 1f 47 46 b7 93 35 fc b2 24 53 02 3f 11 81 71 a2 2c fc 63 6f c3 a2 8c ed 22 40 87 0a db 65 78 73 8c ca 5d ce dc 01 fd 16 0e 38 1a d2 36 2e df 85 0c 33 2b 94 b6 d7 7f 6c e3 4d 4a a0 16 29 18 df ea 99 98 c8 c1 25 d2 d0 19 fe 02 92 5a b5 eb b5 ed f6 20 34 a6 73 05 10 4a a5 41 af 67 e0 84 ba aa cb de fc 94 da 58 b7 d1 ef ae 52 01 f9 b7 b5 00 8c 26 df 08 38 af bf 3e 00 91 55 2a cc f7 f6 28 f8 af 34 51 bf 1b 39 4d 5f ae d6 02 be 66 ad 0b 0a 6f f9 a2 00 aa 6d a0 13 2e a3 76 83 bf ae 67 a7 d8 f8 18 7d fb e2 35 b6 c0 8f ff cf 35 c5 e9 9d a7 13 bb 1f 4d 01 02 03 01 00 01
[Authority Key Identifier] KeyID=29 91 60 ff 8a 4d fa eb f9 a6 6a b8 cf f9 e6 4b bd 49 ce 12
[Subject Key Identifier] 90 fd ea c5 99 15 f3 b3 2e 5e 1f b4 2d eb 83 ea 55 40 2a b2
[Enhanced Key Usage] Code Signing (1.3.6.1.5.5.7.3.3)
[Netscape Cert Type] Signature (10)
[Certificate Policies] [1]Certificate Policy:
Policy Identifier=1.3.6.1.4.1.6449.1.2.1.3.2
[1,1]Policy Qualifier Info:
Policy Qualifier Id=CPS
Qualifier:
https :/ / secure. comodo. net/ CPS
[CRL Distribution POINTS] [1]CRL Distribution Point
Distribution Point Name:
Full Name:
URL=http :/ / crl. comodoca. com/ COMODORSACodeSigningCA.crl
[Authority Information Access] [1]Authority Info Access
Access Method=Certification Authority Issuer (1.3.6.1.5.5.7.48.2)
Alternative Name:
URL=http :/ / crt. comodoca. com/ COMODORSACodeSigningCA.crt
[2]Authority Info Access
Access Method=On-line Certificate Status Protocol (1.3.6.1.5.5.7.48.1)
Alternative Name:
URL=http : // ocsp. comodoca. com
[Subject Alternative Name] RFC822 Name=laytsoft@layt-soft.com.ua
[Key Usage] Digital Signature (80)
[Basic Constraints] Subject Type=End Entity
Path Length Constraint=None
[Thumbprint algorithm] sha1
[Thumbprint] 7c 5b 0c de 8b 47 b9 8f e7 83 1e 18 c8 b9 10 35 73 97 09 a0
[Extended Error Information] Revocation Status : OK. Effective Date <12/05/2015 9:20:55 PM> Next Update <12/09/2015 9:20:55 PM>
[Certification Path] tab:
COMODO SECURE (TM)
...|_ COMODO RSA Code Signing CA
.........|_ TOV "SOFT LIGHT"
Each of the listed certificates can be clicked on, and the details brought up on each. The dates for each one does not coincide with the TOV "SOFT LIGHT" certificate, which I thought was interesting.
I am unsure if anyone else has looked this deep into the certificate(s), but I just wanted to throw this information out there for anyone that may be interested, or wants/wanted more information.
# 6 Dec 2015, 0:21
Roger Karlsson writes