Hi there! If you are a regular here on the FreeFixer blog you know that I’ve been looking on the certificates used to sign files that bundled various types of unwanted software. Today I found another certificate, used by a publisher called Advertaizing Grupp.
You can view the certificate by right-clicking on the file, and looking under the Digital Signature tab: According to the embedded certificate we can see that Advertaizing Grupp is located in Russia and that the certificate is issued by COMODO RSA Code Signing CA.
What caught my attention was that the download was called adobe_flash_setup.exe. This might look like an official Adobe Flash Player download, but it is not. If it was an official download, it would be signed by Adobe Systems Incorporated. Here’s how the authentic Adobe Flash Player looks like when you double click on it. Notice that the “Verified publisher” says “Adobe Systems Incorporated”.
So, what does the anti-virus programs say about the Advertaizing Grupp file? No problem, I just uploaded the file to VirusTotal and it turned out that many of the anti-virus programs detects the Advertaizing Grupp file, with names such as Win32:Rootkit-gen [Rtk], Adware/InstallCo.zlz, Trojan.InstallCore.57, Trojan ( 004b4b721 ), Riskware.Win32.InstallCore.dnxkbc and Win32/Tnega.MFNTaRB.
Did you also find a download that was digitally signed by Advertaizing Grupp? What kind of download was it and was it detected by the anti-virus progams at VirusTotal? Please share in posting comments below.
Hope this blog post helped you avoid some unwanted software on your machine.
Thank you for reading.
Right around 2/19/2015, I was infected with cryptowall 03. I have now found a file in my c:/users/appdata/roaming called 5.exe with the digital signature of Polyanskaya Irina.
Sounds odd to me. Any thoughts?