Category Archives: digital signature

Safemode Install (Fried Cookie Ltd) – 18% Detection Rate – InstallCore

Hi there! Just a short post on a publisher called Safemode Install (Fried Cookie Ltd). I just found a download named chrome-download.exe that was digitally signed by this publisher, and it turns out that it is detected by some anti-virus programs.

Safemode Install Fried Cookie Ltd certificate

By looking at the certificate we can see that Safemode Install (Fried Cookie Ltd) appears to be located in Israel. GlobalSign has issued the certificate.

The issue here is that if chrome-download.exe really was a setup file for Google Chrome, it would be digitally signed by Google Inc. and not by some unknown company. I think this looks suspicious. Here’s what the authentic Google Chrome looks like when you double click on it. Notice that the “Verified publisher” says “Google Inc”.
Chrome Google Inc publisher

So, why did I put up this blog post? Well, the thing is that the Safemode Install (Fried Cookie Ltd) file is detected by many of the scanners, according to VirusTotal. ESET-NOD32 detects it as a variant of Win32/InstallCore.ADE potentially unwanted, Malwarebytes detects it as PUP.Optional.InstallCore, AVG names chrome-download.exe as InstallCore.F22 and Sophos detects it as Install Core Click run software (PUA).

Safemode Install (Fried Cookie Ltd) anti-virus report

Did you also find a file digitally signed by Safemode Install (Fried Cookie Ltd)? What kind of download was it and where did you find it?

Thanks for reading.
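
The check described in this post, comparing the publisher a file name implies with the publisher that actually signed it, can be scripted. The following is an added example, not part of the original post and not FreeFixer code; the function name `Test-ClaimedPublisher` and the file-name patterns are assumptions, and the expected publisher names are the ones quoted in the posts on this page, so update them to whatever the vendor currently signs with.

```powershell
# Added example. Expected publishers are the names quoted in the posts on this
# page; the file-name patterns and function name are assumptions for illustration.
$ExpectedPublisher = [ordered]@{
    '*chrome*'      = 'Google Inc'
    '*flashplayer*' = 'Adobe Systems Incorporated'
}

function Test-ClaimedPublisher {
    param([Parameter(Mandatory)][string]$Path)

    # Same data the Digital Signatures tab shows: status, signer and issuing CA.
    $sig    = Get-AuthenticodeSignature -LiteralPath $Path
    $cert   = $sig.SignerCertificate
    $signer = if ($cert) { $cert.GetNameInfo('SimpleName', $false) } else { $null }
    $issuer = if ($cert) { $cert.GetNameInfo('SimpleName', $true) }  else { $null }

    # Which product does the file name claim to be?
    $name     = [System.IO.Path]::GetFileName($Path)
    $expected = $null
    foreach ($pattern in $ExpectedPublisher.Keys) {
        if ($name -like $pattern) { $expected = $ExpectedPublisher[$pattern]; break }
    }

    # A valid signature only proves who signed the file, so compare names too.
    $verdict = if ($sig.Status -ne 'Valid') { "Signature status is $($sig.Status)" }
        elseif (-not $expected)             { 'No expected publisher on record' }
        elseif ($signer -eq $expected)      { 'Signer matches expected publisher' }
        else                                { "MISMATCH: expected '$expected'" }

    [pscustomobject]@{
        File = $name; Status = $sig.Status; Signer = $signer
        Issuer = $issuer; Expected = $expected; Verdict = $verdict
    }
}

# Usage: review every executable in the Downloads folder.
Get-ChildItem -LiteralPath "$env:USERPROFILE\Downloads" -Filter *.exe |
    ForEach-Object { Test-ClaimedPublisher -Path $_.FullName } |
    Format-Table -AutoSize
```

A file like the chrome-download.exe described above would come back with a `Valid` status and a `MISMATCH` verdict: the signature verifies, but the signer is not the publisher the name implies.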

MaxAgile (New Media Holdings Ltd.) – 9% Detection Rate – InstallCore

Hi there! Just a short post on a publisher called MaxAgile (New Media Holdings Ltd.) before going back to some coding on FreeFixer.

MaxAgile New Media Holdings Ltd certificate

You can also check who signed a file by checking the digital signature tab. According to the embedded certificate we can see that MaxAgile (New Media Holdings Ltd.) seems to be located in Tel Aviv, Israel and that the certificate is issued by GlobalSign CodeSigning CA – G2.

MaxAgile GlobalSign

The issue is that chrome-download.exe is not an official Google Chrome download. If it was, it should be digitally signed by Google Inc. Here’s what the authentic Google Chrome looks like when you double click on it. Notice that the “Verified publisher” says “Google Inc”.
Chrome Google Inc publisher

The scan result from VirusTotal below clearly shows why you should avoid the MaxAgile (New Media Holdings Ltd.) file. It is detected under names such as Trojan.InstallCore.1364, PUP.Optional.InstallCore and InstallCore (fs).

MaxAgile anti-virus report

Did you also find a MaxAgile (New Media Holdings Ltd.) file?

Thanks for reading.

LLC “B2B SOFT UA” – 14% Detection Rate

Hello readers! Just a short post before I call it a day. I found yet another file that bundled a bunch of unwanted programs, and the file was signed by LLC “B2B SOFT UA”.

LLC B2B SOFT UA publisher

You will also see LLC “B2B SOFT UA” listed as the verified publisher in the User Account Control dialog that pops up if you try to run the file. The certificate is issued by COMODO RSA Code Signing CA. The company is located in Kiev, Ukraine:

LLC B2B SOFT UA certificate

The VirusTotal report shows that the LLC “B2B SOFT UA” file should be avoided, since How I Met Your Mother S09E22 HDTV x264KILLERS[ettv]__15022_i1707449201_il379351.exe is detected as ADWARE/Amonetize.Gen by Avira, PE:Malware.RDM.15!5.15[F1] by Rising, HEUR/QVM10.1.Malware.Gen by Qihoo-360 and Trj/Genetic.gen by Panda.

LLC B2B SOFT UA virus report

Did you also find a LLC “B2B SOFT UA” file? What kind of download was it? If you remember the download link, please post it in the comments below.

Thanks for reading.

Arkhigrad Proekt, TOV – 9% Detection Rate

Hello readers! Just wanted to give you the heads up on a publisher called Arkhigrad Proekt, TOV. Here’s how Arkhigrad Proekt, TOV appears in the UAC dialog when double-clicking on the Download__15022_i1683705761_il3.exe file:

Arkhigrad Proekt, TOV publisher

You can also view the certificate by right-clicking on the file, and looking under the Digital Signature tab. According to the embedded certificate we can see that Arkhigrad Proekt, TOV is located in Simferopol, Ukraine/Russia and that the certificate is issued by COMODO RSA Code Signing CA.

Arkhigrad Proekt, TOV certificate

Generic.3ED, ADWARE/Amonetize.Gen and PUP.Optional.Amonetize are some detection names according to VirusTotal:

Arkhigrad Proekt, TOV anti-virus report

Did you also find a file digitally signed by Arkhigrad Proekt, TOV? Where did you find it and are the anti-virus programs detecting it? Please share in the comments below.

Thank you for reading.

Hummingbird Limited – 26% Detection Rate At VirusTotal

Hello! Just a quick post today, since I’m busy working with the next release of FreeFixer. Did you see a file, such as vlc-media-player.exe, on your system digitally signed by Hummingbird Limited? Then read on..

Hummingbird Limited publisher

The certificate information can also be viewed from Windows Explorer. According to the embedded certificate we can see that Hummingbird Limited is located in Oakland in California, US and that the certificate is issued by VeriSign Class 3 Code Signing 2010 CA.

Hummingbird Limited cert

26% of the scanners detected the file. The vlc-media-player.exe file is detected as Trojan.Vittalia.456 by DrWeb, a variant of Win32/DownloadAdmin.N potentially unwanted by ESET-NOD32, PUP.Optional.DownLoadAdmin by Malwarebytes, DownloadAdmin by McAfee and Trojan.Win32.Generic!BT by VIPRE.

Hummingbird Limited anti-virus report

Did you also find a Hummingbird Limited file? Do you remember where you downloaded it?

Thank you for reading.

LLC “LEVADIYA-PROEKT” – 5% Detection Rate At VirusTotal

Hi there! If you are a regular here on the FreeFixer blog, you know that I’ve been examining files that have a digital signature and bundle various types of potentially unwanted software. Today I found another publisher named LLC “LEVADIYA-PROEKT” that bundles some software.

LLC LEVADIYA-PROEKT warning

You can also see the LLC “LEVADIYA-PROEKT” certificate by looking under the Digital Signature tab on the file’s properties. According to the certificate, LLC “LEVADIYA-PROEKT” is located in Lviv, Ukraine. Comodo has issued the certificate.

LLC LEVADIYA-PROEKT certificate

The issue is that FlashPlayer__6741_i1651201445_il1668.exe is not an official Adobe Flash Player download. If it was, it would have been digitally signed by Adobe Systems Incorporated. Here’s what the authentic Adobe Flash Player looks like when you double click on it. Notice that the “Verified publisher” says “Adobe Systems Incorporated”.
Adobe Systems Incorporated - Adobe Flashplayer Installer

So, what do the anti-virus programs say about the LLC “LEVADIYA-PROEKT” file? No problem, I just uploaded the file to VirusTotal and it turned out that a few of the anti-virus programs detect the LLC “LEVADIYA-PROEKT” file, with names such as ADWARE/Amonetize.Gen and a variant of Win32/Amonetize.IQ potentially unwanted.

anti-virus scan LLC LEVADIYA-PROEKT

Did you also find a LLC “LEVADIYA-PROEKT” file?

Thank you for reading.

CrossBeam (New Media Holdings Ltd.) – 9% Detection Rate at VirusTotal

Hello! Was looking for some downloads to play around with and found one, digitally signed by CrossBeam (New Media Holdings Ltd.). The file is named chrome-download.exe.

CrossBeam (New Media Holdings Ltd.) warning

Typically you’d see the CrossBeam (New Media Holdings Ltd.) publisher name appear when double-clicking on the chrome-download.exe file. By examining the certificate, we can see that CrossBeam (New Media Holdings Ltd.) appears to be located in Tel Aviv, Israel.

CrossBeam (New Media Holdings Ltd.) cert

The certificate is issued by GlobalSign CodeSigning CA – G2.

CrossBeam GlobalSign

The issue here is that if chrome-download.exe really was a setup file for Google Chrome, it should be signed by Google Inc. and not by some unknown company. Here’s what the authentic Google Chrome looks like when you double click on it. Notice that the “Verified publisher” says “Google Inc”.
Chrome Google Inc publisher

9% of the anti-virus scanners detected the file. Some of the detection names for the chrome-download.exe file are a variant of Win32/InstallCore.ACQ.gen potentially unwanted, PUP.Optional.InstallCore and InstallCore (fs).

CrossBeam anti-virus report

When I tested the CrossBeam file it bundled StormFall and Norton 360. The checkboxes for these two programs were not checked by default.

Did you also find a CrossBeam (New Media Holdings Ltd.) file? What kind of download was it? If you remember the download link, please post it in the comments below.

Thanks for reading.

BeST ApP – 32% Detection Rate – OutBrowse

Hello! Just a quick post on a publisher called BeST ApP that I found while running some tests for the upcoming FreeFixer release. The suspicious file is named Player.exe.

Best App download

You will also see BeST ApP listed as the verified publisher in the User Account Control dialog that pops up if you try to run the file. It is also possible to check a digital signature by looking at a file’s properties. Here’s a screenshot of the BeST ApP certificate.

BeST ApP certificate

Downloader.UVA, Generic PUA OP (PUA) and OutBrowse are some detection names according to VirusTotal:

BeST ApP anti-virus report

Did you also find a file digitally signed by BeST ApP? Where did you find it and are the anti-virus programs detecting it? Please share in the comments below.

Thanks for reading.

SM Install (Fried Cookie Ltd.) – 12% Detection Rate

Welcome! Just a short post on a publisher called SM Install (Fried Cookie Ltd.) before going back to some coding on FreeFixer.

SM Install Fried Cookie Ltd. cert

You can view additional information about the certificate by right-clicking on the file, choosing properties and then clicking on the Digital Signatures tab. According to the certificate we can see that SM Install (Fried Cookie Ltd.) is located in Tel Aviv, Israel and that the certificate is issued by GlobalSign CodeSigning CA – G2.

SM Install (Fried Cookie Ltd.) cert chain globalsign

What caught my attention was that the download was called chrome-download.exe. This might look like an official Google Chrome download, but it is not. If it was an official download, it should be digitally signed by Google Inc. Here’s what the authentic Google Chrome looks like when you double click on it. Notice that the “Verified publisher” says “Google Inc”.
Chrome Google Inc publisher

When I uploaded the SM Install (Fried Cookie Ltd.) file to VirusTotal, it came up with a 12% detection rate. The file is detected as Generic.BEC by AVG, Install Core Click run software (PUA) by Sophos and InstallCore (fs) by VIPRE.

SM Install Fried Cookie Ltd. anti-virus report

Did you also find a SM Install (Fried Cookie Ltd.) file?

Thank you for reading.

safe InStAll OPT – 28% Detection Rate – PUP.Optional.Bundle / OutBrowse

Hi there! Just wanted to give you the heads up on files digitally signed by safe InStAll OPT.

safe InStAll OPT download

You can see who the signer is when double-clicking on an executable file. safe InStAll OPT appears in the publisher field in the dialog that pops up. To get more details on the publisher, you can view the certificate by right-clicking on the file, and looking under the Digital Signatures tab. According to the certificate we can see that safe InStAll OPT appears to be located in Ireland and that the certificate is issued by thawte SHA256 Code Signing CA.

safe InStAll OPT certificate

Here’s Thawte in the certificate chain:

safe InStAll OPT cert chain

When I uploaded the file to VirusTotal – as I usually do when I find something that looks suspicious – 28% of the antivirus scanners detected the file. The file is detected as Downloader.USS by AVG, PUP.Optional.Bundle by Malwarebytes and Adware-OutBrowse.h by McAfee-GW-Edition.

safe InStAll OPT anti-virus report

Did you also find a safe InStAll OPT file? What kind of download was it? If you remember the download link, please post it in the comments below.

Thanks for reading.