Category Archives: digital signature

viD PLAY – 33% Detection Rate – OutBrowse

Hello readers! If you are a regular here on the FreeFixer blog, you know that I’ve been examining files that have a digital signature and bundle various types of potentially unwanted software. Today I found another publisher named viD PLAY that bundles some software.

viD PLAY publisher

If you have a viD PLAY file on your computer you may have noticed that viD PLAY pops up as the publisher in the User Account Control dialog when running the file. The certificate is issued by thawte SHA256 Code Signing CA.

viD PLAY certificate

Thawte at the root in the certificate chain:

viD PLAY cert chain

After uploading the viD PLAY file – Player.exe – to VirusTotal, it was clear that it’s probably better to delete the file than to run it. The detection rate was 33% and some of the detection names were: Downloader.UIA, PUP.Optional.Vidplay, Adware-OutBrowse.h and OutBrowse.

viD PLAY virustotal

Did you also find a viD PLAY file? What kind of download was it? If you remember the download link, please post it in the comments below.

Thank you for reading.

Cash Buyer Media – 18% Detection Rate – GamePlayLabs / Vittalia / DownloadAdmin

Hello readers! Just a short post on a publisher called Cash Buyer Media before going back to some coding on FreeFixer.

Cash Buyer Media publisher

You will also see Cash Buyer Media listed as the verified publisher in the User Account Control dialog that pops up if you try to run the file. Information about the digital signature and the certificate can also be found under the Digital Signatures tab of the file’s properties. According to the certificate, Cash Buyer Media is located in San Francisco, California, US, and the certificate is issued by VeriSign Class 3 Code Signing 2010 CA.

Cash Buyer Media certificate


Here’s VeriSign in the cert chain:

Cash Buyer Media cert chain

After uploading the Cash Buyer Media file – vlc-media-player.exe – to VirusTotal, it was clear that it’s probably better to delete the file than to run it. The detection rate was 18% and some of the detection names were: GrayWare[AdWare]/Win32.GamePlayLabs.a, W32.HfsAdware.81DC, Trojan.Vittalia.368 and DownloadAdmin (PUA).

Cash Buyer Media anti-virus report

Did you also find a download that was signed by Cash Buyer Media? What kind of download was it, and was it detected by the anti-malware programs at VirusTotal? Please share in the comments below.

Thanks for reading.

LLC FOTO-TSENTR – 7% Detection Rate – QVM10.1.Malware.Gen / Amonetize

Welcome! Just a short post on a publisher called LLC `FOTO-TSENTR `. I just found a download named Moboroboexe__15022_i1619995140_il543480.exe that was digitally signed by this publisher, and it turns out that it is detected by some anti-virus programs.

LLC FOTO-TSENTR publisher

You may see LLC `FOTO-TSENTR ` appear as the publisher when double-clicking on the Moboroboexe__15022_i1619995140_il543480.exe file. To view more information about the embedded certificate you can right-click on the file, then choose Properties and then select the Digital Signatures tab. According to the certificate we can see that LLC `FOTO-TSENTR ` seems to be located in Ukraine and that the certificate is issued by COMODO RSA Code Signing CA.

LLC `FOTO-TSENTR ` cert

Here’s Comodo in the certificate chain:

LLC FOTO-TSENTR cert chain

The issue with the LLC `FOTO-TSENTR ` file is that it is detected by some of the anti-virus programs. Here are some of the detection names: ADWARE/Amonetize.Gen, a variant of Win32/Amonetize.HU potentially unwanted and HEUR/QVM10.1.Malware.Gen.

LLC FOTO-TSENTR anti-virus report

Since you probably came here after finding a file that was digitally signed by LLC `FOTO-TSENTR `, please share what kind of download it was and whether it was detected by the anti-malware programs at VirusTotal.

Thank you for reading.

Update 2015-09-08: I found another file signed by LLC FOTO-TSENTR. The detection rate has increased to 13/56:

LLC FOTO-TSENTR report

LLC “SOFT TRADE LTD” – 5% Detection Rate – Amonetize

Hello! If you’ve been following me for the last year you know that I’ve been examining many software publishers that put a digital signature on their downloads. Today I found another publisher called LLC “SOFT TRADE LTD”.

LLC SOFT TRADE LTD

Typically you’d see the LLC “SOFT TRADE LTD” publisher name appear when double-clicking on the FlashPlayer__6741_i1609075630_il45347.exe file. It is also possible to check a digital signature by looking at a file’s properties. Here’s a screenshot of the LLC “SOFT TRADE LTD” certificate.

LLC SOFT TRADE LTD certificate


According to the certificate, the company is located in Ukraine. UserTrust and Comodo are found in the certificate chain:

SOFT TRADE LTD LLC cert chain

What caught my attention was that the download was called FlashPlayer__6741_i1609075630_il45347.exe. This might look like an official Adobe Flash Player download, but it is not. If it were an official download, it would be digitally signed by Adobe Systems Incorporated. Here’s how the authentic Adobe Flash Player installer looks when you double-click on it. Notice that the “Verified publisher” says “Adobe Systems Incorporated”.

Adobe Systems Incorporated - Adobe Flashplayer Installer


Here’s how the LLC “SOFT TRADE LTD” installer looks:

LLC SOFT TRADE LTD installer

ADWARE/Amonetize.Gen and a variant of Win32/Amonetize.HN potentially unwanted are some detection names according to VirusTotal:

LLC SOFT TRADE LTD anti-virus report

Did you also find a LLC “SOFT TRADE LTD” file? What kind of download was it? If you remember the download link, please post it in the comments below.

Thank you for reading.

Sambamedia LLC – 26% Detection Rate – SoftPulse / Domaiq / Mikey

Hello! Short on time today, but I just wanted to give you the heads up on a publisher called Sambamedia LLC.

Sambamedia LLC publisher

Windows will display Sambamedia LLC as the publisher when running the file. It’s possible to view additional information about the certificate by right-clicking on the file, choosing Properties and then clicking on the Digital Signatures tab. According to the certificate, Sambamedia LLC is located in Wilmington, Delaware, US, and the certificate is issued by VeriSign Class 3 Code Signing 2010 CA.

Sambamedia LLC certificate


The certification path, which shows VeriSign at the root:

Sambamedia LLC certificate chain

The issue here is that if google_chrome.exe really were a setup file for Google Chrome, it would have been digitally signed by Google Inc. and not by some unknown company. I think this looks suspicious. Here’s how the authentic Google Chrome installer looks when you double-click on it. Notice that the “Verified publisher” says “Google Inc”.

Chrome Google Inc publisher
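The check that the posts above do by hand (open the file’s properties, look at the Digital Signatures tab, and compare the “Verified publisher” with the company that actually makes the product) can be scripted. The following PowerShell is an added example written for this page; it is not code from the FreeFixer blog or the FreeFixer tool. It uses the built-in Get-AuthenticodeSignature and Get-FileHash cmdlets, reports the signer, issuer and root CA of the chain, and flags a validly signed file whose signer is not the expected vendor. The expected-publisher table, the filename patterns and the Downloads folder are assumptions you would adapt to your own environment.

```powershell
# Added example (not from the FreeFixer blog): inspect an Authenticode signature and
# compare the signer's Common Name with the publisher expected for that product.
# The expected-publisher table and sample paths below are assumptions.
function Test-ExpectedPublisher {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedPublisher
    )
    $simpleName = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [ordered]@{
        File    = Split-Path -Leaf $Path
        Status  = $sig.Status            # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer  = $null                  # what the UAC "Verified publisher" line shows
        Issuer  = $null                  # e.g. "thawte SHA256 Code Signing CA"
        Root    = $null                  # top of the certification path
        Sha256  = (Get-FileHash -Path $Path -Algorithm SHA256).Hash   # handy for a VirusTotal lookup
        Verdict = 'UNSIGNED'
    }
    if ($sig.SignerCertificate) {
        $cert = $sig.SignerCertificate
        $result.Signer = $cert.GetNameInfo($simpleName, $false)
        $result.Issuer = $cert.GetNameInfo($simpleName, $true)

        # Build the chain so the root CA (Thawte, VeriSign, Comodo, ...) can be reported.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $null = $chain.Build($cert)
        $last = $chain.ChainElements.Count - 1
        $result.Root = $chain.ChainElements[$last].Certificate.GetNameInfo($simpleName, $false)

        if ($sig.Status -ne 'Valid') {
            $result.Verdict = "SIGNATURE $($sig.Status)"
        } elseif ($result.Signer -ne $ExpectedPublisher) {
            # The case in the posts above: the certificate itself is genuine, but it
            # belongs to a company other than the vendor the filename suggests.
            $result.Verdict = 'PUBLISHER MISMATCH'
        } else {
            $result.Verdict = 'OK'
        }
    }
    [pscustomobject]$result
}

# What the "Verified publisher" line should say for well-known installers.
# Assumed values for the two products discussed on this page; extend as needed.
$expected = @{
    'FlashPlayer*.exe'   = 'Adobe Systems Incorporated'
    'google_chrome*.exe' = 'Google Inc'
}

# Scan the Downloads folder (assumed location) and report every file that matches a pattern.
Get-ChildItem -Path "$env:USERPROFILE\Downloads" -Filter *.exe | ForEach-Object {
    $file  = $_
    $match = $expected.Keys | Where-Object { $file.Name -like $_ } | Select-Object -First 1
    if ($match) {
        Test-ExpectedPublisher -Path $file.FullName -ExpectedPublisher $expected[$match]
    }
} | Format-Table File, Status, Signer, Issuer, Root, Verdict -AutoSize
```

A file like the FlashPlayer__6741_i1609075630_il45347.exe or google_chrome.exe described above would come back with Status Valid but Verdict PUBLISHER MISMATCH, which is the signal worth acting on: a valid signature only proves who signed the file, not that the file is what its name claims. The Sha256 column gives you the hash to search for on VirusTotal without having to upload the file.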

The issue with the Sambamedia LLC file is that it is detected by many of the anti-malware programs. Here are some of the detection names: Riskware.Agent!, PUA/SoftPulse.oanu, W32.HfsAdware.7208, Trojan.Domaiq.302, Gen:Variant.Mikey.22953 (B), a variant of Win32/SoftPulse.AJ potentially unwanted and Gen:Variant.Mikey.22953.

Sambamedia LLC anti-virus report

Did you also find a Sambamedia LLC file? What kind of download was it? If you remember the download link, please post it in the comments below.

Thank you for reading.

Vega Resource, LLC – 16% Detection Rate – HEUR:AdWare.Win32.Generic

Hello readers! Just a short post on a publisher called Vega Resource, LLC. I just found a download named “Download.exe” that was digitally signed by this publisher, and it turns out that it is detected by some anti-virus programs.

Vega Resource, LLC publisher

This is how it looks when double-clicking on the file: Vega Resource, LLC appears as the publisher. It is also possible to check a digital signature by looking at a file’s properties. Here’s a screenshot of the Vega Resource, LLC certificate.

Vega Resource, LLC certificate

By clicking on the Certification Path tab, we can see that Thawte has issued the certificate:

Vega Resource LLC cert path

The scan result from VirusTotal below clearly shows why you should avoid the Vega Resource, LLC file. It is detected under names such as Generic6.BURQ, a variant of Win32/Adware.MultiPlug.NX, Unwanted-Program ( 004ccd421 ), not-a-virus:HEUR:AdWare.Win32.Generic, PE:Packer.Win32.Mian007.a!1074235325 and Trojan.Agent/Gen-Downloader.

Vega Resource anti-virus report

Did you also run into a download that was digitally signed by Vega Resource, LLC? What kind of download was it, and was it reported by the anti-malware programs at VirusTotal? Please share in the comments below.

Hope this blog post helped you avoid some unwanted software on your machine.

Thanks for reading.

BEst inSTall TLl – 49% Detection Rate

Hello readers! If you are a regular here on the FreeFixer blog you know that I’ve been looking at the certificates used to sign files that bundle various types of unwanted software. Today I found another certificate, used by a publisher called BEst inSTall TLl.

BEst inSTall TLl publisher

If you have a BEst inSTall TLl file on your machine you may have noticed that BEst inSTall TLl is displayed as the publisher in the UAC dialog when double-clicking on the file. You can also check the digital signature under the file’s properties. According to the embedded certificate, BEst inSTall TLl is located in Dublin, Ireland, and the certificate is issued by thawte SHA256 Code Signing CA.

BEst inSTall TLl certificate

Thawte has issued the certificate.

BEst inSTall TLl cert chain

So, what do the anti-virus programs say about the BEst inSTall TLl file? No problem, I just uploaded the file to VirusTotal and it turned out that many of the anti-virus programs detect the BEst inSTall TLl file, with names such as NSIS:OutBrowse-DQ [PUP], Downloader.QWU, Gen:Variant.Adware.Mikey.21084, HEUR/QVM30.1.Malware.Gen and Generic PUA AA (PUA).

BEst inSTall TLl anti-virus report

Did you also find a BEst inSTall TLl file? What kind of download was it? If you remember the download link, please post it in the comments below.

Thanks for reading.

Update 2015-08-18: Found another download, also signed by Best Install TLl, claiming to be an episode of a famous TV series. The detection rate for this file was 45%. Notice that the installer does not have any button to cancel the installation.

BEst inSTall TLl installer window

Semen Korzuba – VirusTotal: 33% Detection – MultiPlug, Trj/Genetic.gen

Hello! Just a short post before I call it a day. I found yet another file that bundled a bunch of unwanted programs, and the file was signed by Semen Korzuba.

Semen Korzuba warning

Windows will display Semen Korzuba as the publisher when running the file. The certificate is issued by Certum Code Signing CA.

Semen Korzuba cert chain

Semen Korzuba certificate

The VirusTotal report shows that the Semen Korzuba file should be avoided, since Download Uc Browser V Handler Zip.exe is detected as TR/Dropper.Gen by Avira, a variant of Win32/Adware.MultiPlug.NU by ESET-NOD32, PUP.Optional.Multiplug by Malwarebytes, Trj/Genetic.gen by Panda and MultiPlug (v) by VIPRE.

Semen Korzuba anti-virus report

Did you also find a file digitally signed by Semen Korzuba? Where did you find it and are the anti-virus programs detecting it? Please share in the comments below.

Thanks for reading.

starT PlaYInG – 53% Detection Rate – Mikey / PUGO / OutBrowse

Hi there! Just wanted to let you know about a publisher called starT PlaYInG before going back to writing some code for FreeFixer.

starT PlaYInG publisher

If you have a starT PlaYInG file on your machine you may have noticed that starT PlaYInG is displayed as the publisher in the UAC dialog when double-clicking on the file. It is also possible to check a digital signature by looking at a file’s properties. Here’s a screenshot of the starT PlaYInG certificate.

starT PlaYInG certificate

Thawte has issued the certificate:

starT PlaYInG thawte

If you are considering running the file signed by starT PlaYInG, I’d advise you not to. Delete it instead. Just check out the detection names from some of the anti-virus programs:

Avast reports Player.exe as NSIS:OutBrowse-DQ [PUP], AVG calls it Downloader.OPP, BitDefender detects it as Gen:Variant.Adware.Mikey.21084, Cyren reports W32/Adware.PUGO-0761 and VIPRE reports OutBrowse (fs).

starT PlaYInG anti-virus report

Did you also find a starT PlaYInG file?

Thank you for reading.

Trend Interactive – 19% Detection Rate – DownloadAdmin / Application.Jaik

Hello! Just a short post before I call it a day. I found yet another file that bundled a bunch of unwanted programs, and the file was signed by Trend Interactive.

Trend Interactive publisher

It is also possible to check a digital signature by looking at a file’s properties. Here’s a screenshot of the Trend Interactive certificate.

Trend Interactive certificate

VeriSign has issued the certificate:

Trend Interactive cert path

When I uploaded the Trend Interactive file to VirusTotal, it came up with a 19% detection rate. The file is detected as PUA/DownloadAdmin.Gen7 by Avira, Gen:Variant.Application.Jaik.8223 by BitDefender and Adware ( 004c86ce1 ) by K7GW.

Trend Interactive anti-virus report

Did you also find a file digitally signed by Trend Interactive? What kind of download was it and where did you find it?

Hope this blog post helped you avoid some unwanted software on your machine.

Thanks for reading.