Category Archives: digital signature

LLC DE PROEKT – 39% Detection Rate – Amonetize / Strictor / PUP.Optional.Bundle

Hi there! Short on time this evening, but I just wanted to give you the heads up on a publisher called LLC DE PROEKT.

LLC DE PROEKT publisher

If you have an LLC DE PROEKT file on your machine you may have noticed that LLC DE PROEKT is displayed as the publisher in the UAC dialog when double-clicking on the file. The certificate is issued by COMODO RSA Code Signing CA. The publisher is located in Ukraine.

[Screenshot: the LLC DE PROEKT certificate]

The problem here is that if FlashPlayer__6741_i1561835113_il7532.exe really was a setup file for Adobe Flash Player, it should have been digitally signed by Adobe Systems Incorporated and not by some unknown company. This looks suspicious. Here’s what the authentic Adobe Flash Player looks like when you double-click on it. Notice that the “Verified publisher” says “Adobe Systems Incorporated”.

[Screenshot: the authentic Adobe Flash Player installer with Adobe Systems Incorporated as verified publisher]
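The comparison the post makes by eye (does the signer match the vendor the filename implies?) can be scripted. The following PowerShell check is an added example and not code from the FreeFixer blog: it reads the Authenticode signer with Get-AuthenticodeSignature and compares it with the publisher the filename suggests. The two expected publisher names come from this page; the filename-to-publisher mapping, the function name and the Downloads folder path are assumptions, and the mapping generalizes to any vendor you care about.

```powershell
# Added example, not from the FreeFixer blog. Flags installers whose filename implies a
# well-known vendor but whose Authenticode signer is someone else (or nobody).
# Assumption: the regex -> publisher mapping below; extend it with the vendors you care about.
$ExpectedPublisher = @{
    'flash'  = 'Adobe Systems Incorporated'   # publisher of the genuine Flash Player installer
    'chrome' = 'Google Inc'                   # publisher of the genuine Chrome installer
}

function Test-InstallerPublisher {
    param([Parameter(Mandatory)][string]$Path)

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $name = [System.IO.Path]::GetFileName($Path)

    $signer = $null
    if ($sig.SignerCertificate) {
        # SimpleName is the CN of the Subject, i.e. the "Verified publisher" text in the UAC dialog
        $signer = $sig.SignerCertificate.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    }

    $expected = $null
    foreach ($pattern in $ExpectedPublisher.Keys) {
        if ($name -imatch $pattern) { $expected = $ExpectedPublisher[$pattern]; break }
    }

    # Status is Valid only when the chain ends in a trusted root and the file hash still matches.
    if (-not $signer) {
        $verdict = 'unsigned or broken signature'
    } elseif ($sig.Status -ne 'Valid') {
        $verdict = "signature not valid ($($sig.Status))"
    } elseif ($expected -and $signer -ne $expected) {
        $verdict = "SUSPICIOUS: filename implies '$expected' but signer is '$signer'"
    } elseif ($expected) {
        $verdict = 'OK: signer matches the vendor the filename implies'
    } else {
        $verdict = 'signed; filename implies no known vendor, check the publisher yourself'
    }

    [pscustomobject]@{
        File     = $name
        Status   = $sig.Status
        Signer   = $signer
        Expected = $expected
        Verdict  = $verdict
    }
}

# Usage: sweep a downloads folder (the path is an assumption). Anything marked SUSPICIOUS
# is a candidate for a VirusTotal check before it is ever run.
Get-ChildItem -Path "$env:USERPROFILE\Downloads" -Filter *.exe |
    ForEach-Object { Test-InstallerPublisher -Path $_.FullName } |
    Format-Table -AutoSize -Wrap
```

The check compares the CN exactly, so a signer such as LLC DE PROEKT on a file named like a Flash installer is reported as SUSPICIOUS even though the signature itself is cryptographically valid; a valid signature only proves who signed, not that the file is what its name claims.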

The issue with the LLC DE PROEKT file is that it is detected by many antimalware products. Here are some of the detection names: Trojan.Application.Strictor.D164B3, BundleApp.IVU, W32.HfsAdware.B493, Gen:Variant.Application.Strictor, PUP.Optional.Bundle and Amonetize (fs).

[Screenshot: VirusTotal report for the LLC DE PROEKT file]

Did you also find a download that was digitally signed by LLC DE PROEKT? What kind of download was it and was it detected by the anti-viruses at VirusTotal? Please share by posting a comment.

Thanks for reading.

Update 2015-08-18: Found another download today, also signed by LLC DE PROEKT and also using “Flash” in the filename to confuse users. The detection rate for this file was 25% according to VirusTotal:

[Screenshot: VirusTotal report for the second LLC DE PROEKT file]

When I ran the installer it disclosed that it bundled a bitcoin miner or some other type of crypto currency miner:

[Screenshot: the LLC DE PROEKT installer disclosing a bundled cryptocurrency miner]

Just a quick update on the certificate chain. It begins with UserTrust, then Comodo and then LLC DE PROEKT:

[Screenshot: the LLC DE PROEKT certificate chain, UserTrust – COMODO – LLC DE PROEKT]
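The chain in the screenshot can also be listed from the command line. This PowerShell function is an added example (not the blog's own tooling): it takes the signer certificate that Get-AuthenticodeSignature returns and walks it with the .NET X509Chain class, printing each link from the leaf up to the root. The function name, the decision to skip online revocation checks and the file path in the usage line are assumptions.

```powershell
# Added example, not from the FreeFixer blog. Lists the certificate chain behind a file's
# Authenticode signature, leaf first: for the file in the post that would be LLC DE PROEKT,
# then the COMODO issuing CA, then the UserTrust root.
function Get-SignerChain {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($null -eq $sig.SignerCertificate) {
        Write-Warning "$Path carries no signature (status: $($sig.Status))"
        return
    }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Assumption: skip online revocation checks so the chain shape is visible offline.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    # Require the code-signing EKU (1.3.6.1.5.5.7.3.3) so a chain that is fine for, say,
    # TLS but not for code signing is reported as a chain problem below.
    $chain.ChainPolicy.ApplicationPolicy.Add(
        (New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.3')) | Out-Null

    $built = $chain.Build($sig.SignerCertificate)

    # ChainElements is ordered leaf -> intermediates -> root; the root is its own issuer.
    $depth = 0
    foreach ($element in $chain.ChainElements) {
        $cert = $element.Certificate
        [pscustomobject]@{
            Depth      = $depth
            Subject    = $cert.GetNameInfo('SimpleName', $false)   # CN of this certificate
            IssuedBy   = $cert.GetNameInfo('SimpleName', $true)    # CN of its issuer
            NotAfter   = $cert.NotAfter
            Thumbprint = $cert.Thumbprint
        }
        $depth++
    }

    if (-not $built) {
        foreach ($status in $chain.ChainStatus) {
            Write-Warning "Chain problem: $($status.Status) - $($status.StatusInformation.Trim())"
        }
    }
    # A timestamp countersignature keeps the signature valid after the leaf expires.
    if ($sig.TimeStamperCertificate) {
        Write-Verbose ('Timestamped by ' + $sig.TimeStamperCertificate.GetNameInfo('SimpleName', $false))
    }
    $chain.Reset()
}

# Usage (the path is an assumption):
Get-SignerChain -Path 'C:\Users\Public\Downloads\FlashPlayer__6741_i1561835113_il7532.exe' |
    Format-Table -AutoSize
```

Depth 0 is the publisher shown in the UAC dialog; the last row should be a self-issued root that is present in the machine's trusted root store, otherwise Get-AuthenticodeSignature reports a status other than Valid. The thumbprint of the leaf is a handy pivot for finding other files signed with the same certificate.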

Dmitry Banak – 30% Detection Ratio – Kryptik / MultiPlug / WebPick

Welcome! Lately I’ve been looking at the digital signatures on those files that push various types of unwanted programs. This morning I found a new file called How I Met Your Mother S09E22 HDTV x264-KILLERS[ettv].exe, digitally signed by Dmitry Banak.

[Screenshot: UAC dialog showing Dmitry Banak as publisher]

[Screenshot: the Dmitry Banak certificate]

Of the 56 scanners, 17 detected the file. The How I Met Your Mother S09E22 HDTV x264-KILLERS[ettv].exe file is detected as Win32:MultiPlug-ABB [PUP] by Avast, a variant of Win32/Kryptik.DPGT by ESET-NOD32, PUP.Optional.Multiplug by Malwarebytes and Trojan.Win32.WebPick.dtsbvc by NANO-Antivirus.

[Screenshot: VirusTotal report for the Dmitry Banak file]

Did you also find a Dmitry Banak download? What kind of download was it?

Thank you for reading.

TRUSTED INSTALL SOFTWARE – Generic.AA1 or False Positive?

Hi there! Just a quick post on a file named finaltorrent-setup.exe digitally signed by TRUSTED INSTALL SOFTWARE.

[Screenshot: UAC dialog showing TRUSTED INSTALL SOFTWARE as publisher]

Typically you’d see the TRUSTED INSTALL SOFTWARE publisher name appear when double-clicking on the finaltorrent-setup.exe file. It’s possible to view additional information about the certificate by right-clicking on the file, choosing Properties and then clicking on the Digital Signatures tab. According to the certificate we can see that TRUSTED INSTALL SOFTWARE is located in San Francisco in the US and that the certificate is issued by VeriSign Class 3 Code Signing 2010 CA.

[Screenshot: the TRUSTED INSTALL SOFTWARE certificate]

So, what’s the problem here? Well, AVG detects this as Generic.AA1. All the other anti-virus programs over at VirusTotal did not detect the file. Could AVG’s detection be a false positive? What do you think?

[Screenshot: VirusTotal report for finaltorrent-setup.exe, detected by AVG only]
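Whether a lone detection like AVG’s is a false positive is easier to judge when you can see exactly which engines flag the file and with what names. The PowerShell function below is an added example, not the blog’s own tooling: it looks the file up on VirusTotal by SHA-256 through the v3 API instead of uploading it, computes the detection ratio the posts quote and lists the flagging engines. The API key location, the function name, the path in the usage line and the ratio formula are assumptions; the /files/{hash} endpoint and the last_analysis_stats and last_analysis_results fields are VirusTotal’s documented ones.

```powershell
# Added example, not from the FreeFixer blog. Looks a file up on VirusTotal by hash
# (no upload) and summarises who detects it. Assumption: API key in $env:VT_API_KEY.
$VtApiKey = $env:VT_API_KEY

function Get-VtVerdict {
    param([Parameter(Mandatory)][string]$Path)

    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash.ToLower()
    $uri  = "https://www.virustotal.com/api/v3/files/$hash"

    try {
        $resp = Invoke-RestMethod -Uri $uri -Method Get -Headers @{ 'x-apikey' = $VtApiKey }
    } catch {
        # 404 means VirusTotal has never seen this hash. For a file that claims to be a
        # mainstream installer that is itself worth noting, since the genuine ones are well known.
        $code = 0
        if ($_.Exception.Response) { $code = [int]$_.Exception.Response.StatusCode }
        if ($code -eq 404) {
            return [pscustomobject]@{ File = $Path; Sha256 = $hash; KnownToVt = $false
                                      Detections = 0; Engines = 0; Ratio = $null; Names = @() }
        }
        throw
    }

    $attr    = $resp.data.attributes
    $stats   = $attr.last_analysis_stats
    $engines = $stats.malicious + $stats.suspicious + $stats.undetected + $stats.harmless

    # last_analysis_results maps engine -> {category, result}; keep the engines that flag the file
    $names = foreach ($p in $attr.last_analysis_results.PSObject.Properties) {
        if ($p.Value.category -in @('malicious', 'suspicious')) { "$($p.Name): $($p.Value.result)" }
    }

    # The "detection rate" the posts quote, e.g. one AVG hit out of 57 engines.
    $ratio = $null
    if ($engines -gt 0) { $ratio = [math]::Round(100 * $stats.malicious / $engines, 1) }

    [pscustomobject]@{
        File       = $Path
        Sha256     = $hash
        KnownToVt  = $true
        Detections = $stats.malicious
        Engines    = $engines
        Ratio      = $ratio
        Names      = @($names)
    }
}

# Usage (the path is an assumption):
Get-VtVerdict -Path 'C:\Users\Public\Downloads\finaltorrent-setup.exe' | Format-List
```

Reading the output: a single engine reporting a generic family name while fifty-odd others are clean is the pattern where a false positive is plausible; a cluster of PUP, Adware, Bundle or OutBrowse names across several vendors, as in the other posts on this page, is not.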

Did you also find a file signed by the same publisher? Do the scanners at VirusTotal detect it?

Thanks for reading.

Astori LLC – 18% Detection Rate

Hello! I was looking for some downloads to play around with and found one, digitally signed by Astori LLC. The file is named in such a way that users might think it is a download for the Game of Thrones TV series.

The following screenshot shows the User Account Control dialog when running the Astori LLC file:

[Screenshot: UAC dialog showing Astori LLC as publisher]

It’s possible to view additional information about the certificate by right-clicking on the file, choosing Properties and then clicking on the Digital Signatures tab. According to the certificate we can see that Astori LLC appears to be located in Moscow, Russia and that the certificate is issued by COMODO Code Signing CA 2.

[Screenshot: the Astori LLC certificate]

I found an older file, also signed by Astori LLC. This one was detected by 10 of the 57 scanners over at VirusTotal:

[Screenshot: VirusTotal report for the older Astori LLC file]

Did you also find an Astori LLC file? What kind of download was it? If you remember the download link, please post it in the comments below.

Thanks for reading.

GLobal appS Roi – 27% Detection Rate – Downloader.MTU / HfsAdware / OutBrowse

Hi there! If you’ve been following my recent posts here on the FreeFixer blog, you know that I’ve been looking at files that have a valid digital signature and bundle various types of potentially unwanted programs. A few days ago I found another publisher named GLobal appS Roi.

[Screenshot: UAC dialog showing GLobal appS Roi as publisher]

If you have a GLobal appS Roi file on your machine you may have noticed that GLobal appS Roi is displayed as the publisher in the UAC dialog when double-clicking on the file. You can also see the GLobal appS Roi certificate by looking under the Digital Signature tab on the file’s properties. According to the certificate, GLobal appS Roi is located in Dublin, Ireland.

[Screenshot: the GLobal appS Roi certificate]

These are the current VirusTotal detections for the file. Downloader.MTU, W32.HfsAdware.4546, Trojan.OutBrowse.760 and Adware-OutBrowse.g are a few of the detection names for the Player.exe file.

[Screenshot: VirusTotal report for the GLobal appS Roi file]

Did you also find a GLobal appS Roi file? What kind of download was it? If you remember the download link, please post it in the comments below.

Thanks for reading.

Artur Flomenko – 11% Detection Rate

Welcome! Just wanted to give you the heads up on files digitally signed by Artur Flomenko.

[Screenshot: UAC dialog showing Artur Flomenko as publisher]

If you have an Artur Flomenko file on your machine you may have noticed that Artur Flomenko is displayed as the publisher in the UAC dialog when double-clicking on the file. The certificate is issued by Certum Code Signing CA. Mr Flomenko is located in Ukraine.

[Screenshot: the Artur Flomenko certificate]

So, what do the anti-virus programs say about the Artur Flomenko file? No problem, I just uploaded the file to VirusTotal and it turned out that some of the anti-virus programs detect the Artur Flomenko file, with names such as Win32:FakeDownload-G [PUP], a variant of Win32/Kryptik.DPGT, Trojan.Downloader, Trj/Genetic.gen and PE:AdWare.Win32.MultiPlug.aq!1075358402.

[Screenshot: VirusTotal report for the Artur Flomenko file]

Did you also find an Artur Flomenko file? Do you remember the download link? Please post it in the comments below and I’ll upload it to VirusTotal to see if that one is also detected.

Thanks for reading.

COnfirmED APp nLn – 18% Detection Rate – OutBrowse

Hi there! Lately I’ve been looking at the digital signatures on those files that push various types of unwanted programs. This morning I found a new file called Player.exe, digitally signed by COnfirmED APp nLn.

The following screenshot shows the User Account Control dialog when running the COnfirmED APp nLn file:

[Screenshot: UAC dialog showing COnfirmED APp nLn as publisher]

You can also check the digital signature under the file’s properties. According to the certificate we can see that COnfirmED APp nLn seems to be located in Ireland and that the certificate is issued by thawte SHA256 Code Signing CA.

[Screenshot: the COnfirmED APp nLn certificate]

The problem with the COnfirmED APp nLn file is that it is detected by many of the antivirus programs. Here are some of the detection names: Downloader.LIR, PUA.OutBrowse.A and Adware-OutBrowse.g.

[Screenshot: VirusTotal report for the COnfirmED APp nLn file]

Since you probably came here after finding a file that was signed by COnfirmED APp nLn, please share what kind of download it was and if it was detected by the antivirus scanners at VirusTotal.

Thank you for reading.

Top Scale (New Media Holdings Ltd.) – 14% Detection Rate – InstallCore

Hi there! If you’ve been following me for the last year you know that I’ve been examining many software publishers that put a digital signature on their downloads. Today I found another publisher called Top Scale (New Media Holdings Ltd.).

[Screenshot: UAC dialog showing Top Scale (New Media Holdings Ltd.) as publisher]

It is also possible to check a digital signature by looking at a file’s properties. Here’s a screenshot of the Top Scale (New Media Holdings Ltd.) certificate.

[Screenshot: the Top Scale (New Media Holdings Ltd.) certificate]

Top Scale is located in Tel Aviv, Israel, according to the certificate.

What caught my attention was that the download was called GoogleChromeSetup.exe. This might look like an official Google Chrome download, but it is not. If it was an official download, it should have been signed by Google Inc. Here’s what the authentic Google Chrome installer looks like when you double-click on it. Notice that the “Verified publisher” says “Google Inc”.

[Screenshot: the authentic Google Chrome installer with Google Inc as verified publisher]

So, what do the anti-virus programs say about the Top Scale (New Media Holdings Ltd.) file? No problem, I just uploaded the file to VirusTotal and it turned out that some of the anti-virus programs detect the Top Scale (New Media Holdings Ltd.) file, with names such as InstallCore.A98, W32.HfsAdware.D59D, PUP.Optional.InstallCore.A and InstallCore (fs).

[Screenshot: VirusTotal report for the Top Scale (New Media Holdings Ltd.) file]

Did you also find a Top Scale (New Media Holdings Ltd.) file? Do you remember the download link? Please post it in the comments below and I’ll upload it to VirusTotal to see if that one is also detected.

Thank you for reading.

Egor Klochko – 34% Detection Rate – MultiPlug / Graftor

Welcome! Just a note on a publisher called Egor Klochko. The Egor Klochko download – Download Uc Browser V Handler Zip.exe – was detected when I uploaded it to VirusTotal. Did you also find a download by Egor Klochko? Was it also detected when you uploaded it to VirusTotal?

[Screenshot: UAC dialog showing Egor Klochko as publisher]

Typically you’d see the Egor Klochko publisher name appear when double-clicking on the Download Uc Browser V Handler Zip.exe file. It is also possible to check a digital signature by looking at a file’s properties. Here’s a screenshot of the Egor Klochko certificate.

[Screenshot: the Egor Klochko certificate]

The VirusTotal report shows that the Egor Klochko file should be avoided, since Download Uc Browser V Handler Zip.exe is detected as Trojan.Adware.Graftor.D31885 by Arcabit, Gen:Variant.Adware.Graftor.202885 by BitDefender and PUP.Optional.Multiplug by Malwarebytes.

[Screenshot: VirusTotal report for the Egor Klochko file]

Did you also find an Egor Klochko file? Do you remember where you downloaded it?

Thank you for reading.

Alekxandr Zabaro – 13% VirusTotal Detection Rate

Hi there! Just a quick post on a publisher called Alekxandr Zabaro that I found while running some tests for the upcoming FreeFixer release. The suspicious file is named Download.exe.

[Screenshot: UAC dialog showing Alekxandr Zabaro as publisher of Download.exe]

It is also possible to check a digital signature by looking at a file’s properties. Here’s a screenshot of the Alekxandr Zabaro certificate.

[Screenshot: the Alekxandr Zabaro certificate]

After uploading the Alekxandr Zabaro file – Download.exe – to VirusTotal, it was clear that it’s probably better to delete the file than to run it. The detection rate was 13% and some of the detection names were: Win32:MultiPlug-AAE [PUP], a variant of Win32/Adware.MultiPlug.MO and Unwanted-Program ( 0040f9681 ).

[Screenshot: VirusTotal report for the Alekxandr Zabaro file]

Did you also find an Alekxandr Zabaro file? Do you remember where you downloaded it?

Hope this blog post helped you avoid some unwanted software on your machine.

Thank you for reading.