Hi there! Just a quick post today from a rainy Stockholm. Working on the next release of FreeFixer. Anyway, did you see a file, such as ChromeSetup.exe, on your system digitally signed by Dova Network (New Media Holdings Ltd.)? Then read on.
You can also check who signed a file by looking at the Digital Signatures tab in the file's properties. According to the certificate we can see that Dova Network (New Media Holdings Ltd.) is located in Tel Aviv in Israel and that the certificate is issued by GlobalSign CodeSigning CA – G2.
What caught my attention was that the download was called ChromeSetup.exe. This might look like an official Google Chrome download, but it is not. If it were an official download, it would be digitally signed by Google Inc. Here’s what the authentic Google Chrome looks like when you double click on it. Notice that the “Verified publisher” says “Google Inc”.
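The same publisher check can be done from the command line. This is an added example, not part of the original post: a PowerShell function that reads a file's Authenticode signature and compares the signer with the publisher you expect. The function name, the download path and the use of "Google Inc" as the expected name (the value quoted above) are assumptions.

```powershell
# Added example: compare an installer's Authenticode signer with the expected publisher.
# Test-InstallerPublisher is a hypothetical helper name, not a built-in cmdlet.
function Test-InstallerPublisher {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedPublisher
    )

    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $cert = $sig.SignerCertificate

    # Unsigned files carry no signer certificate at all.
    if ($null -eq $cert) {
        return [pscustomobject]@{
            File = $Path; Status = $sig.Status; Publisher = $null
            Issuer = $null; Subject = $null; MatchesExpected = $false
        }
    }

    $simple    = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $publisher = $cert.GetNameInfo($simple, $false)   # signer's common name
    $issuer    = $cert.GetNameInfo($simple, $true)    # issuing CA's common name

    # A "Valid" status only says the file is intact and the chain is trusted.
    # It says nothing about whether the signer is the vendor you expected,
    # so the publisher name has to be compared as a separate step.
    $matches = ($sig.Status -eq 'Valid') -and ($publisher -eq $ExpectedPublisher)

    [pscustomobject]@{
        File            = $Path
        Status          = $sig.Status
        Publisher       = $publisher
        Issuer          = $issuer
        Subject         = $cert.Subject   # full DN, includes locality and country
        MatchesExpected = $matches
    }
}

# Assumed download location; adjust to where the file was saved.
$file = Join-Path $env:USERPROFILE 'Downloads\ChromeSetup.exe'
if (Test-Path -LiteralPath $file) {
    Test-InstallerPublisher -Path $file -ExpectedPublisher 'Google Inc' | Format-List
}
```

A file like the one described here would report a valid signature and still come back with `MatchesExpected` set to `False`, because the publisher is not the expected vendor.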
When I uploaded the file to VirusTotal – as I usually do when I find something that looks suspicious – 9% of the scanners detected the file. The file is detected as Generic.C54 by AVG, InstallCore.b (fs) by AVware, a variant of Win32/InstallCore.SS by ESET-NOD32 and InstallCore.b (fs) by VIPRE.
To see in more detail what changes the Dova Network (New Media Holdings Ltd.) file would make on a user’s computer, I decided to run the file on my lab machine. The installer bundled some additional software such as Vosteran, Avast Anti-Virus, Google Chrome Packages, Hold Page and MyPC Backup:
Did you also find a Dova Network (New Media Holdings Ltd.) file? Do you remember the download link? Please post it in the comments below and I’ll upload it to VirusTotal to see if that one is also detected.
Thank you for reading.
Hej!
I got a ccleaner install file signed by Dova.
Last night my buddy's sister asked me to fix her computer because it was so slow it's unusable (an old asus eeepc), so I did the usual “download ccleaner and see if it speeds things up”. But I didn’t really pay attention while I did it. Add that Bing was set as default search engine when I searched for “ccleaner” (don't think the fake has ever shown up with Google for me). As mentioned, I wasn't really paying attention and hit install. After a while I noticed there was something off with the UI of the install program, so I cancelled the install (luckily the internet connection was so slow it only got halfway).
Unfortunately I can't dig up the link now, but I still got the file.
Do you think any harm was done even though I didn't finish the install?
Hello Robi,
Difficult to say if the installer managed to install something before you shut down the installer. Personally, I would examine the computer to make sure nothing unwanted snuck in.
I’m fixing a friend’s computer, which appears to have been infected and rendered unusable by badly-written adware (explorer.exe crashes). It looks like the original source of the infection was a fake Firefox download, signed by the same “Dova Network” that you’re seeing here.
Firefox installer from:
hxxp://bubblyapps .com/?dl=1&pi=ATAdNzC3OTgyAi%3D%3D&osos=VdluDrW3cw%3D%3D&chnl=&dr=cHaWck1mIXvlDmW4vExthXN3DKV0AQDzcj1QDyDphXAmD3vpDZ0m%2BrcWDK4m7dAWx0am7dREhKVuvmAWASDChTMm7dlChV84NZnwAzgwOTnm7K2pDZ1fNjn3AzayOZn0Ag%3D%3D&pd=2323UEvP2rLt2XNlUmNJ%2Bi%3D%3D&campaignId=9jn0Azi0NZndAZMq
Signed by Dova Network