Tag Archives: Adware.Downware

Wilmaonline LTD – VirusTotal and Bundling Report

Found a file this morning, claiming to be a Flash Player setup file. However, the file was not digitally signed by Adobe, which is the publisher of the Flash Player. Instead it was signed by a company called Wilmaonline LTD., which made it look suspicious.

Wilmaonline LTD. publisher

According to the certificate that is embedded in the file, Wilmaonline is a company located in Israel.

Wilmaonline LTD. certificate

So, what do the anti-virus programs say about the Wilmaonline file? No problem, I just uploaded the file to VirusTotal and it turned out that many of the anti-virus programs detect the Wilmaonline file, with names such as Adware.Downware and PUP.Optional.Amonetize.

Wilmaonline LTD  Virus Total Report - PUP.Optional.Amonetize, Adware.Downware

To see in more detail what changes the Wilmaonline file would make on a user’s computer, I decided to run the file on my lab machine. The following InstallPath installer appeared, where “Flash Player”, Dolphin Deals, Flow Surf, Webssearches and OffersWizard were selected for installation by default. This is probably the reason why the anti-virus programs detect the Wilmaonline file, in addition to using Adobe’s Flash trademark.

Wilmaonline LTD. - installer for Flash Player, Dolphin Deals, Flow Surf, Webssearches, OffersWizard

Did you also find a file digitally signed by Wilma Online? What kind of download was it and where did you find it?

Update 13 Sep 2014: Thought I should follow up on this one. The Wilmaonline signed files are still being distributed. They are promoted as Flash Players, chess games, Ask.FM trackers, keygens, cracks, etc. The installer file includes lots of bundled programs, but for unknown reasons, nothing is installed when I click through the installer. Did you also see this behaviour, or did it install the bundled programs on your machine? The anti-virus programs have improved their detection rates somewhat for the WilmaOnline files:

  • 18/54 – FlashPlayersetup__2570_i1300328638_il1783.exe
  • 15/52 – Chess Titans setup__6670_il4710.exe
  • 15/55 – Ask Fm Tracker 2014 Downloader__3687_i1301881522_il2700510.exe
  • 14/55 – Keygen Installer__9167_il260.exe

Artur Kozak Publisher – Digital Signature Warning!

Lately I’ve been looking at the digital signatures on those files that push various types of unwanted programs. This morning I found a new file in the FreeFixer database called digital-photo-2013-11-nov.pdf.exe, digitally signed by Artur Kozak.

You can see who the signer is when double-clicking on an executable file. Artur Kozak appears in the publisher field in the dialog that pops up. You can also see the Artur Kozak certificate under the digital signature tab.
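The same publisher check can be scripted instead of read off the dialog. The following PowerShell is an added example, not code from the original posts: it reads a file's Authenticode signer and flags a mismatch with the product the file claims to be, plus document-style names such as `.pdf.exe`. The function name `Test-InstallerPublisher` and the product-to-publisher map are assumptions made for illustration.

```powershell
# Added example: compare an installer's Authenticode signer with the publisher
# its name claims. The product-to-publisher map is an assumption; extend it.
$ExpectedPublisher = @{
    'flash\s*player' = 'Adobe'   # the posts note Adobe is the Flash Player publisher
}

function Test-InstallerPublisher {
    param([Parameter(Mandatory)][string]$Path)

    $file = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName

    # Publisher name as shown in the launch prompt and the Digital Signatures tab.
    $signer = if ($sig.SignerCertificate) {
        $sig.SignerCertificate.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    } else { $null }

    $findings = @()
    # A 'Valid' status only proves who signed the file, not that the signer is
    # the vendor the file name suggests, so this is just the first check.
    if ($sig.Status -ne 'Valid') {
        $findings += "Signature status is $($sig.Status)"
    }

    # Names such as digital-photo-2013-11-nov.pdf.exe look like documents
    # when Explorer hides known file extensions.
    if ($file.Name -match '\.(pdf|docx?|xlsx?|jpe?g|png|txt|zip)\.(exe|scr|com|msi)$') {
        $findings += 'Document-style name with an executable extension'
    }

    # What the file claims to be: file name plus version-resource strings.
    $claimed = "$($file.Name) $($file.VersionInfo.ProductName) $($file.VersionInfo.FileDescription)"
    foreach ($pattern in $ExpectedPublisher.Keys) {
        $expected = $ExpectedPublisher[$pattern]
        if ($claimed -match $pattern -and "$signer" -notmatch [regex]::Escape($expected)) {
            $findings += "Matches '$pattern' but signer is '$signer', expected '$expected'"
        }
    }

    [pscustomobject]@{ File = $file.Name; Signer = $signer; Status = $sig.Status; Findings = $findings }
}

# Usage (folder is a placeholder): list only the files with findings.
# Get-ChildItem "$env:USERPROFILE\Downloads" -Filter *.exe |
#     ForEach-Object { Test-InstallerPublisher $_.FullName } | Where-Object { $_.Findings }
```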

So, why am I warning you about the Artur Kozak file? Check out what the anti-virus programs report about the file:

TSULoader, InstalleRex, Win32.Adload and Adware.Downware are some of the detection names reported by the anti-virus scanners.

Hope this helped you avoid getting some unwanted programs on your machine.

Where did you find the Artur Kozak file? What was the file called?

Boris Burkin Publisher – WARNING

Just a short post before I call it a day. I found yet another file that bundled a bunch of unwanted programs, and the file was signed by Boris Burkin. Typically you’d see the Boris Burkin publisher name appear when double-clicking on the file:

Boris Burkin Publisher

You will also see Boris Burkin appear if you check the file’s digital signature.

Boris Burkin Digital Certificate

Boris Burkin, kyiv, kyivska

If you are considering running the Boris Burkin signed file, I’ll advise you not to. Delete it instead. Just check out the detection list from some of the anti-virus programs:

The anti-virus programs call the file Trojan.AntiFW, InstalleRex, Adware.Downware, Win32.InfoLeak, Downloader.AdLoad, etc.

Did you also find a file digitally signed by Boris Burkin? Where did you find it and are the anti-virus programs detecting it? Please share in the comments below.