Tag Archives: Amonetize

NEW SOFT Inkorporeishn, TOV – 11% Detection Rate – Amonetize

November 24, 2015UncategorizedAmonetize, UkraineRoger Karlsson

Welcome! If you’ve been following me for the last year you know that I’ve been examining many software publishers that put a digital signature on their downloads. Today I found another publisher called NEW SOFT Inkorporeishn, TOV.

You can see who the signer is when double-clicking on an executable file. NEW SOFT Inkorporeishn, TOV appears in the publisher field in the dialog that pops up. It is also possible to check a digital signature by looking at a file’s properties. Here’s a screenshot of the NEW SOFT Inkorporeishn, TOV certificate.

So, why am I writing about the NEW SOFT Inkorporeishn, TOV file? Check out what the anti-malware software report about the file:

SUPERAntiSpyware reports PUP.Amonetize/Variant, Malwarebytes classifies it as PUP.Optional.Amonetize, Qihoo-360 calls it HEUR/QVM10.1.Malware.Gen and DrWeb reports Download Uc Browser V Handler Zip__15022_i1756037767_il542797.exe as Trojan.Amonetize.11110 are a few of the detection names for Download Uc Browser V Handler Zip__15022_i1756037767_il542797.exe.

Did you also find a NEW SOFT Inkorporeishn, TOV download? What kind of download was it?

Thanks for reading.

LLC “TRUKONF SOFT” – 33% Detection Rate – AdLoad / PUP.Optional.Amonetize

November 9, 2015digital signatureAmonetize, Donetsk, UkraineRoger Karlsson

Welcome! Just wanted to give you heads-up on suspicious file I found right now. The file is digitally signed by LLC “TRUKONF SOFT”.

This is how it looks when double-clicking on the file and LLC “TRUKONF SOFT” appears as the publisher. Viewing the certificate information is also possible by looking under the digital signature tab for the file. Here the certificate says that LLC “TRUKONF SOFT” is located in Ukraine.

The reason I’m writing this blog post is that the LLC “TRUKONF SOFT” file is detected by many of the antimalware progams at VirusTotal. VBA32 names it SScope.Trojan.Zbot.gen, Baidu-International detects the file as PUA.Win32.Amonetize.LI, Kaspersky calls it not-a-virus:Downloader.Win32.AdLoad.rppk, Sophos calls it Generic PUA JA (PUA), Panda reports PUP/Multitoolbar and Malwarebytes detects it as PUP.Optional.Amonetize.

Did you also find a LLC “TRUKONF SOFT” file?

Thank you for reading.

LLC DE PROEKT – 39% Detection Rate – Amonetize / Strictor / PUP.Optional.Bundle

July 26, 2015digital signatureAmonetize, bitcoin miner, Comodo, fake flash software, Strictor, Ukraine, UserTrustRoger Karlsson

Hi there! Short on time this evening, but I just wanted to give you the heads up on a publisher called LLC DE PROEKT.

If you have a LLC DE PROEKT file on your machine you may have noticed that LLC DE PROEKT is displayed as the publisher in the UAC dialog when double-clicking on the file. The certificate is issued by COMODO RSA Code Signing CA. The publisher is located in the Ukraine.

The problem here is that if FlashPlayer__6741_i1561835113_il7532.exe really was a setup file for Adobe Flash Player, it should have been digitally signed by Adobe Systems Incorporated and not by some unknown company. This looks suspicious. Here’s how the authentic Adobe Flash Player looks like when you double click on it. Notice that the “Verified publisher” says “Adobe Systems Incorporated”.

The issue with the LLC DE PROEKT file is that it is detected by many of the antimalware software. Here are some of the detection names: Trojan.Application.Strictor.D164B3, BundleApp.IVU, W32.HfsAdware.B493, Gen:Variant.Application.Strictor, PUP.Optional.Bundle and Amonetize (fs).

Did you also find a download that was digitally signed by LLC DE PROEKT? What kind of download was it and was it detected by the anti-viruses at VirusTotal? Please share by posting a comment.

Thanks for reading.

Update 2015-08-18: Found another download today, also signed by LLC DE PROEKT and also using “Flash” in the filename to confuse users. The detection rate for this file was 25% according to VirusTotal:

When I ran the installer it disclosed that it bundled a bitcoin miner or some other type of crypto currency miner:

Just a quick update on the certificate chain. It begins with UserTrust, then Comodo and then LLC DE PROEKT:

LLC BK UKRBUDMONTAZH – 11% Anti-Virus Detection – Amonetize

April 9, 2015digital signatureAmonetize, Kiev, UkraineRoger Karlsson

Welcome! Short on time today, but I just wanted to give you the heads up on a publisher called LLC BK UKRBUDMONTAZH.

If you have a LLC BK UKRBUDMONTAZH file on your machine you may have noticed that LLC BK UKRBUDMONTAZH is displayed as the publisher in the UAC dialog when double-clicking on the file. The certificate information can also be viewed from Windows Explorer. According to the certificate we can see that LLC BK UKRBUDMONTAZH seems to be located in Ukraine and that the certificate is issued by COMODO RSA Code Signing CA.

When I uploaded the LLC BK UKRBUDMONTAZH file to VirusTotal, it came up with a 11% detection rate. The file is detected as Trojan/Win32.TGeneric by Antiy-AVL, Amonetize (fs) by AVware, Trojan.Amonetize.2350 by DrWeb, a variant of Win32/Amonetize.EF potentially unwanted by ESET-NOD32 and Amonetize (fs) by VIPRE.

Since you probably came here after finding a download that was digitally signed by LLC BK UKRBUDMONTAZH, please share what kind of download it was and if it was detected by the anti-malwares at VirusTotal.

Thanks for reading.

Install Path Ltd – 25% Detection Rate – Strictor, Amonetize

January 26, 2015digital signatureAmonetize, InstallPath, Israel, StrictorRoger Karlsson

Hi there! Sorry for the silence for the last days. I’ve been having a few days off. Anyway, I’m back on the blog again.

Did you just download something to your system digitally signed by Install Path Ltd? Then read on..

By examining the embedded certificate, we can see that Install Path Ltd is located in Israel. The certificate is issued by COMODO RSA Code Signing CA. The certificate appears to be quite new.

So, why did I put up this blog post? Well, the thing is that the Install Path Ltd file is detected by many of the scanners, according to VirusTotal. Avast detects Setup__6741_i1454683454_il235.exe as Win32:Rootkit-gen [Rtk], AVG calls it InstallPath.7F5 , Avira detects it as ADWARE/Adware.Gen2, BitDefender calls it Gen:Variant.Adware.Strictor.75886, ESET-NOD32 classifies it as a variant of Win32/Amonetize.CX, Malwarebytes classifies it as PUP.Optional.Bundle and Panda calls it PUP/MultiToolbar.A.

Did you also find an Install Path Ltd? Do you remember the download link? Please post it in the comments below and I’ll upload it to VirusTotal to see if that one is also detected.

Thank you for reading.

Update 2015-03-03: Found another Install Path file. The detection was almost the same: 28%.

SVAN TRANS LLC – 25% Detection Rate

November 14, 2014digital signatureAmonetize, Downware, JaikRoger Karlsson

Hi there! Just wanted to give you the heads-up on suspicious file I found right now before having my lunch. The file is named FlashPlayer__6741_i1404957756_il13.exe and digitally signed by SVAN TRANS LLC.

You can also see the SVAN TRANS LLC certificate by looking under the Digital Signature tab on the file’s properties. According to the certificate, SVAN TRANS LLC is located in Kiev, Ukraine.

The issue is that FlashPlayer__6741_i1404957756_il13.exe is not an official Flash Player download. If it was, it would be digitally signed by Adobe Systems Incorporated, and not by some unknown company from Ukraine.

25% of the scanners detected the file. The FlashPlayer__6741_i1404957756_il13.exe file is detected as PUA.Amonetize! by Agnitum, Gen:Variant.Application.Jaik by F-Secure and PUP.Optional.Amonetize by Malwarebytes. Thanks to VirusTotal for the scan report.

Since some of the anti-virus programs detected the SVAN TRANS LLC file, I got curious and decided to test it to see what it installed. After stepping though the installer, Salus Net Protector, RocketTab and My Start Search were disclosed.

Did you also find an SVAN TRANS LLC? Do you remember the download link? Please post it in the comments below and I’ll upload it to VirusTotal to see if that one is also detected.

Thanks for reading.

Shetef Solutions & Consulting (1998) Ltd. – 25% Detection Rate

October 27, 2014digital signatureAmonetize, Downware, GraftorRoger Karlsson

Good evening! Lately I’ve been looking on the digital signatures on those files that push various types of unwanted programs. Right now I found a new file called FlashPlayer__6741_i1387048386_il2537.exe, digitally signed by Shetef Solutions & Consulting (1998) Ltd..

You can also look at the Shetef Solutions & Consulting (1998) Ltd. certificate and digital signature by looking under the Digital Signatures tab on the file’s properties. According to the certificate, Shetef Solutions & Consulting (1998) Ltd. is located in Rannana, Israel. The certificate appears to relatively new. Its validity began on the 13th of October.

The issue here is that if FlashPlayer__6741_i1387048386_il2537.exe really was an installer file for Flash Player, it should have been digitally signed by Adobe System Incorporated and not by some unknown company. This looks suspicious.

The VirusTotal report shows that the Shetef Solutions & Consulting (1998) Ltd. file should be avoided, since FlashPlayer__6741_i1387048386_il2537.exe is detected as Adware.Downware.8876 by DrWeb, Gen:Variant.Graftor.161610 by F-Secure and PUP.Optional.Amonetize by Malwarebytes.

Since the download was detected I decided to give it a try to see what it installed. During my test I could see Wajam, Salus – Net Protector and My Start Search install on my lab machine.

Did you also find a file digitally signed by Shetef Solutions & Consulting (1998) Ltd.? What kind of download was it and where did you find it?

Thanks for reading.

DOZ-DEKORUM LLC – 17% Detection Rate at VirusTotal

October 17, 2014digital signatureAmonetize, DownwareRoger Karlsson

Hello! Just a quick post today, since I’m busy working with the next release of FreeFixer. Did you see a file, such as FlashPlayer_6741_i1375671586_il280.exe, on your system signed by DOZ-DEKORUM LLC? Then read on..

Typically you’d see the DOZ-DEKORUM LLC publisher name appear when double-clicking on the FlashPlayer_6741_i1375671586_il280.exe file:

It’s possible to view additional information about the embedded certificate by right-clicking on the file, choosing properties and then clicking on the Digital Signatures tab. According to the certificate we can see that DOZ-DEKORUM LLC is located in Kiev in Ukraine and that the certificate is issued by Thawte Code Signing CA – G2.

The problem here is that if FlashPlayer_6741_i1375671586_il280.exe really was an installer file for Flash Player, it should have been signed by Adobe Inc. and not by some unknown company. I think this looks suspicious.

So, what does the anti-virus programs say about the DOZ-DEKORUM LLC file? No problem, I just uploaded the file to VirusTotal and it turned out that some (17%) of the anti-virus programs detects the DOZ-DEKORUM LLC file, with names such as Generic.AF5, Adware.Downware.8818 and PUP.Optional.Amonetize.

Since some of the anti-virus programs detected the DOZ-DEKORUM LLC file, I got curious and decided to test it to see what it installed. After stepping though the installer, RegClean Pro and Wajam appeared on my computer. Did you also find a file digitally signed by DOZ-DEKORUM LLC? What kind of download was it and where did you find it?

Thanks for reading.

KOMPANIYA КRЕАТА LLC – Detected by 16 anti-virus scanners

July 12, 2014digital signatureAmonetiz, AmonetizeRoger Karlsson

Just wanted to give you the heads up on a publisher called KOMPANIYA КRЕАТА LLC. When I scanned the KOMPANIYA КRЕАТА LLC file, it was detected by 16 of the anti-virus scanners at VirusTotal. Many of the scanners detects it as Amonetiz or Amonetize.

Here’s how KOMPANIYA КRЕАТА LLC appears when running the downloaded file.

You can also view the KOMPANIYA КRЕАТА LLC certificate from the file’s properties. KOMPANIYA КRЕАТА appears to be a Ukrainian company.

Did you also find a file signed by KOMPANIYA КRЕАТА? Where did you find it and what kind of download was it?