Tag Archives: Downware

Broken Spoke Digital – 28% Detection Rate – DownloadAdmin / Downware

Hi there! Just a short post on a publisher called Broken Spoke Digital. You may see Broken Spoke Digital appear as the publisher when double-clicking on the installer_jdownloader_English.exe file.

Broken Spoke Digital UAC dialog

Information about the digital signature and the certificate can also be found under the Digital Signatures tab. According to the certificate we can see that Broken Spoke Digital is located in San Francisco in the US and that the certificate is issued by Go Daddy Secure Certificate Authority – G2.

Broken Spoke Digital certificate

When I uploaded the Broken Spoke Digital file to VirusTotal, it came up with a 28% detection rate. The file is detected as Riskware.Agent! by Agnitum, PUP/Win32.Downware by AhnLab-V3, Trojan/Win32.TSGeneric by Antiy-AVL, DownloadAdmin (fs) by AVware, Win.Adware.Downloadadmin by ClamAV, W32/S-92ce39bf!Eldorado by F-Prot, PUP.Optional.DownloadAdmin by Malwarebytes and DownloadAdmin (fs) by VIPRE.

Broken Spoke Digital virustotal

Did you also find a Broken Spoke Digital file? Do you remember where you downloaded it?

Thanks for reading.

SVAN TRANS LLC – 25% Detection Rate

Hi there! Just wanted to give you the heads-up on a suspicious file I found right now before having my lunch. The file is named FlashPlayer__6741_i1404957756_il13.exe and is digitally signed by SVAN TRANS LLC.

SVAN TRANS LLC publisher

You can also see the SVAN TRANS LLC certificate by looking under the Digital Signature tab on the file’s properties. According to the certificate, SVAN TRANS LLC is located in Kiev, Ukraine.

SVAN TRANS LLC certificate

The issue is that FlashPlayer__6741_i1404957756_il13.exe is not an official Flash Player download. If it was, it would be digitally signed by Adobe Systems Incorporated, and not by some unknown company from Ukraine.

25% of the scanners detected the file. The FlashPlayer__6741_i1404957756_il13.exe file is detected as PUA.Amonetize! by Agnitum, Gen:Variant.Application.Jaik by F-Secure and PUP.Optional.Amonetize by Malwarebytes. Thanks to VirusTotal for the scan report.

svan trans llc virustotal

Since some of the anti-virus programs detected the SVAN TRANS LLC file, I got curious and decided to test it to see what it installed. After stepping through the installer, Salus Net Protector, RocketTab and My Start Search were disclosed.

SVAN TRANS Salus, SVAN TRANS RocketTab

Did you also find an SVAN TRANS LLC file? Do you remember the download link? Please post it in the comments below and I’ll upload it to VirusTotal to see if that one is also detected.

Thanks for reading.

Shetef Solutions & Consulting (1998) Ltd. – 25% Detection Rate

Good evening! Lately I’ve been looking at the digital signatures on those files that push various types of unwanted programs. Right now I found a new file called FlashPlayer__6741_i1387048386_il2537.exe, digitally signed by Shetef Solutions & Consulting (1998) Ltd.

Shetef Solutions Consulting 1998 Ltd Publisher

You can also look at the Shetef Solutions & Consulting (1998) Ltd. certificate and digital signature by looking under the Digital Signatures tab on the file’s properties. According to the certificate, Shetef Solutions & Consulting (1998) Ltd. is located in Rannana, Israel. The certificate appears to be relatively new. Its validity began on the 13th of October.

Shetef Solutions certificate, Rannana, Israel

The issue here is that if FlashPlayer__6741_i1387048386_il2537.exe really was an installer file for Flash Player, it should have been digitally signed by Adobe Systems Incorporated and not by some unknown company. This looks suspicious.

The VirusTotal report shows that the Shetef Solutions & Consulting (1998) Ltd. file should be avoided, since FlashPlayer__6741_i1387048386_il2537.exe is detected as Adware.Downware.8876 by DrWeb, Gen:Variant.Graftor.161610 by F-Secure and PUP.Optional.Amonetize by Malwarebytes.

Shetef Solutions & Consulting (1998) Ltd. virustotal report

Since the download was detected I decided to give it a try to see what it installed. During my test I could see Wajam, Salus – Net Protector and My Start Search install on my lab machine.

Did you also find a file digitally signed by Shetef Solutions & Consulting (1998) Ltd.? What kind of download was it and where did you find it?

Thanks for reading.

DOZ-DEKORUM LLC – 17% Detection Rate at VirusTotal

Hello! Just a quick post today, since I’m busy working on the next release of FreeFixer. Did you see a file, such as FlashPlayer_6741_i1375671586_il280.exe, on your system signed by DOZ-DEKORUM LLC? Then read on.

Typically you’d see the DOZ-DEKORUM LLC publisher name appear when double-clicking on the FlashPlayer_6741_i1375671586_il280.exe file:

DOZ-DEKORUM LLC publisher

It’s possible to view additional information about the embedded certificate by right-clicking on the file, choosing Properties and then clicking on the Digital Signatures tab. According to the certificate we can see that DOZ-DEKORUM LLC is located in Kiev in Ukraine and that the certificate is issued by Thawte Code Signing CA – G2.

DOZ-DEKORUM LLC certificate

The problem here is that if FlashPlayer_6741_i1375671586_il280.exe really was an installer file for Flash Player, it should have been signed by Adobe Inc. and not by some unknown company. I think this looks suspicious.
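The same publisher check can be scripted instead of clicking through the Digital Signatures tab. The following is an added example, not code from the original posts: it reads each executable's Authenticode signer and flags files whose name claims Flash Player but whose signer is someone else. The `$ExpectedPublishers` mapping, the `-Path` default and the verdict strings are assumptions made for illustration.

```powershell
# Added example: compare the Authenticode signer of downloaded installers
# with the publisher that the file name implies.
param(
    [string]$Path = "$env:USERPROFILE\Downloads"   # assumed folder to scan
)

# Assumed, hand-maintained mapping: file-name pattern -> expected publisher.
$ExpectedPublishers = @{
    '^FlashPlayer' = 'Adobe Systems Incorporated'
}

Get-ChildItem -Path $Path -Filter *.exe -File | ForEach-Object {
    $file = $_
    $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
    $cert = $sig.SignerCertificate

    foreach ($pattern in $ExpectedPublishers.Keys) {
        if ($file.Name -notmatch $pattern) { continue }
        $expected = $ExpectedPublishers[$pattern]

        # SimpleName is the display name of the subject (signer) or issuer.
        $signer = $null
        $issuer = $null
        if ($cert) {
            $signer = $cert.GetNameInfo('SimpleName', $false)
            $issuer = $cert.GetNameInfo('SimpleName', $true)
        }

        if (-not $cert)                  { $verdict = 'Unsigned' }
        elseif ($sig.Status -ne 'Valid') { $verdict = "Signature not valid: $($sig.Status)" }
        elseif ($signer -ne $expected)   { $verdict = 'Publisher mismatch' }
        else                             { $verdict = 'OK' }

        # Subject carries the location fields shown in the certificate dialog;
        # NotBefore shows how recently the certificate became valid.
        [pscustomobject]@{
            File      = $file.Name
            Verdict   = $verdict
            Signer    = $signer
            Expected  = $expected
            Issuer    = $issuer
            Subject   = if ($cert) { $cert.Subject } else { $null }
            ValidFrom = if ($cert) { $cert.NotBefore } else { $null }
        }
    }
}
```

A validly signed file still gets the `Publisher mismatch` verdict when the signer differs from the expected name, which is the situation described for the FlashPlayer files in these posts.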

So, what do the anti-virus programs say about the DOZ-DEKORUM LLC file? No problem, I just uploaded the file to VirusTotal and it turned out that some (17%) of the anti-virus programs detect the DOZ-DEKORUM LLC file, with names such as Generic.AF5, Adware.Downware.8818 and PUP.Optional.Amonetize.

DOZ-DEKORUM LLC virustotal report

Since some of the anti-virus programs detected the DOZ-DEKORUM LLC file, I got curious and decided to test it to see what it installed. After stepping through the installer, RegClean Pro and Wajam appeared on my computer. Did you also find a file digitally signed by DOZ-DEKORUM LLC? What kind of download was it and where did you find it?

Thanks for reading.