Tag Archives: InstallCore

Max Source (After Download Ltd.) – 9% Detection Rate – InstallCore

Hello readers! Just a short post on a publisher called Max Source (After Download Ltd.) that I found while downloading “FileZilla” from SourceForge. Big thanks to Peter for letting me know about this download.

This is how Max Source (After Download Ltd.) appears when running the file:

Max Source After Download  Ltd in the User Account Control dialog

To get more details on the publisher, you can view the certificate by right-clicking on the file, and looking under the Digital Signatures tab. According to the certificate we can see that Max Source (After Download Ltd.) is located in Tel Aviv, Israel and that the certificate is issued by GlobalSign CodeSigning CA – G2.

Max Source After Download  Ltd certificate

It turns out that SourceForge.net has been into bundling for quite some time. Here’s a blog post dated July 2013 which describes the DevShare bundling program.

The reason I’m writing this blog post is that the Max Source (After Download Ltd.) file is detected by some of the anti-malware software at VirusTotal. Avira detects FileZilla_3.10.1.1_win32-setup.exe as Adware/InstallCore.765232, DrWeb classifies it as Trojan.InstallCore.52, ESET-NOD32 reports a variant of Win32/InstallCore.WI potentially unwanted, K7AntiVirus calls it Trojan ( 004b52261 ) and K7GW calls it Trojan ( 004b52261 ).

Max Source anti-virus report

Did you also find a file digitally signed by Max Source (After Download Ltd.)? Where did you find it and are the anti-virus programs detecting it? Please share in the comments below.

Here’s how the download screen looks for FileZilla at sourceforge.net. It hints that something will be bundled by saying “provide you some options during the installation process…”

sourceforge downloader

Thanks for reading.

Leading Funnel (Fried Cookie Ltd.) – 16% Detection Rate – InstallCore

Heya! I was playing around and testing some downloads last night and found a file digitally signed by Leading Funnel (Fried Cookie Ltd.).

Leading Funnel Fried Cookie Ltd certificate

To view more information about the certificate you can right-click on the file, then choose Properties and then select the Digital Signatures tab. According to the certificate we can see that Leading Funnel (Fried Cookie Ltd.) appears to be located in Tel Aviv and that the certificate is issued by GlobalSign CodeSigning CA – G2.

When I uploaded the file to VirusTotal – as I usually do when I find something that looks suspicious – 16% of the antivirus scanners detected the file. The file is detected as Application.Win32.FriedCookie.CIRK by Comodo, Trojan.InstallCore.53 by DrWeb, a variant of Win32/InstallCore.VM potentially unwanted by ESET-NOD32 and InstallCore (fs) by VIPRE.

Leading Funnel Fried Cookie Ltd. virustotal

Did you also find a Leading Funnel (Fried Cookie Ltd.) file? Do you remember where you downloaded it?

Thanks for reading.

World Setup (New Media Holdings Ltd.) – 11% Detection Rate – InstallCore

Hello readers! Just wanted to give you a heads-up on a suspicious file I found just now. The file is named ChromeSetup.exe and digitally signed by World Setup (New Media Holdings Ltd.).

It’s possible to view additional information about the certificate by right-clicking on the file, choosing Properties and then clicking on the Digital Signatures tab. According to the certificate we can see that World Setup (New Media Holdings Ltd.) appears to be located in Tel Aviv, Israel and that the certificate is issued by GlobalSign CodeSigning CA – G2.

World Setup (New Media Holdings Ltd.) certificate

The problem is that ChromeSetup.exe is not an official Google Chrome download. If it was, it would be digitally signed by Google Inc. Here’s how the authentic Google Chrome looks when you double-click on it. Notice that the “Verified publisher” says “Google Inc”.

Chrome Google Inc publisher

After uploading the World Setup (New Media Holdings Ltd.) file – ChromeSetup.exe – to VirusTotal, it was clear that it’s probably better to stay away from the file than to run it. The detection rate was 11% and some of the detection names were: ADWARE/InstallCore.Gen, Application.Win32.InstallCore.DR and InstallCore (fs).

Since you probably came here after finding a download that was digitally signed by World Setup (New Media Holdings Ltd.), please share what kind of download it was and if it was detected by the antimalware scanners at VirusTotal.

Thanks for reading.

Dove Source (Fried Cooke Ltd.) – 4% Detection Rate – InstallCore

Hello readers! Short on time this weekend, but I just wanted to give you the heads-up on a publisher called Dove Source (Fried Cooke Ltd.). The signed file was named Skype_Setup.exe.

Dove Source Fried Cooke LTD cert

The certificate is rather new. It is valid from the 5th of January 2015. According to the cert, the company is located in Tel Aviv, Israel.

The problem here is that if Skype_Setup.exe really was an installer for Skype, it should be digitally signed by Skype Software Sarl and not by some unknown company. Here’s how the authentic Skype looks when you double-click on it. Notice that the “Verified publisher” says “Skype Software Sarl”.

Skype Software Sarl publisher

The issue with the Dove Source (Fried Cooke Ltd.) file, in addition to using Skype’s name, is that it is detected by a few of the anti-malware scanners. Here are some of the detection names: ADWARE/InstallCore.Gen9 and a variant of Win32/InstallCore.UN.

Dove Source (Fried Cooke Ltd.) virustotal

Did you also find a Dove Source (Fried Cooke Ltd.) file? What kind of download was it?

Thanks for reading.

Dove Delivery (Fried Cookie Ltd.) – 11% Detection Rate – InstallCore

Hi there! Was looking for some downloads to play around with and found one, signed by Dove Delivery (Fried Cookie Ltd.). The file is named FlvPlayerSetup.exe.

You can look at the Dove Delivery (Fried Cookie Ltd.) certificate and digital signature by looking under the Digital Signatures tab in the file’s properties. According to the certificate, Dove Delivery (Fried Cookie Ltd.) is located in Tel Aviv in Israel.

Dove Delivery Fried Cookie Ltd

So, why did I put up this blog post? Well, the thing is that the Dove Delivery (Fried Cookie Ltd.) file is detected by some of the anti-virus scanners, according to VirusTotal. Avira reports FlvPlayerSetup.exe as ADWARE/InstallCore.Gen, DrWeb reports Trojan.Packed.29923, ESET-NOD32 detects it as a variant of Win32/InstallCore.UQ and VIPRE reports InstallCore (fs).

Dove Delivery (Fried Cookie Ltd.) virustotal

Did you also find a Dove Delivery (Fried Cookie Ltd.) file? What kind of download was it? If you remember the download link, please post it in the comments below.

Hope this blog post helped you avoid some unwanted software on your machine.

Thank you for reading.

Tweaks App (Fried Cookie Ltd.) – 11% Detection Rate – InstallCore

Hi there! If you’ve been following me for the last year you know that I’ve been examining many software publishers that put a digital signature on their downloads. Today I found another publisher called Tweaks App (Fried Cookie Ltd.).

Tweaks App Fried Cookie Ltd. publisher

The certificate information can also be viewed from Windows Explorer. According to the certificate we can see that Tweaks App (Fried Cookie Ltd.) is located in Tel Aviv, Israel and that the certificate is issued by COMODO Code Signing CA 2.

Tweaks App Fried Cookie Ltd. cert

So, why did I put up this blog post? Well, the thing is that the Tweaks App (Fried Cookie Ltd.) file is detected by some of the anti-virus scanners, according to VirusTotal. AVG reports FlvPlayerSetup.exe as Generic.411, ESET-NOD32 detects it as a variant of Win32/InstallCore.SS and VIPRE calls it InstallCore (fs).

Tweaks apps virustotal

Did you also find a Tweaks App (Fried Cookie Ltd.) file? What kind of download was it? If you remember the download link, please post it in the comments below.

Hope this blog post helped you avoid some unwanted software on your machine.

Thanks for reading.

Prompt Distribution – 7% Detection Rate – InstallCore

Hello readers! Just a note on a publisher called Prompt Distribution (Fried Cookie Ltd.). The Prompt Distribution (Fried Cookie Ltd.) download – Skype_Setup.exe – was detected when I uploaded it to VirusTotal. Did you also find a download by Prompt Distribution (Fried Cookie Ltd.)? Was it also detected when you uploaded it to VirusTotal?

By examining the certificate, we can see that Prompt Distribution (Fried Cookie Ltd.) is located in Tel Aviv in Israel. The certificate is issued by GlobalSign CodeSigning CA – G2.

Prompt Distribution Fried Cookie cert

What caught my attention was that the download was called Skype_Setup.exe. This might look like an official Skype download, but it is not. If it was an official download, it should have been signed by Skype Software Sarl.

These are the current VirusTotal detections for the file. Generic.48E, a variant of Win32/InstallCore.SC and InstallCore (fs) are a few of the detection names for the Skype_Setup.exe file.

Prompt Distribution - virustotal

Did you also find a file digitally signed by Prompt Distribution? What kind of download was it and where did you find it?

Thank you for reading.

OOO “Finans Servis” – 9% Detection Rate: InstallCore/CryptInno

Just wanted to give you the heads up on files digitally signed by OOO “Finans Servis”.

OOO Finans Servis publisher

The OOO “Finans Servis” certificate shows that the publisher is located in Moscow in Russia.

OOO Finans certificate

The problem here is that the OOO “Finans Servis” file was promoted as an update for Adobe’s Flash Player. If adobe_flash_setup.exe really was a setup file for Adobe Flash Player, it should be digitally signed by Adobe Systems Incorporated and not by some unknown company located in Moscow.

9% of the anti-malware scanners detected the file. PUP.Optional.InstallCore and BehavesLike.Win32.CryptInno.bc were two of the detection names. I think we will see the other anti-virus programs add this one to the detection list soon.

OOO Finans Servis virustotal

Since you probably came here after finding a file that was digitally signed by OOO Finans Servis, please share what kind of download it was and if it was detected by the anti-malware scanners at VirusTotal.

Thanks for reading.

Astro Delivery (Fried Cookie Ltd.) – 4% Detection Rate

Welcome! If you’ve been following me for the last year you know that I’ve been examining many software publishers that put a digital signature on their downloads. Today I found another publisher called Astro Delivery (Fried Cookie Ltd.).

Astro Delivery Fried Cookie Ltd. publisher

You can also check the digital signature under the file’s properties. According to the certificate we can see that Astro Delivery (Fried Cookie Ltd.) is located in Tel Aviv, Israel and that the certificate is issued by GlobalSign CodeSigning CA – G2. The certificate is pretty new: its validity period started yesterday, on the 21st of October.

Astro Delivery Fried Cookie Ltd certificate

One issue here, and this could perhaps be one of the reasons why a few anti-virus programs have chosen to detect the file, is that Skype_Setup.exe is not an official Skype download. If it was, it would be digitally signed by Skype Software Sarl.

The scan result from VirusTotal below shows that only 4% of the antivirus programs detect the Astro Delivery (Fried Cookie Ltd.) file. It is detected under names such as a variant of Win32/InstallCore.QH and Riskware.Win32.InstallCore.dfgoti. It will be interesting to see if other anti-virus scanners choose to follow ESET and NANO.

astro delivery fried cookie ltd virustotal report

Did you also find an Astro Delivery (Fried Cookie Ltd.) file?

Thanks for reading.

STMSetup – 18% Detection Rate by VirusTotal

Hello readers! Just found yet another interesting file, this time signed by STMSetup. The following screenshot shows the User Account Control dialog when running the STMSetup file:

STMSetup for Skype_Setup.exe

You can also view the certificate by right-clicking on the file and looking under the Digital Signatures tab. According to the embedded certificate we can see that STMSetup appears to be located in Tel Aviv in Israel and that the certificate is issued by COMODO Code Signing CA 2.

STMSetup certificate

What caught my attention was that the download was called Skype_Setup.exe. This might look like an official Skype download, but it is not. If it was an official download, it would be digitally signed by Skype Software Sarl. Here’s how the official Skype signature looks:

Skype Software Sarl
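The check repeated throughout these posts (ChromeSetup.exe should be signed by Google Inc, Skype_Setup.exe by Skype Software Sarl, adobe_flash_setup.exe by Adobe Systems Incorporated, and a certificate that only became valid a few days ago deserves a second look) can be scripted instead of clicking through the Digital Signatures tab for each file. The script below is an added example, not code from the blog; the file-name-to-publisher table is built from the publishers named in these posts, and the 30-day “new certificate” threshold is an arbitrary assumption.

```powershell
# Added example: report an installer's Authenticode signer and flag mismatches.
# Expected publishers are taken from the posts above; extend as needed.
$ExpectedPublisher = @{
    'ChromeSetup.exe'       = 'Google Inc'
    'Skype_Setup.exe'       = 'Skype Software Sarl'
    'adobe_flash_setup.exe' = 'Adobe Systems Incorporated'
}

function Test-InstallerSigner {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$NewCertDays = 30   # assumption: certs younger than this get a warning
    )
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $name = [System.IO.Path]::GetFileName($Path)
    $result = [ordered]@{
        File      = $name
        Sha256    = (Get-FileHash -Path $Path -Algorithm SHA256).Hash  # for a VirusTotal hash lookup
        Status    = $sig.Status
        Publisher = $null
        Issuer    = $null
        Warnings  = @()
    }

    if ($sig.Status -ne 'Valid') {
        $result.Warnings += "Signature status is $($sig.Status)"
    }
    if ($sig.SignerCertificate) {
        $cert = $sig.SignerCertificate
        # Subject CN is what the UAC dialog shows as "Verified publisher"
        $result.Publisher = $cert.GetNameInfo('SimpleName', $false)
        $result.Issuer    = $cert.GetNameInfo('SimpleName', $true)
        if (((Get-Date) - $cert.NotBefore).TotalDays -lt $NewCertDays) {
            $result.Warnings += "Certificate valid only since $($cert.NotBefore.ToShortDateString())"
        }
        if ($ExpectedPublisher.ContainsKey($name) -and
            $result.Publisher -notlike "*$($ExpectedPublisher[$name])*") {
            $result.Warnings += "File name suggests $($ExpectedPublisher[$name]) but signer is $($result.Publisher)"
        }
    } else {
        $result.Warnings += 'File is not signed'
    }
    [pscustomobject]$result
}

# Usage: check every executable in the Downloads folder and list those with warnings
Get-ChildItem "$env:USERPROFILE\Downloads\*.exe" |
    ForEach-Object { Test-InstallerSigner -Path $_.FullName } |
    Where-Object { $_.Warnings.Count -gt 0 } |
    Format-List
```

A valid signature from an unexpected publisher is exactly the case these posts describe, so a warning from the name check matters more than the Status field; the SHA-256 lets you look the file up on VirusTotal without uploading it.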

So, what does VirusTotal say about Skype_Setup.exe? BehavesLike.Win32.CryptInno.bc, Install Core Click run software and InstallCore (fs) are some detection names:

STMSetup virustotal report

Did you also find an STMSetup file?

Thanks for reading.