Tag Archives: Israel

Install Path Ltd – 25% Detection Rate – Strictor, Amonetize

Hi there! Sorry for the silence over the last few days. I’ve been having a few days off. Anyway, I’m back on the blog again.

Did you just download something to your system digitally signed by Install Path Ltd? Then read on.

Install Path LTD comodo

By examining the embedded certificate, we can see that Install Path Ltd is located in Israel. The certificate is issued by COMODO RSA Code Signing CA. The certificate appears to be quite new.

Install Path Ltd certificate

So, why did I put up this blog post? Well, the thing is that the Install Path Ltd file is detected by many of the scanners, according to VirusTotal. Avast detects Setup__6741_i1454683454_il235.exe as Win32:Rootkit-gen [Rtk], AVG calls it InstallPath.7F5 , Avira detects it as ADWARE/Adware.Gen2, BitDefender calls it Gen:Variant.Adware.Strictor.75886, ESET-NOD32 classifies it as a variant of Win32/Amonetize.CX, Malwarebytes classifies it as PUP.Optional.Bundle and Panda calls it PUP/MultiToolbar.A.

Install Path Ltd virustotal

Did you also find an Install Path Ltd? Do you remember the download link? Please post it in the comments below and I’ll upload it to VirusTotal to see if that one is also detected.

Thank you for reading.

Update 2015-03-03: Found another Install Path file. The detection was almost the same: 28%.

Dove Source (Fried Cooke Ltd.) – 4% Detection Rate – InstallCore

Hello readers! Short on time today this weekend, but I just wanted to give you the heads up on a publisher called Dove Source (Fried Cooke Ltd.). The signed file was named Skype_Setup.exe.

Dove Source Fried Cooke LTD cert


The certificate is rather new. It is valid from the 5th of January 2015. According to the cert, the company is located in Tel Aviv, Israel.

The problem here is that if Skype_Setup.exe really was an installer for Skype, it should be digitally signed by Skype Software Sarl and not by some unknown company. Here’s how the authentic Skype installer looks when you double-click on it. Notice that the “Verified publisher” says “Skype Software Sarl”.

Skype Software Sarl publisher

The issue with the Dove Source (Fried Cooke Ltd.) file, in addition to using Skype’s name, is that it is detected by a few of the anti-malware scanners. Here are some of the detection names: ADWARE/InstallCore.Gen9 and a variant of Win32/InstallCore.UN.

Dove Source (Fried Cooke Ltd.) virustotal

Did you also find a Dove Source (Fried Cooke Ltd.) file? What kind of download was it?

Thanks for reading.

Dove Delivery (Fried Cookie Ltd.) – 11% Detection Rate – InstallCore

Hi there! Was looking for some downloads to play around with and found one, signed by Dove Delivery (Fried Cookie Ltd.). The file is named FlvPlayerSetup.exe.

You can look at the Dove Delivery (Fried Cookie Ltd.) certificate and digital signature by looking under the Digital Signatures tab on the file’s properties. According to the certificate, Dove Delivery (Fried Cookie Ltd.) is located in Tel Aviv in Israel.

Dove Delivery Fried Cookie Ltd

So, why did I put up this blog post? Well, the thing is that the Dove Delivery (Fried Cookie Ltd.) file is detected by some of the anti-virus scanners, according to VirusTotal. Avira reports FlvPlayerSetup.exe as ADWARE/InstallCore.Gen, DrWeb reports Trojan.Packed.29923, ESET-NOD32 detects it as a variant of Win32/InstallCore.UQ and VIPRE reports InstallCore (fs).

Dove Delivery (Fried Cookie Ltd.) virustotal

Did you also find a Dove Delivery (Fried Cookie Ltd.) file? What kind of download was it? If you remember the download link, please post it in the comments below.

Hope this blog post helped you avoid some unwanted software on your machine.

Thank you for reading.

Alpha Apps (Fried Cookie Ltd.) – 14% Detection Rate – InstallCore

Hi there! Just wanted to give you the heads up on a file called Skype_Setup.exe that’s digitally signed by Alpha Apps (Fried Cookie Ltd.).

Here’s how Alpha Apps (Fried Cookie Ltd.) appears in the UAC dialog when running Skype_Setup.exe as admin:

Alpha Apps Fried Cookie LTD

The Alpha Apps (Fried Cookie Ltd.) certificate shows that the publisher is located in Tel-Aviv, Israel.

Alpha Apps certificate

What caught my attention was that the download was called Skype_Setup.exe. This might look like an official Skype download, but it is not. If it was an official download, it would be digitally signed by Skype Software Sarl. Here’s how the authentic Skype installer looks when you double-click on it. Notice that the “Verified publisher” says “Skype Software Sarl”.

Skype Software Sarl publisher
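The check made by eye in this post and in the Dove Source post above (does the signer match the product the file name promises, how new is the certificate, who issued it) can be scripted. The PowerShell below is an added example and not code from this blog; it uses the built-in Get-AuthenticodeSignature and Get-FileHash cmdlets. The function name Test-DownloadedInstaller, the $ExpectedPublishers table (only the Skype entry comes from the posts) and the 90-day “new certificate” threshold are my own assumptions.

```powershell
# Added example (not from the blog): triage a downloaded installer's Authenticode
# signature the way the posts do by hand, then print the SHA256 for a VirusTotal lookup.
# Requires Windows PowerShell 5.1 or PowerShell 7 on Windows.

# File names paired with the publisher that should be signing them.
# Only the Skype entry comes from the posts; the rest of the table is up to you.
$ExpectedPublishers = @{
    'Skype_Setup.exe' = 'Skype Software Sarl'
}

# Certificates issued less than this many days ago get flagged (assumed threshold).
$NewCertDays = 90

function Get-SignerCN {
    param([string]$DistinguishedName)
    # Pull the CN= value out of an X.500 name such as "CN=Foo, O=Bar, C=IL".
    if ($DistinguishedName -match '(?:^|,\s*)CN=(?<cn>[^,]+)') { return $Matches['cn'].Trim() }
    return $DistinguishedName
}

function Test-DownloadedInstaller {
    param([Parameter(Mandatory)][string]$Path)

    $file     = Get-Item -LiteralPath $Path
    $sig      = Get-AuthenticodeSignature -FilePath $file.FullName
    $hash     = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
    $findings = New-Object System.Collections.Generic.List[string]

    # Anything other than 'Valid' (NotSigned, HashMismatch, UnknownError, ...) is a finding.
    if ($sig.Status -ne 'Valid') {
        $findings.Add("Signature status is '$($sig.Status)', not a valid Authenticode signature")
    }

    $signerCN  = $null
    $issuerCN  = $null
    $notBefore = $null
    if ($sig.SignerCertificate) {
        $cert      = $sig.SignerCertificate
        $signerCN  = Get-SignerCN $cert.Subject
        $issuerCN  = Get-SignerCN $cert.Issuer
        $notBefore = $cert.NotBefore
        # The posts treat a freshly issued certificate as a warning sign.
        $ageDays = [int]((Get-Date) - $cert.NotBefore).TotalDays
        if ($ageDays -lt $NewCertDays) {
            $findings.Add("Signing certificate is only $ageDays days old (valid from $($cert.NotBefore.ToShortDateString()))")
        }
    }

    # Does the signer match the product the file name promises?
    $expected = $ExpectedPublishers[$file.Name]
    if ($expected -and $signerCN -ne $expected) {
        $findings.Add("File is named like a '$expected' download but is signed by '$signerCN'")
    }

    [pscustomobject]@{
        File      = $file.Name
        Status    = $sig.Status
        Signer    = $signerCN
        Issuer    = $issuerCN
        NotBefore = $notBefore
        SHA256    = $hash      # search this hash on virustotal.com to see detections
        Findings  = $findings
    }
}

# Usage: Test-DownloadedInstaller -Path "$env:USERPROFILE\Downloads\Skype_Setup.exe"
```

A file named Skype_Setup.exe signed by anyone other than Skype Software Sarl shows up in Findings, as does a signer certificate that was only issued a few weeks ago, which is what the certificate screenshots in these posts keep showing. The SHA256 lets you look the file up on VirusTotal without uploading it again if someone else already has.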

The problem with the Alpha Apps (Fried Cookie Ltd.) file is that it is detected by some of the antimalware scanners. Here are some of the detection names: Trojan.InstallCore.39, a variant of Win32/InstallCore.SX, Unwanted-Program ( 004b2d871 ) and InstallCore (fs).

alpha apps virustotal

Did you also find an Alpha Apps (Fried Cookie Ltd.) file?

Thanks for reading.

Tweaks App (Fried Cookie Ltd.) – 11% Detection Rate – InstallCore

Hi there! If you’ve been following me for the last year you know that I’ve been examining many software publishers that put a digital signature on their downloads. Today I found another publisher called Tweaks App (Fried Cookie Ltd.).

Tweaks App Fried Cookie Ltd. publisher

The certificate information can also be viewed from Windows Explorer. According to the certificate we can see that Tweaks App (Fried Cookie Ltd.) is located in Tel Aviv, Israel and that the certificate is issued by COMODO Code Signing CA 2.

Tweaks App Fried Cookie Ltd. cert

So, why did I put up this blog post? Well, the thing is that the Tweaks App (Fried Cookie Ltd.) file is detected by some of the anti-virus scanners, according to VirusTotal. AVG reports FlvPlayerSetup.exe as Generic.411, ESET-NOD32 detects it as a variant of Win32/InstallCore.SS and VIPRE calls it InstallCore (fs).

Tweaks apps virustotal

Did you also find a Tweaks App (Fried Cookie Ltd.) file? What kind of download was it? If you remember the download link, please post it in the comments below.

Hope this blog post helped you avoid some unwanted software on your machine.

Thanks for reading.

IMALI – N.I. MEDIA TD – Detection Rate: 1/54 – Legit or malware?

Hi there! Just a quick post this Friday evening. Did you see a file, such as setup.exe, on your system signed by IMALI – N.I. MEDIA TD? Then read on.

You can see who the signer is when double-clicking on an executable file. IMALI – N.I. MEDIA TD appears in the publisher field in the dialog that pops up.

IMALI - N.I. MEDIA TD publisher

It is also possible to check a digital signature by looking at a file’s properties. Here’s a screenshot of the IMALI – N.I. MEDIA TD certificate.

IMALI - N.I. MEDIA TD certificate

The detection rate is only 1/54, that is 2%. The setup.exe file is detected as suspected of Trojan.Downloader.gen.h by VBA32. What do you think, is it a false positive or should the other anti-virus programs detect it?

IMALI - N.I. MEDIA TD virustotal

Did you also find an IMALI – N.I. MEDIA TD file? Do you remember where you downloaded it?

Thank you for reading.

Update 2015-01-28: Found another file signed by IMALI – N.I. MEDIA TD. It’s called ESy1Avb1ax.exe and it is detected by 7 of the 57 anti-virus programs at VirusTotal:

IMALI - N.I. MEDIA TD virus total detections


Update 2015-02-16: Found another file, with a slightly different publisher name: “IMALI – N.I. MEDIA LTD”. The publisher is located in Ramat Gan, Israel according to the certificate. These are the detections (8/57):

  • Avira TR/Dldr.Agent.443648
  • AVware Trojan.Win32.Generic!BT
  • GData Win32.Trojan.Agent.W8AUB8
  • Ikarus Trojan-Downloader.Agent
  • Qihoo-360 HEUR/QVM10.1.Malware.Gen
  • Symantec Infostealer.Limitail
  • TrendMicro-HouseCall Suspicious_GEN.F47V0210
  • VIPRE Trojan.Win32.Generic!BT

IMALI – N.I. MEDIA LTD anti-virus report - 14% Detection Rate

One Floor App LTD – 27% Detection Rate – Widdit / FirstFloor / SimplyInstaller

Hello! Just wanted to give you the heads up on a file called 1Convert.exe that’s digitally signed by One Floor App LTD. You will also see One Floor App LTD listed as the verified publisher in the User Account Control dialog that pops up if you try to run the file:

One Floor App LTD

Information about a digital signature and the certificate can also be found under the Digital Signatures tab. The screenshot below shows the One Floor App LTD certificate. From the certificate info we can see that One Floor App LTD appears to be located in Bnei Brak in Israel.

One Floor App LTD cert

ESET-NOD32 classifies 1Convert.exe as a variant of Win32/Toolbar.Widdit.A, Kaspersky detects it as not-a-virus:WebToolbar.Win32.FirstFloor.a and Malwarebytes detects it as PUP.Optional.SimplyInstaller.

One Floor App LTD virustotal

Did you also find a download that was signed by One Floor App LTD? What kind of download was it and was it detected by the anti-virus software at VirusTotal? Please share by posting a comment.

Thanks for reading.

CoolMirage Ltd. – 28% Detection Rate – DefaultTab / OneClickDownloader / MultiToolbar

Hello! Here’s a short blog post from a foggy Stockholm. If you’ve been following me for the last year you know that I’ve been examining many software publishers that put a digital signature on their downloads. Today I found another publisher called CoolMirage Ltd. which appears to have been around for some time.

CoolMirage Ltd. publisher in the UAC dialog


The file is named in a way which can make some users think they are downloading a movie, rather than an executable file.

Typically you’d see the CoolMirage Ltd. publisher name appear when double-clicking on the downloaded file. Viewing the certificate information is also possible by looking under the Digital Signatures tab for the file. Here the certificate says that CoolMirage Ltd. is located in Tel Aviv, Israel.

The CoolMirage Ltd. certificate

The issue with the CoolMirage Ltd. file is that it is detected by many of the anti-malware scanners. Here are some of the detection names: Gen:Application.Bundler.DefaultTab.1, PUP.Optional.OneClickDownloader.A, Adware-SweetIM, PUP/MultiToolbar.A and CoolMirage.

CoolMirage Ltd. virustotal scan report

Did you also find a CoolMirage Ltd. file? Do you remember the download link? Please post it in the comments below and I’ll upload it to VirusTotal to see if that one is also detected.

Thanks for reading.

SITE ON SPOT Ltd – Detected by 20 of the 51 anti-virus programs

Just a short post on the SITE ON SPOT Ltd. publisher. I found a download called “FlvPlayer”, digitally signed by SITE ON SPOT Ltd., this morning. After uploading the file to VirusTotal, it is clear why it’s a good idea to be careful. 20 of the 54 anti-virus programs detect the SITE ON SPOT Ltd. file:

SITE ON SPOT Ltd virustotal

The SITE ON SPOT Ltd. publisher will appear when double-clicking on the file:

SITE ON SPOT Ltd publisher

The certificate information can also be viewed from Windows Explorer. The certificate shows that SITE ON SPOT is located in Tel Aviv, Israel.

SITE ON SPOT Ltd certificate

Did you also find a file signed by SITE ON SPOT Ltd.? What kind of download was it and where did you find it?

Update 2015-02-19: Found another file, signed by “Site on Spot Limited”. I guess it could be from the same publisher.