Tag Archives: Tel Aviv

Alpha Apps (Fried Cookie Ltd.) – 14% Detection Rate – InstallCore

Hi there! Just wanted to give you the heads up on a file called Skype_Setup.exe that’s digitally signed by Alpha Apps (Fried Cookie Ltd.).

Here’s how Alpha Apps (Fried Cookie Ltd.) appears in the UAC dialog when running Skype_Setup.exe as admin:

Alpha Apps Fried Cookie LTD

The Alpha Apps (Fried Cookie Ltd.) certificate shows that the publisher is located in Tel-Aviv, Israel.

Alpha Apps certificate

What caught my attention was that the download was called Skype_Setup.exe. This might look like an official Skype download, but it is not. If it was an official download, it would be digitally signed by Skype Software Sarl. Here’s what the authentic Skype looks like when you double-click on it. Notice that the “Verified publisher” says “Skype Software Sarl”.
Skype Software Sarl publisher
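
The same publisher comparison can be scripted instead of read off the UAC dialog. This is an added example, not code from the original post: the function name Test-ExpectedPublisher and the file path in the usage line are assumptions, and Get-AuthenticodeSignature is the standard PowerShell cmdlet.

```powershell
# Added example (not from the original post): compare a file's Authenticode
# signer with the publisher you expected to download from.
function Test-ExpectedPublisher {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string[]] $ExpectedPublisher
    )

    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $cert = $sig.SignerCertificate      # $null when the file is unsigned

    $publisher = $null
    $issuer    = $null
    $subject   = $null
    if ($cert) {
        $publisher = $cert.GetNameInfo($nameType, $false)  # signer's subject name
        $issuer    = $cert.GetNameInfo($nameType, $true)   # issuing CA
        $subject   = $cert.Subject                         # full subject, including city and country
    }

    # A valid signature only proves who signed the file. The file name
    # (for example Skype_Setup.exe) says nothing about the publisher.
    if ($sig.Status -ne 'Valid') {
        $verdict = 'NoValidSignature'
    } elseif ($ExpectedPublisher -contains $publisher) {
        $verdict = 'ExpectedPublisher'
    } else {
        $verdict = 'UnexpectedPublisher'
    }

    [pscustomobject]@{
        File      = $Path
        Status    = $sig.Status
        Publisher = $publisher
        Issuer    = $issuer
        Subject   = $subject
        Verdict   = $verdict
    }
}

# Usage (the path is a placeholder):
# Test-ExpectedPublisher -Path .\Skype_Setup.exe -ExpectedPublisher 'Skype Software Sarl'
```

A file like the one in this post would come back as UnexpectedPublisher: the signature is valid, but the signer is not the vendor the file name suggests.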

The problem with the Alpha Apps (Fried Cookie Ltd.) file is that it is detected by some of the antimalware scanners. Here are some of the detection names: Trojan.InstallCore.39, a variant of Win32/InstallCore.SX, Unwanted-Program ( 004b2d871 ) and InstallCore (fs).

alpha apps virustotal

Did you also find an Alpha Apps (Fried Cookie Ltd.) file?

Thanks for reading.

Tweaks App (Fried Cookie Ltd.) – 11% Detection Rate – InstallCore

Hi there! If you’ve been following me for the last year you know that I’ve been examining many software publishers that put a digital signature on their downloads. Today I found another publisher called Tweaks App (Fried Cookie Ltd.).

Tweaks App Fried Cookie Ltd. publisher

The certificate information can also be viewed from Windows Explorer. According to the certificate we can see that Tweaks App (Fried Cookie Ltd.) is located in Tel Aviv, Israel and that the certificate is issued by COMODO Code Signing CA 2.

Tweaks App Fried Cookie Ltd. cert

So, why did I put up this blog post? Well, the thing is that the Tweaks App (Fried Cookie Ltd.) file is detected by some of the anti-virus scanners, according to VirusTotal. AVG reports FlvPlayerSetup.exe as Generic.411, ESET-NOD32 detects it as a variant of Win32/InstallCore.SS and VIPRE calls it InstallCore (fs).

Tweaks apps virustotal

Did you also find a Tweaks App (Fried Cookie Ltd.) file? What kind of download was it? If you remember the download link, please post it in the comments below.

Hope this blog post helped you avoid some unwanted software on your machine.

Thanks for reading.

IMALI – N.I. MEDIA TD – Detection Rate: 1/54 – Legit or malware?

Hi there! Just a quick post this Friday evening. Did you see a file, such as setup.exe, on your system signed by IMALI – N.I. MEDIA TD? Then read on.

You can see who the signer is when double-clicking on an executable file. IMALI – N.I. MEDIA TD appears in the publisher field in the dialog that pops up.

IMALI - N.I. MEDIA TD publisher

It is also possible to check a digital signature by looking at a file’s properties. Here’s a screenshot of the IMALI – N.I. MEDIA TD certificate.

IMALI - N.I. MEDIA TD certificate

The detection rate is only 1/54, that is 2%. The setup.exe file is detected as suspected of Trojan.Downloader.gen.h by VBA32. What do you think, is it a false positive or should the other anti-virus programs detect it?

IMALI - N.I. MEDIA TD virustotal

Did you also find an IMALI – N.I. MEDIA TD file? Do you remember where you downloaded it?

Thank you for reading.

Update 2015-01-28: Found another file signed by IMALI – N.I. MEDIA TD. It’s called ESy1Avb1ax.exe and it is detected by 7 of the 57 anti-virus programs at VirusTotal:

IMALI - N.I. MEDIA TD virus total detections

Update 2015-02-16: Found another file, with a slightly different publisher name: “IMALI – N.I. MEDIA LTD”. The publisher is located in Ramat Gan, Israel according to the certificate. These are the detections (8/57):

  • Avira TR/Dldr.Agent.443648
  • AVware Trojan.Win32.Generic!BT
  • GData Win32.Trojan.Agent.W8AUB8
  • Ikarus Trojan-Downloader.Agent
  • Qihoo-360 HEUR/QVM10.1.Malware.Gen
  • Symantec Infostealer.Limitail
  • TrendMicro-HouseCall Suspicious_GEN.F47V0210
  • VIPRE Trojan.Win32.Generic!BT

IMALI – N.I. MEDIA LTD anti-virus report - 14% Detection Rate

CoolMirage Ltd. – 28% Detection Rate – DefaultTab / OneClickDownloader / MultiToolbar

Hello! Here’s a short blog post from a foggy Stockholm. If you’ve been following me for the last year you know that I’ve been examining many software publishers that put a digital signature on their downloads. Today I found another publisher called CoolMirage Ltd. which appears to have been around for some time.

CoolMirage Ltd. publisher in the UAC dialog

The file is named in a way which can make some users think they are downloading a movie, rather than an executable file.

Typically you’d see the CoolMirage Ltd. publisher name appear when double-clicking on the downloaded file. Viewing the certificate information is also possible by looking under the digital signature tab for the file. Here the certificate says that CoolMirage Ltd. is located in Tel Aviv, Israel.

The CoolMirage Ltd. certificate

The issue with the CoolMirage Ltd. file is that it is detected by many of the anti-malware scanners. Here are some of the detection names: Gen:Application.Bundler.DefaultTab.1, PUP.Optional.OneClickDownloader.A, Adware-SweetIM, PUP/MultiToolbar.A and CoolMirage.

CoolMirage Ltd. virustotal scan report

Did you also find a CoolMirage Ltd. file? Do you remember the download link? Please post it in the comments below and I’ll upload it to VirusTotal to see if that one is also detected.

Thanks for reading.

SITE ON SPOT Ltd – Detected by 20 of the 51 anti-virus programs

Just a short post on the SITE ON SPOT Ltd. publisher. I found a download called “FlvPlayer”, digitally signed by SITE ON SPOT Ltd. this morning. After uploading the file to VirusTotal, it is clear why it’s a good idea to be careful. 20 of the 54 anti-virus programs detect the SITE ON SPOT Ltd. file:

SITE ON SPOT Ltd virustotal

The SITE ON SPOT Ltd. publisher will appear when double-clicking on the file:

SITE ON SPOT Ltd publisher

The certificate information can also be viewed from Windows Explorer. The certificate shows that SITE ON SPOT is located in Tel Aviv, Israel.

SITE ON SPOT Ltd certificate

Did you also find a file signed by SITE ON SPOT Ltd.? What kind of download was it and where did you find it?

Update 2015-02-19: Found another file, signed by “Site on Spot Limited”. I guess it could be from the same publisher.