Tag Archives: Ukraine

Alekxandr Zabaro – 13% VirusTotal Detection Rate

Hi there! Just a quick post on a publisher called Alekxandr Zabaro that I found while running some tests for the upcoming FreeFixer release. The suspicious file is named Download.exe.

Alekxandr Zabaro file

It is also possible to check a digital signature by looking at a file’s properties. Here’s a screenshot of the Alekxandr Zabaro certificate.

Alekxandr Zabaro cert

After uploading the Alekxandr Zabaro file – Download.exe – to VirusTotal, it was clear that it’s probably better to delete the file than to run it. The detection rate was 13% and some of the detection names were: Win32:MultiPlug-AAE [PUP], a variant of Win32/Adware.MultiPlug.MO and Unwanted-Program ( 0040f9681 ).

Alekxandr Zabaro anti virus report

Did you also find an Alekxandr Zabaro file? Do you remember where you downloaded it?

Hope this blog post helped you avoid some unwanted software on your machine.

Thank you for reading.

SERGEY NIKITIN – Detected as MultiPlug, Graftor, Qudamah etc

Hello! Just a short post on a publisher called SERGEY NIKITIN. I just found a download named Download.exe that was digitally signed by this publisher, and it turns out that it is detected by some anti-virus programs.

SERGEY NIKITIN publisher

You can also look at the SERGEY NIKITIN certificate and digital signature by looking under the Digital Signatures tab on the file’s properties. According to the certificate, SERGEY NIKITIN is located in Zaporizhia, Zaporizhska in Ukraine.

SERGEY NIKITIN certificate

The VirusTotal report shows that the SERGEY NIKITIN file should be avoided, since Download.exe is detected as Gen:Variant.Adware.Graftor.198034 by BitDefender, PUP.Optional.MultiPlug by Malwarebytes, Suspicious.Cloud.5 by Symantec and Trojan.Win32.Qudamah.Gen.4 by Tencent.

SERGEY NIKITIN virus report

Did you also find a SERGEY NIKITIN file?

Thanks for reading.

Danil Vlasov – 40% Detection at VirusTotal

Hi there! Just a quick post on a file named Moborobo.exe signed by Danil Vlasov.

Danil Vlasov publisher

It is also possible to check a digital signature by looking at a file’s properties. Here’s a screenshot of the Danil Vlasov certificate.

Danil Vlasov certificate

The reason I’m writing this blog post is that the Danil Vlasov file is detected by many of the anti-malware programs at VirusTotal. Avira reports Moborobo.exe as TR/Crypt.XPACK.Gen, BitDefender detects it as Gen:Variant.Strictor.88461, Fortinet detects it as Riskware/Generic.AC.4386 and Sophos detects it as MultiPlug.

Danil Vlasov virustotal report

Did you also find a Danil Vlasov file?

Thank you for reading.

Kiril Semyakov – 46% Detection Rate – Adware.Agent.PQH / Win32:FakeDownload-F

Hello readers! Just a quick post today, since I’m busy working on the next release of FreeFixer. Did you see a file on your system digitally signed by Kiril Semyakov? Then read on.

Kiril Semyakov publisher

Windows will display Kiril Semyakov as the publisher when running the file. It is also possible to check a digital signature by looking at a file’s properties. Here’s a screenshot of the Kiril Semyakov certificate.

Kiril Semyakov cert

According to this, Kiril is located in Ukraine.

The reason I’m writing this blog post is that the Kiril Semyakov file is detected by many of the anti-malware programs at VirusTotal. Avast classifies the file as Win32:FakeDownload-F [PUP], F-Secure reports Adware.Agent.PQH, Ikarus detects it as PUA.Win32.InstalleRex, McAfee-GW-Edition detects it as MultiPlug-FYT and Sophos reports MultiPlug.

Kiril Semyakov anti-virus report

Did you also find a Kiril Semyakov file? What kind of download was it? If you remember the download link, please post it in the comments below.

Thank you for reading.

Arseniy Petrov – 39% Detection Rate – MultiPlug / InstalleRex / Qudamah

Hello readers! Sorry for the lack of posts during the last week. I’ve been having a few days off.

This morning I was playing around and testing some downloads when I found a file signed by Arseniy Petrov.

Arseniy Petrov publisher

Windows will display Arseniy Petrov as the publisher when running the file. It is also possible to check a digital signature by looking at a file’s properties. Here’s a screenshot of the Arseniy Petrov certificate.

Arseniy Petrov certificate

Arseniy Petrov is located in Ukraine according to the cert.

22 of the anti-virus scanners detected the file. Avira names Download Uc Browser V Handler Zip.exe as TR/Crypt.XPACK.Gen, BitDefender reports Gen:Variant.Adware.Mplug.45, Malwarebytes detects it as PUP.Optional.MultiPlug, Microsoft detects it as SoftwareBundler:Win32/InstalleRex, Sophos reports MultiPlug and Tencent reports Trojan.Win32.Qudamah.Gen.2.

Arseniy Petrov anti-virus report

Did you also find an Arseniy Petrov file? Do you remember where you downloaded it?

Thank you for reading.

Rodion Veresev – 33% Anti-Virus Detection Rate – MultiPlug

Hi there! Was looking for some downloads to play around with and found one, digitally signed by Rodion Veresev.

Rodion Veresev cert

You can see who the signer is when double-clicking on an executable file. Rodion Veresev appears in the publisher field in the dialog that pops up. According to the cert, he is located in Ukraine. The certificate is issued by Certum Code Signing CA.

The reason for posting about Rodion Veresev is that the file is detected by many of the anti-virus programs. Avira reports Download Uc Browser V Handler Zip.exe as TR/Crypt.XPACK.Gen, DrWeb calls it Trojan.Crossrider1.25958, Sophos detects it as MultiPlug and Tencent reports Trojan.Win32.Qudamah.Gen.6.

Rodion Veresev virus report

Did you also find a Rodion Veresev file? What kind of download was it?

Hope this blog post helped you avoid some unwanted software on your machine.

Thank you for reading.

LLC BK UKRBUDMONTAZH – 11% Anti-Virus Detection – Amonetize

Welcome! Short on time today, but I just wanted to give you the heads up on a publisher called LLC BK UKRBUDMONTAZH.

LLC BK UKRBUDMONTAZH publisher

If you have an LLC BK UKRBUDMONTAZH file on your machine you may have noticed that LLC BK UKRBUDMONTAZH is displayed as the publisher in the UAC dialog when double-clicking on the file. The certificate information can also be viewed from Windows Explorer. According to the certificate, LLC BK UKRBUDMONTAZH seems to be located in Ukraine and the certificate is issued by COMODO RSA Code Signing CA.

LLC BK UKRBUDMONTAZH cert

When I uploaded the LLC BK UKRBUDMONTAZH file to VirusTotal, it came up with an 11% detection rate. The file is detected as Trojan/Win32.TGeneric by Antiy-AVL, Amonetize (fs) by AVware, Trojan.Amonetize.2350 by DrWeb, a variant of Win32/Amonetize.EF potentially unwanted by ESET-NOD32 and Amonetize (fs) by VIPRE.

LLC BK UKRBUDMONTAZH virus report

Since you probably came here after finding a download that was digitally signed by LLC BK UKRBUDMONTAZH, please share what kind of download it was and if it was detected by the anti-malware programs at VirusTotal.

Thanks for reading.

LLC “HALKON PLYUS” – 4% Anti-Virus Detection Rate

Hello! If you’ve been following my recent posts here on the FreeFixer blog, you know that I’ve been looking at files that have a valid digital signature and bundle various types of potentially unwanted programs. A few days ago I found another publisher named LLC “HALKON PLYUS”.

LLC HALKON PLYUS

If you have an LLC HALKON PLYUS file on your computer you may have noticed that LLC HALKON PLYUS pops up as the publisher in the User Account Control dialog when running the file. To get more details on the publisher, you can view the certificate by right-clicking on the file, and looking under the Digital Signatures tab. According to the embedded certificate, LLC “HALKON PLYUS” is located in Ternopil, Ukraine and the certificate is issued by COMODO RSA Code Signing CA.

LLC HALKON PLYUS certificate

The reason for posting about LLC “HALKON PLYUS” is that the file is detected by a few of the anti-virus programs. Avast classifies MediaPlayer__6741_i1484416138_il59937.exe as Win32:Malware-gen and Avira detects it as ADWARE/Adware.Gen4.

LLC HALKON PLYUS anti-virus report

To see in more detail what changes the LLC “HALKON PLYUS” file would make on a user’s computer, I decided to run the file on my lab machine. The installer bundled some additional software such as Wajam, PriceLess, TabNav and AnySend.

Did you also find a download that was signed by LLC “HALKON PLYUS”? What kind of download was it and was it detected by the anti-malware programs at VirusTotal? Please share by posting a comment below.

Thanks for reading.
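The posts above read the publisher and issuer from the Digital Signatures tab one file at a time. The following is an added example, not FreeFixer code, that does the same check in bulk with PowerShell: it lists the signer of every .exe in a folder, flags publisher names mentioned on this page, and prints a SHA-256 that can be searched on VirusTotal. The default folder and the watchlist variable are assumptions made for the illustration.

```powershell
# Added example: inventory the Authenticode signers of executables in a folder.
param(
    [string]$Path = "$env:USERPROFILE\Downloads"   # assumed scan location
)

# Publisher names taken from the posts on this page (quotes stripped for matching).
$Watchlist = @(
    'Alekxandr Zabaro', 'SERGEY NIKITIN', 'Danil Vlasov', 'Kiril Semyakov',
    'Arseniy Petrov', 'Rodion Veresev', 'LLC BK UKRBUDMONTAZH', 'LLC HALKON PLYUS'
)

$SimpleName = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName

Get-ChildItem -Path $Path -Filter *.exe -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName
        $cert = $sig.SignerCertificate
        if (-not $cert) { return }   # unsigned file: no publisher to report

        # Same name Windows shows as the publisher in the UAC dialog.
        $publisher = $cert.GetNameInfo($SimpleName, $false)

        # Certificates may quote part of the name; drop straight and curly quotes.
        $normalized = $publisher -replace '["\u201C\u201D]', ''

        [pscustomobject]@{
            File        = $_.Name
            Status      = $sig.Status        # Valid = intact and trusted chain, not "clean"
            Publisher   = $publisher
            Subject     = $cert.Subject      # full DN, including locality and country
            Issuer      = $cert.GetNameInfo($SimpleName, $true)
            OnWatchlist = $Watchlist -contains $normalized
            SHA256      = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    } | Format-List
```

A `Status` of `Valid` only means the file is unmodified since signing and the certificate chains to a trusted root; every file described above carried such a signature and was still flagged by multiple scanners.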