26 Jul 08

New Antivirus XP 2008 (VIDEO)

This morning we detected two new sites promoting a new version of the Antivirus XP 2008 rogue. We have captured a video of our encounter for your viewing. The file has been added to the Malware Database under /Malware/lithium-malware.

Sites hosting the rogue software: *proceed at your own risk*
hxxp://antivirusxp-08.com
hxxp://antivirusxp-2008.com

JoeBox Sandbox Report: here


Removal:

Remove this threat with MalwareBytes!

VirusTotal:
File AntivirusXP2008Installer.exe received on 07.26.2008 19:56:35 (CET)
Result: 7/35 (20.00%)

File size: 1399061 bytes
MD5: e979fb2eb504972ed87ad3c825ec6c2c
SHA1: 7a927cfa6d413f66da1ae05f668ce85b3547aaf2
SHA256: 9d45ae1d8d3749efbe72b24bc20142e8c55b88a0733a45e5fe8579cf24981f33
SHA512: df1b55bff5fdee03cd77d59befe5ccfef555100605f7e9782e0a90e21ad6f67c92bdf925e2844d042c9da48e1c05eb4970460683aebbec2bf5a3f9cf6341bee6
PEiD: -
PEInfo: PE Structure information

( base data )
entrypointaddress: 0x403225
timedatestamp: 0x47acc8b2 (Fri Feb 08 21:25:06 2008)
machinetype: 0x14c (I386)

( 5 sections )
name    virtaddr  virtsize  rawsize  entropy  md5
.text   0x1000    0x5934    0x5a00   6.46     663546ac41801daf2dc51f560ec05a56
.rdata  0x7000    0x1190    0x1200   5.18     db16645055619c0cc73276ff5c3adb75
.data   0x9000    0x1af98   0x400    4.70     f0511f18783910813a0de0de02bc1206
.ndata  0x24000   0xb000    0x0      0.00     d41d8cd98f00b204e9800998ecf8427e
.rsrc   0x2f000   0x1b58    0x1c00   3.57     cb651807c2efbaffbd00e8c2e09bc37f


6 Responses to “New Antivirus XP 2008 (VIDEO)”


  1. Tam Jul 26th, 2008 at 6:51 pm

    Oh my god. That is the most realistic fake anti-virus software I have ever seen.

    Are there any risks with using a VM machine to test for malware?

  2. lithium Jul 26th, 2008 at 7:13 pm

    It is pretty realistic looking! Hopefully not too many people fall for it… That’s exactly why we created this video. Even though the Antivirus XP 2008 trademark has been known to be rogue for quite some time, hopefully we can raise some more awareness about it. Regarding your question about malware testing on a VM: there have been some recent directory traversal exploits if you use shared folders, but other than that it is *relatively* safe.

  3. montag Jul 26th, 2008 at 8:05 pm

    Cool stuff. It’s interesting that users have been trained (by legitimate AV) to react to intrusive security software by just clicking through to the website and giving a credit card number to make the bad news go away.

    Has anyone traced the source of these fake AVs? Built with kits for sale or part of some big network of scam artists?

    Re: Vmware - *fairly* safe. But a good portion of malware is “vmware-aware” and you may get different behaviors in virtual vs. real machines.

  4. lithium Jul 26th, 2008 at 8:16 pm

    I have not looked into the origin yet, but the payment gateway is the same old server in Ukraine. Re: VMware -> Yes, you are correct. Most malware has simple VMware detection mechanisms, but they are not too hard to get around (i.e. most just detect the presence of VMware Tools).

  5. GoingLikeSixty Jul 29th, 2008 at 9:17 am

    Yeah, I fell for it HARD. Details on my blog with screen shots. PCillin didn’t even flinch. I think I cleaned it up with SuperAntiSpyware.
    The site it came from was a knitting site!

  6. lithium Jul 29th, 2008 at 10:07 am

    GoingLikeSixty: Back in the day you got infected if you were visiting obviously bad websites. These days you get infected after searching for common things like “free baby blanket knitting pattern”. Sad, just sad.

