Archive for September 17th, 2008

17 Sep

XP Antivirus 2008 Updating Itself

Today we caught our pet XP Antivirus 2008 infection telling us that our "application" had expired; it then downloaded and launched a fresh Antivirus XP 2008 installation out of nowhere.

Antivirus XP 2008

File: .tt68.tmp.exe (982667C215DD45B95E61EFCD52BA5B2A)
VirusTotal: Result: 8/36 (22.22%)

Removal:

Remove this threat with MalwareBytes!


New Rogue – eAntivirusPro – 1 domain added – 1 file added (4/36)

Note: This site is distributing a Rogue “Fake” Anti-Malware product. Do not visit, pay, or download the software discussed below.

Today we discovered a new rogue called eAntivirusPro. While researching it we found that the site template was sold on a Russian freelance site, one of the first templates we have seen contracted from a public freelance site.

eAntivirusPro

SharedNS: Shared NS for eAntivirusPro

File: eAntivirusProInstaller.exe
Site: hxxp://eantivirus-payments.com
VirusTotal: Result: 4/36 (11.11%)
File size: 2006502 bytes
MD5…: 8c396fbdacce214de2e86354a77350d2
SHA1..: dba514af18c0ed0b190f16f8b9da2d137f47a219
SHA256: b59e1e75d9647357e686f077470054688d2b130e08dfc7ab9763ae22b83b2109
SHA512: 5b30016234a2e96088192568d2b623a8bf5b2d8d1c6c2c4a460af313ae8369c3542528b8a69abe51f62c82493e953b7c010f064fff23508a033b39d595526f39

Analysis by ThreatExpert

Creates:

  • %CommonPrograms%\eAntivirusPro
  • %AppData%\whcc5dj0erc1
  • %ProgramFiles%\whcc5dj0erc1
  • %AppData%\whcc5dj0erc1\Quarantine
  • %AppData%\whcc5dj0erc1\Quarantine\Autorun
  • %AppData%\whcc5dj0erc1\Quarantine\Autorun\HKCU
  • %AppData%\whcc5dj0erc1\Quarantine\Autorun\HKCU\RunOnce
  • %AppData%\whcc5dj0erc1\Quarantine\Autorun\HKLM
  • %AppData%\whcc5dj0erc1\Quarantine\Autorun\HKLM\RunOnce
  • %AppData%\whcc5dj0erc1\Quarantine\Autorun\StartMenuAllUsers
  • %AppData%\whcc5dj0erc1\Quarantine\Autorun\StartMenuCurrentUser
  • %AppData%\whcc5dj0erc1\Quarantine\BrowserObjects
  • %AppData%\whcc5dj0erc1\Quarantine\Packages

Visible Processes:

  • whcc5dj0erc1.exe (%ProgramFiles%\whcc5dj0erc1\whcc5dj0erc1.exe, 12,242,944 bytes)

Hidden Processes:

  • pphc35dj0erc1.e (110,592 bytes)

Registry Modifications:

  • The following Registry Keys were created:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\whcc5dj0erc1
    • HKEY_LOCAL_MACHINE\SOFTWARE\whcc5dj0erc1
    • HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host
    • HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings
  • The newly created Registry Values are:
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion]
      • rhc75dj0erc1 = 5D DA D0 48
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
      • eAntivirusPro = "eAntivirusPro"
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      • SMwhcc5dj0erc1 = "%ProgramFiles%\whcc5dj0erc1\whcc5dj0erc1.exe"
        so that whcc5dj0erc1.exe runs every time Windows starts
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\whcc5dj0erc1]
      • DisplayName = "eAntivirusPro"
      • UninstallString = ""%ProgramFiles%\whcc5dj0erc1\uninstall.exe""
    • [HKEY_LOCAL_MACHINE\SOFTWARE\whcc5dj0erc1]
      • BuyUrl = "73D5DE49682F7BBE66152CF560A7F15AD41F5D634258A92ED6446D11E601A4D599B76A2DA60345982326DB8CE829FDB262BD60B9044C704E"
      • BuyDiscUrl = "E1CB91E47B5E05E6766AFCAC8EA2CC2AD41F5D634258A92ED6446D11E601A4D599B76A2DA60345982326DB8CE829FDB262BD60AB04472109426E88B897"
      • domain = "A67808E58B33E04B4C27F4EC7AB34B3AD90A47671101EF2BD4406E04E616BDD981AA6B76B64158"
      • ADVid = ""
      • (Default) = "%ProgramFiles%\whcc5dj0erc1"
      • InstallDir = "%ProgramFiles%\whcc5dj0erc1"
      • SoftID = "eAntivirusPro"
      • DatabaseVersion = "2.1"
      • ProgramVersion = "2.1"
      • EngineVersion = "2.1"
      • GuiVersion = "2.1"
      • ProxyName = ""
      • ProxyPort = 0x00000000
      • ScanPriority = 0x00000001
      • DaysInterval = 0x00000007
      • ScanDepth = 0x00000002
      • ScanSystemOnStartup = 0x00000001
      • AutomaticallyUpdates = 0x00000001
      • MinimizeOnStart = 0x00000000
      • BackgroundScan = 0x00000001
      • BackgroundScanTimeout = 0x00000001
      • LastTimeStamp = 0x0000011F
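A read-only triage script, added here and not part of the original post or of ThreatExpert's report, that checks a Windows host for the registry and file indicators listed above. It assumes an elevated PowerShell session and that the random name whcc5dj0erc1 is specific to this build; the 12-character-name heuristic and the rhc* marker check are my generalization from this one sample and may need tuning.

```powershell
# Added example (not from the original post): read-only triage for the
# eAntivirusPro persistence described in the ThreatExpert report above.
# Assumptions: elevated PowerShell; 'whcc5dj0erc1' is this sample's random name.
$ErrorActionPreference = 'SilentlyContinue'
$tag      = 'whcc5dj0erc1'
$cv       = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion'
$findings = New-Object System.Collections.Generic.List[string]

# 1. Autostart: the Run value 'SM<tag>' from the report, plus a heuristic
#    (assumption, may need tuning) for the same <ProgramFiles>\<name>\<name>.exe
#    layout under any other 12-character random name.
$run = Get-ItemProperty -Path "$cv\Run"
foreach ($p in $run.PSObject.Properties) {
    if ($p.Name -eq "SM$tag") { $findings.Add("Run value $($p.Name) -> $($p.Value)"); continue }
    if ($p.Value -match '\\([a-z0-9]{12})\\\1\.exe"?$') {
        $findings.Add("Run value $($p.Name) matches rogue layout -> $($p.Value)")
    }
}

# 2. Marker value, uninstall entry and config key written by the installer
$mark = Get-ItemProperty -Path $cv
foreach ($p in $mark.PSObject.Properties) {
    if ($p.Name -like 'rhc*') { $findings.Add("Marker value $($p.Name) under CurrentVersion") }
}
$u = Get-ItemProperty -Path "$cv\Uninstall\$tag"
if ($u.DisplayName -eq 'eAntivirusPro') { $findings.Add("Uninstall entry: $($u.UninstallString)") }
if (Test-Path "HKLM:\SOFTWARE\$tag") {
    $findings.Add("Config key HKLM\SOFTWARE\$tag present (encoded BuyUrl/domain values)")
}

# 3. Dropped directories
foreach ($d in "$env:ProgramFiles\$tag", "$env:APPDATA\$tag", "$env:APPDATA\$tag\Quarantine") {
    if (Test-Path -LiteralPath $d) { $findings.Add("Directory present: $d") }
}

# 4. Visible process only. The report's hidden 'pphc*' process is concealed from
#    user-mode listing, so an empty result here does not prove the host is clean.
Get-Process -Name $tag | ForEach-Object { $findings.Add("Process running: $($_.Path)") }

if ($findings.Count) { $findings | ForEach-Object { "[eAntivirusPro] $_" } }
else { "No eAntivirusPro indicators found on this host" }
```

The script only reports; removal is still left to a cleaner such as the MalwareBytes tool the post recommends, since the hidden process and random names vary between builds.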

Smart Antivirus 2009 – 1 file added (3/36) – 5 domains added

Note: This site is distributing a Rogue “Fake” Anti-Malware product. Do not visit, pay, or download the software discussed below.

Smart Antivirus 2009

File: setup.ver1_1000.0_.exe
Sites:

  • hxxp://smart-antivirus2009sqbuy.com
  • hxxp://smartantivirus-2009sqbuy.com
  • hxxp://smartantivirus2009sq-buy.com
  • hxxp://smartantivirus2009sq.com
  • hxxp://smartantivirussq.com
  • hxxp://internet-defenses.com/

VirusTotal: Result: 3/36 (8.33%)

File size: 110592 bytes
MD5…: 71b8cccd75b6b7a906c8343ed5abe1ef
SHA1..: 10b7431f1dc880d5ee8a4c64244be6c80b0bfb43
SHA256: 208e359c92a4567752dad16ad5d67ceb603609ac4dea1321b48dedafdead8057
SHA512: 2e27fb7ad3cfdb62d5522935c80320be679e32f8dd5338e83e3bc4878392a17bd0ce52cf1d18c9a245992c55243f9f66aabd4a544a3acbe189bb6e5997c6ecd2
PEiD..: -
TrID..: File type identification

  • Win64 Executable Generic (59.6%)
  • Win32 Executable MS Visual C++ (generic) (26.2%)
  • Win32 Executable Generic (5.9%)
  • Win32 Dynamic Link Library (generic) (5.2%)
  • Generic Win/DOS Executable (1.3%)

Removal:

Remove this threat with MalwareBytes!