Note: This site is distributing Rogue “Fake” Anti-Malware product. Do not visit, pay, or download the software discussed below.
Site:
http://antivirus-premiumscan.com
http://antivirus-scan-online.com/
Files: None yet
Shared NS (ns1.freefastdns.com and ns2.freefastdns.com):
antivir2009on.com
antivirus-consulting.com
antivirus-freescan.com
antivirus-pcscan.com
antivirusfree-scan.com
antiviruspctest.com
antvirushelp.com
defendyourpc.com
dexterupdate.com
expressdataupdate.com
Note: This site is distributing Rogue “Fake” Anti-Malware product. Do not visit, pay, or download the software discussed below.
We found a new site pushing RealAV today. The download link pushes more than one binary. This is NOT a real Antivirus product! Do not download or install it!
Site: http://real-antivirus.com – http://real-antivirus.org
Download: hxxp://real-antivirus.com/cgi-bin/download.pl?code=00000000
File: RealAV.exe
VirusTotal: Result: 2/36 (5.56%)
Additional information
File size: 1954304 bytes
MD5…: aaa18c5564891bad2636e98c60c11842
SHA1..: 61ba85670781d513cd5166e50fc9b642295592db
SHA256: 642594b433ec6421764e58d8b556d9d3ead16254bacad50f49b3a9da239d89f3
SHA512: 9e131ef300832706bc823b8fdd3466f5bbd795a6a08c7611a1420bd309af4ce9
3d5cfb1b28a583a84a19914d17c342c0b0a05723cbef6f4c656b69c0f3a4532e
PEiD..: -
TrID..: File type identification
Win64 Executable Generic (80.9%)
Win32 Executable Generic (8.0%)
Win32 Dynamic Link Library (generic) (7.1%)
Generic Win/DOS Executable (1.8%)
DOS Executable Generic (1.8%)
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x5dc6b4
timedatestamp…..: 0x47d00775 (Thu Mar 06 15:02:13 2008)
machinetype…….: 0x14c (I386)
( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0×1000 0x1dbfaa 0x1dc000 8.00 0149aea4dcfc5237618a57aec6faa4f8
.data 0x1dd000 0xaa3 0xa00 4.98 9a9e7d8c4e76cbfbef3957499f3edab3
.rsrc 0x1de000 0×398 0×400 3.07 abfcff94d64f4e80fd119ac67c89283a
 |
File System Modifications |
| # | Filename(s) | File Size | File MD5 |
| 1 | %DesktopDir%\RealAV.lnk | 620 bytes | 0xE9A1298101E75059D6B2B2DAF50FD6D5 |
| 2 | %Temp%\stylrit0.tmp | 567,416 bytes | 0xC8F83A8327B280A6E33CF667904C9607 |
| 3 | %Programs%\RealAV\RealAV.lnk | 632 bytes | 0xC93690825D178EB769AD4473A5230818 |
| 4 | %ProgramFiles%\RealAV\RealAV.exe [file and pathname of the sample #1] |
1,954,304 bytes | 0xAAA18C5564891BAD2636E98C60C11842 |
| 5 | %ProgramFiles%\RealAV\vscan.tsi | 10,073 bytes | 0x5BC533CD757B5BC635EB6E7FAB5E1C8E |
| 6 | %ProgramFiles%\RealAV\zlib.dll |
196,608 bytes | 0x4D60C419FB5BB06D30B6F6AD5607E480 |
 |
Registry Modifications |
so that RealAV.exe runs every time Windows starts
Note: This site is distributing Rogue “Fake” Anti-Malware product. Do not visit, pay, or download the software discussed below.
This one has a low rate of detection.
site: hxxp://save-my-pc-now.com/2009/download/trial/A9installer_770522166818.exe
File: A9installer_770522166818.exe
VirusTotal: Result 2/36 (5.56%)
File size: 145408 bytes
MD5…: 447297e7d1f38a237160b43061385c0b
SHA1..: 33e6cb95f59a5bfc7fbfd246280c4dce1e7ab22d
SHA256: 16604592a2465b1c5c08aa3630ac5f20d7b8599e012c16837395e535903a668e
SHA512: e7188f53aebba558b49d5872ca8421f4051b2e0b95e46ab1f14ca6f1255a39c1
5e9b3def1628f0c21885a9e1048392940433084dab1f4ec677958bac392438df
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
VXD Driver (0.1%)
Note: This site is distributing Rogue “Fake” Anti-Malware product. Do not visit, pay, or download the software discussed below.
Site: hxxp://scanner.rapidantivirus.com/40/?advid=710&ref=&p=1010000000
File: install_710_MHw0MHwxMDEwMDAwMDAwf.exe
Result: 14/35 (40%)
File size: 711944 bytes
MD5…: 80cc203140f95e3575854ceb85c81dcd
SHA1..: b5640c0d913cdfc10ed8a46730c4bac799d5185f
SHA256: d37fb4f0069cbca1a4d2414b148280ca0bb1b00051f4fdbca8ae8371fbe4f9a1
SHA512: 96ed729592afb3e658689319434d4f255a24eff870f6936b4f817186dc13d284
0b6364206b7836d2d95da8312da3390d3b576c92be1e8597e8840c904d2707bd
PEiD..: -
TrID..: File type identification
UPX compressed Win32 Executable (38.5%)
Win32 EXE Yoda’s Crypter (33.4%)
Win32 Executable Generic (10.7%)
Win32 Dynamic Link Library (generic) (9.5%)
Win16/32 Executable Delphi generic (2.6%)
Found another phishing/malware distribution scheme this time using Ocean Bank. Just as the ones we’ve seen in the past, it pushes a file to download that they say is a SSL certificate needed for security purposes. As you’ll see below there are quite a few URL’s pushing this malware and the ones listed are just a fraction of the total number. Once the file is run, it installs a rootkit to the system. The sample is available in /pnuemo-malware/.
BE ADVISED: These URL’s may still be active. Proceed at your own risk.
Oceanmultissl.exe (Downloads or Creates: s.exe)
Result: 21/34 (61.77%)
MD5: c4906f64d0ea19dab7a9e7626ee40781
VirusTotal
ThreatExpert Analysis
s.exe & 9129837.exe (Downloads or Creates: 9129837.exe & new_drv.sys)
Result: 18/36 (50%)
MD5: d951f3a8e3485c3c150ba17c0f53db86
VirusTotal
ThreatExpert Analysis
new_drv.sys
Result: 34/36 (94.45%)
MD5: a54de1d46ff7bdefbf9d9284c1916c5e
VirusTotal
ThreatExpert Analysis
ns1.domensinter.com
ns2.domensinter.com
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.siteminderagent.verification.0wylzehgk.edfrkti.com/103541.html?/renewmirror/verification
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.siteminderagent.demystifying.1vzohkwd0.edfrkti.com/103541.html?/ptcontrol/services
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.sessionervlet.procedure.gnyit07m8.edfrkti.com/103541.html?/onlineupdate/rnalid
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.sessionervlet.portalserver.jdv6kcukz.ceuewys.com/103541.html?/comreportid/onlineupdate
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.sessionervlet.portalserver.ifzsgwhsm.edfrkti.com/103541.html?/customerlogin/comservlet
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.sessionervlet.bankonenet.9sxkghaq8.gineehg.com/103541.html?/viewcontent/rnalid
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.servletdologin.renewmirror.mnskscirl.ceuewys.com/103541.html?/sitesurvey/encrypted
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.servletdologin.ptcontrol.jcpptbgdz.ceuewys.com/103541.html?/procedure/actionvalidate
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.servletdologin.carehtmlclient.lg3qhifus.ceuewys.com/103541.html?/memberverify/onlineupdate
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.servletdologin.bankonenet.aldz11d6n.gineehg.com/103541.html?/bankonenet/bankonline
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.services.rnalid.gyomouftr.reueys.com/103541.html?/securitychallenge/memberverify
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.services.portalserver.fkquawuv8.ceuewys.com/103541.html?/verification/exacttrget
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.selfservice.servletdologin.jgu801sal.edfrkti.com/103541.html?/servletdologin/bankonenet
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.securitychallenge.certificateupdate.dpf29qakc.edfrkti.com/103541.html?/bankonline/sessionervlet
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.rnalid.portalserver.rczkjzpmm.reuybso.com/103541.html?/memberverify/procedure
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.rnalid.onlineupdatemirror.pqwzbc38r.reueys.com/103541.html?/communitypage/configlogin
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.renewmirror.slapiservlet.kjlxlurym.gineehg.com/103541.html?/certificateUpdate/carehtmlclient
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.renewmirror.demystifying.kululslhk.edfrkti.com/103541.html?/cfmasternbank/certificateUpdate
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.renewmirror.comreportid.0hbfmxry5.reueys.com/103541.html?/configlogin/selfservice
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.renewmirror.bankonenet.jrbks5mu1.reueys.com/103541.html?/demystifying/comreportid
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.ptcontrol.sessionervlet.zsbtlddf1.gineehg.com/103541.html?/doexte/certificateUpdate
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.ptcontrol.ptcontrol.e9s82vmjo.edfrkti.com/103541.html?/ptcontrol/comreportid
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.ptcontrol.productsremote.uj8mqt7af.edfrkti.com/103541.html?/carehtmlclient/verification
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.ptcontrol.portalserver.uhdirryyz.edfrkti.com/103541.html?/services/comreportid
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.ptcontrol.bankonline.xfadkkfg9.reueys.com/103541.html?/services/configlogin
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.privatelogin.onlineupdatemirror.hia3rhicq.edfrkti.com/103541.html?/linkbrowse/sessionervlet
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.privatelogin.exacttrget.sl1iyagjp.reueys.com/103541.html?/comservlet/communitypage
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.privatelogin.demystifying.ebulerhz1.reuybso.com/103541.html?/linkbrowse/selfservice
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.privatelogin.carehtmlclient.m0fz6fjtp.reuybso.com/103541.html?/customerlogin/configlogin
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.portalserver.renewmirror.e4s0uhfhb.edfrkti.com/103541.html?/communitypage/comservlet
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.portalserver.exacttrget.mkcxdf604.reueys.com/103541.html?/onlineupdatemirror/portalserver
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.portalserver.communitypage.f3lg1sydw.edfrkti.com/103541.html?/carehtmlclient/demystifying
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.onlineupdate.services.bodkqha20.edfrkti.com/103541.html?/communitypage/carehtmlclient
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.memberverify.certificateupdate.h5sfn919q.gineehg.com/103541.html?/exacttrget/sessionervlet
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.linkbrowse.privatelogin.ehe2hxod6.edfrkti.com/103541.html?/privatelogin/services
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.exacttrget.demystifying.djzxt6l3z.edfrkti.com/103541.html?/bankonenet/portalserver
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.encrypted.siteminderagent.oit17c3jq.edfrkti.com/103541.html?/sessionervlet/certificateUpdate
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.demystifying.rnalid.p7jzbwnji.gineehg.com/103541.html?/renewmirror/sitesurvey
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.demystifying.ptcontrol.utqnl5dg0.ceuewys.com/103541.html?/exacttrget/privatelogin
Here is an update of files from this past week. These files are available in /pnuemo-malware/ in our repository. PLEASE READ UPDATED README.TXT!
BE ADVISED: These URL’s may still be active. Proceed at your own risk.
certificado-3.15.exe
Result: 12/36 (33.34%)
MD5: b249760cd0c1a3b21df8993604efe36b
VirusTotal
ThreatExpert
hxxp://212.98.9.4/Bradesco.com.br/
Flash_Player_9.exe (Downloads or Creates: winexec32.exe & wsys33.exe)
Result: 18/36 (50%)
MD5: f6d3cc53df4a70ee53a9a0a5288834da
VirusTotal
ThreatExpert
hxxp://www.momocortes.com/blog/media/2/
wsys33.exe
Result: 10/36 (27.78%)
MD5: fa0f6781e99d1d78c0d24417cb7b88fd
VirusTotal
Sunbelt Sandbox
exe.exe (Downloads or Creates: vhosts.exe)
Result: 24/36 (66.67%)
MD5: c28f755cdf4863de48659d84c68efab7
VirusTotal
ThreatExpert
hxxp://verynicejob.info/sxe/load.php
02.exe
Result: 8/36 (22.23%)
MD5: 166da263d55d3a06b0bac738ceea769a
VirusTotal
ThreatExpert
hxxp://regect.mobi/
item.gif (Downloads or creates: msxml71.dll)
Result: 7/35 (20%)
MD5: 0a5b198090739429b0e939078517c4d8
VirusTotal
ThreatExpert
hxxp://nessotr-help.com/images/
msxml71.dll
Result: 8/36 (22.23%)
MD5: 46b14c6da49eba5ab1a07bd63b001057
VirusTotal
ThreatExpert
skash.exe (Downloads or creates: figaro.sys, beep.sys, & brastk.exe)
Result: 17/36 (47.23%)
MD5: df565df07afc10489c4b419b1f252158
VirusTotal
ThreatExpert
hxxp://destinationsurfersparadise.com.au/lsi/
beep.sys & figaro.sys
Result: 31/36 (86.12%)
MD5: 14054908c961bb3af74f08fc9dbddeac
VirusTotal
brastk.exe
Result: 17/36 (47.23%)
MD5: 18bc3ea8f0ec094e5a8bacf19e4413b0
VirusTotal
ThreatExpert
serce.php
Result: 7/36 (19.45%)
MD5: 0f3d0ea3905df454581e0c59595f72a6
VirusTotal
ThreatExpert
ex002.exe
Result: 11/36 (30.56%)
MD5: 6f6b2be08feb03f26c84100a24b4891e
VirusTotal
ThreatExpert
hxxp://traff.loadmore.eu/t/l/
setup_1_1_.exe (Installs Pro Antispyware 2009)
Result: 1/36 (2.78%)
MD5: d62c9998be552d4a7189f4c656501e81
VirusTotal
ThreatExpert
hxxp://files.proas2009dl.com/load/
pdf.pdf
Result: 7/36 (19.45%)
MD5: 746f87f5fcf309bc0c5bc422007f3740
VirusTotal
hxxp://svinushka.net/forum/spl/
video20798.cfg
Result: 11/36 (30.56%)
MD5: 1b06e026fdb1fe6e42e66472bae3cc74
VirusTotal
hxxp://lyox-lib.com/addon/
9llCJ4amiU.exe
Result: 10/36 (27.78%)
MD5: 0662482dea0f312e1ed7bfdab7cf86b1
VirusTotal
ThreatExpert
hxxp://78.157.143.225/EX/
video.cfg
Result: 8/36 (22.23%)
MD5: 75dfc5f4c4cbc9367a830d216dec62a4
VirusTotal
hxxp://69.46.24.95/addon/
DivXCodecPKG.7.exe
Result: 2/36 (5.56%)
MD5: f6b635b62fe9a91e9bc0eb01ee827f67
VirusTotal
ThreatExpert
hxxp://softawe-download-forpc.com/
7-v3av.exe (Downloads or Creates: beep.sys, figaro.sys, & brastk.exe)
Result: 12/36 (33.34%)
MD5: aed0e8cb43f48862d89daf441fd844da
VirusTotal
ThreatExpert
hxxp://91.203.92.121/7-v3av.exe
beep.sys & figaro.sys
Result: 30/36 (83.34%)
MD5: b01ed4cec7f0aa6232d49202a71e3a5c
VirusTotal
brastk.exe
Result: 11/36 (30.56%)
MD5: faa1dfd63f02675c4e717c01a476e1f8
VirusTotal
ThreatExpert
setup.exe (Downloads or Creates: getsn32.dll, smwin32.dll, & uesiuqcr.exe)
Result: 11/36 (30.56%)
MD5: d2e8f5095dcd62f912fd233c4e2e5459
VirusTotal
ThreatExpert
hxxp://kb960830-sp2-x86.enu.v6.updates.cab.windowupdate.micros0ft.com.microsofred.cn/
getsn32.dll
Result: 5/36 (13.89%)
MD5: a33aa3d2d4f3a78aa51b3bafb9ce34e1
VirusTotal
ThreatExpert
smwin32.dll
Result: 2/36 (5.56%)
MD5: 39f89f98990a946bc31cb0271b2d3e19
VirusTotal
ThreatExpert
uesiuqcr.exe
Result: 12/36 (33.34%)
MD5: d2e8f5095dcd62f912fd233c4e2e5459
VirusTotal
ThreatExpert
b156.exe
Result: 18/36 (50%)
MD5: 05411d4f5b6a3b430dcd30bea1731362
VirusTotal
ThreatExpert
hxxp://dl2.bundlext.com:8080/get.php
It’s no surprise that rogue security software authors have to get creative when trying to infect as many people as possible. Especially when we work very hard to keep them exposed. Among many techniques, they use mutilated domain naming schemes, affiliate system abuse, redirection and almost always the last ditch attempt at improving their infection ratio is morphing. Remember when we talked about XP Antivirus 2008 morphing to MS Antivirus? Today we detected a new morph in the XP Antivirus series. Antivirus XP 2008 morphed to MS Antivirus on August 21st and today it morphed to Antivirus VIP.
Site: http://antivirus-vip.com
File: Not Available Yet
| IP Address: | 216.32.76.87      |
| IP Location |  – Texas – Plano – Layered Technologies Inc |
| Response Code: | 200 |
| SSL Cert: | www.antimalware-pro.com expires in 332 days. |
| Domain Status: | Registered And Active Website |
Note: This site is distributing Rogue “Fake” Anti-Malware product. Do not visit, pay, or download the software discussed below.
Site: hxxp://prosecurity-audit.com/2009/1/_freescan.php?id=880293
File A9installer_880293.exe
Result: 2/36 (5.56%)
File size: 140800 bytes
MD5…: eece53fa0335a7c925288e6e5b59e382
SHA1..: c25c745f60e3880ea7dd85960e56a9f7f7b2d87e
SHA256: 88ab4c6b492c2f8c953f344e8593c6686f68df72c5946eb0ad1ea2efde4492f4
SHA512: 6218d158441533991bcf2004873ea6ad1598ed01138c3f78953affb0feef1e81
31b4583d0a6fd9876908b751ef6f1f142a2b9c01b4eeda6396a1933c3b1591d2
PEiD..: -
TrID..: File type identification
Generic Win/DOS Executable (49.5%)
DOS Executable Generic (49.5%)
VXD Driver (0.7%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
