Note: This site is distributing Rogue “Fake” Anti-Malware product. Do not visit, pay, or download the software discussed below.
We came across a fully undetected Antivirus 2009 installer today. All of the files have been made available inside of /lithium-malware/.
Site:
- hxxp://85.17.166.170/go/?cmp=nm_ron2&uid=f8a0d9628fbb11dd95e4166350cfffff&rid=gl2vmclr&guid=5b20e5c3232d4440b6234368749a6d3a&affid=166350&lid=http&url=http:%2F%2Fwww.google.com%2F&v=1145&m=an2g
- hxxp://freeonlinescanner9.com/_download.php?aid=77052204&dlth=19
- hxxp://vassariumbig.com/download/av_2009.exe
Files:
- [download] A9installer_77052204.exe
- %windir%\system32\ieexplorer32.exe
- CONNECT to hxxp://securedownloadcenter.com and downloads /zsa09/winsystems.dll (321,536)
- %windir%\system32\ieupdates.exe
- %windir%\system32\scui.cpl
- %windir%\system32\winsrc.dll
- %programfiles%\Antivirus 2009\av2009.exe [D9B3AC01AF64F35EE3519021418384DB]
- CONNECT to hxxp://securedownloadcenter.com and downloads /zsa09/zs880000.exe
- CONNECT to hxxp://tdsvassarium.com/firstrun.php?product=AV9&aff=77052204&update=2508/av2009&time=removed
VirusTotal: Result: 0/36 (0.00%)
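A defender-side check for the host indicators listed above, added here as an example and not code from the original post: it parses the post's own "Files:" entries into file indicators (path, MD5) and network indicators (host, downloaded path), then looks for the dropped files on a host and compares the MD5 where the post gives one. The mapping of %windir% and %programfiles% to real directories is an assumed parameter, and demo() builds a constructed scratch tree rather than touching a real system.

```python
import hashlib
import re
import tempfile
from pathlib import Path
# The post's "Files:" host and network entries, copied here as the parser's input.
POST_FILES = r"""
- %windir%\system32\ieexplorer32.exe
- CONNECT to hxxp://securedownloadcenter.com and downloads /zsa09/winsystems.dll (321,536)
- %windir%\system32\ieupdates.exe
- %windir%\system32\scui.cpl
- %windir%\system32\winsrc.dll
- %programfiles%\Antivirus 2009\av2009.exe [D9B3AC01AF64F35EE3519021418384DB]
- CONNECT to hxxp://securedownloadcenter.com and downloads /zsa09/zs880000.exe
"""

FILE_RE = re.compile(r"^- (%\w+%\\[^\[]+?)(?:\s+\[([0-9A-Fa-f]{32})\])?\s*$")
NET_RE = re.compile(r"^- CONNECT to hxxps?://([^\s/]+)(?:/\S*)?(?: and downloads (\S+))?")

def parse_iocs(text):
    """Split the post's list into (path, md5) file entries and (host, downloaded path) network entries."""
    files, network = [], []
    for line in text.strip().splitlines():
        if m := FILE_RE.match(line):
            files.append((m.group(1).strip(), (m.group(2) or "").lower()))
        elif m := NET_RE.match(line):
            network.append((m.group(1), m.group(2) or ""))
    return files, network

def check_host(files, env):
    """Expand %var% tokens from env; report files that exist and whether their MD5 matches the post."""
    hits = []
    for raw_path, md5 in files:
        path = raw_path
        for name, value in env.items():
            path = path.replace(f"%{name}%", value)
        p = Path(path.replace("\\", "/"))
        if p.is_file():
            digest = hashlib.md5(p.read_bytes()).hexdigest()
            hits.append((raw_path, digest, digest == md5 if md5 else None))
    return hits

def demo():
    # Constructed scratch tree standing in for %windir% and %programfiles%; not a real host.
    root = Path(tempfile.mkdtemp())
    for rel, body in {"win/system32/scui.cpl": b"stand-in", "prog/Antivirus 2009/av2009.exe": b"stand-in"}.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(body)
    files, network = parse_iocs(POST_FILES)
    return (files, network), check_host(files, {"windir": str(root / "win"), "programfiles": str(root / "prog")})
```

A hit with verdict None means the file is present but the post gives no hash for it, so only the path matched; False means the path matched but the content differs from the sample analysed.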
Payment Gateway Trace:
1. RESULT 200 www.google-analytics.com (Account: UA-2403830-2)
2. RESULT 302 hxxp://tdsvassarium.com/order_xp.php?ver=77052204
3. RESULT 200 hxxp://digipayments-soft.com/order_xp.php?ver=77052204 (final destination)
Payment Server Data:
- IP Address: 216.240.134.211
- IP Location: California – Irvine – Go2online Corp
Post title: Antivirus 2009 – 3 domains added – 8 files added (0/36)