Today I came across a new Antivirus 2009 binary with a 1 out of 36 detection ratio on VirusTotal. The session starts at antivirus-best.com, where the page is reduced to a pop-up message, as usual. Then we are briefly taken to voodoorevenue.com, where the affiliate information for the malware creators is sent, and then redirected to the point of download, protection-overview.com.
Screenshot:
Removal Information:
We successfully tested MalwareBytes for removing this threat.
Click here for more information on the removal process.
Session Summary
| # | Result | Protocol | Host | URL |
|---|---|---|---|---|
| 538 | 200 | HTTP | antivirus-best.com | / |
| 539 | 200 | HTTP | antivirus-best.com | /window.js |
| 540 | 200 | HTTP | urs.microsoft.com:443 | CONNECT |
| 541 | 200 | HTTP | antivirus-best.com | /_freescan.php?id= |
| 542 | 200 | HTTP | antivirus-best.com | /fileslist.js |
| 543 | 200 | HTTP | antivirus-best.com | /progressbar2.js |
| 544 | 200 | HTTP | antivirus-best.com | /common.js |
| 545 | 200 | HTTP | antivirus-best.com | /hat1.jpg |
| 546 | 200 | HTTP | antivirus-best.com | /pixel_trans.gif |
| 547 | 200 | HTTP | antivirus-best.com | /bgleft.gif |
| 548 | 200 | HTTP | antivirus-best.com | /disks.gif |
| 549 | 200 | HTTP | antivirus-best.com | /bgtop1.gif |
| 550 | 200 | HTTP | antivirus-best.com | /warning.jpg |
| 551 | 200 | HTTP | antivirus-best.com | /pbbg2.gif |
| 552 | 200 | HTTP | antivirus-best.com | /table1.gif |
| 553 | 200 | HTTP | antivirus-best.com | /footer.gif |
| 554 | 200 | HTTP | antivirus-best.com | /bgright.gif |
| 555 | 200 | HTTP | antivirus-best.com | /popup4.gif |
| 556 | 200 | HTTP | antivirus-best.com | /pbbg.gif |
| 557 | 200 | HTTP | antivirus-best.com | /closebutton.gif |
| 558 | 404 | HTTP | antivirus-best.com | /favicon.ico |
| 559 | 200 | HTTP | antivirus-best.com | /warning2.jpg |
| 560 | 200 | HTTP | antivirus-best.com | /table2.gif |
| 561 | 302 | HTTP | voodoorevenue.com | /soft.php?aid=0777&d=100&product=XPA&refer=c79bfd2d5 |
| 562 | 302 | HTTP | protection-overview.com | /2009/100/freescan.php?id=880777 |
| 563 | 200 | HTTP | protection-overview.com | /2009/download/trial/A9installer_880777.exe |
After Install
| # | Result | Protocol | Host | URL | Called by |
|---|---|---|---|---|---|
| 780 | 200 | HTTP | secureupdateserver.com | /download/av_2009.exe | a9installer_880777:1580 |
| 781 | 206 | HTTP | secureupdateserver.com | /download/av_2009.exe | a9installer_880777:1580 |
| 782 | 200 | HTTP | secureupdateserver.com | /download/av_2009.exe | a9installer_880777:1580 |
| 783 | 200 | HTTP | secureupdateservice.com | /firstrun.php?product=AV9&aff=880777&update=2409av9nv&time=00:00:00 | av2009:732 |
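One way to pick this kind of affiliate-tracked redirect chain out of a proxy session log, as an added example written for this post and not the author's own tooling: it parses lines in the Session Summary format above, collects consecutive 3xx hops that end in an executable download, and pulls the affiliate identifiers out of the query strings. The sample lines are copied from the summary; the regexes, the query-key list and the function names are my own assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample, copied from the Session Summary of this post (sequence, status, protocol, host, URL).
SAMPLE_LOG = """\
559 200 HTTP antivirus-best.com /warning2.jpg
560 200 HTTP antivirus-best.com /table2.gif
561 302 HTTP voodoorevenue.com /soft.php?aid=0777&d=100&product=XPA&refer=c79bfd2d5
562 302 HTTP protection-overview.com /2009/100/freescan.php?id=880777
563 200 HTTP protection-overview.com /2009/download/trial/A9installer_880777.exe
"""

LINE_RE = re.compile(r"^(\d+)\s+(\d{3})\s+(\S+)\s+(\S+)\s+(\S+)")
EXE_RE = re.compile(r"\.(exe|scr|com|bat)$", re.IGNORECASE)
AFFIL_KEYS = ("aid", "aff", "id")  # query keys the rogue AV sites use for affiliate ids (assumption)

def parse_line(line):
    """Split one session line into its fields; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    seq, status, proto, host, path = m.groups()
    return {"seq": int(seq), "status": int(status), "host": host, "path": path}

def find_redirect_chains(log_text):
    """Return every run of 3xx responses that ends in a 200 for an executable.
    Each chain carries the hop list (host + URL), whether it crossed domains,
    and the affiliate identifiers seen in the hops' query strings."""
    entries = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    chains, run = [], []
    for e in entries:
        if 300 <= e["status"] < 400:
            run.append(e)          # still inside a redirect run
            continue
        if run and e["status"] == 200 and EXE_RE.search(urlsplit(e["path"]).path):
            hops = run + [e]
            ids = {}
            for h in hops:
                q = parse_qs(urlsplit(h["path"]).query)
                for k in AFFIL_KEYS:
                    if k in q:
                        ids.setdefault(k, q[k][0])   # keep the first value seen per key
            chains.append({
                "hops": [h["host"] + h["path"] for h in hops],
                "cross_domain": len({h["host"] for h in hops}) > 1,
                "ids": ids,
            })
        run = []                   # any non-3xx response ends the run
    return chains
```

Run against the sample it reports one three-hop chain that crosses from voodoorevenue.com to protection-overview.com with aid=0777 and id=880777, the same ids that reappear in the installer name and the firstrun.php call.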
Files:
DownloadPath\$$$$$$$$$.bat (deletes the installer)
%ProgramFiles%\Antivirus 2009\av2009.exe
%SystemRoot%\System32\scui.cpl
Registry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Value Name: 66878074513444726827872864318771
Value: C:\Program Files\Antivirus 2009\av2009.exe
File: A9installer_880777.exe
VirusTotal: 1/36 (2.78%)
Additional information:

| Field | Value |
|---|---|
| File size | 139776 bytes |
| MD5 | b0674e8e6c99de286a62b2fde5358110 |
| SHA1 | ee50b8901e011e56ff9b0ddaa045e8e54500426f |
| SHA256 | cef3a6aae1291b1e2335cd034953ff1936bb38c1e2406256700266ee7269adc9 |
| SHA512 | 06fd1e8ad4b39f04f0862a7b8eadd4a00eaa7c99cd7e3c3e547326728cae8b35023030034e4c3809d61976c63ce6ab337e480d59076b6a942cff8303b8550c41 |
File: av2009.exe
VirusTotal: 3/36 (8.33%)
Additional information:

| Field | Value |
|---|---|
| File size | 1265152 bytes |
| MD5 | dd624cacbcf3b1a0e39f2724fc7eca54 |
| SHA1 | 99e1a1219ef624dafb3faa3e02d7addf8fc4203f |
| SHA256 | a1c7724a05a37d7a842be34acf0c42fc37f019c6f5b49cd2e00d48baa14d7a91 |
| SHA512 | 9623e0d41c42a69621e601eb893ab4bf2d0e0f8660a52698c4e6d3035f609baf8546279aa40eca1c2f9cde767c0e17dacbc9f26ef6dfb54bbb7c496441b6f50a |
0 Responses to “Antivirus 2009 – 2 files added – 5 domains added (Low Detection) 1/36”