Archive for October 29th, 2008

Real Antivirus | Many Files Added – 1 Domain Added (2/36)

Note: This site is distributing a rogue (“fake”) anti-malware product. Do not visit it, pay for it, or download the software discussed below.

We found a new site pushing RealAV today. The download link serves more than one binary. This is NOT a real antivirus product! Do not download or install it!

Real Antivirus

Site: http://real-antivirus.com – http://real-antivirus.org
Download: hxxp://real-antivirus.com/cgi-bin/download.pl?code=00000000
File: RealAV.exe
VirusTotal: Result: 2/36 (5.56%)
Additional information
File size: 1954304 bytes
MD5…: aaa18c5564891bad2636e98c60c11842
SHA1..: 61ba85670781d513cd5166e50fc9b642295592db
SHA256: 642594b433ec6421764e58d8b556d9d3ead16254bacad50f49b3a9da239d89f3
SHA512: 9e131ef300832706bc823b8fdd3466f5bbd795a6a08c7611a1420bd309af4ce93d5cfb1b28a583a84a19914d17c342c0b0a05723cbef6f4c656b69c0f3a4532e
PEiD..: -
TrID..: File type identification
Win64 Executable Generic (80.9%)
Win32 Executable Generic (8.0%)
Win32 Dynamic Link Library (generic) (7.1%)
Generic Win/DOS Executable (1.8%)
DOS Executable Generic (1.8%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x5dc6b4
timedatestamp.....: 0x47d00775 (Thu Mar 06 15:02:13 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name   viradd    virsiz    rawdsiz   ntrpy  md5
.text  0x1000    0x1dbfaa  0x1dc000  8.00   0149aea4dcfc5237618a57aec6faa4f8
.data  0x1dd000  0xaa3     0xa00     4.98   9a9e7d8c4e76cbfbef3957499f3edab3
.rsrc  0x1de000  0x398     0x400     3.07   abfcff94d64f4e80fd119ac67c89283a
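Two things in the PEInfo block above are worth reading as indicators in their own right: the .text section has entropy 8.00 (effectively random bytes, which compiled code never is), and the entry point 0x5dc6b4 lies well past the end of the last section (0x1de000 + 0x398). Both are consistent with a packed binary, which also goes some way to explaining the 2/36 detection rate. The script below is an added example, not code from this post nor from VirusTotal or ThreatExpert: it recomputes the same report fields (file hashes, COFF header, per-section entropy and MD5) for a sample on disk, checks the hashes against the IOCs listed above, and flags the two packing indicators. It needs only the Python standard library. `build_test_pe` is a constructed minimal PE32 image used to exercise the parser offline; it is not a real sample and does not run.

```python
import hashlib
import math
import struct
import sys

# Hashes of RealAV.exe as reported by VirusTotal in the post above.
REALAV_HASHES = {
    "md5": "aaa18c5564891bad2636e98c60c11842",
    "sha1": "61ba85670781d513cd5166e50fc9b642295592db",
    "sha256": "642594b433ec6421764e58d8b556d9d3ead16254bacad50f49b3a9da239d89f3",
}


def hashes_of(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256 of a byte string, hex encoded like the VirusTotal report."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def matching_iocs(data: bytes, iocs: dict = REALAV_HASHES) -> list:
    """Hash algorithms under which `data` equals a known-bad hash (empty list = no hit)."""
    h = hashes_of(data)
    return [alg for alg, bad in iocs.items() if h.get(alg) == bad.lower()]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(data: bytes):
    """Parse COFF header, AddressOfEntryPoint and section table of a PE image.
    Returns (header_dict, [section_dict, ...]), the fields VirusTotal's PEInfo prints."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsec, tstamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    # AddressOfEntryPoint is at offset 16 of the optional header for PE32 and PE32+.
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        raw = data[rawptr:rawptr + rawsize]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "vsize": vsize, "rawsize": rawsize,
                         "entropy": round(shannon_entropy(raw), 2),
                         "md5": hashlib.md5(raw).hexdigest()})
    return {"machine": machine, "timestamp": tstamp, "entrypoint": entry}, sections


def entry_section(header: dict, sections: list):
    """Section whose virtual range holds the entry point, or None when it falls outside
    every section (as 0x5dc6b4 does above): a common packer/runtime-unpacking sign."""
    ep = header["entrypoint"]
    for s in sections:
        if s["vaddr"] <= ep < s["vaddr"] + max(s["vsize"], s["rawsize"]):
            return s["name"]
    return None


def packed_sections(sections: list, threshold: float = 7.0) -> list:
    """Sections at or above the entropy threshold; the post's .text scores 8.00."""
    return [s["name"] for s in sections if s["entropy"] >= threshold]


def build_test_pe(text: bytes) -> bytes:
    """Constructed fixture: minimal, non-runnable PE32 image with one .text section."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0x47D00775, 0, 0, 24, 0x102)
    # PE32 magic, linker ver, SizeOfCode, init/uninit data, AddressOfEntryPoint, BaseOfCode
    opt = struct.pack("<HBBIIIII", 0x10B, 0, 0, len(text), 0, 0, 0x1000, 0x1000)
    rawptr = 64 + 4 + 20 + 24 + 40
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, len(text), rawptr,
                      0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\0\0" + coff + opt + sec + text


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read()
    print("hashes:", hashes_of(blob), "IOC hits:", matching_iocs(blob))
    hdr, secs = pe_sections(blob)
    print("machine 0x%x timestamp 0x%x entrypoint 0x%x (in section: %s)"
          % (hdr["machine"], hdr["timestamp"], hdr["entrypoint"], entry_section(hdr, secs)))
    for s in secs:
        print("%-8s 0x%-8x 0x%-8x 0x%-8x %.2f %s" % (s["name"], s["vaddr"], s["vsize"],
                                                    s["rawsize"], s["entropy"], s["md5"]))
    print("high-entropy sections:", packed_sections(secs))
```

Run it as `python pe_triage.py RealAV.exe` inside an isolated analysis VM; the IOC hit list and the two packing indicators are what you would paste into a ticket. Note that the parser reads the section table only and ignores the image base and overlay data, so it says nothing about what the unpacked code does.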

ThreatExpert:

File System Modifications
  • The following files were created in the system:

    #  Filename(s)                        File size        File MD5
    1  %DesktopDir%\RealAV.lnk            620 bytes        0xE9A1298101E75059D6B2B2DAF50FD6D5
    2  %Temp%\stylrit0.tmp                567,416 bytes    0xC8F83A8327B280A6E33CF667904C9607
    3  %Programs%\RealAV\RealAV.lnk       632 bytes        0xC93690825D178EB769AD4473A5230818
    4  %ProgramFiles%\RealAV\RealAV.exe   1,954,304 bytes  0xAAA18C5564891BAD2636E98C60C11842
       [file and pathname of the sample #1]
    5  %ProgramFiles%\RealAV\vscan.tsi    10,073 bytes     0x5BC533CD757B5BC635EB6E7FAB5E1C8E
    6  %ProgramFiles%\RealAV\zlib.dll     196,608 bytes    0x4D60C419FB5BB06D30B6F6AD5607E480

  • The following directories were created:
    • %Programs%\RealAV
    • %ProgramFiles%\RealAV
    • %ProgramFiles%\RealAV\Infected
    • %ProgramFiles%\RealAV\Suspicious

Registry Modifications
  • The following Registry Key was created:
    • HKEY_CURRENT_USER\Software\RealAV
  • The newly created Registry Values are:
    • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
      • RealAV.exe = “%ProgramFiles%\RealAV\RealAV.exe”
      so that RealAV.exe runs every time Windows starts

    • [HKEY_CURRENT_USER\Software\RealAV]
      • Autorun = 0x00000001
      • RegisterShellExtension = 0x00000001
      • CheckForUpdates = 0x00000000
      • QuickScanAtStartup = 0x00000001
      • StartMinimized = 0x00000001
      • ID = 0x00000001
      • ScanArchives = 0x00000001
      • ScanFiles = 0x00000001
      • ScanMail = 0x00000001
      • ScanProcesses = 0x00000001
      • ScanRegistry = 0x00000001
      • BasesVersion = 0x00000001
      • CoreVersion = 0x00000001
      • TotalScans = 0x00000001
      • lastScanDate = 0x130A07D8
      • lastScanTime = 0x122D003B
      • lastUpdateDate = 0x00000000
      • lastUpdateTime = 0x00000001
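The ThreatExpert report above gives everything needed to sweep a host for this infection: the dropped files and directories, and the HKCU Run value that restarts RealAV.exe at every logon. The script below is an added example, not code from this post or from ThreatExpert. It turns ThreatExpert's placeholders into concrete paths, checks which artifacts exist, and on Windows reads the Run value. The mapping of %Programs% to the per-user Start Menu Programs folder and of %DesktopDir% to the user's Desktop is an assumption about ThreatExpert's conventions; the environment dictionary in the test is constructed. The script only reports; deleting the Run value, the RealAV directories and the two shortcuts is the cleanup the report implies, but do that after collecting the evidence.

```python
import ntpath
import os
import sys

# Artifacts exactly as listed in the ThreatExpert report above.
REALAV_FILES = [
    r"%DesktopDir%\RealAV.lnk",
    r"%Temp%\stylrit0.tmp",
    r"%Programs%\RealAV\RealAV.lnk",
    r"%ProgramFiles%\RealAV\RealAV.exe",
    r"%ProgramFiles%\RealAV\vscan.tsi",
    r"%ProgramFiles%\RealAV\zlib.dll",
]
REALAV_DIRS = [
    r"%Programs%\RealAV",
    r"%ProgramFiles%\RealAV",
    r"%ProgramFiles%\RealAV\Infected",
    r"%ProgramFiles%\RealAV\Suspicious",
]
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "RealAV.exe"


def placeholder_map(env: dict) -> dict:
    """Resolve ThreatExpert placeholders from Windows environment variables.
    Assumption: %Programs% is the per-user Start Menu Programs folder and
    %DesktopDir% the user's Desktop; ntpath keeps backslashes on any host OS."""
    profile = env.get("USERPROFILE", "")
    appdata = env.get("APPDATA", ntpath.join(profile, "AppData", "Roaming"))
    return {
        "%ProgramFiles%": env.get("ProgramFiles", r"C:\Program Files"),
        "%Programs%": ntpath.join(appdata, "Microsoft", "Windows", "Start Menu", "Programs"),
        "%DesktopDir%": ntpath.join(profile, "Desktop"),
        "%Temp%": env.get("TEMP", ntpath.join(profile, "AppData", "Local", "Temp")),
    }


def expand(path: str, pmap: dict) -> str:
    """Substitute every known placeholder in a ThreatExpert path."""
    for key, folder in pmap.items():
        path = path.replace(key, folder)
    return path


def expected_artifacts(env: dict) -> list:
    """Concrete paths (directories first, then files) this infection leaves behind."""
    pmap = placeholder_map(env)
    return [expand(p, pmap) for p in REALAV_DIRS + REALAV_FILES]


def find_artifacts(env: dict, exists=os.path.exists) -> list:
    """Subset of expected_artifacts that is present; `exists` is injectable for tests."""
    return [p for p in expected_artifacts(env) if exists(p)]


def run_key_hit():
    """The HKCU Run value RealAV sets for persistence, or None if absent or not on Windows."""
    try:
        import winreg
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
            value, _ = winreg.QueryValueEx(key, RUN_VALUE)
            return value
    except OSError:
        return None


if __name__ == "__main__":
    found = find_artifacts(dict(os.environ))
    run = run_key_hit()
    for p in found:
        print("present:", p)
    if run is not None:
        print("persistence: HKCU\\%s\\%s = %s" % (RUN_KEY, RUN_VALUE, run))
    print("RealAV indicators found: %d file/dir, Run value %s"
          % (len(found), "present" if run is not None else "absent"))
    sys.exit(1 if found or run is not None else 0)
```

The exit status makes the script usable from a logon script or an EDR custom check; a non-zero exit means at least one indicator is present. %Temp%\stylrit0.tmp is a transient installer file and will often be gone by the time you look, so its absence alone says nothing.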