Malware Database

PandaLabs reports that a new Rogue Antivirus program called Total Defender appeared over the weekend.

_{The following data is included for informational purposes only. Please do not attempt to view or download files from the website.}

Domain: Total-Defender. com
IP: 94.247.2.41
Country: Latvia
Host: DATORU EXPRESS SERVISS Ltd.
Organization: ZlKon

File: total-defender-setup.exe

Connects to:

0    200    HTTP    94.247.2.41    /ck.php    21
1    200    HTTP    94.247.2.41    /tdd.php?i=1
2    200    HTTP    94.247.2.41    /ck.php
3    301    HTTP    94.247.2.41    /tdp.php?ak=24DIGITHASH
4    200    HTTP    CONNECT    pp-pay.net:443
5    200    HTTP    CONNECT    pp-pay.net:443
6    200    HTTP    CONNECT    pp-pay.net:443
7    200    HTTP    CONNECT    bill-support.com:443

Additional Info:

An interesting thing we noticed is that the Rogue did not attempt to scare us into purchasing it, rather telling us that the computer was secure after the scan.  The Rogue authors are probably doing this to keep a high amount of Rogue installations active for the purposes of data theft or for hire services.

A few months ago we warned of Google sponsored results pointing to rogue anti-malware applications  (read: Sponsored Result != Safe) and more recently we talked about malicious ad content being displayed through pop-up ads hosted by Motigo’s free analytic services (read: Antivirus 2009…brought to you by Motigo).  Today we received word from a fellow security researcher, mwdisector, that a rogue anti-malware application was being served via ads in the bottom right corner of the Download.com website.

In our previous post regarding a related incident where Motigo served Antivirus 2009 rogue pop-up ads we told website Owners to  make sure they fully understand the all of the risks involved in implementing third party tools, ads, or services.

It’s obvious that the ad companies are not doing a good enough job at making sure their links are safe.  For this very reason, you do not see Google Adsense or similar types of advertisements on Malware Database. It would result in our viewers being infected and that is something we cannot have.  MalwareBytes and Panda Security are two companies that we stand by and those are the only type of ads you will see here, ads that we can guarantee not to lead to infections.

Download.com does have an initiative for malware free downloads but they state nothing about making sure their text based and image advertisements are malware free.  We are hoping the people at Download.com read this and take a stand against current and future threats promoted through their sponsored ads!

Rogue sponsored link served via download.com

Points to the Antispyware 2008 Rogue

*Do not attempt to visit this site or download the software*

What it looks like

File: setupxv.exe
VirusTotal: Result: 12/36 (33.33%)
File size: 5620057 bytes
MD5…: 15134735aff21a9162bef607684b9ca4
SHA1..: 72eff32a2187c339115e6842f80f6aa2273c48be
SHA256: f438f8c9b9f04fb4ee4fbbd2b215abbffb863c99e4a7f28012b0b45c8fe628ed
SHA512: f1e6b742c32c2931697d3ac9c06010d91bb4014d87d5d3a7ac8b6f667e5a08d0
f52ab7bb7864d87ad1ee7d9e1f664713b2c59f529869719294f0b380d27f4e44
PEiD..: Armadillo v1.71
TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (75.0%)
Win32 Executable Generic (16.9%)
Generic Win/DOS Executable (3.9%)
DOS Executable Generic (3.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0×412c8f
timedatestamp…..: 0×4466b13c (Sun May 14 04:25:32 2006)
machinetype…….: 0×14c (I386)

Removal Information:Need assistance removing this malware?
Click here for more information about malware removal.
Don’t forget to ask for help in our user forums!

Please do not visit the sites below.  The data discussed here is for informational purposes only!

I was doing my normal malware searching rounds tonight and came across a file called ProdigyAntivirus.exe.  The installer (ProdigyAntivirus.exe) drops 4 files inside of %windir% and is currently being hosted on a RapidShare account.

Session Summary:

#   Result    Protocol    Host    URL    Body    Caching
0   302  HTTP   prodigy-antivirus.com /179
1   302  HTTP   rapidshare.com /files/160002556/ProdigyAntivirus.ex[e]
2   200  HTTP   rs317tl2.rapidshare.com/files/160002556/ProdigyAntivirus.ex[e]

Installing:

Files Dropped:

c:\windows\csrss.exe –> 6b4ec82b2ca24014a14a955d7f957eeb
c:\windows\alg.exe –> 8822188d4c681fc23804bbccb457136d
c:\windows\lsass.exe –> ee26d966411103783e6371543b843719
c:\windows\msinet.ocx –> 40d81470a19269d88bf44e766be7f84a

VirusTotal: 6/36 (16.67%)

ThreatExpert: 5fd5bb1f-1df6-4a26-a992-96b167c5a40d

Note: This site is distributing Rogue “Fake” Anti-Malware product.  Do not visit, pay, or download the software discussed below.

We found a new site pushing RealAV today.  The download link pushes more than one binary. This is NOT  a real Antivirus product!  Do not download or install it!

Site: http://real-antivirus.com  – http://real-antivirus.org
Download: hxxp://real-antivirus.com/cgi-bin/download.pl?code=00000000
File: RealAV.exe
VirusTotal: Result: 2/36 (5.56%)
Additional information
File size: 1954304 bytes
MD5…: aaa18c5564891bad2636e98c60c11842
SHA1..: 61ba85670781d513cd5166e50fc9b642295592db
SHA256: 642594b433ec6421764e58d8b556d9d3ead16254bacad50f49b3a9da239d89f3
SHA512: 9e131ef300832706bc823b8fdd3466f5bbd795a6a08c7611a1420bd309af4ce9
3d5cfb1b28a583a84a19914d17c342c0b0a05723cbef6f4c656b69c0f3a4532e
PEiD..: -
TrID..: File type identification
Win64 Executable Generic (80.9%)
Win32 Executable Generic (8.0%)
Win32 Dynamic Link Library (generic) (7.1%)
Generic Win/DOS Executable (1.8%)
DOS Executable Generic (1.8%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0×5dc6b4
timedatestamp…..: 0×47d00775 (Thu Mar 06 15:02:13 2008)
machinetype…….: 0×14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0×1000 0×1dbfaa 0×1dc000 8.00 0149aea4dcfc5237618a57aec6faa4f8
.data 0×1dd000 0xaa3 0xa00 4.98 9a9e7d8c4e76cbfbef3957499f3edab3
.rsrc 0×1de000 0×398 0×400 3.07 abfcff94d64f4e80fd119ac67c89283a

ThreatExpert:

File System Modifications

• The following files were created in the system:

#	Filename(s)	File Size	File MD5
1	%DesktopDir%\RealAV.lnk	620 bytes	0xE9A1298101E75059D6B2B2DAF50FD6D5
2	%Temp%\stylrit0.tmp	567,416 bytes	0xC8F83A8327B280A6E33CF667904C9607
3	%Programs%\RealAV\RealAV.lnk	632 bytes	0xC93690825D178EB769AD4473A5230818
4	%ProgramFiles%\RealAV\RealAV.exe [file and pathname of the sample #1]	1,954,304 bytes	0xAAA18C5564891BAD2636E98C60C11842
5	%ProgramFiles%\RealAV\vscan.tsi	10,073 bytes	0×5BC533CD757B5BC635EB6E7FAB5E1C8E
6	%ProgramFiles%\RealAV\zlib.dll	196,608 bytes	0×4D60C419FB5BB06D30B6F6AD5607E480

• The following directories were created:
  • %Programs%\RealAV
  • %ProgramFiles%\RealAV
  • %ProgramFiles%\RealAV\Infected
  • %ProgramFiles%\RealAV\Suspicious

  Registry Modifications

• The following Registry Key was created:
  • HKEY_CURRENT_USER\Software\RealAV

• The newly created Registry Values are:
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • RealAV.exe = “%ProgramFiles%\RealAV\RealAV.exe”

  so that RealAV.exe runs every time Windows starts

  • [HKEY_CURRENT_USER\Software\RealAV]
    • Autorun = 0×00000001
    • RegisterShellExtension = 0×00000001
    • CheckForUpdates = 0×00000000
    • QuickScanAtStartup = 0×00000001
    • StartMinimized = 0×00000001
    • ID = 0×00000001
    • ScanArchives = 0×00000001
    • ScanFiles = 0×00000001
    • ScanMail = 0×00000001
    • ScanProcesses = 0×00000001
    • ScanRegistry = 0×00000001
    • BasesVersion = 0×00000001
    • CoreVersion = 0×00000001
    • TotalScans = 0×00000001
    • lastScanDate = 0×130A07D8
    • lastScanTime = 0×122D003B
    • lastUpdateDate = 0×00000000
    • lastUpdateTime = 0×00000001