Archive for the 'Antivirus 2009' Category

20 Nov

Antivirus 2009

Note: This site is distributing a rogue (“fake”) anti-malware product. Do not visit, pay, or download the software discussed below.

Very low detection.
Site:
hxxp://antivirus-premium-scan.com/2009/1/en/_freescan.php?nu=77025304

File: A9installertest_77025304.exe
Virustotal: Result 1/36 (2.78%)

Additional information
File size: 163840 bytes
MD5…: ccdfcdcea179cf0ecf12035d5ee8b821
SHA1..: e85dd4eebb5ae4d61f36385281922637712a56bd
SHA256: 6ffe5e74108fce512aa3c2de39e13ea9aebdda9606a7966d424254282679c03c
SHA512: 4de947fd4bf09f6ac2ef6dc34fafdf471555fe6e37dc0f8722cd4e726b5d6dc5
3c76a98f2786df5af5527f0356715bf5787f2b6b44a15eeffea5ff7aed4b6d37
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
VXD Driver (0.1%)

15 Nov

Database Update - 19 Files (Low Detection)

Quite a few files were added to the database today. As you can see below, most AVs out there do not detect them.

BE ADVISED: These URLs may still be active. Proceed at your own risk!

A9installer_77024202.exe
Result: 0/36 (0%)
MD5: fd6c1b0cec99796c72213ee330eb7b58
VirusTotal
ThreatExpert Analysis
hxxp://allinone-scanner.com/2009

av_2009.exe
Result: 1/36 (2.78%)
MD5: 4c68e58e317f7111ac147d5279ef23e0
VirusTotal
ThreatExpert Analysis

zcodec.1482.exe
Result: 3/36 (8.34%)
MD5: 9acea07175a11ae690263f9be7828467
VirusTotal
ThreatExpert Analysis
hxxp://codecdownload.pc-storesoft.com

doc.pdf
Result: 10/36 (27.78%)
MD5: 220e84ba5748fbd62234f3f8db52c660
VirusTotal
hxxp://chanchoi.cn

default.exe
Result: 13/36 (36.12%)
MD5: 58e3a60289854bb435570a14ac3c616e
VirusTotal
ThreatExpert Analysis
hxxp://chanchoi.cn

kryostm.dll
Result: 21/36 (58.34%)
MD5: b8d72237913a95b597583f8f91181ed8
VirusTotal
ThreatExpert Analysis

kryo2.sys & pavtpk.sys
Result: 20/36 (55.56%)
MD5: abbce53fa9411adbd8a870ae9c27a92e
VirusTotal
ThreatExpert Analysis

test.pdf
Result: 10/36 (27.78%)
MD5: 220e84ba5748fbd62234f3f8db52c660
VirusTotal
hxxp://onlinestat.cn

file1.exe & U.exe
Result: 4/36 (11.12%)
MD5: 0fe5b393bef43d95f5e86c820097491e
VirusTotal
ThreatExpert Analysis
hxxp://onlinestat.cn

ntos.exe
Result: 4/36 (11.12%)
MD5: fbe5869d3f03108296e10a81e9b7d160
VirusTotal
ThreatExpert Analysis

After multiple runs through a sandbox, these different binaries were downloaded:

ntos.exe
Result: 4/36 (11.12%)
MD5: df4f605f59823324cceaf359d46a5d27
VirusTotal
ThreatExpert Analysis

ntos.exe
Result: 5/36 (13.89%)
MD5: fa736d7136176eebfcefd109b33f2e90
VirusTotal
ThreatExpert Analysis

soft.exe
Result: 9/36 (25%)
MD5: dcdd783dd8f84ef8b9a0c8233d152540
VirusTotal
ThreatExpert Analysis

csrss7.dll
Result: 3/36 (8.34%)
MD5: e87c0ab9c96b000f86199118d38539c1
VirusTotal
ThreatExpert Analysis

This also modified the hosts file to block international search engines (AOL, Google, and MSN).
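A quick way to check a machine for the hosts-file tampering described above is to parse the file and look for any entry that pins a search-engine domain to a fixed address. The checker below is an added example, not code from the Malware Database post; the watched-domain list and the constructed sample hosts content are this example's assumptions, not data recovered from the infected machine.

```python
"""Flag hosts-file entries that hijack well-known search-engine domains.

Added example, not code from the Malware Database post. The post reports
that the sample rewrote the Windows hosts file to block AOL, Google and
MSN; this checker parses a hosts file and reports any entry that maps one
of those domains (or a subdomain) to an address. The sample hosts content
at the bottom is constructed for the demonstration.
"""
import ipaddress
from typing import Dict, List, Tuple

# Domains the post says were blocked; the list is an assumption, extend as needed.
WATCHED_DOMAINS = ("google.com", "aol.com", "msn.com", "live.com")

# Only these names are expected in a stock hosts file.
BENIGN_HOSTNAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text: str) -> List[Tuple[str, str, int]]:
    """Return (address, hostname, line_number) for every mapping in a hosts file."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        parts = line.split()
        try:
            addr = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue   # malformed line, first field is not an address
        for host in parts[1:]:
            entries.append((addr, host.lower(), lineno))
    return entries


def is_watched(hostname: str) -> bool:
    """True if hostname is one of the watched domains or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHED_DOMAINS)


def find_hijacks(text: str) -> List[Dict[str, object]]:
    """Return hosts-file entries that pin a watched domain to any address."""
    findings = []
    for addr, host, lineno in parse_hosts(text):
        if host in BENIGN_HOSTNAMES or not is_watched(host):
            continue
        ip = ipaddress.ip_address(addr)
        findings.append({
            "line": lineno,
            "host": host,
            "address": addr,
            # loopback/unspecified sinkholes the site; anything else redirects it
            "kind": "blocked" if ip.is_loopback or ip.is_unspecified else "redirected",
        })
    return findings


# Constructed sample: a stock hosts header plus the kind of additions the post describes.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1 www.google.com google.com
127.0.0.1 search.msn.com
0.0.0.0   www.aol.com
10.0.0.5  update.example.test  # unrelated, not watched
"""

if __name__ == "__main__":
    for f in find_hijacks(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['address']} ({f['kind']})")
```

On a live Windows host, read `%SystemRoot%\System32\drivers\etc\hosts` and pass its contents to `find_hijacks`; a non-loopback address for a watched domain means traffic is being redirected rather than merely blocked.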

doc.pdf
Result: 12/36 (33.34%)
MD5: 9b3822a11c9e94763150282f0c9b1d01
VirusTotal

default.exe & ~.exe
Result: 8/36 (22.23%)
MD5: 4dcc389638a9cf14972752df79ed0dd6
VirusTotal
ThreatExpert Analysis

nvaux32.exe
Result: 8/36 (22.23%)
MD5: 94d724d0740a3f6a26b624051950b053
VirusTotal
ThreatExpert Analysis

user32.dll
Result: 8/35 (22.86%)
MD5: 5f24060f06fd415314485a66a0be8726
VirusTotal
ThreatExpert Analysis

flash_update.exe (Koobface Facebook Worm)
Result: 7/36 (19.45%)
MD5: f47a95dc8003bb0f206d836b757fa9f3
VirusTotal
ThreatExpert Analysis
hxxp://youtube-cam.com

28 Oct

Antivirus 2009

Note: This site is distributing a rogue (“fake”) anti-malware product. Do not visit, pay, or download the software discussed below.

This one has a low rate of detection.

Site: hxxp://save-my-pc-now.com/2009/download/trial/A9installer_770522166818.exe

File: A9installer_770522166818.exe
VirusTotal: Result 2/36 (5.56%)

File size: 145408 bytes
MD5…: 447297e7d1f38a237160b43061385c0b
SHA1..: 33e6cb95f59a5bfc7fbfd246280c4dce1e7ab22d
SHA256: 16604592a2465b1c5c08aa3630ac5f20d7b8599e012c16837395e535903a668e
SHA512: e7188f53aebba558b49d5872ca8421f4051b2e0b95e46ab1f14ca6f1255a39c1
5e9b3def1628f0c21885a9e1048392940433084dab1f4ec677958bac392438df
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
VXD Driver (0.1%)

23 Oct

Antivirus 2009

Note: This site is distributing a rogue (“fake”) anti-malware product. Do not visit, pay, or download the software discussed below.

new-antivirusxp-2009

Site: hxxp://prosecurity-audit.com/2009/1/_freescan.php?id=880293

File: A9installer_880293.exe

Result: 2/36 (5.56%)

File size: 140800 bytes
MD5…: eece53fa0335a7c925288e6e5b59e382
SHA1..: c25c745f60e3880ea7dd85960e56a9f7f7b2d87e
SHA256: 88ab4c6b492c2f8c953f344e8593c6686f68df72c5946eb0ad1ea2efde4492f4
SHA512: 6218d158441533991bcf2004873ea6ad1598ed01138c3f78953affb0feef1e81
31b4583d0a6fd9876908b751ef6f1f142a2b9c01b4eeda6396a1933c3b1591d2
PEiD..: -
TrID..: File type identification
Generic Win/DOS Executable (49.5%)
DOS Executable Generic (49.5%)
VXD Driver (0.7%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)

23 Oct

Antivirus 2009 - 2 files added - 5 domains added (Low Detection) 1/36

Today I came across a new Antivirus 2009 binary with a 1 out of 36 detection ratio on VirusTotal. The session starts at antivirus-best.com, and that page is reduced to a pop-up message, as usual. We are then briefly taken to voodoorevenue.com, where the affiliate information for the malware creators is sent, and then redirected to the point of download, protection-overview.com.

Screenshot:

Antivirus 2009

Removal Information:

We successfully tested MalwareBytes to remove this threat. 
Click here for more information on the removal process.

Session Summary

#    Result    Protocol    Host    URL    Body
538    200    HTTP    antivirus-best.com    /
539    200    HTTP    antivirus-best.com    /window.js
540    200    HTTP    CONNECT    urs.microsoft.com:443
541    200    HTTP    antivirus-best.com    /_freescan.php?id=
542    200    HTTP    antivirus-best.com    /fileslist.js
543    200    HTTP    antivirus-best.com    /progressbar2.js
544    200    HTTP    antivirus-best.com    /common.js
545    200    HTTP    antivirus-best.com    /hat1.jpg
546    200    HTTP    antivirus-best.com    /pixel_trans.gif
547    200    HTTP    antivirus-best.com    /bgleft.gif
548    200    HTTP    antivirus-best.com    /disks.gif
549    200    HTTP    antivirus-best.com    /bgtop1.gif
550    200    HTTP    antivirus-best.com    /warning.jpg
551    200    HTTP    antivirus-best.com    /pbbg2.gif
552    200    HTTP    antivirus-best.com    /table1.gif
553    200    HTTP    antivirus-best.com    /footer.gif
554    200    HTTP    antivirus-best.com    /bgright.gif
555    200    HTTP    antivirus-best.com    /popup4.gif
556    200    HTTP    antivirus-best.com    /pbbg.gif
557    200    HTTP    antivirus-best.com    /closebutton.gif
558    404    HTTP    antivirus-best.com    /favicon.ico
559    200    HTTP    antivirus-best.com    /warning2.jpg
560    200    HTTP    antivirus-best.com    /table2.gif
561    302    HTTP    voodoorevenue.com    /soft.php?aid=0777&d=100&product=XPA&refer=c79bfd2d5
562    302    HTTP    protection-overview.com    /2009/100/freescan.php?id=880777
563    200    HTTP    protection-overview.com    /2009/download/trial/A9installer_880777.exe
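The session list above shows the landing page, the affiliate tracker and the installer host chained together by HTTP 302s. The script below is an added example, not code from the Malware Database post: it parses session rows in that same column layout (#, Result, Protocol, Host, URL), groups each run of 3xx responses with the response that finally answered, and flags chains whose last hop is an executable download. The sample rows are copied from the session summary above; the parsing rules, the CONNECT handling and the list of executable suffixes are this example's assumptions.

```python
"""Reconstruct redirect chains from a Fiddler-style session list.

Added example, not code from the Malware Database post. Rows are expected
in the post's layout: sequence number, HTTP result, protocol, host, URL.
A chain is a run of 3xx responses plus the first non-3xx response after
them; chains ending in an executable download are the ones worth a look.
"""
import re
from typing import Dict, List

ROW_RE = re.compile(r"^\s*(\d+)\s+(\d{3})\s+(\S+)\s+(\S+)\s+(\S*)\s*$")
# Assumption: treat these suffixes as executable payloads (.cpl appears on the page).
EXEC_SUFFIXES = (".exe", ".scr", ".cpl", ".dll")


def parse_session(text: str) -> List[Dict[str, object]]:
    """Parse session rows; header lines and free text are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        seq, status, proto, host, url = m.groups()
        # Assumption: Fiddler shows TLS tunnels with CONNECT in the host column
        # and the real host:port in the URL column.
        if host == "CONNECT":
            host, url = url, "(tunnel)"
        rows.append({"seq": int(seq), "status": int(status),
                     "protocol": proto, "host": host, "url": url})
    return rows


def redirect_chains(rows: List[Dict[str, object]]) -> List[List[Dict[str, object]]]:
    """Group consecutive 3xx rows with the row that terminated the redirects."""
    chains, current = [], []
    for row in rows:
        if 300 <= row["status"] < 400:
            current.append(row)
        elif current:
            current.append(row)     # the response that ended the chain
            chains.append(current)
            current = []
    if current:                     # log ended while still redirecting
        chains.append(current)
    return chains


def summarize(chain: List[Dict[str, object]]) -> Dict[str, object]:
    """Hops, final host and whether the chain ends in an executable download."""
    final = chain[-1]
    return {
        "hops": [f"{r['host']}{r['url']}" for r in chain],
        "final_host": final["host"],
        "executable": str(final["url"]).lower().endswith(EXEC_SUFFIXES),
    }


# Rows copied from the post's session summary (subset).
SAMPLE_SESSION = """\
#    Result    Protocol    Host    URL    Body
538    200    HTTP    antivirus-best.com    /
540    200    HTTP    CONNECT    urs.microsoft.com:443
541    200    HTTP    antivirus-best.com    /_freescan.php?id=
561    302    HTTP    voodoorevenue.com    /soft.php?aid=0777&d=100&product=XPA&refer=c79bfd2d5
562    302    HTTP    protection-overview.com    /2009/100/freescan.php?id=880777
563    200    HTTP    protection-overview.com    /2009/download/trial/A9installer_880777.exe
"""

if __name__ == "__main__":
    for chain in redirect_chains(parse_session(SAMPLE_SESSION)):
        s = summarize(chain)
        print(" -> ".join(s["hops"]), "| executable:", s["executable"])
```

Every host that appears in a flagged chain, not only the final download host, is a candidate for blocking, since the affiliate tracker is reused across campaigns while the download host rotates.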

After Install

780    200    HTTP    secureupdateserver.com/download/av_2009.exe  > called by: a9installer_880777:1580
781    206    HTTP    secureupdateserver.com/download/av_2009.exe  > called by: a9installer_880777:1580
782    200    HTTP    secureupdateserver.com/download/av_2009.exe  > called by: a9installer_880777:1580
783    200    HTTP    secureupdateservice.com/firstrun.php?product=AV9&aff=880777&update=2409av9nv&time=00:00:00  > called by: av2009:732

Files:

DownloadPath\$$$$$$$$$.bat (deletes the installer)
%ProgramFiles%\Antivirus 2009\av2009.exe
%SystemRoot%\System32\scui.cpl

Registry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Value Name: 66878074513444726827872864318771
Value: C:\Program Files\Antivirus 2009\av2009.exe
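The persistence above is a single Run value with a random 32-digit name pointing at the av2009.exe install path. The checker below is an added example, not code from the Malware Database post: it parses the text of a `reg export` dump offline (so it runs on any platform, not only the infected host) and flags Run values whose command points into the install paths recorded on this page or whose value name is purely numeric. The numeric-name heuristic, the path fragment list and the constructed .reg sample are this example's assumptions.

```python
"""Check Run-key autostart entries for the persistence the post describes.

Added example, not code from the Malware Database post. Input is the text
of a `reg export HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run`
dump (.reg format). Values are flagged when their command contains a path
fragment reported on the page, or when the value name is a long run of
digits like the one the post recorded (heuristic, an assumption).
"""
import re
from typing import Dict, List

# Install paths reported on the page for this family; extend with other indicators.
ROGUE_PATH_FRAGMENTS = (
    r"\antivirus 2009\av2009.exe",
    r"\system32\scui.cpl",
)
RUN_KEYS = (
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
)
KEY_RE = re.compile(r"^\[(.+)\]\s*$")
# "name"="data" with .reg escaping (\\ for a backslash, \" for a quote)
VALUE_RE = re.compile(r'^"([^"]*)"="((?:[^"\\]|\\.)*)"\s*$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: data}} for the REG_SZ values in a .reg dump."""
    tree: Dict[str, Dict[str, str]] = {}
    key = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            tree.setdefault(key, {})
            continue
        m = VALUE_RE.match(line) if key else None
        if m:
            name, data = m.groups()
            # undo .reg escaping; hex:/dword: values never reach here
            tree[key][name] = data.replace("\\\\", "\\").replace('\\"', '"')
    return tree


def suspicious_run_entries(text: str) -> List[Dict[str, object]]:
    """Flag Run values by rogue-AV path or by numeric value name."""
    findings = []
    for key, values in parse_reg_export(text).items():
        if key.lower() not in RUN_KEYS:
            continue
        for name, cmd in values.items():
            reasons = []
            if any(frag in cmd.lower() for frag in ROGUE_PATH_FRAGMENTS):
                reasons.append("rogue-av path")
            if name.isdigit() and len(name) >= 16:   # assumption: random numeric names
                reasons.append("numeric value name")
            if reasons:
                findings.append({"key": key, "name": name, "command": cmd, "reasons": reasons})
    return findings


# Constructed sample: the value from the post next to a benign Windows autostart entry.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"66878074513444726827872864318771"="C:\\Program Files\\Antivirus 2009\\av2009.exe"
"SecurityHealth"="\"C:\\Windows\\system32\\SecurityHealthSystray.exe\" /quiet"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:24,00,00,00
"""

if __name__ == "__main__":
    for f in suspicious_run_entries(SAMPLE_REG):
        print(f"{f['key']}\\{f['name']} -> {f['command']} [{', '.join(f['reasons'])}]")
```

On a Windows host, produce the input with `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` and feed the file contents to `suspicious_run_entries`; the same parser works on an HKLM export, since both Run keys are in `RUN_KEYS`.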

File: A9installer_880777.exe
VirusTotal: 1/36 (2.78%)

Additional information
File size: 139776 bytes
MD5…: b0674e8e6c99de286a62b2fde5358110
SHA1..: ee50b8901e011e56ff9b0ddaa045e8e54500426f
SHA256: cef3a6aae1291b1e2335cd034953ff1936bb38c1e2406256700266ee7269adc9
SHA512: 06fd1e8ad4b39f04f0862a7b8eadd4a00eaa7c99cd7e3c3e547326728cae8b35
023030034e4c3809d61976c63ce6ab337e480d59076b6a942cff8303b8550c41

File: av2009.exe
VirusTotal: 3/36 (8.33%)

Additional information
File size: 1265152 bytes
MD5…: dd624cacbcf3b1a0e39f2724fc7eca54
SHA1..: 99e1a1219ef624dafb3faa3e02d7addf8fc4203f
SHA256: a1c7724a05a37d7a842be34acf0c42fc37f019c6f5b49cd2e00d48baa14d7a91
SHA512: 9623e0d41c42a69621e601eb893ab4bf2d0e0f8660a52698c4e6d3035f609baf
8546279aa40eca1c2f9cde767c0e17dacbc9f26ef6dfb54bbb7c496441b6f50a

Removal:

Remove this threat with MalwareBytes!

03 Oct

Antivirus 2009 - 1 domain added - 1 old file (30/36) + Plimus payment gateway

Note: This site is distributing a rogue (“fake”) anti-malware product. Do not visit, pay, or download the software discussed below.

Antivirus 2009

Site: hxxp://www.antivirus-2009-pro.net/

IP Address: 217.20.175.44
IP Location: Ukraine - W Net ISP
Response Code: 200
Domain Status: Registered And Active Website

Payment Gateway

Site: http://antivirus-2009-pro.net/buy.php  > https://www.plimus.com/jsp/buynow.jsp?contractId=2016190&additionalCharge2016190_0=21344&custom1=

Plimus Corporation
Worldwide Corporate Headquarters
3830 Valley Centre Dr.
Suite 705-294
San Diego, CA 92130
Site Advisor: http://www.siteadvisor.com/sites/plimus.com

01 Oct

Antivirus 2009 - 3 domains added - 8 files added (0/36)

Note: This site is distributing a rogue (“fake”) anti-malware product. Do not visit, pay, or download the software discussed below.

We came across a fully undetected Antivirus 2009 installer today. All of the files have been made available inside of /lithium-malware/.

Antivirus 2009

Site:

  • hxxp://85.17.166.170/go/?cmp=nm_ron2&uid=f8a0d9628fbb11dd95e4166350cfffff&rid=gl2vmclr&guid=5b20e5c3232d4440b6234368749a6d3a&affid=166350&lid=http&url=http:%2F%2Fwww.google.com%2F&v=1145&m=an2g
    • hxxp://freeonlinescanner9.com/_download.php?aid=77052204&dlth=19
      • hxxp://vassariumbig.com/download/av_2009.exe

Files:

  • [download] A9installer_77052204.exe
  • %windir%\system32\ieexplorer32.exe
    • CONNECT to hxxp://securedownloadcenter.com and downloads /zsa09/winsystems.dll (321,536)
  • %windir%\system32\ieupdates.exe
  • %windir%\system32\scui.cpl
  • %windir%\system32\winsrc.dll
  • %programfiles%\Antivirus 2009\av2009.exe [D9B3AC01AF64F35EE3519021418384DB]

    • CONNECT to hxxp://securedownloadcenter.com and downloads /zsa09/zs880000.exe
    • CONNECT to hxxp://tdsvassarium.com/firstrun.php?product=AV9&aff=77052204&update=2508/av2009&time=removed

VirusTotal: Result: 0/36 (0.00%)

Payment Gateway Trace:

1. RESULT 200 www.google-analytics.com Account: UA-2403830-2
2. RESULT 302 hxxp://tdsvassarium.com/order_xp.php?ver=77052204

Final Destination
3. RESULT 200 hxxp://digipayments-soft.com/order_xp.php?ver=77052204

Payment Server Data
IP Address: 216.240.134.211
IP Location: United States California - Irvine - Go2online Corp


Removal:

Remove this threat with MalwareBytes!

25 Sep

Antivirus 2009 Protection

Note: This site is distributing a rogue (“fake”) anti-malware product. Do not visit, pay, or download the software discussed below.

Antivirus 2009

Site:
hxxp://bestantivirusscan.com/

**Note**

They have made a mistake with the “Download” button. It points to hxxp://bestantivirusscan.com/2009/download/trial/A9installer_.exe, but the actual file is called “A9installer_880221.exe”. It’s only a matter of time before they fix it.

File: A9installer_880221.exe
VirusTotal: Result 1/36 (2.78%)

File size: 139264 bytes
MD5…: deeec29fcbb71fd7ee6682156699cd72
SHA1..: ac7b76b8094518d6b3b7a895bc9828bcf8a75cae
SHA256: b2a7b8cb026cd19b66b071b834d0fecb455b91c29f1ac0f9e167fae03f294ed2
SHA512: 8b307ae0559bdc3c8a0195437924138e991b2c81ac453ca0f169c55bc0266d81
a681d97211c3e349625d0ce4d9509d3ef6b4d295bbbfa2723b194983fc85039a
PEiD..: -
TrID..: File type identification
Generic Win/DOS Executable (49.5%)
DOS Executable Generic (49.5%)
VXD Driver (0.7%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)

25 Sep

Scanner-Protection

Note: This site is distributing a rogue (“fake”) anti-malware product. Do not visit, pay, or download the software discussed below.

Scanner-Protection

Site:
hxxp://scanner-protection.com
hxxp://virus-scan-online.com

File: AV2008install.exe
VirusTotal: Result 5/36 (13.89%)

File size: 186880 bytes
MD5…: 9ca4a84b7d9e074948fa3e3259695e1b
SHA1..: 52bf41bbc39daa7cc729cac49ebbbc4cc1068d79
SHA256: de2564f71fa018dd36b74dafdf7bef26ffc2c1006581b517d45709e364a1f0c8
SHA512: 47a8ab7d0c8567922d97e6d7183ed646a75ec9d42ba37d997fb77de237946ce2
c9c24c8abc1f0be87a39acf48d4e8be41df82303eac0a628832c9a282944af83
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (35.2%)
Win32 Dynamic Link Library (generic) (31.3%)
Win16/32 Executable Delphi generic (8.5%)
Clipper DOS Executable (8.3%)
Generic Win/DOS Executable (8.2%)

24 Sep

Antivirus 2009

Note: This site is distributing a rogue (“fake”) anti-malware product. Do not visit, pay, or download the software discussed below.

Antivirus2009

Site: hxxp://secureclick1.com/2009/1/_freescan.php?id=880135

File: A9installer_77053505.exe
VirusTotal: Result: 2/36 (5.56%)

File size: 133632 bytes
MD5…: a8cf053106ea3f7e787a77c5ff8f6de5
SHA1..: 307fbd9274e57ce850b7dcc8d1cb124bf24ac1f0
SHA256: 69047c1ccfce2672314fe2717042504a7afefe754ac58cb13751def22c574b78
SHA512: 4ac2c23ee73aad87a4d523059fe1634694e7a37fde77b83da00b061115f5e959
089bec418e16c0d5e8a71151eedb07ee6695cdd6088eefcb8e76b79e9adb5dec
PEiD..: -
TrID..: File type identification
Generic Win/DOS Executable (49.5%)
DOS Executable Generic (49.5%)
VXD Driver (0.7%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)

Removal:

Remove this threat with MalwareBytes!
