Archive for the 'Rogue Security Software' Category

27 Nov

Fake antivirus site features drive-by install of PDF exploits

Here’s a fake antivirus site that has a special *gift* for you when you visit: PDF exploits! When you visit the site, it attempts a drive-by install using an exploit-embedded PDF file.

Bad Site:
hxxp://2008-noadware-antivirus.com (68.180.151.74)
AS36752 | 68.180.151.74 | YAHOO-SP1 - Yahoo

Goes to:
hxxp://abb192.cn/exp/index.php
hxxp://abb192.cn/exp/load.php?id=2926
abb192.cn (82.192.88.2)
AS16265 | 82.192.88.2 | LEASEWEB LEASEWEB AS

Launches a process called AcroRd32.exe (Acrobat Reader) and slows your machine down to a crawl.

Pulls down a PDF file. VT coverage is 10/37.
http://www.virustotal.com/analisis/28d3a59…f1ac43bd00fe253

Found a load.exe file from hxxp://abb192.cn/exp/load.php?id=2926
VT coverage is low 4/37.
http://www.virustotal.com/analisis/e22e2de…830413b3d949441

See a connection to:
hxxp://sp2.information.com/?epl=03220029R1UMXGYWVlEFDVFTDVBfA1MMUgBFUVgMAFxbVllZVFgHBFIBWAtHXRdZEBZLSwVcDBIBWAxqRQQHUEddSglZEUFEWBcWVwMEWFEMF1ETD0EUR0hUDFgYRxFaRU1WUFQXCFsEXh8BVkcIVww8UQFbB1MSFl8CRlJcDVpUXB5XUBFQUw1KQFhUUQ9VEApbQwpcAlUKaAtaQhNcABNbV0FfEUdNX21yQ11bFW8AD1cGDVYFCVcRBlNRBAJBXE5da10EW1MXWV4ADlEPFgM8UQFbB1AGXwdFVEIVDkFQS0xrXhVBXQ1WZgxXCVQAWlcBXV4GVg

abb192.cn was registered on 10/29 and hosted on a Leaseweb box in Amsterdam.
Other domains on that IP 82.192.88.2:
abbcp.cn
abc801.cn
bmanager.shadypart.net
shadypart.net

-mwdisector

24 Nov

New fake security software called Micro Antivirus 2008

Note: This site is distributing a Rogue “Fake” Anti-Malware product. Do not visit, pay, or download the software discussed below.

The product is named 2008 yet the website is 2009. I see that microav2008.com is available, maybe they should register that too. ;-)

Fake Product Name: Micro Antivirus 2008

Site: microav2009.com

IP: 91.208.0.223
Location: Russia
Registration:
ICANN Registrar: INTERNET.BS CORP.
Created:  2008-09-24

File:
MicroAVSetup.exe
VirusTotal coverage: 27/37
http://www.virustotal.com/analisis/38e2f2bc89e9803b8d313424f21957cd

13 Nov

Database Update - 16 Files (Low-Moderate Detection)

Another update for tonight. Should have more over the weekend. Find them in /pnuemo-malware/.

BE ADVISED: These URLs may still be active. Proceed at your own risk!

services.exe
Result: 19/36 (52.78%)
MD5: c629db60a9a5d7303419b5153d3e9b0b
VirusTotal
ThreatExpert Analysis

nd82m0.dll
Result: 5/36 (13.89%)
MD5: d6f2135dc562c7d4992cf2cea2166707
VirusTotal
ThreatExpert Analysis
hxxp://85.17.166.182

kb600179.dll
Result: 5/36 (13.89%)
MD5: f946f8c3de445d45c7eb34591bee037b
VirusTotal
ThreatExpert Analysis
hxxp://89.188.16.30

setup_457_6777_.exe
Result: 1/36 (2.78%)
MD5: e9339f9045368947789ec70739de4b21
VirusTotal
ThreatExpert Analysis
hxxp://files.download-antispyware.com

scanner_457_6777_.exe
Result: 16/36 (44.44%)
MD5: e0f855c6c5fc93f0a8ed1fe9e702e492
VirusTotal
ThreatExpert Analysis
hxxp://dl.storage-antispyware.com/get/

42.exe
Result: 4/36 (11.12%)
MD5: f5201b9e77b7b31443b4e0e6190e219f
VirusTotal
ThreatExpert Analysis
hxxp://85.92.157.141/mxlivemedia/

msansspc.dll
Result: 6/36 (16.67%)
MD5: 3cc545e42b9bb14df4a63f2a37aebdb0
VirusTotal
ThreatExpert Analysis

mvnzivtlmzhxi.dll
Result: 7/36 (19.45%)
MD5: 7614e7448f1983b9641e9699f67576a4
VirusTotal
ThreatExpert Analysis

pdf.pdf
Result: 6/36 (16.67%)
MD5: a3f83503a165a19c4b01328463175cd7
VirusTotal
hxxp://activision.cc/1/spl

twext.exe
Result: 11/36 (30.56%)
MD5: 5767c816cb20753976df2edb60eaf448
VirusTotal
ThreatExpert Analysis

load.exe
Result: 12/36 (33.34%)
MD5: 9b467bdc6dd1b3e68651b7039cd373c8
VirusTotal
ThreatExpert Analysis
hxxp://activision.cc/1/

xcvb.pdf
Result: 4/36 (11.12%)
MD5: e3b86145de00ebfab3e3159d24b81104
VirusTotal
hxxp://91.203.92.137/xcv/

install.exe
Result: 16/36 (44.45%)
MD5: 0869881865032bd1b3b08d82e5e4f404
VirusTotal
ThreatExpert Analysis
hxxp://91.203.92.137/xcv/

beep.sys & figaro.sys
Result: 29/36 (80.56%)
MD5: c4618f889863b5aa357f5f5ba8f353d6
VirusTotal
ThreatExpert Analysis

brastk.exe
Result: 14/36 (38.89%)
MD5: 0d63a88fdb4259de8280f8bb7d78ec35
VirusTotal
ThreatExpert Analysis

KB908268.exe
Result: 7/36 (19.45%)
MD5: 504eb66e741186a61792862f0a83ff82
VirusTotal
ThreatExpert Analysis
hxxp://76.74.239.143/weruoiq/

msansspc.dll
Result: 6/36 (16.67%)
MD5: 3cc545e42b9bb14df4a63f2a37aebdb0
VirusTotal
ThreatExpert Analysis

03 Nov

Antivirus Pro 2009 - Exploiting Human Weakness for Money

Note: The sites we talk about in this post distribute a Rogue “Fake” Anti-Malware product. Do not visit, pay, or download the software discussed below.

Almost every day our viewers ask us about Rogue anti-malware software. Out of all of the questions we receive, the most common is “When will these attacks stop?” The sad truth is that we cannot see an end to this problem in sight. As long as the malicious individuals are able to trick or force users into downloading, installing, and eventually paying for their fake “Rogue” anti-malware products, they will continue to develop and push the envelope.

Antivirus Pro 2009

The user will be prompted with the following message in the event that the browser blocks the download.  When the user clicks on “Click here to get full advanced real-time protection and continue browsing”, it will automatically forward them to the payment gateway page.

“Insecure Internet Activity. Threat of Virus Attack!  Due to the insecure Internet browsing your PC can easily get infected with viruses, worms and trojans without your knowledge, and that can lead to system slowdown, freezes and crashes”

Antivirus Pro 2009 Browser Warning

Installer:

There are three options in the Antivirus Pro 2009 installer: Continue, Terms of Service and Cancel.

Antivirus Pro 2009

Canceling the Installation:

When attempting to exit the installer via the cancel button, the setting defaults to “Continue with installing and running free scanner.”

Antivirus Pro 2009 Cancel Install

Terms of Service:

Antivirus Pro 2009 Terms of Service

Interface:

The interface may look convincing to unsuspecting victims.

Antivirus Pro 2009 Interface

Scare Messages:

Victims are presented with various scare messages to entice a purchase.

“WARNING! Antivirus Pro 2009 has found 27 useless and UNWANTED files on your computer!”

Personal data at the reach of anyone’s hand

Internet history records available

Compromising and adult material stored on your system

Chat sessions’ logs and personal Emails easily reachable

Antivirus Pro 2009 Scare Tactics

Payment Gateway:

hxxps://secure.soft-payments.com via AS20495 (WEDARE We Dare BV Autonomous System)

secure.soft-payments.com

Antivirus Pro 2009 Payment Gateway

SharedNS:

Antivirus Pro 2009 Shared NS

VirusTotal:

7/36 (19.44%) –> hxxp://www.av-pro-2009.com

7/36 (19.44%) –> hxxp://xp-as-2009.com

11/36 (30.56%) –> hxxp://xpas-2009.com

16/36 (44.44%) –> hxxp://av-pro2009.com

16/36 (44.44%) –> hxxp://avpro-2009.com

16/36 (44.44%) –> hxxp://avpro2009.com/

Removal Information: Need help removing this malware?
Click here for more information on the removal process.

Don’t forget to ask for help in our user forums!

24 Oct

Database Update - 28 Files (Moderate Detection)

Here is an update of files from this past week. These files are available in /pnuemo-malware/ in our repository. PLEASE READ UPDATED README.TXT!

BE ADVISED: These URLs may still be active. Proceed at your own risk.

certificado-3.15.exe
Result: 12/36 (33.34%)
MD5: b249760cd0c1a3b21df8993604efe36b
VirusTotal
ThreatExpert
hxxp://212.98.9.4/Bradesco.com.br/

Flash_Player_9.exe (Downloads or Creates: winexec32.exe & wsys33.exe)
Result: 18/36 (50%)
MD5: f6d3cc53df4a70ee53a9a0a5288834da
VirusTotal
ThreatExpert
hxxp://www.momocortes.com/blog/media/2/

wsys33.exe
Result: 10/36 (27.78%)
MD5: fa0f6781e99d1d78c0d24417cb7b88fd
VirusTotal
Sunbelt Sandbox

exe.exe (Downloads or Creates: vhosts.exe)
Result: 24/36 (66.67%)
MD5: c28f755cdf4863de48659d84c68efab7
VirusTotal
ThreatExpert
hxxp://verynicejob.info/sxe/load.php

02.exe
Result: 8/36 (22.23%)
MD5: 166da263d55d3a06b0bac738ceea769a
VirusTotal
ThreatExpert
hxxp://regect.mobi/

item.gif (Downloads or creates: msxml71.dll)
Result: 7/35 (20%)
MD5: 0a5b198090739429b0e939078517c4d8
VirusTotal
ThreatExpert
hxxp://nessotr-help.com/images/

msxml71.dll
Result: 8/36 (22.23%)
MD5: 46b14c6da49eba5ab1a07bd63b001057
VirusTotal
ThreatExpert

skash.exe (Downloads or creates: figaro.sys, beep.sys, & brastk.exe)
Result: 17/36 (47.23%)
MD5: df565df07afc10489c4b419b1f252158
VirusTotal
ThreatExpert
hxxp://destinationsurfersparadise.com.au/lsi/

beep.sys & figaro.sys
Result: 31/36 (86.12%)
MD5: 14054908c961bb3af74f08fc9dbddeac
VirusTotal

brastk.exe
Result: 17/36 (47.23%)
MD5: 18bc3ea8f0ec094e5a8bacf19e4413b0
VirusTotal
ThreatExpert

serce.php
Result: 7/36 (19.45%)
MD5: 0f3d0ea3905df454581e0c59595f72a6
VirusTotal
ThreatExpert

ex002.exe
Result: 11/36 (30.56%)
MD5: 6f6b2be08feb03f26c84100a24b4891e
VirusTotal
ThreatExpert
hxxp://traff.loadmore.eu/t/l/

setup_1_1_.exe (Installs Pro Antispyware 2009)
Result: 1/36 (2.78%)
MD5: d62c9998be552d4a7189f4c656501e81
VirusTotal
ThreatExpert
hxxp://files.proas2009dl.com/load/

pdf.pdf
Result: 7/36 (19.45%)
MD5: 746f87f5fcf309bc0c5bc422007f3740
VirusTotal
hxxp://svinushka.net/forum/spl/

video20798.cfg
Result: 11/36 (30.56%)
MD5: 1b06e026fdb1fe6e42e66472bae3cc74
VirusTotal
hxxp://lyox-lib.com/addon/

9llCJ4amiU.exe
Result: 10/36 (27.78%)
MD5: 0662482dea0f312e1ed7bfdab7cf86b1
VirusTotal
ThreatExpert
hxxp://78.157.143.225/EX/

video.cfg
Result: 8/36 (22.23%)
MD5: 75dfc5f4c4cbc9367a830d216dec62a4
VirusTotal
hxxp://69.46.24.95/addon/

DivXCodecPKG.7.exe
Result: 2/36 (5.56%)
MD5: f6b635b62fe9a91e9bc0eb01ee827f67
VirusTotal
ThreatExpert
hxxp://softawe-download-forpc.com/

7-v3av.exe (Downloads or Creates: beep.sys, figaro.sys, & brastk.exe)
Result: 12/36 (33.34%)
MD5: aed0e8cb43f48862d89daf441fd844da
VirusTotal
ThreatExpert
hxxp://91.203.92.121/7-v3av.exe

beep.sys & figaro.sys
Result: 30/36 (83.34%)
MD5: b01ed4cec7f0aa6232d49202a71e3a5c
VirusTotal

brastk.exe
Result: 11/36 (30.56%)
MD5: faa1dfd63f02675c4e717c01a476e1f8
VirusTotal
ThreatExpert

setup.exe (Downloads or Creates: getsn32.dll, smwin32.dll, & uesiuqcr.exe)
Result: 11/36 (30.56%)
MD5: d2e8f5095dcd62f912fd233c4e2e5459
VirusTotal
ThreatExpert
hxxp://kb960830-sp2-x86.enu.v6.updates.cab.windowupdate.micros0ft.com.microsofred.cn/

getsn32.dll
Result: 5/36 (13.89%)
MD5: a33aa3d2d4f3a78aa51b3bafb9ce34e1
VirusTotal
ThreatExpert

smwin32.dll
Result: 2/36 (5.56%)
MD5: 39f89f98990a946bc31cb0271b2d3e19
VirusTotal
ThreatExpert

uesiuqcr.exe
Result: 12/36 (33.34%)
MD5: d2e8f5095dcd62f912fd233c4e2e5459
VirusTotal
ThreatExpert

b156.exe
Result: 18/36 (50%)
MD5: 05411d4f5b6a3b430dcd30bea1731362
VirusTotal
ThreatExpert
hxxp://dl2.bundlext.com:8080/get.php

Removal:
Remove this threat with MalwareBytes!
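The two “Database Update” posts above (13 Nov and 24 Oct) use the same plain-text entry layout: a file name, optionally with a “Downloads or Creates:” note, a “Result: N/M (pct%)” line, an MD5 that is sometimes pushed onto its own line, the sandbox links, and an optional defanged hxxp:// source URL. As an added example (not code from the blog), here is a small Python parser for that layout that turns the entries into records, validates the MD5 fields, refangs the URLs for a blocklist, and flags the samples whose detection ratio is low. The sample text is copied from three entries on this page; the 25% threshold is an assumption chosen for illustration.

```python
"""Parse the blog's 'Database Update' entry format into IoC records.

Added example, not part of the original posts. SAMPLE is copied from
three entries on the page so the parser can be run offline.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

SAMPLE = """\
services.exe
Result: 19/36 (52.78%)
MD5:
c629db60a9a5d7303419b5153d3e9b0b
VirusTotal
ThreatExpert Analysis

setup_457_6777_.exe
Result: 1/36 (2.78%)
MD5: e9339f9045368947789ec70739de4b21
VirusTotal
ThreatExpert Analysis
hxxp://files.download-antispyware.com

skash.exe (Downloads or creates: figaro.sys, beep.sys, & brastk.exe)
Result: 17/36 (47.23%)
MD5: df565df07afc10489c4b419b1f252158
VirusTotal
ThreatExpert
hxxp://destinationsurfersparadise.com.au/lsi/
"""

# Name line: "<name>" or "<name> (<note>)"; names like "beep.sys & figaro.sys" contain spaces.
NAME_RE = re.compile(r"^(?P<name>[^(]+?)\s*(?:\((?P<note>[^)]*)\))?$")
RESULT_RE = re.compile(r"^Result:\s*(\d+)/(\d+)")
MD5_RE = re.compile(r"^[0-9a-f]{32}$")


@dataclass
class Sample:
    name: str
    detections: int
    engines: int
    md5: str
    url: str | None = None
    drops: list[str] = field(default_factory=list)  # files the entry says it downloads or creates

    @property
    def ratio(self) -> float:
        return self.detections / self.engines


def parse_update(text: str) -> list[Sample]:
    """Split the post body into blank-line-separated entries and parse each one."""
    samples: list[Sample] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        head = NAME_RE.match(lines[0])
        if head is None:
            raise ValueError(f"unparseable name line: {lines[0]!r}")
        name, note = head["name"], head["note"] or ""
        drops: list[str] = []
        if note.lower().startswith("downloads or creates:"):
            # "a, b, & c" -> ["a", "b", "c"]
            drops = [d for d in re.split(r"[,&]\s*", note.split(":", 1)[1].strip()) if d]
        detections = engines = None
        md5 = url = None
        md5_on_next_line = False
        for line in lines[1:]:
            if md5_on_next_line:                      # "MD5:" was alone on the previous line
                md5, md5_on_next_line = line.lower(), False
            elif (m := RESULT_RE.match(line)):
                detections, engines = int(m[1]), int(m[2])
            elif line.startswith("MD5:"):
                rest = line[4:].strip().lower()
                if rest:
                    md5 = rest
                else:
                    md5_on_next_line = True
            elif line.lower().startswith(("hxxp://", "hxxps://")):
                url = line
        if detections is None or engines is None or md5 is None or not MD5_RE.match(md5):
            raise ValueError(f"malformed entry: {lines[0]!r}")
        samples.append(Sample(name, detections, engines, md5, url, drops))
    return samples


def low_detection(samples: list[Sample], threshold: float = 0.25) -> list[str]:
    """Names of samples below the (assumed) ratio where signature coverage is too thin to rely on."""
    return [s.name for s in samples if s.ratio < threshold]


def refang(url: str) -> str:
    """Turn the post's defanged hxxp:// form back into a real scheme for a blocklist."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.I)


if __name__ == "__main__":
    for s in parse_update(SAMPLE):
        print(f"{s.name:24} {s.md5}  {s.detections}/{s.engines}  drops={s.drops}  url={s.url}")
    print("low detection:", low_detection(parse_update(SAMPLE)))
```

The parser raises on an entry with a missing or malformed MD5 rather than silently skipping it, so a mangled copy of a post cannot quietly drop an indicator from a blocklist.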

24 Oct

Antivirus XP 2008 morphs to MS Antivirus to Antivirus VIP

It’s no surprise that rogue security software authors have to get creative when trying to infect as many people as possible, especially when we work very hard to keep them exposed. Among many techniques, they use mutilated domain naming schemes, affiliate system abuse and redirection, and almost always the last-ditch attempt at improving their infection ratio is morphing. Remember when we talked about XP Antivirus 2008 morphing to MS Antivirus? Today we detected a new morph in the XP Antivirus series. Antivirus XP 2008 morphed to MS Antivirus on August 21st and today it morphed to Antivirus VIP.

Antivirus VIP

Site: http://antivirus-vip.com
File: Not Available Yet

Server Data

IP Address: 216.32.76.87
IP Location United States - Texas - Plano - Layered Technologies Inc
Response Code: 200
SSL Cert: www.antimalware-pro.com expires in 332 days.
Domain Status: Registered And Active Website

09 Oct

e-card.exe threat (Braviax + XP AntiSpyware 2009)

A new wave of e-card malspam is going out. The e-mail arrives spoofed as 123greetings.com and installs XP Antivirus 2009 once on the computer.

E-mail Body:

Good day.

You have received an eCard
To pick up your eCard, choose from any of the following options:
Click on the following link (or copy & paste it into your web browser):

hxxp://ospetroglifos.com/e-card.exe

Your card will be available for pick-up beginning for the next 30 days.
Please be sure to view your eCard before the days are up!
We hope you enjoy you eCard.
Thank You!

File Details:

File Name: e-card.exe

MD5: 51c2c1e82bc8c89dd831494689341147

SHA-1: 4e8e072659d6762dd41fc66b4f8c606e46d4b013

File Size: 44544 Bytes

Registry Values Modified:

Location: HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Key name: braviax

Value: C:\WINDOWS\system32\braviax.exe

Location: HKLM\System\CurrentControlSet\Control\Session Manager

Key name: Pending FileRenameOperations

Value: 0x5c003f003f005c0043003a005c00570049004e0044004f00570053005c00
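The PendingFileRenameOperations value quoted above is a REG_MULTI_SZ: UTF-16LE strings separated by NUL and terminated by a double NUL, read by Session Manager at boot as (source, destination) pairs, where an empty destination means “delete source”. The post prints only the first 30 bytes of it, so only the opening path prefix is recoverable. As an added example (not code from the blog), this Python decodes the hex exactly as it appears on the page, then shows the same routine on a constructed full value with one delete and one rename pair. The constructed paths are placeholders, not indicators from the post.

```python
"""Decode a hex dump of the PendingFileRenameOperations REG_MULTI_SZ.

Added example, not part of the original post. PAGE_HEX is the value
printed in the e-card.exe write-up; the post truncates it, so only the
first path prefix can be recovered from it.
"""
from __future__ import annotations

PAGE_HEX = "5c003f003f005c0043003a005c00570049004e0044004f00570053005c00"


def decode_multi_sz(hex_blob: str) -> list[str]:
    """Turn a hex dump of a REG_MULTI_SZ into its list of strings.

    Tolerates the '0x'/'0×' prefix seen in reports and a dump that was
    cut short: any trailing partial UTF-16 code unit is dropped instead
    of raising, and a missing double-NUL terminator is accepted.
    """
    blob = hex_blob.strip().lower()
    for prefix in ("0x", "0×"):
        blob = blob.removeprefix(prefix)
    blob = blob[: len(blob) - len(blob) % 4]  # whole UTF-16 code units only (4 hex digits each)
    text = bytes.fromhex(blob).decode("utf-16-le")
    if text.endswith("\x00\x00"):             # normal REG_MULTI_SZ terminator
        text = text[:-2]
    elif text.endswith("\x00"):               # truncated right after a separator
        text = text[:-1]
    return text.split("\x00")


def rename_operations(entries: list[str]) -> list[tuple[str, str | None]]:
    """Group the strings into (source, destination) pairs.

    An empty destination, or one missing because the dump was truncated,
    is returned as None: Session Manager treats that as 'delete source'.
    """
    ops: list[tuple[str, str | None]] = []
    for i in range(0, len(entries), 2):
        src = entries[i]
        dst = entries[i + 1] if i + 1 < len(entries) else ""
        ops.append((src, dst or None))
    return ops


def to_win32_path(nt_path: str) -> str:
    """Strip the NT object-manager prefix (\\??\\) the value uses."""
    return nt_path[4:] if nt_path.startswith("\\??\\") else nt_path


def encode_multi_sz(entries: list[str]) -> str:
    """Inverse of decode_multi_sz; used here only to build a constructed test value."""
    return ("\x00".join(entries) + "\x00\x00").encode("utf-16-le").hex()


if __name__ == "__main__":
    # The page's truncated value: one path prefix, no destination.
    for src, dst in rename_operations(decode_multi_sz(PAGE_HEX)):
        print(f"{to_win32_path(src)!r} -> {dst!r}")
    # Constructed full value (placeholder paths): a delete and a rename.
    demo = encode_multi_sz(["\\??\\C:\\demo\\old.tmp", "", "\\??\\C:\\demo\\new.exe", "\\??\\C:\\demo\\final.exe"])
    print(rename_operations(decode_multi_sz(demo)))
```

When this key is populated on a live host it is worth checking at incident time, because entries in it execute with SYSTEM privileges during the next boot, before most user-mode security products have started.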

File Modifications:

Creates:

C:\WINDOWS\system32\braviax.exe

C:\WINDOWS\system32\dllcache\beep.sys

C:\WINDOWS\system32\dllcache\figaro.sys

C:\WINDOWS\system32\drivers\beep.sys (26k) <– this file prevents most anti-malware products from working correctly.

C:\exec\delself.bat

ariw.pif
beep.sys
brastk.exe
braviax.exe
dodyjuku.pif
dysigajy._sy
e-card.exe
hynury.vbs
karna.dat
osyji.exe
unofa.sys
wini10581.exe
xyqa.vbs

Modifies:

C:\WINDOWS\system32\braviax.exe

C:\WINDOWS\system32\dllcache\beep.sys

C:\WINDOWS\system32\dllcache\figaro.sys

C:\WINDOWS\system32\drivers\beep.sys

C:\exec\delself.bat

PIPE\SfcApi

Connects to:

hxxp://do-scan-progress.com/?wmid=1058&l=33&it=2&s=1

1 200 HTTP www.xp-antispyware2009.com/binary/Binaries1.cab
2 200 HTTP www.xp-antispyware2009.com/binary/Binaries2.cab
3 200 HTTP www.xp-antispyware2009.com/binary/Binaries3.cab
4 200 HTTP do-monster-scan.com/update_inst.php?wmid=1058&subid={ID}&pid=33&lid=2&hs={ID}

Downloads to:

%System%\wini10581.exe (8A5B2A376AFD54E9B04599A4BC43AA07)

Installer:

XP AntiSpyware 2009

XP AntiSpyware 2009 Installer

XP AntiSpyware 2009

Removal:

Remove this threat with MalwareBytes!

Thanks to hevnsnt for the information!

08 Oct

Virus Response Lab 2009

Virus Response Lab 2009 malware sites. File is available in our repository under /stingner-malware/.

BE ADVISED: These sites may still be live. Proceed at your own risk.

Site:

hxxp://virus-labs2009.com/

hxxp://virus-response.com/

hxxp://virusresplab.com/

hxxp://virusresponse2009.com/

File virlab_install.exe
Result: 12/36 (33.34%)

Virustotal

Removal:

Remove this threat with MalwareBytes!

Malware link:

hxxp://virus-labs2009.com/download.php

hxxp://virusresponse2009.com/download.php

hxxp://virus-response.com/download.php

hxxp://virusresplab.com/download.php

03 Oct

Antivirus 2009 - 1 domain added - 1 old file (30/36) + Plimus payment gateway

Note: This site is distributing a Rogue “Fake” Anti-Malware product. Do not visit, pay, or download the software discussed below.

Antivirus 2009

Site: hxxp://www.antivirus-2009-pro.net/

IP Address: 217.20.175.44
IP Location Ukraine - Ukraine - W Net Isp
Response Code: 200
Domain Status: Registered And Active Website

Payment Gateway

Site: http://antivirus-2009-pro.net/buy.php  > https://www.plimus.com/jsp/buynow.jsp?contractId=2016190&additionalCharge2016190_0=21344&custom1=

Plimus Corporation
Worldwide Corporate Headquarter
3830 Valley Centre Dr.
Suite 705-294
San Diego, CA 92130
Site Advisor: http://www.siteadvisor.com/sites/plimus.com

Plimus

01 Oct

Antivirus 2009 - 3 domains added - 8 files added (0/36)

Note: This site is distributing a Rogue “Fake” Anti-Malware product. Do not visit, pay, or download the software discussed below.

We came across a fully undetected Antivirus 2009 installer today. All of the files have been made available inside of /lithium-malware/.

Antivirus 2009

Site:

  • hxxp://85.17.166.170/go/?cmp=nm_ron2&uid=f8a0d9628fbb11dd95e4166350cfffff&rid=gl2vmclr&guid=5b20e5c3232d4440b6234368749a6d3a&affid=166350&lid=http&url=http:%2F%2Fwww.google.com%2F&v=1145&m=an2g
    • hxxp://freeonlinescanner9.com/_download.php?aid=77052204&dlth=19
      • hxxp://vassariumbig.com/download/av_2009.exe

Files:

  • [download] A9installer_77052204.exe
  • %windir%\system32\ieexplorer32.exe
    • CONNECT to hxxp://securedownloadcenter.com and downloads /zsa09/winsystems.dll (321,536)
  • %windir%\system32\ieupdates.exe
  • %windir%\system32\scui.cpl
  • %windir%\system32\winsrc.dll
  • %programfiles%\Antivirus 2009\av2009.exe [D9B3AC01AF64F35EE3519021418384DB]

    • CONNECT to hxxp://securedownloadcenter.com and downloads /zsa09/zs880000.exe
    • CONNECT to hxxp://tdsvassarium.com/firstrun.php?product=AV9&aff=77052204&update=2508/av2009&time=removed

VirusTotal: Result: 0/36 (0.00%)

Payment Gateway Trace:

1. RESULT 200 www.google-analytics.com Account: UA-2403830-2
2. RESULT 302 hxxp://tdsvassarium.com/order_xp.php?ver=77052204

Final Destination
3. RESULT 200 hxxp://digipayments-soft.com/order_xp.php?ver=77052204

Payment Server Data
IP Address: 216.240.134.211
IP Location: United States California - Irvine - Go2online Corp


Removal:

Remove this threat with MalwareBytes!
