Tag Archive for 'database-update'

06 Nov

Antispyware 2008 Rogue Served Through Download.com Ads

A few months ago we warned of Google sponsored results pointing to rogue anti-malware applications  (read: Sponsored Result != Safe) and more recently we talked about malicious ad content being displayed through pop-up ads hosted by Motigo’s free analytic services (read: Antivirus 2009…brought to you by Motigo).  Today we received word from a fellow security researcher, mwdisector, that a rogue anti-malware application was being served via ads in the bottom right corner of the Download.com website.

In our previous post regarding a related incident, where Motigo served Antivirus 2009 rogue pop-up ads, we told website owners to make sure they fully understand all of the risks involved in implementing third-party tools, ads, or services.

It’s obvious that the ad companies are not doing a good enough job at making sure their links are safe.  For this very reason, you do not see Google Adsense or similar types of advertisements on Malware Database. It would result in our viewers being infected and that is something we cannot have.  MalwareBytes and Panda Security are two companies that we stand by and those are the only type of ads you will see here, ads that we can guarantee not to lead to infections.

Download.com does have an initiative for malware-free downloads, but it states nothing about making sure its text-based and image advertisements are malware free.  We are hoping the people at Download.com read this and take a stand against current and future threats promoted through their sponsored ads!

Screenshot: rogue sponsored link served via Download.com (the Antispyware 2008 ad points to the Antispyware 2008 rogue site)

*Do not attempt to visit this site or download the software*

Screenshot: Antispyware 2008, what it looks like

File: setupxv.exe
VirusTotal result: 12/36 (33.33%)
File size: 5620057 bytes
MD5: 15134735aff21a9162bef607684b9ca4
SHA1: 72eff32a2187c339115e6842f80f6aa2273c48be
SHA256: f438f8c9b9f04fb4ee4fbbd2b215abbffb863c99e4a7f28012b0b45c8fe628ed
SHA512: f1e6b742c32c2931697d3ac9c06010d91bb4014d87d5d3a7ac8b6f667e5a08d0f52ab7bb7864d87ad1ee7d9e1f664713b2c59f529869719294f0b380d27f4e44
PEiD: Armadillo v1.71
TrID (file type identification):
  Win32 Executable MS Visual C++ (generic) (75.0%)
  Win32 Executable Generic (16.9%)
  Generic Win/DOS Executable (3.9%)
  DOS Executable Generic (3.9%)
  Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo (PE structure information), base data:
  entrypointaddress: 0x412c8f
  timedatestamp: 0x4466b13c (Sun May 14 04:25:32 2006)
  machinetype: 0x14c (I386)

Removal Information: Need assistance removing this malware?
Click here for more information about malware removal.

Don’t forget to ask for help in our user forums!

03 Nov

Antivirus Pro 2009 – Exploiting Human Weakness for Money

Note: The sites we talk about in this post distribute Rogue “Fake” Anti-Malware products.  Do not visit, pay, or download the software discussed below.

Almost every day our viewers ask us about Rogue anti-malware software.  Out of all of the questions we receive, the most common is “When will these attacks stop?”  The sad truth is that we see no end to this problem in sight.  As long as the malicious individuals are able to trick or force users into downloading, installing, and eventually paying for their fake “Rogue” anti-malware products, they will continue to develop them and push the envelope.

Screenshot: Antivirus Pro 2009

The user will be prompted with the following message in the event that the browser blocks the download.  When the user clicks on “Click here to get full advanced real-time protection and continue browsing”, it will automatically forward them to the payment gateway page.

“Insecure Internet Activity. Threat of Virus Attack!  Due to the insecure Internet browsing your PC can easily get infected with viruses, worms and trojans without your knowledge, and that can lead to system slowdown, freezes and crashes”

Antivirus Pro 2009 Browser Warning

Installer:

The Antivirus Pro 2009 installer offers three options: Continue, Terms of Service and Cancel.

Antivirus Pro 2009

Canceling the Installation:

When attempting to exit the installer via the cancel button, the setting defaults to “Continue with installing and running free scanner.”

Antivirus Pro 2009 Cancel Install

Terms of Service:

Antivirus Pro 2009 Terms of Service

Interface:

The interface may look convincing to unsuspecting victims.

Antivirus Pro 2009 Interface

Scare Messages:

Victims are presented with various scare messages to entice a purchase.

“WARNING! Antivirus Pro 2009 has found 27 useless and UNWANTED files on your computer!”

Personal data at the reach of anyone’s hand

Internet history records available

Compromising and adult material stored on your system

Chat sessions’ logs and personal Emails easily reachable

Antivirus Pro 2009 Scare Tactics

Payment Gateway:

hxxps://secure.soft-payments.com via AS20495 (WEDARE We Dare BV Autonomous System)

Screenshot: Antivirus Pro 2009 payment gateway (secure.soft-payments.com)

Shared NS:

Screenshot: Antivirus Pro 2009 shared name servers

VirusTotal:

7/36 (19.44%)  --> hxxp://www.av-pro-2009.com
7/36 (19.44%)  --> hxxp://xp-as-2009.com
11/36 (30.56%) --> hxxp://xpas-2009.com
16/36 (44.44%) --> hxxp://av-pro2009.com
16/36 (44.44%) --> hxxp://avpro-2009.com
16/36 (44.44%) --> hxxp://avpro2009.com/

Removal Information: Need help removing this malware?
Click here for more information on the removal process.

Don’t forget to ask for help in our user forums!

03 Nov

Prodigy Antivirus – 5 files added – 1 domain added [Low Detection]

Please do not visit the sites below.  The data discussed here is for informational purposes only!

I was doing my normal malware searching rounds tonight and came across a file called ProdigyAntivirus.exe.  The installer (ProdigyAntivirus.exe) drops 4 files inside %windir% and is currently hosted on a RapidShare account.

Session Summary:

#  Result  Protocol  Host                      URL
0  302     HTTP      prodigy-antivirus.com     /179
1  302     HTTP      rapidshare.com            /files/160002556/ProdigyAntivirus.ex[e]
2  200     HTTP      rs317tl2.rapidshare.com   /files/160002556/ProdigyAntivirus.ex[e]

Installing:

Prodigy Antivirus

Files Dropped:

c:\windows\csrss.exe --> 6b4ec82b2ca24014a14a955d7f957eeb
c:\windows\alg.exe --> 8822188d4c681fc23804bbccb457136d
c:\windows\lsass.exe --> ee26d966411103783e6371543b843719
c:\windows\msinet.ocx --> 40d81470a19269d88bf44e766be7f84a

VirusTotal: 6/36 (16.67%)

ThreatExpert: 5fd5bb1f-1df6-4a26-a992-96b167c5a40d

29 Oct

Real Antivirus | Many Files Added – 1 Domain Added (2/36)

Note: This site is distributing a Rogue “Fake” Anti-Malware product.  Do not visit, pay, or download the software discussed below.

We found a new site pushing RealAV today.  The download link pushes more than one binary. This is NOT  a real Antivirus product!  Do not download or install it!

Real Antivirus

Site: http://real-antivirus.com – http://real-antivirus.org
Download: hxxp://real-antivirus.com/cgi-bin/download.pl?code=00000000
File: RealAV.exe
VirusTotal result: 2/36 (5.56%)
Additional information
File size: 1954304 bytes
MD5: aaa18c5564891bad2636e98c60c11842
SHA1: 61ba85670781d513cd5166e50fc9b642295592db
SHA256: 642594b433ec6421764e58d8b556d9d3ead16254bacad50f49b3a9da239d89f3
SHA512: 9e131ef300832706bc823b8fdd3466f5bbd795a6a08c7611a1420bd309af4ce93d5cfb1b28a583a84a19914d17c342c0b0a05723cbef6f4c656b69c0f3a4532e
PEiD: -
TrID (file type identification):
  Win64 Executable Generic (80.9%)
  Win32 Executable Generic (8.0%)
  Win32 Dynamic Link Library (generic) (7.1%)
  Generic Win/DOS Executable (1.8%)
  DOS Executable Generic (1.8%)
PEInfo (PE structure information), base data:
  entrypointaddress: 0x5dc6b4
  timedatestamp: 0x47d00775 (Thu Mar 06 15:02:13 2008)
  machinetype: 0x14c (I386)

PEInfo, 3 sections:
  name   viradd    virsiz    rawdsiz   ntrpy  md5
  .text  0x1000    0x1dbfaa  0x1dc000  8.00   0149aea4dcfc5237618a57aec6faa4f8
  .data  0x1dd000  0xaa3     0xa00     4.98   9a9e7d8c4e76cbfbef3957499f3edab3
  .rsrc  0x1de000  0x398     0x400     3.07   abfcff94d64f4e80fd119ac67c89283a

ThreatExpert:

File System Modifications
  • The following files were created in the system:
    #  Filename(s)                        File Size        File MD5
    1  %DesktopDir%\RealAV.lnk            620 bytes        0xE9A1298101E75059D6B2B2DAF50FD6D5
    2  %Temp%\stylrit0.tmp                567,416 bytes    0xC8F83A8327B280A6E33CF667904C9607
    3  %Programs%\RealAV\RealAV.lnk       632 bytes        0xC93690825D178EB769AD4473A5230818
    4  %ProgramFiles%\RealAV\RealAV.exe   1,954,304 bytes  0xAAA18C5564891BAD2636E98C60C11842
       [file and pathname of the sample #1]
    5  %ProgramFiles%\RealAV\vscan.tsi    10,073 bytes     0x5BC533CD757B5BC635EB6E7FAB5E1C8E
    6  %ProgramFiles%\RealAV\zlib.dll     196,608 bytes    0x4D60C419FB5BB06D30B6F6AD5607E480
  • The following directories were created:
    • %Programs%\RealAV
    • %ProgramFiles%\RealAV
    • %ProgramFiles%\RealAV\Infected
    • %ProgramFiles%\RealAV\Suspicious

Registry Modifications
  • The following Registry Key was created:
    • HKEY_CURRENT_USER\Software\RealAV
  • The newly created Registry Values are:
    • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
      • RealAV.exe = “%ProgramFiles%\RealAV\RealAV.exe”
      so that RealAV.exe runs every time Windows starts
    • [HKEY_CURRENT_USER\Software\RealAV]
      • Autorun = 0x00000001
      • RegisterShellExtension = 0x00000001
      • CheckForUpdates = 0x00000000
      • QuickScanAtStartup = 0x00000001
      • StartMinimized = 0x00000001
      • ID = 0x00000001
      • ScanArchives = 0x00000001
      • ScanFiles = 0x00000001
      • ScanMail = 0x00000001
      • ScanProcesses = 0x00000001
      • ScanRegistry = 0x00000001
      • BasesVersion = 0x00000001
      • CoreVersion = 0x00000001
      • TotalScans = 0x00000001
      • lastScanDate = 0x130A07D8
      • lastScanTime = 0x122D003B
      • lastUpdateDate = 0x00000000
      • lastUpdateTime = 0x00000001

21 Oct

XP AntiSpyware 2009 – 1 site added – 1 file added

Note: This site is distributing a Rogue “Fake” Anti-Malware product.  Do not visit, pay, or download the software discussed below.  See how to remove XP AntiSpyware 2009 below.

We came across yet another XP AntiSpyware 2009 page today.  The layouts keep getting more professional-looking, and of course they still steal design elements from the Microsoft web site and product lines.

Related: http://malwaredatabase.net/blog/index.php/2008/10/09/e-cardexe-threat-braviax-xp-antispyware-2009/

XP AntiSpyware 2009

Site: http://xpas-2009.com
File: Install.exe
VirusTotal result: 22/36 (61.12%)
File size: 83892 bytes
MD5: 0d21323b462dc15ddab0bc7012421ed6
SHA1: bf9f58afb9bc96e95e0295d4b21ca945bf2ebe8f
SHA256: 8c7c575730f0c5a77f0cf1756876fd4956a0b3b3a9d23f9e7462c19868fb6600
SHA512: 74d5122447f84a819c14dbb2948713f0eb2d4ef1332665d5341287cdfa5ba4d053faa4cc00544218ce6ae6176668e1828ee61ffde825bf95da3aaa820c564fdf

Removal:

Remove this threat with MalwareBytes!

20 Oct

Smart Antivirus 2009 – 1 Site Added – 1 File Added (0/36)

Note: This site is distributing a Rogue “Fake” Anti-Malware product.  Do not visit, pay, or download the software discussed below.  See how to remove AntiMalware 2009 below.

Today we found an older Smart Antivirus domain distributing a newly undetected (0/36 on VirusTotal) rogue installer.

Smart Antivirus 2009

Site: http://s-avirus2009.com
File: setup.ver1_1000.0_.exe
VirusTotal result: 0/36 (0.00%)

File size: 114688 bytes
MD5: b55bc958eb37ae1e2c325d45857c22eb
SHA1: 4dd883998504bd856b5fe343b2242e1f5eb49b97
SHA256: cbb56264d1abc9c77502f93b0ad7a4d1749f60dd3bf916e9fad41f7332b0b622
SHA512: b09ddceb8fe45b5e8e6053cb6f7223093b41f8a91cbb1bdaff7fb5270e22391d58e49240924f4e8939fd35e34f372c96a6391b97438e76e9c5b99fa8db5f100a

Removal:

Remove this threat with MalwareBytes!

19 Oct

AntiMalware 2009 – 1 domain added – 1 file added (24/36)

Note: This site is distributing a Rogue “Fake” Anti-Malware product.  Do not visit, pay, or download the software discussed below.  See how to remove AntiMalware 2009 below.

We came across a new domain today pushing AntiMalware 2009 (Web Spy Shield).  The site automatically shrinks itself to a popup and then goes directly to a fake scan, which leads us to believe that this domain will be used for ad-affiliate abuse similar to the Motigo incident.

Site: http://www.online-antivirus.net/
Related: http://scanner-protection.com/

The site is reduced to the following popup:

Online-Antivirus.net Popup

Fake scan page:

AntiMalware 2009 Site

Shared NS:

Shared NS for Online-Antivirus.net

File: AntiMalware2009Installer.exe
VirusTotal result: 24/36 (66.67%)
File size: 185856 bytes
MD5: 8034e6173dc96d06af86d40fd3b5210d
SHA1: 7d01d523950bb9e574d46676597b15730f68ae09
SHA256: 440539c77605e1fbc8b4d62b7f552a9875d609b06860a0dbbf10bfb07db7c450
SHA512: 7086dc8f48469cbe8945b0123db77ea063cf74452476bf5221575a6675fe690eed2b3ddc68d378fe988030a6797dc494981068746a92323eff749d279725327e

Removal:

Remove this threat with MalwareBytes!

18 Oct

Malware distributors give “flu shot” to prevent viruses!

Today I came across a site (downloadmalware.com) and I initially thought that it was just an interesting title for a site similar to Malware Database. So anyway… I visit this site and what do I find?

I briefly skimmed through the page and found some super crazy story about how they want to stop viruses by injecting their malware into your system. HUH?! After reading this story in pure disgust I eventually came across a link to a live malware executable of the Vundo family.

Read the excerpts from the site below; my comments follow each quoted paragraph.

Everyone knows that it’s no fun getting a virus, and viruses can be obtained by doing basically anything on the internet. That’s why we created Malware, in order to finally put a stop to constant viral infections on your personal computer.

Malware to stop viruses, eh? That’s some class A BS right there!

We have many competitors, and they may be more popular than us, but at some point in this company’s career, we will surpass them.

Which point would that be?

It’s all about persistence and determination, and I would know because I just wrote an essay about that.

Our Approach: As stated on the main page, our methods of preventing viruses are very similar to how the common flu is prevented. We inject your computer with a small ‘virus‘ so that your computer can build up an immunity to all viruses in general.

A “flu shot” malware to prevent further infections? Just when you thought their bullshit scams were bad!! This is a whole new league of doucheness!

In the past, technology was incapable of developing a program like this, but thanks to new dreamweaver technology by adobe, millions of users around the world are now protected from the most deadly computer viruses.

Huh?

To, Delve into the Situation Further: Our malware program includes a packaged installer. This packaged installer contains two separate files. One of these files is full of little bits of viruses, and the other package contains the white blood cells of nanotechnology. After the virus is installed, the Wano Cells (White-Nano-Cells) are released into the computer’s data stream. The Wano’s are programmed to seek, analyze, and destroy any form of virus that your computer might have. This super advanced sense of analyzition is almost like human instinct, and is the future of virus prevention and removal!

Holy crap! You guys are fscking crazy! They also seem to think that their malware has Chuck Norris strength!

File: Malware.exe
Creates:

  • %Temp%\removalfile.bat
  • %System%\qoMgddCr.dll --> injected into explorer.exe
  • %System%\ssqQjJYq.dll
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{420959A7-1B3F-49EE-848E-6DE631A39223}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{420959A7-1B3F-49EE-848E-6DE631A39223}\InprocServer32
    • (Default) = “%System%\qoMgddCr.dll”
    • ThreadingModel = “Both”
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Settings
    • Time = D0 AF 9A 53 FF 30 C9 01 00 00 00 00
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\qoMgddCr
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\00cd0861
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    • {420959A7-1B3F-49EE-848E-6DE631A39223} = “”
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\qoMgddCr]
    • Asynchronous = 0x00000001
    • DllName = “qoMgddCr.dll”
    • Impersonate = 0x00000000
    • Logon = “o”
    • Logoff = “f”
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\00cd0861]
    • (Default) = “8908679E25944863A713F954075BFF50&”
  • [HKEY_CURRENT_USER\Software\Microsoft\Installer]
    • (Default) = 16 55 C3 53 FF 30 C9 01

Modifies:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
    • 1A10 = 0x00000000
    • {AEBA21FA-782A-4A90-978D-B72164C80120} = 1A 37 61 59 23 52 35 0C 7A 5F 20 17 2F 1E 1A 19 0E 2B 01 73 13 37 13 12 14 1A 15 2A
    • {A8A88C49-5EB2-4990-A1A2-0876022C854F} = 1A 37 61 59 23 52 35 0C 7A 5F 20 17 2F 1E 1A 19 0E 2B 01 73 13 37 13 12 14 1A 15 2A
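
The registry entries above, and the RealAV.exe Run-key entry in the Real Antivirus post, all land in a few classic autostart locations: the per-user Run key, a Winlogon Notify package (a DLL winlogon.exe loads at logon) and a ShellExecuteHook (a COM object explorer.exe loads, registered through its CLSID's InprocServer32 key). The Python below is an added example, not code from this blog or from ThreatExpert: it parses a constructed listing in the bracketed-key / indented-value layout these posts quote, built from the entries shown here, and reports each autostart entry, resolving the ShellExecuteHook CLSID to its DLL while ignoring look-alike values such as Autorun under HKCU\Software\RealAV, which is only the rogue's own setting.

```python
import re

# Constructed sample in the ThreatExpert layout quoted in these posts (a bracketed
# key followed by indented "name = value" lines), using the RealAV.exe and Malware.exe entries.
SAMPLE_REPORT = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
  RealAV.exe = "%ProgramFiles%\RealAV\RealAV.exe"
[HKEY_CURRENT_USER\Software\RealAV]
  Autorun = 0x00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\qoMgddCr]
  DllName = "qoMgddCr.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
  {420959A7-1B3F-49EE-848E-6DE631A39223} = ""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{420959A7-1B3F-49EE-848E-6DE631A39223}\InprocServer32]
  (Default) = "%System%\qoMgddCr.dll"
"""

KEY_LINE = re.compile(r"^\s*\[(.+)\]\s*$")       # [HKEY_...\Key]
VALUE_LINE = re.compile(r"^\s+(.+?)\s*=\s*(.*)$")  # indented  name = value


def parse_report(text):
    """Return {key: {name: value}} from a bracketed-key / indented-value listing."""
    keys, current = {}, None
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2).strip('"')
    return keys


def find_autostarts(text):
    """Return (key, name, target, reason) for each entry in an autostart location."""
    keys = parse_report(text)
    by_lower = {k.lower(): v for k, v in keys.items()}  # registry paths are case-insensitive
    findings = []
    for key, values in keys.items():
        if re.search(r"\\CurrentVersion\\Run$", key, re.I):
            for name, target in values.items():
                findings.append((key, name, target, "Run key: launched at every logon"))
        elif re.search(r"\\Winlogon\\Notify\\[^\\]+$", key, re.I):
            findings.append((key, "DllName", values.get("DllName", "<missing>"),
                             "Winlogon Notify package: DLL loaded by winlogon.exe"))
        elif re.search(r"\\Explorer\\ShellExecuteHooks$", key, re.I):
            for clsid in values:  # each value name is a CLSID; resolve it to its COM server DLL
                inproc = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\%s\InprocServer32" % clsid
                server = by_lower.get(inproc.lower(), {}).get("(Default)", "<InprocServer32 not in report>")
                findings.append((key, clsid, server,
                                 "ShellExecuteHook: COM server loaded into explorer.exe"))
    return findings
```

Running `find_autostarts(SAMPLE_REPORT)` yields three findings, one per autostart location; the RealAV settings key produces none.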

VirusTotal result: 7/36 (19.44%)
File size: 50176 bytes
MD5: fd877051a26132ccb53c06fe00ab1209
SHA1: 635d5e20f27d52de168aa4c9ecbe233a88de8d88
SHA256: 0d91a0551e0727029775c67432895ac4b650275bfc4c165e6d2e9ebf9b6b3fa6
SHA512: 7ec31c6ca83d8fc7c79ab2b558768f5490a957da9e4318c2fb86f9d1d25fed284cb6b42460ce3fcc09986bf740165b429dc04119ccfb908868d82b082235dfe9

Removal:

Remove this threat with MalwareBytes!
