Fake Anti-Malware Applications

[iRonzel]

Hi, I just want to help avast! in the detection of Rogues. This is a undetected Rogue by avast! called Spyware Cease. At the moment avast! is not detecting it.

This is my shared account from MediaFire where I uploaded it (and upcoming threats relate to this topic), because it size is about 27MB. All my reports will take place here.

Information and password are included in the archive (only the executable  has password).   

http://www.mediafire.com/?ezi3f2n0ii0

I hope an avast! Researcher attend this topic. Thanks


Sincerely,



iRanzel

[nmb]

Hi,

You can also upload it to ftp.avast.com/incoming . Name the compressed file as fakeav or something similar to that. Put a readme in that stating this topic, password and your name(userrname).

nmb

[polonus]

Hi iRanzel,

Do not put live links to possible malcode out here, make them non-click-through by putting hxtp or wXw.
finjan says malicious behavior detected, the file you requested contains malicious code..
Status "suspicious" here as well: http://wepawet.iseclab.org/view.php?hash=1470bb9af7b084c93e17c4963db2fed5&t=1277556752&type=js
and consider this: htxp://jsunpack.jeek.org/dec/go?report=d7271afcf77b40d8f9fce316a1e5565511fc4f1e

polonus

[iRonzel]

Hi polonus!

Dont worry about it. The exe. file is compressed with password. So to execute the FakeAV need to be decrypted with the password provided.

Note: This link is from my MediaFire Account. So, It not malicious. The link is provided to download the zip-folder. Also, this part of my account is private and not for sharing purpose. Thanks

You are malware fighter? help this topic and me. Report all Fake antimalware here please. Thanks


Sincerely,



iRanzel

[polonus]

Hi iRanzel,

Coming up, here: http://wepawet.iseclab.org/domain.php?hash=3941b630b9ede4f050d0dfe287cfe0b7&type=js

And read here, the new domains registered for fake AV: http://www.malwaredomainlist.com/forums/index.php?topic=2729.120

We keep them coming to be detected,

polonus

[polonus]

Hi just scanned this link, here is the Wepawet report: http://wepawet.iseclab.org/view.php?hash=1902a51c465399559da5fd98e15a91a8&t=1278611355&type=js

polonus

[iRonzel]

Ummm! I was searching for a book online that I need for Spanish class (I am college student) and found this sites that allegedly they are selling the book that I am looking for. But the site is a FAKE AV.

Check this, the is:

wXw.secureforservers.com/libreriainterponce/bookstorelist.php

and this: 

hXXp://www1.zangievsoft11pd.in/?p=p52dcWpla2yHjsbIo216h4Ve0KCfYWCdU9LXoKitiJ%2FY1cRflJ2dcZqTgX6ZU9janW1eZWVsnWWUZJGeZInX15Krp6mikomqb1qtnaygnXaHk83Slm1Tqpud22qImaCjZJWSmGFlZWuTkpxuWKaemnVarKyeXpaeY2leamdtmVPWo2KjXpWclWpoaGualomclXGJhl6roZ2eZZmW


Virutotal results:

http://www.virustotal.com/file-scan/report.html?id=9036b0d6aed67c0e72f2a6841161c130a7481dd693c6366a3c15da647b4e36d0-1282917430

Note: The problem here is only with Internet Explorer, because Crhome and Firefox is blocking the site. Also with Chrome the first site that I posted, is working fine. This is the ISBN of the book that I am searching: 1-56328-243-7
The second and third site are hosting the malware. Google the ISBN and you can see the sites.

[polonus]

Hi iRanzel,

Good alert you gave us: http://www.google.ru/safebrowsing/diagnostic?site=secureforservers.com/


polonus

[Sirmer]

Hello,
thanks for informations.
I put these urls in black list.It will be catched in next VPS.
Best regards
Jan sirmer

[iRonzel]

Hello,
thanks for informations.
I put these urls in black list.It will be catched in next VPS.
Best regards
Jan sirmer

Thanks! avast! is now detecting it. I will continue reporting this type of malware here. According to continue finding more specimens.

[iRonzel]

Three more:

 abodeflash-vol51.co.cc/se/flash_plugin.exe
 scaner-acer.cz.cc/installer_m_93.exe
 188.65.74.162/fuckemall_dfljgsdhfog.exe

[iRonzel]

Here:

htxp://cardscannerwinprotection.com/index.php?06abQDY3QUWfUWuqry413pb5fD1uNSJne10II339BlpUZcd0FCuFftY70F4kis1WF3Y=#DB452FNGM452HGFG452DGFH452GJK452

[Pondus]

Sample sendt avast   

[iRonzel]

Sample sendt avast   

Thanks! 

http://www.virustotal.com/file-scan/report.html?id=e20248541197e1507780fb232f56189b18a3e9e87a305c77ab9b061ae2654646-1303516907

[Krelnadi]

Got re-directed to another fake AV site, this one was for E-Set, asked to install a file called Setup.exe after the fake scan

htxp://859f3.n2l4.net/vguard/?db5a4956=wgwabmg&496f81e=mmxslashsf&04f0799=mlglsgshxa&a94f56e41=3

However i got redirected to a site IP before i went to that site:

htxp://174.36.165.28/7583/74