Author Topic: New Rogue AV:PC PROTECT 2010

Offline Left123

  • There Is No Patch For Human Stupidity.
  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1048
  • Proud Community Member&Helper.
New Rogue AV:PC PROTECT 2010
« on: September 09, 2010, 11:01:48 PM »
Another imported rogue: PC Protect 2010's trojan hijacks your browser and doesn't allow you to browse some sites, including Google and antivirus companies.

Just wanted to inform you.
AMD Athlon(tm) X2 Dual-Core Processor 4200+ - 2.20 GHz,3,00 GB RAM -
Browser:Mozilla Firefox +WOT - SoftWare:CCleaner - Windows 7 32 bit
No Anti-Virus


Online polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33903
  • malware fighter
Re: New Rogue AV:PC PROTECT 2010
« Reply #3 on: September 09, 2010, 11:49:32 PM »
Hi Left123,

This is probably one of the malcreants, the man behind the creation of the fake AV apps; http://ddanchev.blogspot.com/2009/12/diverse-portfolio-of-fake-security.html also writes about this Dutchman.
Several of those domains are registered to "Garritt Kooken" with Netherlands email address gkookATcheckjemail.nl, who strangely uses the Chinese telephone number +86.592257788 despite having a street address in India.

Mr. Kooken really likes to make fake AV product websites, and hosts many of them on Ecatel in the Netherlands, such as:

best-pc-defender.net
cleanupantivirus.com (94.102.63.64)
cleanviron-mypc.net
dopc-checkprotect.in
exodus130.com
fast-guardcleaneronpc.net
fastscanandcleansoft.com
fastzone-guard.com
holduponyourpc.com
hotcleanof-yourpc.net
lastcheckonmy-zone.net
new-system-defender.net
on-guardzone.com
paymentsafety.net (94.102.63.61)
pcliveguard.com (94.102.63.65)
pcregrtuy.com
safeantivirus.net
safetypcprotection.net
save-secure.com
search4vir.net
securityantivirus.net (94.102.63.67)
seekviron-mypc.net
systemmdefender.com (94.102.63.61)
systemmguard.com
systemonlinepayment.com
thebestcleanofpc.net
windowsadditionalguard.net
winguard-pro.com
xmopolit67re.com
your-securepayment.com (94.102.63.61)
your-staffdefender.com
yourzone-best-defender.com

Looking at some IP Neighbors for computers our infected lab machine connected to, we find:

Looking at some "IP Neighbors":

Ecatel of the Netherlands (AS29073)
-----------------------------------
safety-payment.net - 94.102.63.62
safetypayment.net - 94.102.63.62
secures-guard.com - 94.102.63.64
systemmguard.com - 94.102.63.64
cleanupantivirus.com - 94.102.63.64
windowspc-defender.com - 94.102.63.65
windowsguard-pro.com - 94.102.63.68
safeantivirus.net - 94.102.63.69
paymentsecurity.net - 94.102.63.69
secure.greywall.net - 94.102.63.69

on Vital Teknoloji in Turkey (AS44565)
------------------------------
update1.winsystemupdate.xorg.pl - 188.124.7.155
securemyfield.com - 188.124.7.156
newsystem-guard.com - 188.124.7.156
update1.winsystemupdates.com - 188.124.7.156
savecompnow.com - 188.124.7.156
newsystem-guard.net - 188.124.7.156
secure1.safetypayment.xorg.pl - 188.124.7.158
newsystemshield.net - 188.124.7.158

on Vline Ltd in Moscow (AS39150)
-----------------------------
www3.tr-leech-kl.xorg.pl - 109.196.132.41
update2.sysupdate-n2.xorg.pl - 109.196.132.41
update2.sysupdt-n2.xorg.pl - 109.196.132.41
report1.stat-mx.xorgl.pl - 109.196.132.41
www1.free-scan-offer-nl.xorg.pl - 109.196.132.40
update1.sysupdate-n3.xorg.pl - 109.196.132.40
www1.best-free-scan-deal-k24.xorg.pl - 109.196.132.40
www1.best-free-scan-deal-nihob.xorg.pl - 109.196.132.40

Unfortunately this is just a drop in the sea. This malcreant has 1800 domain names to his registration.

Our friend Dancho Danchev mentioned gkook in his series A Diverse Portfolio of Fake Security Software back in December last year.

A search at the excellent MalwareURL.com shows that this email address has been associated with this type of malware since at least October 9th, when "windows-pcdefender.com" was being reported.

Info Source: http://garwarner.blogspot.com/2010/04/fake-av-in-news.html

polonus

« Last Edit: September 09, 2010, 11:52:42 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
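The "IP Neighbors" pivot polonus quotes above (several rogue-AV hostnames sharing one IP, and several IPs sitting in one hosting block) is the sort of thing a defender turns into a blocklist. The script below is an added example and is not code from the post or from the garwarner/ddanchev blogs it cites: it takes the three neighbor lists exactly as they appear in the post (with their inconsistent " - " / " = " / bare-space separators), parses them into hostname/IP pairs, groups them by exact IP and by /24, and emits hosts-file style sinkhole lines. The AS labels are the ones given in the post; the `0.0.0.0` sinkhole format and the `min_hosts` threshold are my assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the domain/IP pairs from the "IP Neighbors" section of the
# post above, copied in their original mixed formatting and keyed by the AS the
# post attributes each block to.
NEIGHBOR_BLOCKS = {
    "AS29073 Ecatel (NL)": """
safety-payment.net - 94.102.63.62
safetypayment.net - 94.102.63.62
secures-guard.com - 94.102.63.64
systemmguard.com - 94.102.63.64
cleanupantivirus.com - 94.102.63.64
windowspc-defender.com 94.102.63.65
windowsguard-pro.com - 94.102.63.68
safeantivirus.net = 94.102.63.69
paymentsecurity.net = 94.102.63.69
secure.greywall.net = 94.102.63.69
""",
    "AS44565 Vital Teknoloji (TR)": """
update1.winsystemupdate.xorg.pl - 188.124.7.155
securemyfield.com - 188.124.7.156
newsystem-guard.com - 188.124.7.156
update1.winsystemupdates.com - 188.124.7.156
savecompnow.com - 188.124.7.156
newsystem-guard.net - 188.124.7.156
secure1.safetypayment.xorg.pl - 188.124.7.158
newsystemshield.net - 188.124.7.158
""",
    "AS39150 Vline Ltd (RU)": """
www3.tr-leech-kl.xorg.pl - 109.196.132.41
update2.sysupdate-n2.xorg.pl - 109.196.132.41
update2.sysupdt-n2.xorg.pl - 109.196.132.41
report1.stat-mx.xorgl.pl - 109.196.132.41
www1.free-scan-offer-nl.xorg.pl - 109.196.132.40
update1.sysupdate-n3.xorg.pl - 109.196.132.40
www1.best-free-scan-deal-k24.xorg.pl - 109.196.132.40
www1.best-free-scan-deal-nihob.xorg.pl - 109.196.132.40
""",
}

# hostname, whitespace, an optional "-" or "=" separator, then a dotted quad.
PAIR_RE = re.compile(
    r"^\s*([A-Za-z0-9.-]+)\s+(?:[-=]\s+)?(\d{1,3}(?:\.\d{1,3}){3})\s*$"
)


def parse_pairs(text):
    """Return [(hostname, ip)] from loosely formatted 'host - ip' lines.

    Lines without a valid IPv4 address are skipped rather than guessed at,
    so a stray label or heading never ends up on a blocklist.
    """
    pairs = []
    for line in text.splitlines():
        m = PAIR_RE.match(line)
        if not m:
            continue
        host, ip = m.group(1).lower(), m.group(2)
        try:
            ipaddress.IPv4Address(ip)  # rejects e.g. 300.1.1.1
        except ipaddress.AddressValueError:
            continue
        pairs.append((host, ip))
    return pairs


def cluster(blocks):
    """Group hosts by exact IP and by /24, remembering the AS label per /24."""
    by_ip = defaultdict(set)
    by_net = defaultdict(set)
    asn_of_net = {}
    for asn, text in blocks.items():
        for host, ip in parse_pairs(text):
            net = ipaddress.ip_network(f"{ip}/24", strict=False)
            by_ip[ip].add(host)
            by_net[net].add(host)
            asn_of_net[net] = asn
    return by_ip, by_net, asn_of_net


def shared_hosting(by_ip, min_hosts=2):
    """IPs carrying at least min_hosts rogue hostnames: the neighbor pivot."""
    return {ip: sorted(h) for ip, h in by_ip.items() if len(h) >= min_hosts}


def blocklist(by_ip):
    """Hosts-file style sinkhole entries, one per hostname, sorted."""
    hosts = sorted({h for hs in by_ip.values() for h in hs})
    return [f"0.0.0.0 {h}" for h in hosts]


if __name__ == "__main__":
    by_ip, by_net, asn_of_net = cluster(NEIGHBOR_BLOCKS)
    for net in sorted(by_net):
        print(f"{net}  {asn_of_net[net]}: {len(by_net[net])} hosts")
    for ip, hosts in sorted(shared_hosting(by_ip).items()):
        print(f"{ip}: {', '.join(hosts)}")
    print("\n".join(blocklist(by_ip)))
```

The /24 grouping is what makes the three hosting blocks in the post visible at a glance, and the per-IP view shows which addresses are worth watching for new hostnames; the parser deliberately refuses lines it cannot read cleanly rather than producing a half-parsed entry.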

Offline Left123
Re: New Rogue AV:PC PROTECT 2010
« Reply #4 on: September 09, 2010, 11:59:16 PM »
Investigation complete, very interesting, thank you.

Offline Left123
Re: New Rogue AV:PC PROTECT 2010
« Reply #5 on: September 10, 2010, 02:03:17 PM »
I didn't want to make a new topic, so I post here: AV DEFENDER 2011 is a new rogue AV. Be aware of this fake AV.