Hi Left123,
This is probably one of the malcreants, the man behind creating the fake AV apps:
http://ddanchev.blogspot.com/2009/12/diverse-portfolio-of-fake-security.html
also writes about this Dutchman.
Several of those domains are registered to "Garritt Kooken" with Netherlands email address gkookATcheckjemail.nl, who strangely uses the Chinese telephone number +86.592257788 despite having a street address in India.
Mr. Kooken really likes to make fake AV product websites, and hosts many of them on Ecatel in the Netherlands, such as:
Looking at some "IP Neighbors" for computers our infected lab machine connected to, we find:
Ecatel of the Netherlands (AS29073)
-----------------------------------
on Vital Teknoloji in Turkey (AS44565)
------------------------------
on Vline Ltd in Moscow (AS39150)
-----------------------------
Unfortunately this is just a drop in the sea. This malcreant has 1800 domain names to his registration.
Our friend Dancho Danchev mentioned gkook in his series A Diverse Portfolio of Fake Security Software back in December last year.
A search at the excellent MalwareURL.com shows that this email address has been associated with this type of malware since at least October 9th, when "windows-pcdefender.com" was being reported.
Info Source:
http://garwarner.blogspot.com/2010/04/fake-av-in-news.html
polonus