[SOLVED] Fake AV/Rogue (avastfrance.com)

[Asyn]

Reported by an user in the German section. (hxxp://wxw.avastfrance.com/)
The site distributes a fake AV (Rogue), using avast's name...!!!

Report    2011-03-16 13:15:53 (GMT 1)
Website    avastfrance.com
Domain Hash    4d6e81c523fad80972e4e15ff80ec385
IP Address    174.123.72.226 [SCAN]
IP Hostname    e2.48.7bae.static.theplanet.com
IP Country    US (United States)
AS Number    21844
AS Name    THEPLANET-AS - ThePlanet.com Internet Service...
Detections    7 / 18 (39 %)
Status    DANGEROUS

[Left123]

Avast already detect the executuble but not the site,i reported this site in one of my posts but no1 seemed to see it,anyway.

[YoKenny]

Already in hpHosts detection:
http://hosts-file.net/?s=avastfrance.com&x=35&y=9

[Pondus]

http://forum.avast.com/index.php?topic=73785.0

[Asyn]

Avast already detect the executuble but not the site,i reported this site in one of my posts but no1 seemed to see it,anyway.

Well, the site should be blocked, asap...!!!
asyn

[Left123]

Avast already detect the executuble but not the site,i reported this site in one of my posts but no1 seemed to see it,anyway.

Well, the site should be blocked, asap...!!!
asyn

Of course!!

[YoKenny]

Well, the site should be blocked, asap...!!!

It is by MBAM as well:
IP-BLOCK 174.123.72.226 (Type: outgoing, Port: 52612, Process: avastsvc.exe)

[Asyn]

Well, the site should be blocked, asap...!!!

It is by MBAM as well:
IP-BLOCK 174.123.72.226 (Type: outgoing, Port: 52612, Process: avastsvc.exe)

Thanks for the info about hpHosts and Mbam, Kenny..!
Still, we want avast to block it, too.
asyn

[polonus]

Hi Asyn,

Send a mail to avast that the following links should be detected:
So called Bad Anchor link here: hxtp://www.avastfrance.com/
See: http://www.virustotal.com/file-scan/report.html?id=9b8fbd43137dd84905e1b8b37e05de58b00484470c429127ba86fbd2c4d9221f-1300284565
0/ 43 (0.0%)
and PremiumSMSScan, here: htxp://www.avastfrance.com/dl/Avast-antivirus-francais.exe ,detected as NSIS:FakeInst-L by avast
See: http://xylibox.blogspot.com/2011/03/hoaxsms-fake-installer-avast-avast.html
Site should be flagged: http://deletemalware.blogspot.com/2011/03/fake-avast-antivirus-avast-antivirus.html
It is also in here: http://malc0de.com/database/
Reported on March 13th:
011/03/13_19:26   www. avastfrance.com/dl/Avast-antivirus-francais.exe   174. 123. 72. 226   e2. 48. 7bae.static.theplanet.com.   fake av   Whois Privacy Protection Service, Inc. / xfwryksrx AT whoisprivacyprotect.com   21844   
I do not know whether it is still alive? These issues are sometimes rather short-lived as soon as they are being found up,

polonus

[Asyn]

Thanks, pol..!!
asyn

[Left123]

Still undetected? ???huh

[doktornotor]

Still undetected? ???huh

Contact avast! however there's no option to report false negatives 

[DavidR]

Yes and that is something which needs to be included in the list.

Though you could try and misuse the report false alert on a website, by reporting in the text input 'Your Message' window that it is a malicious site which isn't detected by either the network or web shields.

I tend to send an email to the usual virus (at) avast (dot) com address, with 'Undetected Malware - Network Shield' in the subject and details in the email body, no need for a sample.

[Asyn]

Site gets blocked now, so I put this to solved.
asyn