Author Topic: hs.2-215.zlkon.lv -(94.247.2.215)  (Read 24876 times)

March 29, 2009, 02:35:11 pm

CkreM

AV Fraud, all on the same IP: 94.247.2.215

Code:
http://downloadantivirusplus.com/setup.exe
http://av-plus-support.com/registration.html
http://Bestinternetexamine.com
http://safeyouthnet.com
http://theantivirusplus.com/setup.exe
http://downloadantivirusplus.com/setup.exe
http://linkcanpro.com
http://yournetascertain.com
http://websmartcheck.com
http://websportscheck.com
http://websecurecheck.com
http://internethomecheck.com
http://easywebscanlive.com
http://yourwebscanlive.com
http://linkcanlive.com
http://myinternetexamine.com
http://yourinternetexamine.com
http://easywebexamine.com
http://bestwebexamine.com
http://yourwebexamine.com
http://easynetcheckonline.com
http://bestnetcheckonline.com
http://yournetcheckonline.com
Mal-Aware

March 29, 2009, 04:05:49 pm
Reply #1

SysAdMini

Ruining the bad guy's day

April 03, 2009, 06:31:48 pm
Reply #2

SysAdMini


April 03, 2009, 07:33:58 pm
Reply #3

SysAdMini

AV Fraud, all on the same IP: 94.247.2.215

All dead.

April 03, 2009, 10:31:18 pm
Reply #4

MysteryFCM

Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

April 05, 2009, 02:51:07 pm
Reply #5

SysAdMini

Code:
easypersonalprotection.cn
freedefenseforyou.cn
mycheckdiseasepro.cn
mycheckdiseasestore.cn
mydefense4u.cn
mydefense4you.cn
myguardforyou.cn
newguard4u.cn
newguard4you.cn
refugepro.cn
yourguard4you.cn
yourguardforyou.cn
yourguardonline.cn
yourguardpro.cn

easyincomeprotection.cn/installer_90001.exe
easyaddedantivirus.com/setup.exe
yourcountedantivirus.com/setup.exe

April 08, 2009, 12:56:49 pm
Reply #6

SysAdMini

more Fake AV
Code:
addedantiviruslive.com/redirect.php
addedantiviruslive.com/se.exe
addedantiviruslive.com/setup.exe
addedantiviruslive.com/install/AntivirusPlus.exe
addedantiviruslive.com/install/InternetExplorer.dll
bigprotectionlive.cn/installer.exe
easybestprotection.cn/installer.exe

April 09, 2009, 12:03:23 pm
Reply #7

GmG

Code:
http://myascertainpoison.cn/?wm=70101
http://myascertainpoison.cn/installer_70101.exe

April 11, 2009, 12:02:43 pm
Reply #8

SysAdMini

redirects to Fake AV
Code:
examineillnesslive.cn

Fake AV
Code:
easycheckpoisonpro.cn/?
easydefenseonline.cn
bigdefense2u.cn

April 12, 2009, 12:58:37 am
Reply #9

Malware-Web-Threats

FakeAV AntivirusPlus

Code:
hxxp://addedantivirusstore.com/setup.exe
hxxp://addedantivirusstore.com/se.exe
hxxp://myplusantiviruspro.com/setup.exe
hxxp://myplusantiviruspro.com/se.exe
hxxp://realantivirusplus.com/setup.exe
hxxp://realantivirusplus.com/se.exe
hxxp://yourguardstore.cn/setup.exe
hxxp://yourguardstore.cn/se.exe

setup.exe - VirusTotal: AntivirusPlus 23/40 (57.5%)
se.exe - VirusTotal 23/40 (57.5%)
se.exe - Anubis

Second download - setup.exe Anubis

Code:
hxxp://addedantiviruslive.com/install/AntivirusPlus_ba.exe
hxxp://addedantivirusstore.com/install/AntivirusPlus_ba.exe
hxxp://myplusantiviruspro.com/install/AntivirusPlus_ba.exe
hxxp://realantivirusplus.com/install/AntivirusPlus_ba.exe
hxxp://yourguardstore.cn/AntivirusPlus_ba.exe

AntivirusPlus_ba.exe VirusTotal: AntivirusPlus 20/40 (50%) - Anubis

Fake Error Page (redirect to hxxp://addedantiviruslive.com/buy.php?id=)

Code:
hxxp://myplusantiviruslive.com

April 12, 2009, 01:58:03 am
Reply #10

MysteryFCM

Redirs if you've got Javascript enabled, from nickad.selfip.com (IP: 82.197.130.134) to:

http://yourfriskviruspro.cn/?wm=70127&l=1
IP: 94.247.2.215

Which downloads:

http://yourfriskviruspro.cn/installer_70127.exe

SWF (not checked it yet) at:

yourfriskviruspro.cn/6/images/errsnd.swf

/edit

Wepawet analysis of the SWF:

http://wepawet.cs.ucsb.edu/view.php?hash=4db493ad19020803168e4cd15c30dd23&type=swf

/edit 2

Results for the original wm= URL:

http://wepawet.cs.ucsb.edu/view.php?hash=16b84598f9b75c0657dbf4cd5a564aa5&t=1239501884&type=js

/edit 3

NOD detected the installer as Win32/Statik when I tried downloading it ..... gonna get a smoke and coffee and snag it with NOD disabled so I can VT it.

April 13, 2009, 05:13:22 am
Reply #11

Malware-Web-Threats

Trojan downloader for AntivirusPlus

Code:
hxxp://bigcoverlive.cn/installer_1.exe
VirusTotal: Trojan FakePlus 20/39 (51.29%)

htaccess trick?

Code:
hxxp://bigcoverlive.cn/what_ever_you_want.exe
hxxp://bigcoverlive.cn/what/ever/you/want.exe

Anubis Analysis - installer_1.exe

From ANUBIS:1032 to 94.247.2.215:80 - [addedantiviruslive.com] 
Request: GET /cb/real.php?id= 
Response: 200 "OK" 
Request: GET /install/AntivirusPlus.exe 
Response: 200 "OK" 
Request: GET /cfg/dmns.cfg 
Response: 200 "OK" 
Request: GET /install/InternetExplorer.dll 
Response: 200 "OK" 

April 13, 2009, 03:21:22 pm
Reply #12

Mr Clean

Code:
http://bestfriskviruslive.cn/installer_90001.exe

$ dig bestfriskviruslive.cn +short
94.247.2.215

http://www.virustotal.com/analisis/8a32a4491b9f853e0ccdba6d3fb665e7  10/39


http://www.bfk.de/bfk_dnslogger.html?query=94.247.2.215#result

Code:
ns1.pubilcnameserver7.com A 94.247.2.215
addedantiviruslive.com A 94.247.2.215
searchrizotto.com A 94.247.2.215
easyaddedantivirus.com A 94.247.2.215
yourcountedantivirus.com A 94.247.2.215
av-plus-support.com A 94.247.2.215
yourguardonline.cn A 94.247.2.215
easydefenseonline.cn A 94.247.2.215
bestprotectiononline.cn A 94.247.2.215
yourguardstore.cn A 94.247.2.215
examinepoisonstore.cn A 94.247.2.215
freecoverstore.cn A 94.247.2.215
myexaminevirusstore.cn A 94.247.2.215
bestexaminedisease.cn A 94.247.2.215
yourfriskdisease.cn A 94.247.2.215
friskdiseaselive.cn A 94.247.2.215
bestdefenselive.cn A 94.247.2.215
bigprotectionlive.cn A 94.247.2.215
bigcoverlive.cn A 94.247.2.215
easyserviceprotection.cn A 94.247.2.215
easypersonalprotection.cn A 94.247.2.215
myascertainpoison.cn A 94.247.2.215
yourguardpro.cn A 94.247.2.215
refugepro.cn A 94.247.2.215
mycheckdiseasepro.cn A 94.247.2.215
yourcheckpoisonpro.cn A 94.247.2.215
bigdefense2u.cn A 94.247.2.215
newguard4u.cn A 94.247.2.215
mydefense4u.cn A 94.247.2.215
bestcover4u.cn A 94.247.2.215
freedefenseforyou.cn A 94.247.2.215
topfeed.biz A 94.247.2.215


http://www.threatexpert.com/report.aspx?md5=d3d76dd609947235df31c92881ada188

Code:
* The data identified by the following URLs was then requested from the remote web server:
http://addedantiviruspro.com/cb/real.php?id=1
http://addedantiviruspro.com/cb/installs.php?id=1

recommend adding ->    addedantiviruspro.com
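A defender's consolidation step for the lists posted in this thread (an added example, not code from any poster here): it normalises the mix of hxxp-defanged URLs, plain URLs, bare domains and passive-DNS "domain A ip" lines into one deduplicated hosts-file blocklist keyed on the domain. Blocking by domain rather than by URL is the point, since the bigcoverlive.cn "htaccess trick" above shows any path on these hosts serves the installer. The sample lines, the 203.0.113.9 decoy entry and the 0.0.0.0 sink address are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample input in the shapes this thread posts: defanged and plain
# URLs, schemeless host/path entries, and passive-DNS "domain A ip" records.
SAMPLE_LINES = """
http://downloadantivirusplus.com/setup.exe
hxxp://bigcoverlive.cn/what/ever/you/want.exe
http://Bestinternetexamine.com
easyaddedantivirus.com/setup.exe
http://yourfriskviruspro.cn/?wm=70127&l=1
addedantiviruslive.com A 94.247.2.215
topfeed.biz A 94.247.2.215
someotherhost.example A 203.0.113.9
"""

# Passive-DNS record as printed by the bfk dnslogger: "<host> A <ipv4>".
PDNS_RE = re.compile(r"^(?P<host>[A-Za-z0-9.-]+)\s+A\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$")


def extract_host(line, ip_filter=None):
    """Return the lowercase hostname from one posted line, or None.

    Handles hxxp:// defanging, schemeless 'host/path' entries, query strings
    and mixed-case hosts. Passive-DNS lines are kept only when they resolve
    to ip_filter (or always, when no filter is given).
    """
    line = line.strip()
    if not line:
        return None
    m = PDNS_RE.match(line)
    if m:
        if ip_filter and m.group("ip") != ip_filter:
            return None
        return m.group("host").lower()
    # Re-arm the defanged scheme so urlsplit can parse it.
    url = re.sub(r"^hxxp", "http", line, flags=re.I)
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname  # urlsplit already lowercases the host
    return host or None


def build_hosts_entries(lines, ip_filter=None, sink="0.0.0.0"):
    """Deduplicated, sorted hosts-file lines, one per domain."""
    hosts = {h for h in (extract_host(l, ip_filter) for l in lines) if h}
    return [f"{sink} {h}" for h in sorted(hosts)]


if __name__ == "__main__":
    print("\n".join(build_hosts_entries(SAMPLE_LINES.splitlines(), "94.247.2.215")))
```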


April 13, 2009, 10:17:06 pm
Reply #13

Malware-Web-Threats

Code:
hxxp://addedantiviruspro.com/setup.exe
hxxp://addedantiviruspro.com/se.exe

VirusTotal: Fake Antivirus 12/40 (30%)
VirusTotal: Trojan 10/40 (25%)

April 13, 2009, 10:24:39 pm
Reply #14

Malware-Web-Threats

Following the Anubis report for setup.exe on addedantiviruspro.com

second download:
Code:
hxxp://addedantiviruspro.com/install/AntivirusPlus_ba.exe

Anubis Report

VirusTotal: Fake Antivirus 5/40 (12.83%)