Rogue - Fake AV

[doomrainer]

Seems to be random php files (not an expert on this behavior)

http://173[.]212[.]228[.]196/8_82ed2e[.]php

http://safeweb.norton.com/report/show?url=173.212.228.196&x=0&y=0
http://www.siteadvisor.com/sites/173.212.228.196
http://www.google.com/safebrowsing/diagnostic?site=173.212.228.196
http://www.virustotal.com/analisis/65f7802a4f319de8fa0a95416767d434116a2291e7a32710f229d18833ae79dd-1266942593
http://anubis.iseclab.org/?action=result&task_id=12a0eb71a94750034edc9704cc1fda73d&format=html

File size: 1,049,600 Bytes
MD5: 8dd1b89ff6cd0a9853dc2865dc0290ef 
Detected as: Trojan.Win32.FakeAV

Enjoy!

[SysAdMini]

Seems to be random php files (not an expert on this behavior)

http://173[.]212[.]228[.]196/8_82ed2e[.]php

attached decoded sample.

pw: infected

[doomrainer]

Active and detected as Trojan.FakeAV

http://195[.]5[.]161[.]120/download/Setup_295[.]exe

File size: 239616 bytes
MD5   : 1e3ffe4faf4e3f0246db2f8eefdd317f

http://wepawet.cs.ucsb.edu/view.php?hash=63ab520c2ac5acd2584c6749704af6c5&t=1267104573&type=js
http://www.virustotal.com/analisis/b1283d768f77795bffce6b909f10422818ae1bd7be277b43adbee98bef123205-1267099055
   

[S!Ri]

Virus Protector pr0n + setup

http://tubess.twilightparadox.com/land/?n=teen&id=1
http://tubess.twilightparadox.com/land/adobe-91633/adobeflashplayerv10.0.45.2.exe

[S!Ri]

Personal Security
http://c3872131.time-defender9.com/download/Setup_28.exe

[S!Ri]

Antivirus 7
http://91.212.127.3/download/ASetup_2009.exe

Edit: May be old... but still working

[S!Ri]

CleanUpAntivirus

http://fuko17ro5.xorg.pl/build6_287.php?cmd=sendFile&counter=1&p=p52dcWpsb1%2FCj8bYbnOCdVik12qYVp%2FZatrau4FdlJ%2FJnsWYe3lvWqyopHbCXsmaaGaRbWtqyFPVpJHaotahlFeob1zZytell3FfmqGgnXaHo83LqG1TnaJ1nV2QZGCUZJuSmGpdpJvLnomtpXFqZm5tbGuYYZqcV6SgZm9plmObZGKdYZmaiZSab3y3

[S!Ri]

Your Protection (Trojan Downloader: downloads rogue + TDSS):
http://booty.crabdance.com/land/adobe-40584/adobeflashplayerv10.0.45.2.exe

[S!Ri]

Script Kiddie Fake AV:
http://user-av2010.tk/
http://userantivirus2010pro.yolasite.com/

[S!Ri]

Rogue-Downloader:
http://rustubexxs.twilightparadox.com/land/adobe-41148/adobeflashplayerv10.0.45.2.exe

downloads: Your Protection rogues +TDSS
http://www.hooksearchup.org/up3/setup
http://findernos.org/up3/install01

[S!Ri]

Your protection + TDSS

http://www.securityletters.com/up3/setup
http://www.securityletters.com/up3/install01

[SysAdMini]

list of Rogue AV sites registered today

http://pastebin.com/pMqv0WT7

[SpiderLover]

Installs a variant of the XP Antispyware 2010/XP Security Tool family I believe.

Code: [Select]

http://bitnoora.com/hh/installer_70108.exe

[SpiderLover]

Looks like another site hosting an installer for the XP AntiMalware 2010 family...

Code: [Select]

http://teendoos.com/hh/installer_70108.exe

[Curson]

Rogue-Downloader named "virii cleaner setup"
hxxp://ettmiss.com/download/0bffb6b280da25f431e0568837e0716a/f85b7b377112c272bc87f3e73f10508d/4

Download: Virus Protector
hxxp://www.bestantiv.com/lol_aocsjerbt_aocsjerbt.phtml?get=20ec449778858d3062592f457c0c4d4f