Rogue - Fake AV

[Malware-Web-Threats]

All on the same IP - 66.197.154.199

Redirect to rogue websites

Code: [Select]

hxxp://gorayscan.com
hxxp://goscanlite.com
hxxp://goscanmini.com
hxxp://godatascan.com


[Malware-Web-Threats]

66.206.17.28

Code: [Select]

hxxp://step6scan.com/download/install.php

install.exe

File Size: 41472 Bytes
MD5: 260dc5b80c0dcaf57722e25fe9bf78d1

VirusTotal: Trojan - 9/40 (22.5%)
Anubis Report

66.206.17.29

Second download

Code: [Select]

hxxp://in6sd.com/download/file.exe
hxxp://in6sd.com/download/InternetAntivirusPro.exe

VirusTotal: Trojan TDSS - 34/40 (85%)
VirusTotal: Fake Antivirus - 8/39 (20.52%)

Code: [Select]

hxxp://in6iq.com/download/file.exe
hxxp://in6iq.com/download/InternetAntivirusPro.exe

VirusTotal: Trojan TDSS - 7/40 (17.5%)
VirusTotal: Trojan InternetAntivirusPro - 7/40 (17.5%)

[Malware-Web-Threats]

Rootkit TDSS variants

66.197.154.199

Code: [Select]

hxxp://any6scan.com/download/xp/install.php
hxxp://anyscan6.info/download/install.php
hxxp://scan6data.com/download/xp/install.php
hxxp://scan6base.info/download/install.php

File size: 40960 bytes
MD5: 93037e2f0ed5dd6ffcbef36cc3783537

Anubis Report

VirusTotal - 6/40 (15%)
VirusTotal - 6/40 (15%)
VirusTotal - 6/40 (15%)
VirusTotal - 6/40 (15%)

66.206.17.28

Code: [Select]

hxxp://scantrue6.com/download/install.php

File size: 40960 bytes
MD5: a6ae9b2378b16cc260012401449b0cf6

Anubis report

VirusTotal - 6/40 (15%)

63.146.2.92

Code: [Select]

hxxp://scanmix4.com/download/install.php

File size: 40960 bytes
MD5: 218f1314b96d1b5a475bf228f53da63c

Anubis report

VirusTotal - 14/38 (36.85%)

Redirectors:

66.197.154.199

Code: [Select]

hxxp://goscanfan.com
hxxp://gostarscan.com
hxxp://gominiscan.com


[Malware-Web-Threats]

209.44.126.14

Code: [Select]

hxxp://totalvirusdestroyer.com/download.php
hxxp://totalvirusdestroyer.com/install/installpv.exe
hxxp://totalvirusdestroyer.com/install/ws.zip

VirusTotal - 18/38 (47.37%)
VirusTotal - 10/38 (26.32%)
VirusTotal - 18/38 (47.37%)

91.212.65.55

Code: [Select]

hxxp://globalsecurityscan.com/download.php
hxxp://globalsecurityscan.com/install/installpv.exe
hxxp://globalsecurityscan.com/install/ws.zip

VirusTotal - 11/40 (27.5%)
VirusTotal - 7/40 (17.5%)
VirusTotal - 11/40 (27.5%)

[SysAdMini]

195.88.81.74

Code: [Select]

files.scanner-antispy-av-files.com/exe/setup_200002.exe
http://www.virustotal.com/analisis/7cc2a0083ed4c8c466656b9a70fb7b2f 9/39

[Malware-Web-Threats]

209.44.126.14

Redirectors:

Code: [Select]

hxxp://fastviruscleaner.com/hitin.php
hxxp://fastviruscleaner.com/in.php
hxxp://fastviruscleaner.com/page.php

Payloads:

Code: [Select]

hxxp://fastviruscleaner.com/download.php
hxxp://fastviruscleaner.com/install/installpv.exe
hxxp://fastviruscleaner.com/install/ws.zip

VirusTotal - 9/40 (22.50%)
VirusTotal - 6/40 (15%)
VirusTotal - 11/40 (27.5%)

Redirectors:

Code: [Select]

hxxp://destroyvirusnow.com/hitin.php
hxxp://destroyvirusnow.com/in.php
hxxp://destroyvirusnow.com/page.php

Payloads:

Code: [Select]

hxxp://destroyvirusnow.com/download.php
hxxp://destroyvirusnow.com/install/installpv.exe
hxxp://destroyvirusnow.com/install/ws.zip

VirusTotal - 13/40 (32.5%)
VirusTotal - 12/40 (30%)
VirusTotal - 16/40 (40%)

Redirectors:

Code: [Select]

hxxp://totalvirusdestroyer.com/hitin.php
hxxp://totalvirusdestroyer.com/in.php
hxxp://totalvirusdestroyer.com/page.php

Payloads:

Code: [Select]

hxxp://totalvirusdestroyer.com/download.php
hxxp://totalvirusdestroyer.com/install/installpv.exe
hxxp://totalvirusdestroyer.com/install/ws.zip

VirusTotal - 10/40 (25%)
VirusTotal - 6/40 (15%)
VirusTotal - 21/40 (52.5%)

66.197.154.199

Code: [Select]

hxxp://scanany6.info/download/install.php

Anubis report
VirusTotal - 8/40 (20%)

[Malware-Web-Threats]

Trojan FakeSpyguard - TDSS

211.95.73.189

Redirectors:

Code: [Select]

hxxp://dlsg09.com/sysgd09/setup.php
hxxp://dlsg09.com/maldef09/setup.php
hxxp://dlsgd3.com/sysgd09/setup.php
hxxp://dlsgd3.com/maldef09/setup.php
hxxp://getsgd3.com/sysgd09/setup.php
hxxp://getsgd3.com/maldef09/setup.php
hxxp://getsysgd09.com/sysgd09/setup.php
hxxp://getsysgd09.com/maldef09/setup.php
hxxp://dlmaldef092.com/maldef09/install.php
hxxp://dlmaldef092.com/sysgd09/install.php
hxxp://gomaldef092.com/sysgd09/setup.php
hxxp://gosgd3.com/sysgd09/setup.php
hxxp://systemguard2009.com/download/
hxxp://malwaredefender2009.com/download/

211.95.73.189

Fake scanner page:

Code: [Select]

hxxp://scan.systemcleaner22.com

84.16.243.169 / 78.159.122.59 / 84.16.251.222

Payload:

Code: [Select]

hxxp://84.16.243.169/sysgd09/setup.php
hxxp://84.16.243.169/maldef09/setup.php
hxxp://78.159.122.59/sysgd09/setup.php
hxxp://78.159.122.59/maldef09/setup.php
hxxp://84.16.251.222/sysgd09/install.php
hxxp://84.16.251.222/maldef09/setup.php

SystemGuard2009.exe

File size: 2674176 bytes
MD5: f36cfbf9d5d5489776564044645b70ef

VirusTotal 20/40 (50%)

[Malware-Web-Threats]

TDSS variants

66.206.17.28

Code: [Select]

hxxp://scandata6.com/download/xp/install.php
VirusTotal - 7/40 (17.5%)

63.146.2.92

Code: [Select]

hxxp://scan4easy.info/download/xp/install.php
VirusTotal - 5/40 (12.5%)

Code: [Select]

hxxp://scan6atom.info/download/install.php
VirusTotal - 10/40 (25%)

[Malware-Web-Threats]

66.206.17.28

Same file: Anubis Report

File size: 40960 bytes
MD5: 231dec812f74b0b268d9370b89a7c491

Code: [Select]

hxxp://base6scan.info/download/install.php

VirusTotal: Trojan TDSS - 9/40 (22.5%)

Code: [Select]

hxxp://justscan6.info/download/install.php

VirusTotal: Trojan TDSS - 10/40 (25%)

Code: [Select]

hxxp://just6scan.info/download/install.php

VirusTotal: Trojan TDSS - 10/40 (25%)

[SysAdMini]

38.103.173.98

Code: [Select]

dwnld.offer-provider.com/secure/ecd53ab0b17e571df611d1ba513f2153/49eb89c9/srm/srm_free_setup.exe
174.36.195.17

Code: [Select]

dwnld.promotion-offer.com/secure/ecd53ab0b17e571df611d1ba513f2153/49eb89c9/srm/srm_free_setup.exe
http://www.virustotal.com/analisis/1a2775049bd5ccd487cafaa37545b041 7/40

[SysAdMini]

174.36.195.17

Code: [Select]

dwnld.toppromooffer.com/secure/3f46e898cbfe2f66fc3ca1d798f71ad8/49eb8fa5/vsm/vsm_free_setup.exehttp://www.virustotal.com/analisis/26be3f85286b0734f235f5fc95f80e26 30/39

Code: [Select]

dwnld.toppromooffer.com/secure/fc744120baa2682ca3a444edf14d187b/49eb889e/cln/cln_free_setup.exehttp://www.virustotal.com/analisis/041ffd652d6134c35eb65a6743b18196 2/40

Code: [Select]

dwnld.toppromooffer.com/secure/4c9abc6b3dd24601d386633223f70e35/49eb8e79/srm/srm_free_setup1603.exehttp://www.virustotal.com/analisis/8063e36751f873a510949769b1f839ef 13/40

Code: [Select]

dwnld.toppromooffer.com/secure/13e96273b72b50a4bb226d782f555124/49eb8e79/srm/srm_free_setup1602.exehttp://virscan.org/report/797db2b5fcd0354f6fe88c0d15f6ba87.html 7/38

Code: [Select]

dwnld.toppromooffer.com/secure/c5c929bd78d623f3c8e2a68a7d0fb5f1/49eb82c1/sec/sec_free_setup.exehttp://www.virustotal.com/analisis/39bb1fca3de4e29d1cd294f5af935afc 18/40

[Malware-Web-Threats]

66.206.17.28

Same file

File name: install.exe
File size: 40960 bytes
MD5: 231dec812f74b0b268d9370b89a7c491

Code: [Select]

hxxp://scanjust6.info/download/install.php
hxxp://scan6just.info/download/install.php

VirusTotal: Trojan TDSS - 10/40 (25%)
VirusTotal: Trojan TDSS - 10/40 (25%)

[Malware-Web-Threats]

Redirects to rogue websites (change every 72 hours)

66.96.131.13

Code: [Select]

hxxp://texasvino.com

Wepawet

88.214.204.180

Code: [Select]

hxxp://info4us.info/in.php?v=28

Wepawet

88.214.198.241

Code: [Select]

hxxp://onlyfind.net/in.cgi?3

Wepawet

91.212.41.110 / 91.212.41.111

Code: [Select]

hxxp://liteauction.cn/in.cgi?6
hxxp://newtransfer.cn/in.cgi?6
hxxp://workfuse.cn/in.cgi?6

Wepawet
Wepawet
Wepawet

87.248.163.58

Code: [Select]

hxxp://87.248.163.58/in.php?s=texasvino.com

Wepawet

87.248.163.58

Code: [Select]

hxxp://098765.com/in.php
hxxp://999666999.com/in.php
hxxp://berrousmark2009.com/in.php
hxxp://dbytedelicious.com/in.php
hxxp://dbytedelicious.net/in.php
hxxp://dbytedelicious.org/in.php
hxxp://hola-aloha.net/in.php
hxxp://infidelirium.com/in.php
hxxp://infidelirium.info/in.php (not responding)
hxxp://infidelirium.net/in.php
hxxp://infidelirium.org/in.php
hxxp://lastpoher.ru/in.php
hxxp://massmarker2009.com/in.php
hxxp://murtinreid.com/in.php
hxxp://murtinreid.net/in.php
hxxp://sendsometraff.com/in.php
hxxp://x-more-x.net/in.php
hxxp://zerromark2009.com/in.php
hxxp://zorroless.com/in.php

Example:

Code: [Select]

hxxp://dbytedelicious.com/in.php

Wepawet

[Malware-Web-Threats]

Trojan TDSS variant on 66.206.17.28

Code: [Select]

hxxp://datascan4.info/download/install.php
hxxp://data4scan.info/download/install.php
hxxp://data6scan.info/download/install.php
hxxp://easyscan4.info/download/install.php
hxxp://easy4scan.info/download/xp/install.php
hxxp://ever4scan.info/download/install.php
hxxp://everscan4.info/download/install.php
hxxp://ever6scan.info/download/install.php
hxxp://everscan6.info/download/xp/install.php
hxxp://scaneasy4.info/download/install.php
hxxp://scaneasy6.info/download/xp/install.php

VirusTotal - 7/40 (17.50%)
VirusTotal - 7/40 (17.50%)
VirusTotal - 7/40 (17.50%)
VirusTotal - 5/40 (12.50%)
VirusTotal - 5/40 (12.50%)
VirusTotal - 7/40 (17.50%)
VirusTotal - 4/40 (10.00%)
VirusTotal - 7/40 (17.50%)
VirusTotal - 7/40 (17.50%)
VirusTotal - 7/40 (17.50%)
VirusTotal - 7/40 (17.50%)

[SysAdMini]

205.252.24.226

Redirects to onlinespywarescanner.net

Code: [Select]

http://selectusers.com/tds3/in.cgi?6&camp=ron&cid=C8B673339383D26882AF488DB6B969329BCA7A4C7F5C7BE6&aid=4113&version=1.4.3
Fake AV

Code: [Select]

http://www.onlinespywarescanner.net/online-scan.html?ewmid=234&pwebmid=4113
82.98.193.102

Code: [Select]

http://tds1.onlineredirsystem.com/tds/in.cgi?22&cid=C8B673339383D26882AF488DB6B969329BCA7A4C7F5C7BE6&aid=4113redirects to
60.29.232.32

Code: [Select]

http://managesystem32.com/file/3896/4c933a7c5bf131de422b01ba3fe07b12/last.exehttp://www.virustotal.com/analisis/d4068c22f4b4d4845801489b5104be1a 27/40


85.17.254.158

Code: [Select]

http://toppromooffer.com/vsm/adv/5/?a=cspyock-sst&l=373&f=cs_2185226204&ex=1&ed=2&h=&sub=csp&prodabbr=3P_UVSM