Author Topic: Rogue - Fake AV (Read 141548 times)

Malware-Web-Threats · April 21, 2009, 04:34:24 pm

66.206.17.28

hxxp://scandata6.info/download/install.php
hxxp://scan6data.info/download/install.php
hxxp://scanmini6.info/download/install.php
hxxp://scan6lead.info/download/install.php
hxxp://scanlead6.info/download/install.php
hxxp://scan6list.info/download/install.php
hxxp://scanlist6.info/download/install.php
hxxp://scan6ever.info/download/install.php
hxxp://scan6fan.info/download/install.php

File name: install.exe
File size: 53248 bytes
MD5: fbc81c9ec9452a5b000d84f05d3b122c

VirusTotal: Trojan TDSS - 21/40 (52.5%)

-----------------

66.206.17.28

Code: [Select]

hxxp://scanever6.info/download/xp/install.php
hxxp://scan6line.info/download/xp/install.php

File name: install.exe
File size: 40448 bytes
MD5: 5d254f2d27ff316097f76c76b8024fad

VirusTotal: Trojan TDSS - 22/40 (55.00%)

-----------------

63.146.2.92

Code: [Select]

hxxp://scan4data.info/download/xp/install.php

File name: install.exe
File size: 40448 bytes
MD5: fbe0f66d8ddeecee4a41ff91fabac126

VirusTotal: Trojan TDSS - 22/40 (55%)

-----------------

63.146.2.92

Code: [Select]

hxxp://scandata4.info/download/xp/install.php

File name: install.exe
File size: 40448 bytes
MD5: 746dfd581f5eb4ceca4a9825eec23e5a

VirusTotal: Trojan TDSS

-----------------

209.44.126.14

Code: [Select]

hxxp://basevirusscan.com/download.php
hxxp://basevirusscan.com/install/installpv.exe
hxxp://basevirusscan.com/install/ws.zip

VirusTotal: Trojan - 12/40 (30%)
VirusTotal: Trojan TDSS - 10/40 (25%)
VirusTotal: Trojan - 12/38 (31.58%)

Malware-Web-Threats · April 22, 2009, 06:02:16 pm

69.10.52.12

Code: [Select]

hxxp://plus5scan.com/download/install.php

VirusTotal: Trojan TDSS - 16/40 (40%)
Anubis Report

Second download:

Code: [Select]

hxxp://in5ik.com/download/file.exe
hxxp://in5ik.com/download/InternetAntivirusPro.exe

VirusTotal: Trojan TDSS - 15/40 (37.5%)
VirusTotal: Fake Antivirus - 2/40 (5%)

Code: [Select]

hxxp://in5sk.com/download/file.exe
hxxp://in5sk.com/download/InternetAntivirusPro.exe

VirusTotal: Trojan TDSS - 33/40 (82.5%)
VirusTotal: Fake Antivirus - 10/39 (25.65%)

Redirects to rogue

66.206.17.28

Code: [Select]

hxxp://gomixscan.com

Wepawet

91.212.41.111

Code: [Select]

hxxp://zyne4ka.com/in.cgi?6

Wepawet

91.212.41.110

Code: [Select]

hxxp://melodynew.cn/in.cgi?6

Wepawet

Malware-Web-Threats · April 22, 2009, 08:16:15 pm

209.44.126.14

Redirects:

Code: [Select]

hxxp://systemvirusscan.com/in.php
hxxp://systemvirusscan.com/hitin.php
hxxp://systemvirusscan.com/page.php

Fake scanner page:

Code: [Select]

hxxp://systemvirusscan.com/index.php
hxxp://systemvirusscan.com/scan.php

Payloads:

Code: [Select]

hxxp://systemvirusscan.com/download.php
hxxp://systemvirusscan.com/install/installpv.exe
hxxp://systemvirusscan.com/install/ws.zip

VirusTotal: Trojan - 11/40 (27.5%)
VirusTotal: Trojan - 4/40 (10%)
VirusTotal: Trojan - 10/40 (25%)

Redirects:

Code: [Select]

hxxp://pcguardscan.com/in.php
hxxp://pcguardscan.com/hitin.php
hxxp://pcguardscan.com/page.php

Fake scanner page:

Code: [Select]

hxxp://pcguardscan.com/index.php
hxxp://pcguardscan.com/scan.php

Payloads:

Code: [Select]

hxxp://pcguardscan.com/download.php
hxxp://pcguardscan.com/install/installpv.exe
hxxp://pcguardscan.com/install/ws.zip

VirusTotal: Trojan - 11/40 (27.5%)
VirusTotal: Trojan - 4/40 (10%)
VirusTotal: Trojan - 10/40 (25%)

91.212.65.55

Redirects:

Code: [Select]

hxxp://justwebsecurity.com/in.php
hxxp://justwebsecurity.com/hitin.php

Fake scanner page:

Code: [Select]

hxxp://justwebsecurity.com/index.php
hxxp://justwebsecurity.com/scan.php

Payloads:

Code: [Select]

hxxp://justwebsecurity.com/download.php
hxxp://justwebsecurity.com/install/installpv.exe
hxxp://justwebsecurity.com/install/ws.zip

VirusTotal: Trojan - 9/40 (22.5%)
VirusTotal: Trojan - 4/40 (10%)
VirusTotal: Trojan - 10/40 (25%)

Malware-Web-Threats · April 24, 2009, 08:49:46 am

66.206.17.32

Code: [Select]

hxxp://leadscan6.info/download/install.php
hxxp://list6scan.info/download/install.php
hxxp://litescan6.info/download/install.php
hxxp://listscan6.com/download/xp/install.php
hxxp://listscan6.info/download/xp/install.php
hxxp://scanever6.info/download/xp/install.php
hxxp://scan6line.info/download/xp/install.php
hxxp://scan6data.info/download/install.php
hxxp://scan6lead.info/download/install.php
hxxp://scan6fan.info/download/install.php
hxxp://scanlead6.info/download/install.php
hxxp://scanlist6.info/download/install.php
hxxp://scandata6.info/download/install.php
hxxp://scanlite6.info/download/install.php
hxxp://scanmini6.info/download/install.php

Quote

Size: 52736 bytes,
MD5: f5fcb03a6743e02e1978a0baa05e77fe

VirusTotal: Trojan InternetAntivirus (TDSS) - 13/40 (32.5%)
Anubis

Malware-Web-Threats · April 24, 2009, 09:28:33 am

Rootkit TDSS

64.146.2.92

Code: [Select]

hxxp://basescan4.info/download/install.php
hxxp://base4scan.info/download/xp/install.php
hxxp://bestscan4.info/download/install.php
hxxp://fastscan4.info/download/xp/install.php
hxxp://fast4scan.info/download/install.php
hxxp://scanany4.info/download/install.php
hxxp://scanbest4.info/download/install.php
hxxp://scan4ever.info/download/install.php
hxxp://scan4data.info/download/xp/install.php
hxxp://scandata4.info/download/install.php
hxxp://scan4fast.info/download/xp/install.php
hxxp://scanfast4.info/download/install.php
hxxp://scanever4.info/download/install.php
hxxp://scanuser4.info/download/xp/install.php
hxxp://scanzoom4.info/download/install.php
hxxp://plus4scan.info/download/xp/install.php
hxxp://plusscan4.info/download/install.php
hxxp://user4scan.info/download/install.php

Quote

Size: 40448 bytes,
MD5: 4b440cd5a8999d7088103279cda8786e

VirusTotal - 13/40 (32.5%)
Anubis

Malware-Web-Threats · April 25, 2009, 07:19:35 pm

63.146.2.92

Code: [Select]

hxxp://scan4fuse.info/download/install.php
hxxp://scanfuse4.info/download/install.php
hxxp://fuse4scan.info/download/install.php
hxxp://fusescan4.info/download/install.php

Quote

Size: 40448 bytes,
MD5: 3afeafaf42a9e9caea12da0a0770521a

VirusTotal: Trojan TDSS - 19/40 (47.5%)
Anubis Report

209.44.126.14 - FakeAV (Trojan Winwebsec)

Code: [Select]

hxxp://topwinsystemscan.com/download.php
hxxp://topwinsystemscan.com/install/installpv.exe
hxxp://topwinsystemscan.com/install/ws.zip

VirusTotal - 13/40 (32.5%)
VirusTotal - 12/40 (30%)
VirusTotal - 18/40 (45%)

Code: [Select]

hxxp://allvirusscannow.com/download.php
hxxp://allvirusscannow.com/install/installpv.exe
hxxp://allvirusscannow.com/install/ws.zip

VirusTotal - 14/40 (35%)
VirusTotal - 12/40 (30%)
VirusTotal - 19/40 (47.5%)

Malware-Web-Threats · April 26, 2009, 12:06:31 am

63.146.2.92

Code: [Select]

hxxp://scanbase4.info/download/install.php
hxxp://scan4base.info/download/install.php

Quote

Size: 40448 bytes,
MD5: 3afeafaf42a9e9caea12da0a0770521a

VirusTotal: Trojan TDSS - 20/40 (50%)

Malware-Web-Threats · April 26, 2009, 05:43:11 am

194.165.4.77

Fake scanner page:

Code: [Select]

hxxp://tubeontvgl.com/scan/
Fake error page (codec):

Code: [Select]

hxxp://tubeontvgl.com/tube/
Payload:

Code: [Select]

hxxp://uploadmoviez.com/codec/.exeVirusTotal: Trojan - 13/40 (32.5%)
Anubis Report

Redirects to rogue:

63.146.2.92

Code: [Select]

hxxp://goscanatom.com
91.207.61.48

Code: [Select]

hxxp://wovens.info/cgi-bin/counter?id=823509&k=if+i+could+tell+you+one+thing&refWepawet Report

Malware-Web-Threats · April 26, 2009, 02:30:52 pm

66.96.252.199

Code: [Select]

hxxp://now4scan.info/download/install.php
hxxp://nowscan4.info/download/install.php
hxxp://open4scan.info/download/install.php
hxxp://openscan4.info/download/install.php
hxxp://scan4now.info/download/install.php
hxxp://scan4open.info/download/install.php
hxxp://scan4step.info/download/install.php
hxxp://scan4tool.info/download/install.php
hxxp://scannow4.info/download/install.php
hxxp://scanopen4.info/download/install.php
hxxp://scanstep4.info/download/install.php
hxxp://step4scan.info/download/install.php
hxxp://stepscan4.info/download/install.php
hxxp://toolscan4.info/download/install.php

Quote

File size: 40448 bytes
MD5: 8b9e917f497c0de02f75785bba7c763d

VirusTotal: Trojan TDSS - 14/40 (35%)
Anubis Report

63.146.2.92

Code: [Select]

hxxp://any4scan.info/download/install.php
hxxp://anyscan4.info/download/install.php
hxxp://atom4scan.com/download/install.php
hxxp://atomscan4.com/download/install.php
hxxp://scan4any.info/download/xp/install.php
hxxp://scan4atom.com/download/xp/install.php
hxxp://scan4list.com/download/install.php
hxxp://scanstar4.com/download/xp/install.php
hxxp://zoom4scan.info/download/install.php

Quote

File size: 40448 bytes
MD5: 3afeafaf42a9e9caea12da0a0770521a

VirusTotal: Trojan TDSS - 21/40 (52.5%)
Anubis Report

69.10.52.11

Code: [Select]

hxxp://live5scan.info/download/install.php
hxxp://new5scan.info/download/install.php
hxxp://scan5best.info/download/install.php
hxxp://scan5live.info/download/install.php
hxxp://scan5new.info/download/install.php

Quote

File size: 40448 bytes
MD5: 5b1212ac7029c3135331e2d7e1c70d82

VirusTotal: Trojan TDSS - 14/40 (35%)
Anubis Report

Second download:

Code: [Select]

hxxp://in5ih.com/download/file.exe
hxxp://in5ih.com/download/InternetAntivirusPro.exe

VirusTotal: Trojan TDSS - 13/40 (32.5%)
VirusTotal: Trojan InternetAntivirusPro - 7/40 (17.5%)

Malware-Web-Threats · April 26, 2009, 02:38:52 pm

69.10.52.11

Code: [Select]

hxxp://best5scan.info/download.php

69.10.52.12

Code: [Select]

hxxp://fast5scan.com/download/install.php

Quote

Size: 40448 bytes
MD5: 5b1212ac7029c3135331e2d7e1c70d82

VirusTotal: Trojan TDSS - 15/40 (37.5%)
Anubis Report

Malware-Web-Threats · April 28, 2009, 08:11:23 am

Redirects to rogue:

91.212.41.110

Code: [Select]

hxxp://lemmydislikes.com/in.cgi?6Wepawet

216.195.35.99

Code: [Select]

hxxp://seaarch.info/in.cgi?2&group=5&parameter=visual+basic+game+programsWepawet

87.248.163.58

Code: [Select]

hxxp://098765.com/in.php
hxxp://999666999.com/in.php
hxxp://berrousmark2009.com/in.php
hxxp://dbytedelicious.com/in.php
hxxp://dbytedelicious.net/in.php
hxxp://dbytedelicious.org/in.php
hxxp://infidelirium.net/in.php
hxxp://infidelirium.org/in.php
hxxp://lastpoher.ru/in.php
hxxp://massmarker2009.com/in.php
hxxp://murtinreid.com/in.php
hxxp://murtinreid.net/in.php
hxxp://sendsometraff.com/in.php
hxxp://x-more-x.net/in.php
hxxp://zerromark2009.com/in.php
hxxp://zorroless.com/in.php

Wepawet
Wepawet
Wepawet
Wepawet
Wepawet
Wepawet
Wepawet
Wepawet
Wepawet
Wepawet
Wepawet
Wepawet
Wepawet
Wepawet
Wepawet
Wepawet

Rogue Antivirus:
209.44.126.14

Code: [Select]

hxxp://totalvirushield.com/download.php
hxxp://totalvirushield.com/download/installpv.exe
hxxp://totalvirushield.com/download/ws.zip

VirusTotal - 16/40 (40%)
VirusTotal - 7/40 (17.5%)
VirusTotal - 3/40 (7.5%)

63.146.2.92

Code: [Select]

hxxp://home4scan.info/download/install.php
hxxp://scan4home.info/download/install.php
hxxp://scanhome4.info/download/install.php
hxxp://scan4gate.info/download/install.php
hxxp://scangate4.info/download/install.php
hxxp://gate4scan.info/download/install.php
hxxp://gatescan4.info/download/install.php

Quote

Size: 39936 bytes,
MD5: 126fa3ed7b131e8de7b4fee1b2ce0e21

VirusTotal - 10/40 (25.00%)

Redirects to rogue:

63.146.2.92

Code: [Select]

hxxp://goscanarea.com
hxxp://goscanelite.com
hxxp://goscanfile.com
hxxp://goscanfix.com
hxxp://goscangoal.com
hxxp://goscankey.com
hxxp://goscanmeta.com
hxxp://goscanmore.com
hxxp://goscannote.com
hxxp://goscantop.com
hxxp://goscanwork.com
hxxp://goareascan.com
hxxp://goelitescan.com
hxxp://gofilescan.com
hxxp://gofixscan.com
hxxp://gogoalscan.com
hxxp://gokeyscan.com
hxxp://gometascan.com
hxxp://gomorescan.com

Wepawet
Wepawet
Wepawet
Wepawet
Wepawet
Wepawet
Wepawet
Wepawet
Wepawet
Wepawet
Wepawet
Wepawet
Wepawet
Wepawet
Wepawet
Wepawet
Wepawet
Wepawet
Wepawet

Redirects to rogue:

66.96.252.199

Code: [Select]

hxxp://gonotescan.com
hxxp://goscanwork.com

Wepawet
Wepawet

Rogue Antivirus:

66.96.252.199

Code: [Select]

hxxp://nowscan4.info/download/install/php

VirusTotal - 9/40 (22.5%)
Anubis

RS-232 · April 28, 2009, 09:57:29 am

Quote

hxxp://ha-virus2009.com/install/Installer.exe

Have fun exploring the rest of rogue av-related domains there...
http://www.bfk.de/bfk_dnslogger.html?query=80.79.118.186#result
http://www.bfk.de/bfk_dnslogger.html?query=80.79.118.190#result
http://www.bfk.de/bfk_dnslogger.html?query=94.75.253.92#result
http://www.bfk.de/bfk_dnslogger.html?query=124.217.238.169#result
http://www.bfk.de/bfk_dnslogger.html?query=212.95.53.246#result

SysAdMini · May 02, 2009, 09:01:46 am

Code: [Select]

http://antivirus-powerful-scannerv2.com/download/Install_11-1.exehttp://www.virustotal.com/analisis/8ad4d65036ead9403f38442d5d5d8de8 7/40

Malware-Web-Threats · May 02, 2009, 10:56:32 am

78.159.115.215 - 78.159.115.215.internetserviceteam.com

freegechscan.info - Louis Hayes - nalatch@ gmail.com
gechscannow.info - John Aschinger - plutommy@ gmail.com
gescanch.info - Louis Hayes - nalatch@ gmail.com
gescanchnow.info - Frederick Arva - bosotlet@ gmail.com
nowscangech.info - Frederick Arva - bosotlet@ gmail.com
scan4lite.info - John Aschinger - plutommy@ gmail.com
scanlite4.info - John Aschinger - plutommy@ gmail.com
lead4scan.info - John Aschinger - plutommy@ gmail.com
linescan4.info - John Aschinger - plutommy@ gmail.com
lite4scan.info - John Aschinger - plutommy@ gmail.com
litescan4.info - John Aschinger - plutommy@ gmail.com
listscan4.info - John Aschinger - plutommy@ gmail.com
list4scan.info - John Aschinger - plutommy@ gmail.com
livescan4.info - John Aschinger - plutommy@ gmail.com
scan4list.info - John Aschinger - plutommy@ gmail.com
scanlist4.info - John Aschinger - plutommy@ gmail.com
scan4lead.info - John Aschinger - plutommy@ gmail.com
scan4line.info - John Aschinger - plutommy@ gmail.com
scan4list.info - John Aschinger - plutommy@ gmail.com
scan4lite.info - John Aschinger - plutommy@ gmail.com
scanlite4.info - John Aschinger - plutommy@ gmail.com
scanlive4.info - John Aschinger - plutommy@ gmail.com

64.20.33.156

fuse6scan.info - George Fults - sigratzie@ gmail.com
fusescan6.info - George Fults - sigratzie@ gmail.com
scan6fuse.info - George Fults - sigratzie@ gmail.com
scanfuse6.info - George Fults - sigratzie@ gmail.com
step6scan.info - George Fults - sigratzie@ gmail.com
stepscan6.info - George Fults - sigratzie@ gmail.com
scanstep6.info- George Fults - sigratzie@ gmail.com
scan6step.info- George Fults - sigratzie@ gmail.com
scan6ray.info - George Fults - sigratzie@ gmail.com
scan6star.info - George Fults - sigratzie@ gmail.com
star6scan.info - George Fults - sigratzie@ gmail.com
ray6scan.info - George Fults - sigratzie@ gmail.com

CkreM · May 03, 2009, 11:53:37 am

Fake AV:

Code: [Select]

system-protector.org
av-lookup.com
srv-scan.us
srv-scan.biz
Ms-scan.biz
Ms-scan.info
Ms-scan.net
ms-scan.org

Author Topic: Rogue - Fake AV (Read 141548 times)

Malware-Web-Threats

Re: Rogue - Fake AV

Malware-Web-Threats

Re: Rogue - Fake AV

Malware-Web-Threats

Re: Rogue - Fake AV

Malware-Web-Threats

Re: Rogue - Fake AV

Malware-Web-Threats

Re: Rogue - Fake AV

Malware-Web-Threats

Re: Rogue - Fake AV

Malware-Web-Threats

Re: Rogue - Fake AV

Malware-Web-Threats

Re: Rogue - Fake AV

Malware-Web-Threats

Re: Rogue - Fake AV

Malware-Web-Threats

Re: Rogue - Fake AV

Malware-Web-Threats

Re: Rogue - Fake AV

RS-232

Re: Rogue - Fake AV

SysAdMini

Re: Rogue - Fake AV

Malware-Web-Threats

Re: Rogue - Fake AV

CkreM

Re: Rogue - Fake AV