Sunday, December 30, 2007



I wish you all a Prosperous and Happy New Year 2008.

Bharath M N

New Scam Strategy


Removed this blog

Wednesday, December 26, 2007



File-Secure is a new rogue security application from the IE Defender family.

The File-Secure rogue security application installs stealthily after a dubious codec installer called videomp3_setup* is run.

Snapshot of Files-Secure Application

The site details:
IP Address:

Warning message from the app:

VirusTotal Scan Result: 2/32 (6.25%)

eSafe 2007.12.25 suspicious Trojan/Worm
Kaspersky 2007.12.26

Stay away from this Rogue security application.

Bharath M N

Saturday, December 22, 2007

Immunizr is another rogue security application, yet another from the spywareNo family of rogue security applications.

The site uses the IP and the Immunizr setup file is not detected as a rogue security application by any of the scanners on VirusTotal.

Stay away from rogue security applications.
Bharath MN

WinSpykiller is a rogue security application, another one from the spywareNo family of rogue security applications.

This is the ninth rogue security application from the spywareNo family in December. If you look closely at all nine sites, you will find the same information displayed on every page.

The site uses the IP and, interestingly, none of the security applications on VirusTotal detects this rogue security application.

Stay away from rogue security applications.

Bharath MN

Sunday, December 16, 2007

New Zlob Trojan Site


Virustotal Scan Result: 10/32 (31.25%)
AntiVir 2007.12.14 DR/Zlob.Gen
Avast 4.7.1098.0 2007.12.15 Win32:Zlob-AHS
AVG 2007.12.15 Downloader.Zlob.LI
BitDefender 7.2 2007.12.15 Trojan.Zlob.BZM
ClamAV 0.91.2 2007.12.15 Trojan.Dropper-2529
DrWeb 2007.12.15 Trojan.Popuper.origin
Microsoft 1.3109 2007.12.15 TrojanDownloader:Win32/Zlob.gen!AL
Prevx1 V2 2007.12.15 Downloader.Zlob.LI
Sophos 4.24.0 2007.12.15 Troj/Zlobar-Fam
Webwasher-Gateway 6.6.2 2007.12.15 Trojan.Dropper.Zlob.Gen

Stay away from this site.

Bharath M N

Friday, December 14, 2007

Another malicious domain. The setup file offered on the site is malicious: it installs a malicious BHO, which displays the following image below the browser address bar.

BHO Details:

Filename: IECodec.dll
Hijack this entry:
O2 - BHO: IECodecBHO - {4507C219-24AA-4813-9561-A2003F9920C3} - C:\Program Files\IECodec\IECodec.dll

Screenshot taken after installing the malicious setup file.

Once you click on the link provided in the image, it takes you to the website. The site uses scare-scan tactics to frighten users into purchasing a rogue security application.

The site uses the IP address which then redirects users into downloading Anti-Virus-Pro (from a well documented rogue security application).

The and are clone sites of which also redirect users into downloading Anti-Virus-Pro.

Scare scan page

Further, the site ( works as a data repository for

Currently none of the security applications on Virustotal flags the setup file as malicious.

Only two scanners detect the BHO as malicious.

Virustotal scan Result: 2/32 (6.25%)

AntiVir 2007.12.13 HEUR/Malware
Webwasher-Gateway 6.6.2 2007.12.13 Heuristic.Malware

Stay away from these sites.

Bharath M N



Yet another SpySheriff clone. This site distributes a rogue security application that exploits the “Webroot” Spy Sweeper name.

Snapshot of Spyware-Sweeper Application

VirusTotal Scan Result: 10/32 (31.25%)

AhnLab-V3 2007.12.14.10 2007.12.13 Win-Trojan/Bravesent.39424
CAT-QuickHeal 9.00 2007.12.13 FraudTool.SpySheriff.f (Not a Virus)
Ikarus T3.1.1.15 2007.12.13 Application.Win32.AdWare.SpySheriff
Kaspersky 2007.12.13 not-a-virus:FraudTool.Win32.SpySheriff.f
Microsoft 1.3007 2007.12.13 Program:Win32/SpySheriff
NOD32v2 2721 2007.12.13 a variant of Win32/Adware.SpySheriff
Panda 2007.12.13 Suspicious file
Prevx1 V2 2007.12.13 ADWARE.SPYSHERIFF.E
Sophos 4.24.0 2007.12.13 Troj/Spywad-Gen
VirusBuster 4.3.26:9 2007.12.13 Adware.SpySherif.Gen.2

Stay away from rogue security applications.

Bharath M N

Monday, December 10, 2007

Scanner Pages are Live now!!!

The malware scanner pages for the rogue security applications Dr-Protection, Guard-Center, Killspy, Liveantispy, LiveProtection, Online-Guard and Stopingspy are live. The scanner pages use scare tactics to frighten users into purchasing the rogue security application. Don’t fall for the cheap trick and lose your money. All the scan pages share the same IP address

Dr-Protection Fake Scanner Page

Guard-Center Fake Scanner Page

Killspy Fake Scanner Page

Liveantispy Fake Scanner Page

Liveprotection Fake Scanner Page

Online-Guard Fake Scanner Page

Stopingspy Fake Scanner Page

Virustotal Scan Result: 7/32 (21.88%)

AVG 2007.12.10 Downloader.Small.BAP
DrWeb 2007.12.10 Trojan.Fakealert
Kaspersky 2007.12.10 Heur.Trojan.Generic
Microsoft 1.3007 2007.12.10 TrojanDownloader:Win32/Renos.gen!Y
NOD32v2 2713 2007.12.10 probably unknown NewHeur_PE virus
Panda 2007.12.09 Suspicious file
Prevx1 V2 2007.12.10 Downloader.Drev.A

Stay away from Rogue security applications

Bharath M N
(Thanks to Patrick Jordan)

Saturday, December 8, 2007
A malicious domain that spams; the download available on the site installs a malicious BHO.
The image displayed on the site:

BHO Details:

Filename: wbspark.dll
Hijack this entry:
O2 - BHO: wbspark - {BC42164F-2C53-1B42-1563-1A7624A24C11} - C:\WINDOWS\system32\wbspark.dll
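The two posts above each quote a HijackThis O2 entry for the dropped BHO. The following is an added example for this page (not HijackThis code and not the author's tooling) that parses such O2 lines, flags entries that deserve a look, and on Windows also lists the BHOs the registry actually loads. The DLL watch list contains only the two names quoted on this page; the "ExampleVendor" line and its all-zero CLSID are constructed.

```python
"""Triage helper for HijackThis O2 (Browser Helper Object) entries.

Added example for this page; it is not HijackThis code and not the author's
tooling. The DLL watch list holds only names quoted in the posts above; the
"ExampleVendor" sample line and its all-zero CLSID are constructed.
"""
import re
from dataclasses import dataclass

# DLL names the posts above identify as malicious BHOs (the only IoCs on the page).
KNOWN_BAD_DLLS = {"iecodec.dll", "wbspark.dll"}

# Where a legitimately installed BHO is normally expected to live.
EXPECTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\")

# "O2 - BHO: <name> - {<clsid>} - <dll path>"; (...) around the CLSID is also
# accepted, because that is how one of the posts above copied it.
O2_RE = re.compile(
    r"^O2\s*-\s*BHO:\s*(?P<name>.*?)\s*-\s*[{(](?P<clsid>[0-9A-Fa-f-]{36})[})]\s*-\s*(?P<path>.+?)\s*$"
)
CLSID_RE = re.compile(r"^[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}$")

# Sample input: two entries copied from the posts above plus one constructed benign entry.
SAMPLE_LINES = [
    "O2 - BHO: IECodecBHO - {4507C219-24AA-4813-9561-A2003F9920C3} - C:\\Program Files\\IECodec\\IECodec.dll",
    "O2-BHO: wbspark - (BC42164F-2C53-1B42-1563-1A7624A24C11) - C: \\WINDOWS\\system32\\wbspark.dll",
    "O2 - BHO: ExampleVendor Helper - {00000000-0000-0000-0000-000000000001} - C:\\Program Files\\ExampleVendor\\helper.dll",  # constructed
]


@dataclass
class BhoEntry:
    name: str
    clsid: str
    path: str


def parse_o2(line):
    """Parse one O2 line into a BhoEntry; return None for any other HijackThis line."""
    m = O2_RE.match(line.strip())
    if m is None:
        return None
    # Repair whitespace that crept in when the line was pasted ("C: \WINDOWS").
    path = re.sub(r":\s+\\", ":\\\\", m.group("path"))
    return BhoEntry(m.group("name"), m.group("clsid").upper(), path)


def assess(entry):
    """Return the reasons an entry deserves a closer look; an empty list means nothing notable."""
    reasons = []
    lower_path = entry.path.lower()
    dll = lower_path.rsplit("\\", 1)[-1]
    if dll in KNOWN_BAD_DLLS:
        reasons.append(f"{dll} is named as a malicious BHO in the posts above")
    if CLSID_RE.match(entry.clsid) is None:
        reasons.append("CLSID is not a well-formed GUID")
    if lower_path.startswith("c:\\windows\\system32\\"):
        reasons.append("DLL dropped straight into system32, unusual for a legitimate add-on")
    elif not lower_path.startswith(EXPECTED_PREFIXES):
        reasons.append("DLL lives outside Program Files")
    return reasons


def triage(lines):
    """Parse every O2 line in a HijackThis log excerpt and pair it with its assessment."""
    results = []
    for line in lines:
        entry = parse_o2(line)
        if entry is not None:
            results.append((entry, assess(entry)))
    return results


def live_bhos():
    """On Windows, read the BHO CLSIDs Internet Explorer loads and resolve each to its DLL.
    Returns [] on other platforms so the rest of the script still runs there."""
    try:
        import winreg
    except ImportError:
        return []
    bho_key_path = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
    found = []
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, bho_key_path) as bho_key:
            index = 0
            while True:
                try:
                    clsid = winreg.EnumKey(bho_key, index)
                except OSError:
                    break  # no more subkeys
                index += 1
                try:
                    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, "CLSID\\" + clsid + "\\InprocServer32") as srv:
                        dll_path, _ = winreg.QueryValueEx(srv, "")  # default value = DLL path
                except OSError:
                    dll_path = "<no InprocServer32 value>"
                found.append(BhoEntry(clsid, clsid.strip("{}").upper(), str(dll_path)))
    except OSError:
        pass  # key absent or access denied
    return found


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LINES) + [(e, assess(e)) for e in live_bhos()]:
        print(entry.path, "->", "; ".join(reasons) or "nothing notable")
```

The registry walk mirrors what HijackThis does for its O2 section: each subkey under the Browser Helper Objects key is a CLSID, and the DLL path is the default value of that CLSID's InprocServer32 key. The path and watch-list checks are deliberately simple; the point is that a BHO written into system32 or matching a name from an incident report is worth pulling for analysis even when scanners do not flag it, as both posts above note.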

SunBelt SandBox Result

Virustotal Scan Result: 18/32 (56.25%)

Stay away from this site.
Bharath M N

Thursday, December 6, 2007

Three More Malicious Domains

A few days back I had written about the four malicious sites on the server (Link).

Now the server is hosting seven malicious sites distributing rogue security applications. The entire list:


The download from the three new sites was submitted to VirusTotal, and here are the results:

Virustotal Scan Result: 5/32 (15.63%)

AhnLab-V3 2007.12.6.2 2007.12.06 Win-Trojan/Spyshield.51200
Kaspersky 2007.12.06 not-a-virus:FraudTool.Win32.SpySheriff.f
Microsoft 1.3007 2007.12.06 Program:Win32/SpySheriff
Sophos 4.24.0 2007.12.06 Troj/DrProt-Gen
VirusBuster 4.3.26:9 2007.12.06 Adware.SpySherif.Gen.2

As you can see, detection is poor; stay away from all these sites.

Bharath MN

This is a new rogue security application, the successor of the IE Defender rogue security application. AntiSpy-Pro is an exact clone of IE Defender.

IE Defender has a history of installing stealthily on users' systems when they install a Zlob codec, so AntiSpy-Pro will be the next rogue security application advertised through Zlob Trojans.

Snapshot of AntiSpy-Pro Application

The site details:
IP Address:
created on 2007-11-15
Name Servers:

Warning message from the app:

If AntiSpy-Pro installs stealthily on your system, it is certain that your system is infected with the Zlob Trojan.

VirusTotal Scan Result: 3/32 (9.38%)

ClamAV - - Adware.Fakealert-21
Kaspersky - - not-a-virus:FraudTool.Win32.IeDefender.j
VBA32 - - suspected of Backdoor.Delf.180 (paranoid heuristics)
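Every post on this page pastes VirusTotal engine lines and a "hits/32" header. The following is an added example (not VirusTotal tooling and not the author's) that parses those lines into records, recomputes the ratio header the way the posts show it, and tallies which family the detecting engines agree on. The sample scans are copied from the Spyware-Sweeper and AntiSpy-Pro posts above, including the "- -" lines where the version and date were blank; the family keyword table is an assumption of this example.

```python
"""Parser for VirusTotal engine-result lines as pasted in the posts above.

Added example for this page, not VirusTotal tooling. Each line has the shape
"<engine> [<version>] <date> <verdict>", where the version and date may be
"-" when VirusTotal left them blank. The two sample scans are copied from the
posts above; the family keyword table is this example's own assumption.
"""
import re
from collections import Counter
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP
from typing import Optional

ENGINE_COUNT = 32  # every scan on this page reports N/32

RESULT_RE = re.compile(
    r"^(?P<vendor>\S+)\s+"               # engine name
    r"(?:(?P<version>\S+)\s+)?"          # optional engine/signature version token
    r"(?P<date>\d{4}\.\d{2}\.\d{2}|-)"   # signature date, or "-" when blank
    r"\s*(?P<verdict>.*)$"               # verdict text (may be empty)
)

# lower-case substring -> family label; kept short so spelling variants such as
# "SpySherif" still count toward the same family.
FAMILY_KEYWORDS = {
    "spysherif": "SpySheriff",
    "zlob": "Zlob",
    "iedefender": "IE Defender",
    "fakealert": "FakeAlert",
    "renos": "Renos",
}

# Sample input copied from the Spyware-Sweeper post above.
SPYWARE_SWEEPER_SCAN = """\
AhnLab-V3 2007.12.14.10 2007.12.13 Win-Trojan/Bravesent.39424
CAT-QuickHeal 9.00 2007.12.13 FraudTool.SpySheriff.f (Not a Virus)
Ikarus T3.1.1.15 2007.12.13 Application.Win32.AdWare.SpySheriff
Kaspersky 2007.12.13 not-a-virus:FraudTool.Win32.SpySheriff.f
Microsoft 1.3007 2007.12.13 Program:Win32/SpySheriff
NOD32v2 2721 2007.12.13 a variant of Win32/Adware.SpySheriff
Panda 2007.12.13 Suspicious file
Prevx1 V2 2007.12.13 ADWARE.SPYSHERIFF.E
Sophos 4.24.0 2007.12.13 Troj/Spywad-Gen
VirusBuster 4.3.26:9 2007.12.13 Adware.SpySherif.Gen.2
"""

# Sample input copied from the AntiSpy-Pro post above (version and date blank).
ANTISPY_PRO_SCAN = """\
ClamAV - - Adware.Fakealert-21
Kaspersky - - not-a-virus:FraudTool.Win32.IeDefender.j
VBA32 - - suspected of Backdoor.Delf.180 (paranoid heuristics)
"""


@dataclass
class EngineResult:
    vendor: str
    version: Optional[str]
    date: Optional[str]
    verdict: str


def parse_line(line):
    """Parse one engine line; return None for headers, blanks and anything else."""
    m = RESULT_RE.match(line.strip())
    if m is None:
        return None
    version, date = m.group("version"), m.group("date")
    return EngineResult(
        m.group("vendor"),
        None if version in (None, "-") else version,
        None if date == "-" else date,
        m.group("verdict").strip(),
    )


def parse_results(text):
    """Parse a pasted scan block; only lines that look like engine results are kept."""
    return [r for r in (parse_line(line) for line in text.splitlines()) if r is not None]


def detection_ratio(results, engines=ENGINE_COUNT):
    """Rebuild the "hits/engines (percent)" header; half-up rounding matches the posts (5/32 -> 15.63%)."""
    hits = len(results)  # VirusTotal lists only the engines that detected something
    pct = (Decimal(hits) * 100 / Decimal(engines)).quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)
    return f"{hits}/{engines} ({pct}%)"


def family_consensus(results):
    """Count how many detecting engines name each family, most agreed-upon first."""
    counts = Counter()
    for r in results:
        flat = r.verdict.lower().replace("-", "").replace(".", "").replace("_", "")
        for keyword, family in FAMILY_KEYWORDS.items():
            if keyword in flat:
                counts[family] += 1
    return counts.most_common()


if __name__ == "__main__":
    for scan in (SPYWARE_SWEEPER_SCAN, ANTISPY_PRO_SCAN):
        results = parse_results(scan)
        print(detection_ratio(results), family_consensus(results))
```

The family tally is what makes a low ratio useful: on the Spyware-Sweeper scan seven of the ten hits name SpySheriff, which is stronger evidence than any single engine's verdict, while on the AntiSpy-Pro scan the three engines do not even agree on a family and two of them are heuristic verdicts.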

Stay away from this Rogue security application.

Bharath M N

Saturday, December 1, 2007

List of Malicious Domains

-> Zlob trojan distributing site
-> Zlob trojan distributing site
-> DNS Changer distributing site
-> Zlob trojan distributing site
-> a bunch of malicious files hosted on the site

Detection of the malicious files distributed by these sites is really poor.
Stay away from these sites...
Bharath M N