Monday, March 31, 2008

Update on XP AntiSpyware /XP AntiVirus Scam


WinSoftware, Inc (aka LocusSoftware Inc, aka Innovative Marketing), the group behind this scam, has updated its fake scan script and page layout.

As mentioned in the earlier post, the group is quick to change its active scam site in order to trick more users into purchasing its rogue security application.

The new scam site used by the group:

Site Name: XPAntivirussecurity.com
IP Address: 89.149.197.240


Screenshot of the new fake/scare scan pages



The site pushes the file “XPantivirus2008_v77002803.exe”, and antivirus detection of this file is very poor.

VirusTotal Scan Result: 1/32 (3.12%)
F-Prot 4.4.2.54 2008.03.30 W32/Downloader.F.gen!Eldorado

Other sites used by this group:

Antispycompani.com
Xp-protect-2008.com

Both of these sites share the same IP address, 67.228.137.29.

Stay away from these sites.

Bharath M N

New set of SSH Zlob Trojan Family’s Component sites



Scam Internet Security Page:
Site Name: Asecureforum.com
IP Address: 85.255.116.214

Screenshot of Asecureforum.com site:


404 Error Page Scam:
Site Name: Dnserrorpoll.com
IP Address: 85.255.118.246

Screenshot of Dnserrorpoll.com site:

Security Guide Scam Page:
Site Name: Aprotectiongear.com
IP Address: 85.255.118.210

Screenshot of Aprotectiongear.com/Soft site:

Screenshot of Aprotectiongear.com/Test site:

Ad-Server-Gate Pages:
Site Name: Gateuq.com
IP Address: 85.255.118.210

Site Name: Gatepj.com
IP Address: 85.255.118.37


The Ad-Server-Gate pages redirect to the fake security center site Securebowl.com, which promotes rogue security applications.

Site Name: Securebowl.com
IP Address: 85.255.118.34

Screenshot of Securebowl.com site:



All the sites listed above advertise well-documented rogue security applications. Stay away from these sites.

Bharath M N

Saturday, March 29, 2008

DNS Changer Trojan distributing Site



Site Name: Lightticket.net
IP Address: 64.28.184.163
Registrar: ESTDOMAINS, INC.
Name Servers:
ns1.lightticket.net [64.28.184.162]
ns2.lightticket.net [64.28.184.166]

The installers from these two sites were scanned and here are the results:

VirusTotal Scan Result: 11/31 (35.48%)

AntiVir 7.6.0.78 2008.03.28 TR/Zlob.72484
Avast 4.7.1098.0 2008.03.29 Win32:Zlob-ARJ
AVG 7.5.0.516 2008.03.28 Downloader.Zlob.TSF
BitDefender 7.2 2008.03.29 DeepScan:Generic.Zlob.7.1FED44BB
CAT-QuickHeal 9.50 2008.03.28 Win32.Trojan.DNSChanger.jc
FileAdvisor 1 2008.03.29 High threat detected
F-Prot 4.4.2.54 2008.03.28 W32/Zlob.F.gen!Eldorado
McAfee 5262 2008.03.28 Puper
Prevx1 V2 2008.03.29 Trojan.Zlob
TheHacker 6.2.92.258 2008.03.29 Trojan/DNSChanger.ik
Webwasher-Gateway 6.6.2 2008.03.29 Trojan.Zlob.72484

Stay away from this site.

Bharath M N

Wednesday, March 26, 2008

New Member to MalwareWipe Family


MalwareWar is a new rogue security application from the MalwareWipe family. It is installed on the user's system by Zlob Trojan programs, and may also be installed through exploits in the Windows operating system and by other dubious means.

Site Name: MalwareWar.com
IP Address: 85.255.117.206
Registrar: ESTDOMAINS, INC.

Screenshot of MalwareWar.com Site

Once the MalwareWar trial version is installed on the system, the application mimics a system scan and reports a large number of imaginary spyware infections. It then offers the user the full version, for purchase, to remove the reported risks.

Screenshot of MalwareWar Application:


The installer from the site was scanned and here are the results:

VirusTotal Scan Result: 3/32 (9.38%)

Avast 4.7.1098.0 2008.03.24 Win32:Spycrush
Kaspersky 7.0.0.125 2008.03.25 not-a-virus:FraudTool.Win32.MalwareWipe.q
Sophos 4.27.0 2008.03.25 Sus/ComPack-C

Detection of this rogue is very poor; stay away from this site.

Bharath M N

Tuesday, March 25, 2008

New Member of SpywareNo / SpySheriff Family



DataHealer is a new rogue security application from the SpywareNo / SpySheriff family. It is installed on the user's system by various Trojan horse programs and other dubious means.

Site Name: DataHealer.com
IP Address: 69.50.166.140
Registrar: ESTDOMAINS, INC.


Screenshot of DataHealer.com Site



Once the DataHealer trial version is installed on the system, the application mimics a system scan and reports a large number of imaginary spyware infections. It then offers the user the full version, for purchase, to remove the reported risks.

The scammers simply change the file, application and site names to keep pushing the same rogue security application; they do this to evade detection by security products.


Screenshot of DataHealer application



The installer from the site was scanned and here are the results:

VirusTotal Scan Result: 9/32 (28.12%)

AhnLab-V3 2008.3.26.0 2008.03.25 Win-Trojan/Bravesent.39424
Ikarus T3.1.1.20 2008.03.25 Application.Win32.AdWare.SpySheriff
Kaspersky 7.0.0.125 2008.03.25 not-a-virus:FraudTool.Win32.SpySheriff.f
Microsoft 1.3301 2008.03.25 Program:Win32/SpySheriff
NOD32v2 2971 2008.03.25 a variant of Win32/Adware.SpySheriff
Norman 5.80.02 2008.03.25 SpywareLocker.A
Panda 9.0.0.4 2008.03.25 Suspicious file
Prevx1 V2 2008.03.25 Trojan.Downloader.Gen
VirusBuster 4.3.26:9 2008.03.25 Adware.SpySherif.Gen.2

Detection of this rogue is poor; stay away from these scammer sites.

Bharath M N

List of New Malicious Sites



Site Name: Moonticket.net
IP Address: 64.28.184.162
Registrar: ESTDOMAINS, INC.

This site distributes the DNS Changer Trojan. Detection on VirusTotal is impressive: 28 engines flag the installer from this site as malicious.

VirusTotal Scan Result: 28/31 (90.32%)

Screenshot of Moonticket.net site:


Site Name: Movperformance.com
IP Address: 85.255.120.110
Registrar: ESTDOMAINS, INC.

Site Name: Mpggadget.com
IP Address: 85.255.118.181
Registrar: ESTDOMAINS, INC.

Both sites listed above distribute the Zlob Trojan, and 16 scanners on VirusTotal detect their installer as malicious.

VirusTotal Scan Result: 16/32 (50%)

Stay away from these sites.

Bharath M N

Saturday, March 22, 2008

XP AntiSpyware /XP AntiVirus Scam



Last week comment spam appeared on various blogs; the comments contain a link that redirects the user to a fake/scare scan page for the infamous XP AntiSpyware / XP AntiVirus rogue security applications.

WinSoftware, Inc (aka LocusSoftware Inc, aka Innovative Marketing) is behind this scam. They use many sites to redirect users to their fake/scare scan pages.

Screenshot of fake/scare scan pages

Screenshot of XPAntivirus Application


The gang is quick to change its active scam site; over a period of 15 days they have created many sites. Here is the list:

1. XpAntivirusonline.com
2. XPOnlinescanner.com
3. XPSecuritycenter.com
4. XPAntispyware.com
5. XPAntiviruspro.com
6. XPAntivirus2008.com
7. XPAntivirus-scanner.com
8. XPAntivirus.com
9. XPAntivirussite.com
10. XPCleanerpro.com ==> Fake clean-up software.

I am sure that the list will keep growing. Below is the set of sites that are also involved in the scam.

The site XPDownloadings.com works as a repository for the rogue installers, while the XP-Antivirus.com site is used for payment processing.



The scammers also invite the user to sign up for an upgrade to “File Shredder 2008” (FileShredder2008.com), which is again crapware; they are exploiting the name of Lavasoft’s application “File Shredder”.


Screenshot of FileShredder2008.com site

There is another site, CleanerMaster.com, which has been silent for more than 15 days without any links to installer files. This site also belongs to the same scammer gang.

Screenshot of CleanerMaster.com site


Stay away from these sites.

Bharath M N

Wednesday, March 19, 2008

New set of sites from SSH Zlob Trojan Family


Site Name: Wmvappliance.com
IP Address: 85.255.120.108

Site Name: Avicoupler.com
IP Address: 85.255.118.181

The installers from these sites were scanned and here are the results:

VirusTotal Scan Result: 5/32 (15.63%)

AntiVir 7.6.0.75 2008.03.18 DR/Zlob.Gen
BitDefender 7.2 2008.03.18 Dropped:Trojan.Downloader.Zlob.ABOS
ClamAV 0.92.1 2008.03.18 Trojan.Dropper-2529
VBA32 3.12.6.3 2008.03.17 suspected of Downloader.Zlob.3
Webwasher-Gateway 6.6.2 2008.03.18 Trojan.Dropper.Zlob.Gen

Scam Internet Security Page:
Site Name: Securitypills.com
IP Address: 85.255.116.213

Screenshot of Securitypills.com site:


404 Error Page Scam:
Site Name: Dnsmserrors.com
IP Address: 85.255.118.244

Screenshot of Dnsmserrors.com site:

Security Guide Scam Page:
Site Name: Asafetyvalue.com
IP Address: 85.255.118.38

Screenshot of Asafetyvalue.com/Test site:
Screenshot of Asafetyvalue.com/Soft site:

Ad-Server-Gate Pages:
Site Name: Gateqy.com
IP Address: 85.255.118.212

Gateqy(dot)com/gatevc.php?pn=srch0p1total7s2&c=441048

Site Name: Gatewp.com
IP Address: 85.255.118.211

Gatewp(dot)com/gatevc.php?id=icn01

The Ad-Server-Gate pages redirect to the fake security center site Protectioncase.com, which promotes rogue security applications.

Site Name: Protectioncase.com
IP Address: 85.255.118.210

Screenshot of Protectioncase.com site:

Other component sites

Site Name: Allcollisions.com
IP Address: 85.255.117.204

www(dot)allcollisions.com/get.php?partner=1012 -> downloads the VirusHeat rogue security application

Site Name: mspctoolbar.com
IP Address: 85.255.118.35

mspctoolbar(dot)com/go.php?step=1
mspctoolbar(d0t)com/go.php?step=2

The URLs above redirect the request to sites distributing rogue security applications.

Stay away from all these sites.

Bharath M N

Saturday, March 15, 2008

Malicious sites


The following web sites contain Malware payloads:

1. 5yearscontract(dot)com
2. Bulletproofstuff(dot)com
3. Deluxenote(dot)com
4. Digitsdndletters(dot)com
5. Faxmonitoring(dot)com
6. Fklgjslkj(dot)com
7. Itsnotjoke(dot)com
8. Medicasntred(dot)com
9. Mynameisseller(dot)com
10. Polanddreams(dot)com
11. Toneandpulse(dot)com
12. Tredinsa(dot)com
13. Vertuslkj(dot)com
14. Warinmyarms(dot)com

All these sites share the same IP address, 58.65.239.114. Please make sure not to visit any of them, as they use iframes and JavaScript to push malware onto your system.

Also reported by SecuBox Labs:

These sites were also involved in the attack:

abc-powers.com -> the site dropped the file “ieupdater.exe”
nt-users.com -> the site instructs the infected machine to download various files from the IP 58.65.239.42

58.65.239.42 -> downloads the following files:
i5.exe
ldig0031242.exe
alexey.exe

fbceeefbdede.com -> instructs the machine to download files from deborah2.biz
deborah2.biz -> drops “wssl54.exe”

The malware does a lot of damage to your system: it downloads Zlob, Vundo and rogue security applications, changes registry keys, modifies the hosts file and does many other nasty things.

Please stay away from these sites.

Bharath M N

Monday, March 10, 2008

Misunderstanding?


Last month I wrote about SpyBurner (a rogue security application) and the site promoting the rogue (pcsecuritycenter.net). Well, “DONALD J BOURGEOIS JR” has totally misunderstood the information posted on the blog page and thinks that I am pushing the Trojan onto his system.

This is a routine misinterpretation, and all bloggers have to go through this phase. Well, it’s my time to go through it.

I have contacted the user and tried to clarify the issue for him; I hope that the user correctly understands the situation this time :-)

Bharath M N

Tuesday, March 4, 2008

Zlob Trojan Distributing sites


Site Name: Viewmpgdevice.com
IP Address: 85.255.120.106

Site Name: Aviadaptation.com
IP Address: 85.255.118.181

As usual, the registrar for both sites is ESTDOMAINS, INC. The installers from these sites were scanned and here are the results:

VirusTotal Scan Result: 10/32 (31.25%)

AntiVir 7.6.0.73 2008.03.04 DR/Zlob.Gen
AVG 7.5.0.516 2008.03.03 Downloader.Zlob.ABR
BitDefender 7.2 2008.03.04 Trojan.Downloader.Zlob.ABLJ
ClamAV 0.92.1 2008.03.04 Trojan.Dropper-2529
DrWeb 4.44.0.09170 2008.03.04 Trojan.Popuper.5238
Ikarus T3.1.1.20 2008.03.04 Trojan-Downloader.Zlob.ABLJ
Microsoft 1.3301 2008.03.03 TrojanDownloader:Win32/Zlob
VBA32 3.12.6.2 2008.02.27 suspected of Downloader.Zlob.3
VirusBuster 4.3.26:9 2008.03.03 Trojan.DR.Zlob.CKW!Pac
Webwasher-Gateway 6.6.2 2008.03.04 Trojan.Dropper.Zlob.Gen

Stay away from these sites.

Bharath M N

Monday, March 3, 2008


NEW Rogue Application



Another rogue using the name Pandora-Software is live. This application is not from Bakasoftware; it is from the AntiSpyStorm family.

The rogue application is called SpyMaxx:
Site Name: Spymaxx.com
IP Address: 216.195.54.110

Screenshot of Spymaxx application:

The installer from the site was scanned and here are the results:

VirusTotal Scan Result: 7/32 (21.88%)


Avast 4.7.1098.0 2008.03.02 Win32:VB-EIJ
DrWeb 4.44.0.09170 2008.03.03 BACKDOOR.Trojan
eSafe 7.0.15.0 2008.02.28 suspicious Trojan/Worm
Fortinet 3.14.0.0 2008.03.03 Adware/AntiSpyStorm
Ikarus T3.1.1.20 2008.03.03 Virus.Win32.VB.EIJ
McAfee 5242 2008.02.29 potentially unwanted program Adware-AntiSpyStorm
Microsoft 1.3301 2008.03.03 Program:Win32/AntispyStorm

Stay away from this site.


Bharath M N

New Scam Tactics




Until now we have seen scammers using bogus “Video ActiveX Object Error” and “Image ActiveX Object Error” messages to bait users into downloading a Trojan horse disguised as a codec.

Recently they have come up with a new tactic and started using “Virus Scanner ActiveX Object Error”; the scammers now seem to drop the rogue security application directly rather than having a Trojan horse do the dirty work.

The latest rogue on the internet, “LastDefender”, has been seen using this tactic.

Here is the list of screenshots of the "Scare scan"/"Fake scan" scam sites used by LastDefender:

Bogus "Antivirus Software Error" message

The rogue uses the following sites:

Site Name: Thelastdefender.com
IP Address: 78.31.211.57

This is the “LastDefender” home page.

Site Name: LastDefender.net
IP Address: 78.31.211.45

These are the “LastDefender” scare scan/fake scan pages.



Screenshot of the “LastDefender” Application



The installer from the site was scanned and here are the results:

VirusTotal Scan Result: 10/32 (31.25%)

AVG 7.5.0.516 2008.03.02 Downloader.Generic6.AGDQ
CAT-QuickHeal 9.50 2008.03.01 TrojanDownloader.FraudLoad.h
Fortinet 3.14.0.0 2008.03.03 W32/Dloader.CDG!tr
F-Prot 4.4.2.54 2008.03.02 W32/Heuristic-217!Eldorado
F-Secure 6.70.13260.0 2008.03.03 W32/Downloader.JDU
Kaspersky 7.0.0.125 2008.03.03 Trojan-Downloader.Win32.FraudLoad.h
Microsoft 1.3301 2008.03.03 Trojan:Win32/Malagent
Norman 5.80.02 2008.02.29 W32/Downloader.JDU
Symantec 10 2008.03.03 Downloader.MisleadApp
Webwasher-Gateway 6.6.2 2008.03.03 Riskware.Fake.Lastdefe.3

Stay away from these sites.


Bharath M N

Saturday, March 1, 2008

Week End Updates





Zlob Trojan Distributing Sites:

Site Name: wmvsolution.com
IP address: 85.255.120.109

Site Name: mpgapplication.com
IP address: 85.255.118.180

The component sites associated with Zlob Trojan:

Site Name: pageforsafety.com
IP address: 85.255.116.210
This is a scam Internet Security page advertising rogue security applications.

Site Name: dnserrorslist.com
IP address: 85.255.118.246
This is a fake DNS error page; the site also advertises rogue security applications. (Currently it is advertising WinSecureAV, a rogue security application from the Winfixer family.)

Here is a list of sites directly connected to the SSH family.

Site Name: Entertainaround.com
Site Name: secureinformway.com
Site Name: Gatekl.com
Site Name: Gatecs.com
All these sites share the IP address 85.255.118.246.

Site Name: gatexv.com
IP address: 85.255.118.214

Site Name: Gatenu.com
Site Name: Onlinehelptool.com
All these sites share the IP address 85.255.118.214.


Site Name: gateqa.com
Site Name: asafetyoffice.com
All these sites share the IP address 85.255.118.213.

Site Name: gatews.com
Site Name: securitybrochure.com
Site Name: Gatevj.com
Site Name: Gateow.com
Site Name: Entertainallday.com
All these sites share the IP address 85.255.118.35.

The registrar for all the sites listed above is ESTDOMAINS, INC. These sites, which belong to the SSH family, are created to run the scam and lure users into purchasing rogue security applications.
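The site records in these posts follow a fixed "Site Name: / IP Address:" shape, and the gate URLs in the March 19 post are written with "(dot)" or "(d0t)" in place of dots. As an added example (not the blog's own code), this Python script parses both forms, clusters the hosts by the IP they share (the recurring clue across these posts), and emits a hosts-file blocklist; the sample input is constructed from records already listed on this page.

```python
import re
from collections import defaultdict

# Constructed sample input: records and defanged URLs copied from the posts above.
SAMPLE = """
Site Name: Gateqy.com
IP Address: 85.255.118.212

Gateqy(dot)com/gatevc.php?pn=srch0p1total7s2&c=441048

Site Name: Gatewp.com
IP Address: 85.255.118.211

Site Name: Protectioncase.com
IP Address: 85.255.118.210

Site Name: Gateuq.com
IP Address: 85.255.118.210

www(dot)allcollisions.com/get.php?partner=1012 -> downloads VirusHeat
mspctoolbar(d0t)com/go.php?step=1
"""

# "Site Name: X" followed by "IP Address: a.b.c.d" on the next line
RECORD_RE = re.compile(r"Site Name:\s*(\S+)\s+IP Address:\s*(\d{1,3}(?:\.\d{1,3}){3})", re.I)
# a host written with "(dot)"/"(d0t)" in place of at least one ".", plus an optional path
HOST_PART = r"[\w-]+(?:\.[\w-]+)*"
DEFANG_RE = re.compile(r"\b(" + HOST_PART + r"(?:\((?:dot|d0t)\)" + HOST_PART + r")+)(/\S*)?", re.I)

def refang(host):
    """Turn 'example(dot)com' / 'example(d0t)com' back into 'example.com'."""
    return re.sub(r"\((?:dot|d0t)\)", ".", host, flags=re.I).lower()

def parse_records(text):
    """Return {hostname: ip} for every Site Name / IP Address pair."""
    return {name.lower(): ip for name, ip in RECORD_RE.findall(text)}

def parse_defanged_urls(text):
    """Return (refanged host, path) tuples for every defanged URL in the text."""
    return [(refang(host), path) for host, path in DEFANG_RE.findall(text)]

def cluster_by_ip(records):
    """Group hostnames by the IP they share; shared hosting is what ties these sites together."""
    groups = defaultdict(list)
    for host, ip in records.items():
        groups[ip].append(host)
    return {ip: sorted(hosts) for ip, hosts in groups.items()}

def hosts_blocklist(records, extra_hosts=()):
    """Emit hosts(5) lines that sink every known host to 0.0.0.0."""
    return "\n".join(f"0.0.0.0 {h}" for h in sorted(set(records) | set(extra_hosts)))

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for ip, hosts in sorted(cluster_by_ip(recs).items()):
        print(ip, "->", ", ".join(hosts))
    print(hosts_blocklist(recs, (h for h, _ in parse_defanged_urls(SAMPLE))))
```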




Site Name: Websoft-c.com
IP Address: 202.71.102.101
This site pushes a Trojan horse disguised as a fake codec.

New Rogue Security applications:

Site Name: TheSpyBot.com
IP Address: 78.108.183.32



ScreenShot of TheSpyBot Application


Site Name: SpyWatchE.com
IP Address: 78.108.183.32


ScreenShot of SpyWatchE Application

TheSpyBot and SpyWatchE are rogue security applications; both are new members of the SpywareNo family.

This group is again busy cloning its applications and spreading them on the internet.



Site Name: Mastertools.us
IP Address: 85.255.121.76

ScreenShot of SpyKillerPro Application

The site distributes SpyKillerPro, a well-documented rogue security application. More on this rogue security application here.

Stay safe and do not visit any of these sites.

Bharath M N