Sunday, April 13, 2008

Week End Updates

New Member of SpywareNo\ SpySheriff Family

AntiVirProtect is a new rogue security application from the SpywareNo\ SpySheriff family. It is installed on the user's system through various Trojan horse programs and other dubious means.

Site Name: AntiVirProtect.com
IP Address: 69.50.190.14
Registrar: ESTDOMAINS, INC.

Screenshot of site AntiVirProtect.com

Once the AntiVirProtect trial version is installed, the application mimics a system scan and reports a large number of imaginary spyware infections. It then prompts the user to buy the full version to remove the reported risks.

The scammers simply change the file, application and site names to keep pushing this rogue security application. They do this to avoid detection by security applications.

Screenshot of AntiVirProtect application

The installer from the site was scanned and here are the results:

VirusTotal Scan Result: 7/32 (21.88%)

Avast 4.8.1169.0 2008.04.13 Win32:FraudLoad-P
AVG 7.5.0.516 2008.04.12 Downloader.Webinstall.B
DrWeb 4.44.0.09170 2008.04.13 Adware.Spysheriff
Ikarus T3.1.1.26.0 2008.04.13 Virus.Win32.FraudLoad.P
Kaspersky 7.0.0.125 2008.04.13 not-a-virus:FraudTool.Win32.SpySheriff.ad
NOD32v2 3021 2008.04.12 a variant of Win32/Adware.SpySheriff
Prevx1 V2 2008.04.13 AntiSpywareShield:Spyware-a

VipAntiSpyware

VipAntiSpyware is a new rogue security application installed on the user's system through dubious means.

Site Name: Vipantispyware.com
IP Address: 217.150.254.4
Registrar: ESTDOMAINS, INC.

Screenshot of site Vipantispyware.com

Once the VipAntiSpyware trial version is installed, the application mimics a system scan and reports a large number of imaginary spyware infections. It then prompts the user to buy the full version to remove the reported risks.

The rogue also uses the following scam site to trick users into downloading or purchasing this rogue security application.

Site Name: Vipantiscanner.com
IP Address: 217.150.254.4
Registrar: ESTDOMAINS, INC.

Screenshot of Fake/Scare Scan Page Vipantiscanner.com


Screenshot of VipAntiSpyware Application

The installer from the site was scanned and here are the results:

VirusTotal Scan Result: 5/32 (15.63%)

CAT-QuickHeal 9.50 2008.04.12 FraudTool.SpywareIsolator.a (Not a Virus)
Ewido 4.0 2008.04.13 Not-A-Virus.PUP.SpywareIsolator
Ikarus T3.1.1.26.0 2008.04.13 not-a-virus:.FraudTool.Win32.SpywareIsolator.a
Kaspersky 7.0.0.125 2008.04.13 not-a-virus:FraudTool.Win32.SpywareIsolator.a
Prevx1 V2 2008.04.13 SpywareIsolator:Spyware-a

As you can see, detection of these rogues is poor. Stay away from these rogue-distributing sites.
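Although the file, application and site names change, the vendor labels in the two scan results above still point back to known families. The following added example (not part of the original post) parses those result lines and counts how many engines agree on each family name; the `GENERIC` stop-word list and the "first non-generic token" heuristic are assumptions made for this illustration.

```python
import re
from collections import Counter

# Scan result lines copied from this post: engine, version, date, label.
SCANS = {
    "AntiVirProtect": """\
Avast 4.8.1169.0 2008.04.13 Win32:FraudLoad-P
AVG 7.5.0.516 2008.04.12 Downloader.Webinstall.B
DrWeb 4.44.0.09170 2008.04.13 Adware.Spysheriff
Ikarus T3.1.1.26.0 2008.04.13 Virus.Win32.FraudLoad.P
Kaspersky 7.0.0.125 2008.04.13 not-a-virus:FraudTool.Win32.SpySheriff.ad
NOD32v2 3021 2008.04.12 a variant of Win32/Adware.SpySheriff
Prevx1 V2 2008.04.13 AntiSpywareShield:Spyware-a""",
    "VipAntiSpyware": """\
CAT-QuickHeal 9.50 2008.04.12 FraudTool.SpywareIsolator.a (Not a Virus)
Ewido 4.0 2008.04.13 Not-A-Virus.PUP.SpywareIsolator
Ikarus T3.1.1.26.0 2008.04.13 not-a-virus:.FraudTool.Win32.SpywareIsolator.a
Kaspersky 7.0.0.125 2008.04.13 not-a-virus:FraudTool.Win32.SpywareIsolator.a
Prevx1 V2 2008.04.13 SpywareIsolator:Spyware-a""",
}

# Assumption: platform, category and filler words that carry no family information.
GENERIC = {"win32", "virus", "not", "variant", "of", "adware", "spyware",
           "fraudtool", "downloader", "pup"}
# The date is the only fixed-format field, so it anchors the split.
LINE = re.compile(r"^(\S+)\s+.*?\s(\d{4}\.\d{2}\.\d{2})\s+(.+)$")

def parse(line):
    """Return (engine, signature date, detection label) for one result line."""
    m = LINE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised scan line: {line!r}")
    return m.group(1), m.group(2), m.group(3)

def family(label):
    """Return the first non-generic token longer than 3 chars, lower-cased, or None."""
    for tok in re.split(r"[^A-Za-z0-9]+", label):
        if len(tok) > 3 and tok.lower() not in GENERIC:
            return tok.lower()
    return None

def family_votes(report):
    """Count how many engines agree on each family name for one installer."""
    return Counter(family(parse(l)[2]) for l in report.splitlines())

if __name__ == "__main__":
    for product, report in SCANS.items():
        print(product, family_votes(report).most_common())
```

Three engines place the AntiVirProtect installer in the SpySheriff family and all five detections of VipAntiSpyware name SpywareIsolator, so the family label is a more stable pivot than the product or site name.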

Bharath MN
