Wednesday, January 30, 2008

New Zlob Trojan Distributing Site

Site Name: pvgadget.com
IP address: 85.255.118.181
Registrar: ESTDOMAINS, INC.
Name Servers:
ns1.pvgadget.com [85.255.118.181]
ns2.pvgadget.com [85.255.118.182]

The Zlob Trojan stealthily installs VirusProtect 3.9 [virusprotectpro(dot)com], a well documented rogue security application.

The installer from the site was scanned and here are the results:

Virustotal Scan Result: 7/32 (21.88%)

AntiVir 7.6.0.57 2008.01.29 DR/Zlob.Gen
AVG 7.5.0.516 2008.01.30 Downloader.Zlob.RN
BitDefender 7.2 2008.01.30 DeepScan:Generic.Zlob.7.E65C926C
ClamAV 0.91.2 2008.01.29 Trojan.Dropper-2529
F-Prot 4.4.2.54 2008.01.29 W32/Zlob.I.gen!Eldorado
Microsoft 1.3109 2008.01.28 TrojanDownloader:Win32/Zlob.gen!AL
Webwasher-Gateway 6.6.2 2008.01.29 Trojan.Dropper.Zlob.Gen

Sunbelt Sandbox analysis here

Stay away from this site.

Bharath M N

Wednesday, January 23, 2008

Another Set of Malicious Domains

Zlob Trojan Distributing Sites:

Site Name: Tuvcompany.com
IP address: 85.255.120.106
Registrar: ESTDOMAINS, INC.
Name Servers:
ns1.tuvcompany.com [85.255.120.106]
ns2.tuvcompany.com [85.255.120.107]


Site Name: Garfirm.com
IP address: 85.255.118.179
Registrar: ESTDOMAINS, INC
Name Servers:
ns1.garfirm.com [85.255.118.179]
ns2.garfirm.com [85.255.118.180]


The installers from these two sites were scanned and here are the results:

Virustotal Scan Result: 6/32 (18.75%)

AVG 7.5.0.516 2008.01.22 Downloader.Zlob.RN
BitDefender 7.2 2008.01.22 DeepScan:Generic.Zlob.7.883E035E
ClamAV 0.91.2 2008.01.22 Trojan.Dropper-2529
DrWeb 4.44.0.09170 2008.01.22 Trojan.Popuper.origin
F-Prot 4.4.2.54 2008.01.22 W32/Zlob.I.gen!Eldorado
Microsoft 1.3109 2008.01.22 TrojanDownloader:Win32/Zlob.gen!AL

The component sites associated with Zlob Trojan:

Scam Internet Security Page:

Site Name: Allsecuritypage.com
IP Address: 85.255.116.210
Registrar: ESTDOMAINS, INC
Name Servers:
ns1.allsecuritypage.com [85.255.116.210]
ns2.allsecuritypage.com [85.255.116.211]

This site promotes well documented Rogue Security applications.

404Errorpage Scam:

Site Name: Errorbrowser.com
IP Address: 85.255.118.246
Registrar: ESTDOMAINS, INC.
Name Servers:
ns1.errorbrowser.com [85.255.118.246]
ns2.errorbrowser.com [85.255.118.242]

This is a 404errorpage scam advertising AntiSpywareSuite, a well documented rogue security application.

Security Guide Scam Page:

Site Name: Protectionstack.com
IP Address: 85.255.118.212
Registrar: ESTDOMAINS, INC.
Name Servers:
ns1.protectionstack.com [85.255.118.212]
ns2.protectionstack.com [85.255.118.213]

AdServer-Gate Pages:

Site Name: Gatehe.com
IP Address: 85.255.118.214
Registrar: ESTDOMAINS, INC.
Name Servers:
ns1.gatehe.com [85.255.118.214]
ns2.gatehe.com [85.255.118.34]


Site Name: Gatepo.com
IP address: 85.255.118.34
Registrar: ESTDOMAINS, INC.
Name Servers:
ns1.gatepo.com [85.255.118.34]
ns2.gatepo.com [85.255.118.35]

Protection Center Scam Page:

Site Name: Asafetyalways.com
IP address: 85.255.118.213
Registrar: ESTDOMAINS, INC.
Name Servers:
ns1.asafetyalways.com [85.255.118.213]
ns2.asafetyalways.com [85.255.118.214]

Other Malicious domain:

Site Name: Websoft-b.com
IP Address: 202.71.102.101
Registrar: ESTDOMAINS, INC.
Name Servers:
ns1.websoft-b.com [202.71.102.101]
ns2.websoft-b.com [202.71.102.101]

The installer from the site was scanned and here are the results:

Virustotal Scan Result: 6/32 (18.75%)

Authentium 4.93.8 2008.01.22 is a security risk or a "backdoor" program
Avast 4.7.1098.0 2008.01.22 -
AVG 7.5.0.516 2008.01.22 Downloader.Zlob.TQU
ClamAV 0.91.2 2008.01.22 Trojan.Zlob-961
F-Prot 4.4.2.54 2008.01.22 W32/ZlobN.J.gen
Microsoft 1.3109 2008.01.22 TrojanDropper:Win32/Zlob.gen!A
VBA32 3.12.2.5 2008.01.21 MalwareScope.Worm.Nuwar-Glowa.1

DNS Changer Trojan Distributing Site:

Site Name: Hqcodecvip.com
IP Address: 64.28.184.172
Registrar: ESTDOMAINS, INC.
Name Servers:
ns1.hqcodecvip.com [64.28.184.162]
ns2.hqcodecvip.com [64.28.184.168]
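As an added example (my own code, not the blog's), here is a small Python parser for the "Site Name / IP / Registrar / Name Servers" records used throughout these posts. It tolerates the occasionally missing closing bracket, groups the listed domains by every IP they use as web host or name server, so overlaps like ns2.gatehe.com sitting on Gatepo.com's address surface automatically, and emits a hosts-file blocklist covering the domains and their name-server hosts. The embedded records are copied from this post; the function names are my own choice.

```python
"""Parse the 'Site Name / IP / Registrar / Name Servers' records used in these
posts into structured indicators, report hosting overlap (domains sharing an IP,
or whose name servers sit on another listed domain's address) and emit a
hosts-file blocklist.  Added example; the records below are copied from the post."""
import re
from collections import defaultdict

# Records copied from the post above, in the exact layout the blog prints them.
SAMPLE_RECORDS = """\
Site Name: Gatehe.com
IP Address: 85.255.118.214
Registrar: ESTDOMAINS, INC.
Name Servers:
ns1.gatehe.com [85.255.118.214]
ns2.gatehe.com [85.255.118.34]

Site Name: Gatepo.com
IP address: 85.255.118.34
Registrar: ESTDOMAINS, INC.
Name Servers:
ns1.gatepo.com [85.255.118.34]
ns2.gatepo.com [85.255.118.35]

Site Name: Asafetyalways.com
IP address: 85.255.118.213
Registrar: ESTDOMAINS, INC.
Name Servers:
ns1.asafetyalways.com [85.255.118.213]
ns2.asafetyalways.com [85.255.118.214]

Site Name: Websoft-b.com
IP Address: 202.71.102.101
Registrar: ESTDOMAINS, INC.
Name Servers:
ns1.websoft-b.com [202.71.102.101]
ns2.websoft-b.com [202.71.102.101]
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
SITE_RE = re.compile(r"^Site Name:\s*(\S+)", re.I)
IP_RE = re.compile(r"^IP Address:\s*" + IPV4, re.I)
REG_RE = re.compile(r"^Registrar:\s*(.+?)\.?\s*$", re.I)
# Name-server lines; the posts sometimes drop the closing bracket, so it is optional.
NS_RE = re.compile(r"^(\S+)\s*\[" + IPV4 + r"\]?\s*$")


def parse_records(text):
    """Return a list of dicts: {domain, ip, registrar, nameservers: [(host, ip)]}."""
    records, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SITE_RE.match(line)
        if m:
            cur = {"domain": m.group(1).lower(), "ip": None,
                   "registrar": None, "nameservers": []}
            records.append(cur)
            continue
        if cur is None:
            continue
        if (m := IP_RE.match(line)):
            cur["ip"] = m.group(1)
        elif (m := REG_RE.match(line)):
            cur["registrar"] = m.group(1).upper()   # trailing period normalised away
        elif (m := NS_RE.match(line)):
            cur["nameservers"].append((m.group(1).lower(), m.group(2)))
    return records


def hosting_overlap(records):
    """Map each IP to the sorted domains that use it as web host or name server,
    keeping only IPs shared by more than one domain (the overlap the posts point out)."""
    by_ip = defaultdict(set)
    for r in records:
        if r["ip"]:
            by_ip[r["ip"]].add(r["domain"])
        for _host, ip in r["nameservers"]:
            by_ip[ip].add(r["domain"])
    return {ip: sorted(doms) for ip, doms in by_ip.items() if len(doms) > 1}


def hosts_blocklist(records):
    """hosts-file lines sinkholing every listed domain and its name-server hosts."""
    names = set()
    for r in records:
        names.add(r["domain"])
        names.update(host for host, _ip in r["nameservers"])
    return [f"0.0.0.0 {n}" for n in sorted(names)]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for ip, doms in sorted(hosting_overlap(recs).items()):
        print(ip, "->", ", ".join(doms))
    print("\n".join(hosts_blocklist(recs)))
```

Run as-is it reports 85.255.118.34 shared by gatehe.com and gatepo.com and 85.255.118.214 shared by asafetyalways.com and gatehe.com, then prints twelve hosts-file lines. Feeding it the other posts' records (they use the same layout) extends both the overlap map and the blocklist without changes.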

Stay away from these sites.

Bharath M N
Special Thanks to Patrick Jordan

Tuesday, January 22, 2008

More sites distributing Rogue Security applications

Site Name: Securecleaner.com
IP Address: 69.50.166.142
Registrar: ESTDOMAINS, INC.
Name Servers:
ns.securecleaner.com [69.50.166.142]


This site distributes a rogue security application called SecureCleaner. The rogue application this site promotes belongs to the Spywareno/SpySheriff family.

Screenshot of SecureCleaner Website:

The installer from the site was scanned and here is the scan result:

VirusTotal Scan Result: 2/32 (6.25%)

AVG 7.5.0.516 2008.01.21 Adware Generic2.AALS
NOD32v2 2812 2008.01.21 a variant of Win32/Adware.SpySheriff


Site Name: Sys-cleaner.com
IP Address: 88.208.1.10
Registrar: GODADDY.COM, INC.
Name Servers:
ns39.domaincontrol.com [208.109.78.191]
ns40.domaincontrol.com [208.109.255.20]

This site distributes a rogue security application called Sys-Cleaner. The rogue application this site promotes belongs to the Ultimate Defender family.

Screenshot of Sys-Cleaner Website:


Screenshot of Sys-Cleaner promoter:


The installer from the site was scanned and here is the scan result:

VirusTotal Scan Result: 6/32 (18.75%)

BitDefender 7.2 2008.01.22 Trojan.Adloader.JC
eSafe 7.0.15.0 2008.01.16 suspicious Trojan/Worm
Ikarus T3.1.1.20 2008.01.21 not-a-virus:.FraudTool.Win32.UltimateDefender.a
Panda 9.0.0.4 2008.01.21 Suspicious file
Prevx1 V2 2008.01.22 Heuristic: Suspicious File With Outbound Communications
Symantec 10 2008.01.22 EliteProtector


Site Name: Eliteprotector.com
IP Address: 88.208.1.11
Registrar: ESTDOMAINS, INC.
Name Servers:
ns1.eliteprotector.com [85.255.120.122]
ns2.eliteprotector.com [85.255.120.126]

This site distributes a rogue security application called EliteProtector. The rogue application this site promotes belongs to the Ultimate Defender family.

Screenshot of EliteProtector Website:

The installer from the site was scanned and here is the scan result:

VirusTotal Scan Result: 17/32 (53.13%)

AhnLab-V3 2008.1.22.10 2008.01.21 Win-Trojan/Xema.variant
AntiVir 7.6.0.48 2008.01.21 TR/Crypt.XDR.Gen
Authentium 4.93.8 2008.01.21 W32/Dropper.gen6
CAT-QuickHeal 9.00 2008.01.21 FraudTool.UltimateDefender.v (Not a Virus)
eSafe 7.0.15.0 2008.01.16 suspicious Trojan/Worm
Fortinet 3.14.0.0 2008.01.21 Misc/UltimateDefender
F-Prot 4.4.2.54 2008.01.21 W32/Dropper.gen6
F-Secure 6.70.13260.0 2008.01.21 W32/Smalltroj.BRAP
Ikarus T3.1.1.20 2008.01.21 not-a-virus:.FraudTool.Win32.UltimateDefender.v
Kaspersky 7.0.0.125 2008.01.22 not-a-virus:FraudTool.Win32.UltimateDefender.v
Microsoft 1.3109 2008.01.22 Trojan:Win32/Anomaly.gen!A
Norman 5.80.02 2008.01.21 W32/Smalltroj.BRAP
Sophos 4.24.0 2008.01.22 Sus/Dropper-A
Sunbelt 2.2.907.0 2008.01.17 Trojan.Crypt.XDR.Gen
Symantec 10 2008.01.22 EliteProtector
TheHacker 6.2.9.193 2008.01.22 Aplicacion/UltimateDefender.v
Webwasher-Gateway 6.6.2 2008.01.21 Trojan.Crypt.XDR.Gen


Site Name: xpantiviruspro.com
IP Address: 69.50.183.50
Registrar: ESTDOMAINS, INC.
Name Servers:
managedns1.estboxes.com [69.50.182.20]
managedns2.estboxes.com [69.50.183.26]
managedns3.estboxes.com [69.50.182.22]
managedns4.estboxes.com [69.50.183.30]

This site distributes a rogue security application called XPantiviruspro.

Screenshot of XPantiviruspro Website:

Screenshot of XPantiviruspro fake scanner page


The installer from the site was scanned and here is the scan result:

VirusTotal Scan Result: 14/32 (43.75%)

AntiVir 7.6.0.48 2008.01.21 TR/Delphi.Downloader.Gen
DrWeb 4.44.0.09170 2008.01.21 Trojan.Fakealert.401
eSafe 7.0.15.0 2008.01.16 suspicious Trojan/Worm
Ewido 4.0 2008.01.21 Not-A-Virus.Downloader.Win32.XpAntivirus.c
F-Secure 6.70.13260.0 2008.01.21 W32/DLoader.EWBA
Ikarus T3.1.1.20 2008.01.21 not-a-virus:Downloader.Win32.XpAntivirus.c
Kaspersky 7.0.0.125 2008.01.22 not-a-virus:Downloader.Win32.XpAntivirus.c
McAfee 5212 2008.01.21 FakeAlert-AB.dldr
Norman 5.80.02 2008.01.21 W32/DLoader.EWBA
Panda 9.0.0.4 2008.01.21 Adware/Xpantivirus2008
Prevx1 V2 2008.01.22 Heuristic: Suspicious File With Outbound Communications
Sophos 4.24.0 2008.01.21 Sus/DelpDldr-A
Symantec 10 2008.01.22 Downloader.MisleadApp
Webwasher-Gateway 6.6.2 2008.01.21 Trojan.Delphi.Downloader.Gen


Site Name: xpcleanerpro.com
IP Address: 69.50.183.51
Registrar: ESTDOMAINS, INC.
Name Servers:
managedns1.estboxes.com [69.50.182.20]
managedns2.estboxes.com [69.50.183.26]
managedns3.estboxes.com [69.50.182.22]
managedns4.estboxes.com [69.50.183.30]


This site distributes a bogus drive cleaner application called XPcleanerpro. There is no proper download for this bogus drive cleaner; only a notepad.exe file is available for download.

Screenshot of XPcleanerpro Website:

Stay away from all these sites.

Bharath M N

Saturday, January 19, 2008

Another Site distributing Fake codec

Site Name: iwannaseeyounude.com
IP Address: 195.5.117.234
Registrar: ESTDOMAINS, INC.
Name Servers:
ns1.iwannaseeyounude.com [195.5.117.234]
ns2.iwannaseeyounude.com [195.5.117.234]

The installer from the site was scanned and here are the results:

Virustotal Scan Result: 11/32 (34.38%)
AntiVir 7.6.0.48 2008.01.18 HEUR/Malware
BitDefender 7.2 2008.01.18 Trojan.Downloader.Codec.C
eSafe 7.0.15.0 2008.01.16 Suspicious File
eTrust-Vet 31.3.5468 2008.01.18 Win32/Burgspill!generic
Fortinet 3.14.0.0 2008.01.18 W32/Zlob.EJC!tr.dldr
F-Secure 6.70.13260.0 2008.01.18 Suspicious:W32/Malware!Gemini
Microsoft 1.3109 2008.01.18 Trojan:Win32/Delflob.I
Panda 9.0.0.4 2008.01.18 Suspicious file
Sophos 4.24.0 2008.01.18 Mal/DelpDldr-E
VBA32 3.12.2.5 2008.01.15 suspected of Win32.Trojan.Downloader
Webwasher-Gateway 6.6.2 2008.01.18 Heuristic.Malware

There are two more sites sharing the same IP address:

Site Name: Mymysticporn.com
Name Servers:
ns1.mymysticporn.com [195.5.117.234]
ns2.mymysticporn.com [195.5.117.234]

Site Name: Somenudefuck.com
Name Servers:
ns1.somenudefuck.com [195.5.117.234]
ns2.somenudefuck.com [195.5.117.234]

The sites' registrar is ESTDOMAINS, INC., well known for its association with scam and malicious sites. The registrant for these sites is hidden behind PrivacyProtect.org.

Stay away from the above mentioned sites.

Bharath M N

Friday, January 18, 2008

Malicious Sites

More Malicious Sites To Block

Here is a list of malicious porn sites that you have to block.

Sites sharing IP: 66.232.127.128

Cepugy(dot)com
Lizuqa(dot)com
Nufude(dot)com
Pemise(dot)com
Pihynu(dot)com
Tyfiji(dot)com
Vejyqy(dot)com
Vybylo(dot)com
Wamuvi(dot)com
Wifype(dot)com
Xigeta(dot)com
Xxx-er(dot)com
Ymynan(dot)com

Sites sharing IP: 74.50.99.245

Bafuje(dot)com
Bujiwe(dot)com
Bynute(dot)com
Bytohu(dot)com
Ciwulo(dot)com
Cupevu(dot)com
Cylozo(dot)com
Cyvypo(dot)com
Dahuba(dot)com
Dexija(dot)com
Fabyqa(dot)com
Fesesa(dot)com
Frestheapple(dot)info
Hehepu(dot)com
Hosting-fastest(dot)com
Kemyny(dot)com
Keweli(dot)com
Kosoze(dot)com
Lyxano(dot)com
Nuwefi(dot)com
Piloka(dot)com
Pukuda(dot)com
Qumuqe(dot)com
Quveni(dot)com
Raqylu(dot)com
Riguwy(dot)com
Rumuby(dot)com
Sigumu(dot)com
Sivipo(dot)com
Tejeki(dot)com
Tuqexi(dot)com
Vafygi(dot)com
Wequxe(dot)com
Wicihe(dot)com
Wotyhi(dot)com
Xaloke(dot)com
Xaxosi(dot)com
Zobose(dot)com
Zunaku(dot)com

Sites sharing IP: 66.232.114.56

Bifowy(dot)com
Firaja(dot)com
Kabity(dot)com
Popyjo(dot)com
Punyte(dot)com
Qusetu(dot)com

Sites sharing IP: 66.232.126.212

Fetaby(dot)com
Hupano(dot)com
Hycefo(dot)com
Kijahe(dot)com
Kytowa(dot)com
Wibek(dot)com

Sites sharing IP: 66.232.113.57

043340(dot)com
Allxlive(dot)com
Arkdo(dot)com
Efpor(dot)com
Erdba(dot)com
Eresitio(dot)com
Etyec(dot)com
Ez3re(dot)com
Ezghf(dot)com
Eztyt(dot)com
Freeefs(dot)com
Freefty(dot)com
Freefyt(dot)com
Fsiiw(dot)com
Gotfs(dot)com
Gufuvu(dot)com
Gugto(dot)com
Guufs(dot)com
Hotghg(dot)com
Iesfe(dot)com
Infgt(dot)com
Iredg(dot)com
Ishga(dot)com
Jitrs(dot)com
Kithg(dot)com
Koddirect(dot)com
Leehg(dot)com
Mabuty(dot)com
Me5rt(dot)com
Menwe(dot)com
Moretyt(dot)com
My3ed(dot)com
Myfty(dot)com
Myfyt(dot)com
Myghgty(dot)com
Nydas(dot)com
Officialghgty(dot)com
Ofsam(dot)com
Ongil(dot)com
Onlinetyt(dot)com
Paskalsite(dot)com
Piuwi(dot)com
Planettyt(dot)com
Pukezi(dot)com
Rsqwf(dot)com
Rwtci(dot)com
Safyki(dot)com
Sdsob(dot)com
Search-now-best(dot)com
Thekeyse(dot)com
Tytahi(dot)com
Tytnation(dot)com
Tytot(dot)com
Urlfg(dot)com
Verynews-syte(dot)com
Wifsc(dot)com
Yamfe(dot)com
Yepcar(dot)com
Yourfyt(dot)com
Bvboo(dot)com
Iasdf(dot)com
Gofjf(dot)com
Myfd4(dot)com

Sites sharing IP: 66.232.120.110

Besateg(dot)com
Bivydur(dot)com
Cacocyx(dot)com
Cawunyj(dot)com
Cuhadiq(dot)com
Fahujav(dot)com
Fesesak(dot)com
Fokatyz(dot)com
Fresthebus(dot)info
Fyfyhal(dot)com
Gebosuc(dot)com
Hewerij(dot)com
Hilecyf(dot)com
Hypertz(dot)com
Keramum(dot)com
Kixitiv(dot)com
Ludoby(dot)com
Luxivej(dot)com
Majefem(dot)com
Norifyc(dot)com
Nypibyw(dot)com
Nytyfij(dot)com
Pihizi(dot)com
Pudocaq(dot)com
Pyvevas(dot)com
Qanadoz(dot)com
Qycuho(dot)com
Sapisyk(dot)com
Sywebeb(dot)com
Syzilys(dot)com
Telabov(dot)com
Tenykyg(dot)com
Tikiwe(dot)com
Tuffik(dot)com
Tusixyh(dot)com
Tyzyfiz(dot)com
Vinoheq(dot)com
Wohotim(dot)com

Please do not visit any of these sites. They are involved in spreading rogue security applications, fake alert Trojans and fake codec installers.

Some of the above mentioned sites redirect the user to other malicious porn sites (most of the time to sites in the above list itself).

Some of the sites link or redirect to other pages where the site asks the user to download a codec to view porn online (the same old trick to push Trojans and rogue security applications).

Some of the sites have a script written to open up a fake scanner page when you close the website.

maxing-search(dot)com/s.php is one of the pages that opens up when you close the porn site. This PHP script (i.e. maxing-search(dot)com/s.php) opens a fake scanner page; the AntiSpywareBoss fake scanner page is the latest one this script redirects to.


Stay safe and don’t visit any of the above mentioned sites.

Bharath M N

Thursday, January 17, 2008

AntiSpywareBoss.com

AntiSpywareBoss is yet another rogue security application. The site also uses fake scan pages to scare users into purchasing the application.

Screenshot of AntiSpywareBoss Website:

Site Name: AntiSpywareBoss.com
IP Address: 216.255.188.108
Registrar: ESTDOMAINS, INC.
Registrant: Hidden behind PrivacyProtect.org
Name Servers:
ns1.antispywareboss.com [216.255.188.108]
ns2.antispywareboss.com [216.255.188.109]

Screenshot of Fake Scan page

Screenshot of Fake Scan page

More Scare scan page Screenshots:

I scanned the installer file from the site and none of the scan engines detected this rogue security application.
ThreatExpert Report here

Stay away from this site.

Bharath M N

Wednesday, January 16, 2008

New Pack of Malicious sites

Site Name: siiprogram.com
IP Address: 85.255.118.180
Registrar: ESTDOMAINS, INC.
Name Servers:
ns1.siiprogram.com [85.255.118.180]
ns2.siiprogram.com [85.255.118.181]

Site Name: sisperformance.com
IP Address: 85.255.120.110
Registrar: ESTDOMAINS, INC.
Name Servers:
ns1.sisperformance.com [85.255.120.110]
ns2.sisperformance.com [85.255.120.106]

The installers from these two sites were scanned and here are the results:

Virustotal Scan Result: 7/32 (21.88%)

Avast 4.7.1098.0 2008.01.15 Win32:Zlob-AHS
AVG 7.5.0.516 2008.01.15 Downloader.Zlob.RN
BitDefender 7.2 2008.01.15 Trojan.Downloader.Zlob.ABGS
ClamAV 0.91.2 2008.01.15 Trojan.Dropper-2529
DrWeb 4.44.0.09170 2008.01.15 Trojan.Popuper.origin
F-Prot 4.4.2.54 2008.01.14 W32/Zlob.I.gen!Eldorado
Microsoft 1.3109 2008.01.15 TrojanDownloader:Win32/Zlob.gen!AL

Site Name: websoft-a.com
IP Address: 79.143.178.30
Registrar: ESTDOMAINS, INC.
Name Servers:
ns1.websoft-a.com [79.143.178.30]
ns2.websoft-a.com [79.143.178.30]

The installer from the site was scanned and here are the results:

Virustotal Scan Result: 7/32 (21.88%)

AntiVir 7.6.0.48 2008.01.15 TR/Dldr.Zlob.KA
BitDefender 7.2 2008.01.15 Trojan.Peed.ISW
CAT-QuickHeal 9.00 2008.01.15 (Suspicious) - DNAScan
eSafe 7.0.15.0 2008.01.15 Suspicious File
Ikarus T3.1.1.20 2008.01.15 MalwareScope.Worm.Nuwar-Glowa.1
VBA32 3.12.2.5 2008.01.15 MalwareScope.Worm.Nuwar-Glowa.1
Webwasher-Gateway 6.6.2 2008.01.15 Trojan.Dldr.Zlob.KA

Few more sites that are distributing malicious codes:

216.40.219.141
77.91.227.194
77.91.228.186

The installers from these sites were scanned and here are the results:

Virustotal Scan Result: 4/32 (12.5%)
Avast 4.7.1098.0 2008.01.15 Win32:Agent-LTS
AVG 7.5.0.516 2008.01.15 Downloader.Zlob
CAT-QuickHeal 9.00 2008.01.15 Win32.AdWare.Boran.ah
Microsoft 1.3109 2008.01.15 TrojanDownloader:Win32/Zlob.gen!L

Stay away from these sites…

Bharath M N

Thursday, January 10, 2008

AntiSpyCheck.com

AntiSpyCheck is another classic example of a rogue security application. AntiSpyCheck is a successor of the AdProtect rogue security application.

Screenshot of AntiSpyCheck Website

I must mention that AntiSpyCheck.com has done a lot of work on their website, especially copying the AdProtect.com website and removing a few of its contents. :-)

The AntiSpyCheck site uses most of the files used by AdProtect, but they have changed the names.

Site name: AntiSpyCheck.com
IP address: 85.255.121.178
Registrar: ESTDOMAINS, INC.
Registrant: Hidden behind PrivacyProtect.org


Screenshot of AntiSpyCheck Application

Screenshot of AntiSpyCheck Application nagging message box

The trial version of the application detects many false threats (usually legitimate registry keys) on the system and nags the user to purchase the full version in order to remove the threats detected.

I scanned the installer file from the site:

VirusTotal Scan Result: 3/32 (9.38%)

Avast 4.7.1098.0 2008.01.08 Win32:MailBot-N
Microsoft 1.3109 2008.01.08 Program:Win32/SpyAxe
NOD32v2 2775 2008.01.08 Win32/Adware.AdProtect

I also scanned the main exe file of the application:

Virustotal Scan Result: 6/32 (18.75%)

Avast 4.7.1098.0 2008.01.08 Win32:MailBot-N
F-Prot 4.4.2.54 2008.01.08 W32/HackTool.CNX
Ikarus T3.1.1.20 2008.01.09 Virus.Win32.Mailbot.N
Panda 9.0.0.4 2008.01.08 Suspicious file
Prevx1 V2 2008.01.09 Heuristic: Suspicious Self Modifying EXE
Webwasher-Gateway 6.6.2 2008.01.08 Riskware.Fake.SpywareAxe

Stay away from this rogue security application.

Bharath M N

Wednesday, January 9, 2008

MalwareCrush.com

MalwareCrush is a rogue security application from the SSH family (as termed by Webhelper). Well, a bit late on writing about this rogue security application :-)

Does this icon look familiar? Bingo!!! Yes, this is the same old icon used by the predecessor of MalwareCrush. The application is a clone of VirusBurst, SpywareQuake, SpyAxe, and so on.




Screenshot of MalwareCrush Website:

Fake Scan Page

Fake Scan Page

Screenshot of MalwareCrush Application


Site name: malwarecrush.com
IP Address: 207.226.175.54
Name Servers:
ns2.malwarecrush.com
ns1.malwarecrush.com
Registrant: Hidden behind PrivacyProtect.org

I scanned the setup file from MalwareCrush.com:

VirusTotal Scan Result: 1/32 (3.13%)
Kaspersky - - not-a-virus:FraudTool.Win32.MalwareCrush.a

I also scanned the Installer file from Scan.MawareCrush.com (fake scan page)

VirusTotal Scan Result: 14/32 (43.75%)

AntiVir - - DR/FakeAlert.PG.4
AVG - - SHeur.AKJJ
BitDefender - - Dropped:Trojan.FakeAlert.PG
ClamAV - - Trojan.Downloader-19777
Ewido - - Downloader.Agent.eyv
Fortinet - - Misc/Renos
F-Prot - - W32/Downldr2.AUXO
Ikarus - - Trojan.Fakealert.PG
Kaspersky - - Trojan-Downloader.Win32.Agent.hat
Prevx1 - - Heuristic: Suspicious Self Modifying File
Sunbelt - - ContraVirus (v)
Symantec - - ExpertAntiVirus
VBA32 - - Trojan-Downloader.Win32.Agent.gyl
Webwasher-Gateway - - Trojan.Dropper.FakeAlert.PG.4

Stay away from this rogue security application.

Bharath M N

Saturday, January 5, 2008

New Zlob Trojan Distributing Sites

Site Name: bkvcompany.com
IP Address: 85.255.120.106
Registrar: ESTDOMAINS, INC.
Name Servers:
ns1.bkvcompany.com
ns2.bkvcompany.com

Site Name: mvvproduction.com
IP Address: 85.255.118.180
Registrar: ESTDOMAINS, INC.
Name Servers:
ns1.mvvproduction.com
ns2.mvvproduction.com


The registrant of both the sites is hidden behind PrivacyProtect.org.


Virustotal Scan Result: 6/32 (18.75%)
Avast 4.7.1098.0 2008.01.04 Win32:Zlob-AHS
BitDefender 7.2 2008.01.04 Trojan.Downloader.Zlob.ABGP
ClamAV 0.91.2 2008.01.04 Trojan.Dropper-2529
DrWeb 4.44.0.09170 2008.01.04 Trojan.Popuper.origin
Microsoft 1.3109 2008.01.04 TrojanDownloader:Win32/Zlob.gen!AL
NOD32v2 2765 2008.01.04 Win32/TrojanDownloader.Zlob.BNE



Avoid these sites at all costs...


Bharath M N

Friday, January 4, 2008

New Batch of Rogue Security Applications

The Winfixer Group has already started their dirty work this year. The scammers might be very busy creating new scam sites to distribute clones of avsystemcare/Winfixer (a well documented rogue security application).

Filterprogram.com is one of the several websites that the scammers have created.

Screenshot of filterprogram.com website

Fake scanner page of filterprogram.com website:



Filterprogram.com uses the IP 72.52.225.11, which is also shared by 28 other clone websites.

The list of sites that share the IP 72.52.225.11:

1. Alfaantivirus.com
2. Antivirusalmassimo.com
3. Barrevirus.com
4. Computervagt.com
5. Digitalerschutz.com
6. Elmejorcuidado.com
7. Ferramentantivirus.com
8. Filterprogram.com
9. Filtredevirus.com
10. Geeninfectie.com
11. Harddrivefilter.com
12. Keineinfektionen.com
13. Longueviepc.com
14. Maseg.net
15. Nonstopantivirus.com
16. Pcantivirenloesung.com
17. Pcsystemschutz.com
18. Plutoantivirus.com
19. Psbeveiligingssysteem.com
20. Riendevirus.com
21. Securepcguard.com
22. Sekyuritikojo.com
23. Sistemadedefensa.com
24. Sumejorantivirus.com
25. Totaltrygghet.com
26. Viruscontrolleuer.com
27. Viruswacht.com
28. Votremeilleurantivirus.com
29. Zeusantivirus.com


I scanned the setup file from filterprogram.com.

Virustotal Scan Result: 1/32 (3.13%)
Microsoft 1.3109 2008.01.03 Program:Win32/WinFixer

As you can see the detections are really poor. Stay away from all these sites.

Bharath MN