Wednesday, February 27, 2008

Bakasoftware Expanding their List

A month ago a new group calling itself Bakasoftware (Bakasoftware.com), also known as Pandora-Software, released three rogue security applications. The list of applications is as follows:

Site Name: EasySpywareCleaner.com
IP Address: 216.240.138.201

Screenshot of EasySpywareCleaner Application

Site Name: Spy-Rid.com
IP Address: 216.240.138.201

Screenshot of Spy-Rid Application


Site Name: InfeStop.com
IP Address: 216.240.138.201

Screenshot of InfeStop Application

Now the group has decided to expand their list and here are the new entries:

Site Name: WinIFixer.com
IP Address: 216.240.138.201

Screenshot of WinIFixer Application

Detection of this application is currently poor; Sunbelt has added it to its latest definitions.

Site Name: I-kerberos.com
IP Address: 216.240.138.201

No installer files are available on this site yet. Two more sites, Tobesoftware.com and On-linelist.com, share the same IP address, but neither is functional yet. The site Bakadialer.com also belongs to the same group.

Be aware of this group and stay away from these sites.

Bharath M N
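The pivot this post does by hand (five domains on 216.240.138.201, then two more sites found on the same IP) can be done over every indicator on this page. The script below is an added example, not part of the original post: it groups the domains and IPs transcribed from the posts on this page by hosting IP, by /24 or /16 network and by registrar, and emits a denylist. Nothing is resolved live; the table is the only input, and the registrar column is filled only where a post states it.

```python
"""Added example (not from the original post): pivot the domain/IP
indicators transcribed from the posts on this page to expose shared
hosting. Nothing is resolved live; the table below is the only input."""
from collections import defaultdict
from ipaddress import ip_network

# (domain, hosting IP, registrar or None) -- transcribed from this page.
INDICATORS = [
    ("easyspywarecleaner.com", "216.240.138.201", None),
    ("spy-rid.com",            "216.240.138.201", None),
    ("infestop.com",           "216.240.138.201", None),
    ("winifixer.com",          "216.240.138.201", None),
    ("i-kerberos.com",         "216.240.138.201", None),
    ("tobesoftware.com",       "216.240.138.201", None),
    ("on-linelist.com",        "216.240.138.201", None),
    ("ixcodec.net",            "216.255.179.228", "ESTDOMAINS, INC."),
    ("operacodec.net",         "216.255.179.229", "ESTDOMAINS, INC."),
    ("codec-the.com",          "216.255.179.230", "ESTDOMAINS, INC."),
    ("xpdownloadings.com",     "69.50.183.50",    None),
    ("xpantiviruspro.com",     "69.50.183.50",    None),
    ("gt-websoftcodec.com",    "85.255.117.158",  None),
    ("viewutility.com",        "85.255.120.107",  None),
    ("videoadaptation.com",    "85.255.118.179",  None),
    ("encodeinstrument.com",   "85.255.120.109",  "ESTDOMAINS, INC."),
    ("viewdevice.com",         "85.255.118.180",  "ESTDOMAINS, INC."),
    ("virusheat.com",          "85.255.120.53",   "ESTDOMAINS, INC."),
    ("gicoupler.com",          "85.255.118.182",  "ESTDOMAINS, INC."),
    ("fapparatus.com",         "85.255.120.106",  "ESTDOMAINS, INC."),
    ("malwarecore.com",        "85.255.120.20",   "ESTDOMAINS, INC."),
    ("malwareburn.com",        "85.255.120.20",   None),
    ("antispykit.com",         "85.255.118.166",  "ESTDOMAINS, INC."),
    ("codecmoon.com",          "64.28.184.181",   None),
    ("blackcodec.com",         "64.28.184.180",   "ESTDOMAINS, INC."),
]


def domains_by_ip(indicators=INDICATORS):
    """Map each hosting IP to the sorted list of domains seen on it."""
    by_ip = defaultdict(set)
    for domain, ip, _registrar in indicators:
        by_ip[ip].add(domain)
    return {ip: sorted(doms) for ip, doms in by_ip.items()}


def siblings(domain, indicators=INDICATORS):
    """Other domains that share a hosting IP with `domain`: the pivot the
    posts do by hand when they say 'two more sites share the same IP'."""
    ips = {ip for dom, ip, _ in indicators if dom == domain}
    return sorted({dom for dom, ip, _ in indicators if ip in ips and dom != domain})


def clusters_by_netblock(prefix=24, indicators=INDICATORS):
    """Group domains by the /prefix network their IP falls in, keeping only
    networks that hold more than one domain. Neighbouring IPs in one /24
    (the .228/.229/.230 trio) usually mean one operator renting a block."""
    nets = defaultdict(set)
    for domain, ip, _ in indicators:
        nets[ip_network(f"{ip}/{prefix}", strict=False)].add(domain)
    return {str(net): sorted(doms) for net, doms in nets.items() if len(doms) > 1}


def registrar_concentration(indicators=INDICATORS):
    """Count registrars among the indicators whose post states one."""
    counts = defaultdict(int)
    for _, _, registrar in indicators:
        if registrar:
            counts[registrar] += 1
    return dict(counts)


def blocklist(indicators=INDICATORS):
    """Deduplicated, sorted domains and IPs suitable for a proxy or DNS denylist."""
    domains = sorted({dom for dom, _, _ in indicators})
    ips = sorted({ip for _, ip, _ in indicators},
                 key=lambda s: tuple(int(octet) for octet in s.split(".")))
    return domains, ips


if __name__ == "__main__":
    for net, doms in sorted(clusters_by_netblock(24).items()):
        print(net, doms)
    print("siblings of spy-rid.com:", siblings("spy-rid.com"))
    print("registrars:", registrar_concentration())
```

The /24 grouping is what exposes the 216.255.179.228-230 trio and the spread of domains across 85.255.116-120 as related infrastructure; to re-run it on current data, replace the table with a live resolver's answers for the same domains.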

Thursday, February 21, 2008

DNS Changer Trojan Distributing Sites

Site Name: Ixcodec.net
IP Address: 216.255.179.228
Registrar: ESTDOMAINS, INC.


Site Name: Operacodec.net
IP Address: 216.255.179.229
Registrar: ESTDOMAINS, INC.


Site Name: Codec-the.com
IP Address: 216.255.179.230
Registrar: ESTDOMAINS, INC.

All three sites distribute the DNS Changer Trojan. Note that they sit on consecutive addresses (216.255.179.228, .229 and .230) and were registered through the same registrar, which points to one operator rather than three. Stay away from these sites.

Bharath M N
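A DNS Changer Trojan, as the name says, rewrites the infected host's resolver settings so that name lookups go to servers the attacker controls. The check a practitioner wants after a visit to one of these sites is whether the configured resolvers are still the expected ones. The script below is an added example, not part of the original post: it parses `ipconfig /all` output (constructed here, with the rogue resolvers drawn from the TEST-NET range) and flags resolvers outside an allow-list. EXPECTED_RESOLVERS is an assumption to replace with your own; only IPv4 resolvers are handled.

```python
"""Added example (not from the original post): flag DNS resolvers on a
Windows host that are not on an allow-list, the symptom a DNS Changer
Trojan leaves behind. The ipconfig output and the allow-list are
constructed for the example."""
import re
from ipaddress import ip_address, ip_network

# Constructed sample: the corporate resolver on the LAN adapter has been
# replaced by two unknown addresses (TEST-NET-1), the VPN adapter is intact.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : WORKSTATION01

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : corp.example
   IP Address. . . . . . . . . . . . : 10.0.5.23
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.5.1
   DHCP Server . . . . . . . . . . . : 10.0.5.1
   DNS Servers . . . . . . . . . . . : 192.0.2.77
                                       192.0.2.78

Ethernet adapter VPN:

   DNS Servers . . . . . . . . . . . : 10.0.5.53
"""

# Assumed: the only resolvers a host on this network should ever use.
EXPECTED_RESOLVERS = ["10.0.5.53/32", "10.0.5.54/32"]

_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_ipconfig_dns(text):
    """Return {adapter: [resolver, ...]} from 'ipconfig /all' output.
    Adapter headers are unindented lines ending in ':'. The DNS Servers
    field lists additional resolvers on continuation lines that carry only
    an address, so keep collecting until the next keyed line appears."""
    adapters, current, collecting = {}, None, False
    for raw in text.splitlines():
        line = raw.rstrip()
        if line and not line[0].isspace() and line.endswith(":"):
            current = line[:-1].strip()
            adapters.setdefault(current, [])
            collecting = False
            continue
        if current is None or not line.strip():
            collecting = False
            continue
        if ":" in line:
            key, _, value = line.partition(":")
            collecting = key.strip(" .").lower() == "dns servers"
            value = value.strip()
            if collecting and _IPV4.match(value):
                adapters[current].append(value)
            continue
        if collecting and _IPV4.match(line.strip()):
            adapters[current].append(line.strip())
    return adapters


def unexpected_resolvers(adapters, expected=EXPECTED_RESOLVERS):
    """Per adapter, the resolvers that fall outside every expected network."""
    nets = [ip_network(n) for n in expected]
    bad = {}
    for adapter, resolvers in adapters.items():
        odd = [r for r in resolvers if not any(ip_address(r) in net for net in nets)]
        if odd:
            bad[adapter] = odd
    return bad


if __name__ == "__main__":
    found = unexpected_resolvers(parse_ipconfig_dns(SAMPLE_IPCONFIG))
    for adapter, resolvers in found.items():
        print(f"{adapter}: unexpected DNS servers {resolvers}")
```

On a live host, feed the real output of `ipconfig /all` into `parse_ipconfig_dns`; a resolver outside the allow-list on any adapter is the indicator, and an empty list means the adapter gets its resolvers from DHCP, which should then be checked at the DHCP server instead.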

Wednesday, February 20, 2008

New List of Malicious Domains

Site Name: xpdownloadings.com
IP Address: 69.50.183.50

xpdownloadings.com is a malicious site that shares its IP address with xpantiviruspro.com; both sites distribute the xpantiviruspro rogue security application.

The installer from xpdownloadings.com was scanned and here are the results:

VirusTotal Scan Result: 5/32 (15.63%)
AVG 7.5.0.516 2008.02.19 Downloader.Purityscan.AA
eSafe 7.0.15.0 2008.02.17 suspicious Trojan/Worm
Kaspersky 7.0.0.125 2008.02.19 Heur.Trojan.Generic
McAfee 5232 2008.02.18 New Malware.bl
Sophos 4.26.0 2008.02.19 Troj/FakeAV-D

Site Name: online-nude-videos.com
IP Address: 74.50.97.51

The site online-nude-videos.com shows a fake error warning and instructs the user to download a file named “install_player_3xxx3912941.exe” to view the porn online. This site also belongs to the group that distributes IE-Defender, a well documented rogue security application.

The installer from the site was scanned and here are the results:

VirusTotal Scan Result: 13/32 (40.62%)

AntiVir - - TR/Dldr.Delf.etj
AVG - - Downloader.Zlob
CAT-QuickHeal - - TrojanDownloader.Agent.ium
eSafe - - Suspicious File
eTrust-Vet - - Win32/Burgspill!generic
F-Prot - - W32/Heuristic-MU3!Eldorado
F-Secure - - Trojan-Downloader.Win32.Delf.etj
Kaspersky - - Trojan-Downloader.Win32.Delf.etj
Microsoft - - Trojan:Win32/Delflob.I
Panda - - Suspicious file
Prevx1 - - Generic.Dropper.xCodec
Sophos - - Mal/DelpDldr-E
Webwasher-Gateway - - Trojan.Dldr.Delf.etj
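To make reports like the one above comparable, here is an added example (not from the original post) that parses the pasted VirusTotal text, recomputes the ratio, checks the listed lines against the header count, separates named detections from heuristic or "suspicious" verdicts, and tallies the family names the vendors agree on. The sample is the report above; the FAMILY_TOKENS set and the WEAK_MARKERS list are my choices, not anything VirusTotal defines.

```python
"""Added example (not from the original post): parse a VirusTotal report
in the text form used on this page and summarise it. The sample report is
the one for the online-nude-videos.com installer, transcribed from the page."""
import re
from collections import Counter

SAMPLE_REPORT = """\
VirusTotal Scan Result: 13/32 (40.62%)

AntiVir - - TR/Dldr.Delf.etj
AVG - - Downloader.Zlob
CAT-QuickHeal - - TrojanDownloader.Agent.ium
eSafe - - Suspicious File
eTrust-Vet - - Win32/Burgspill!generic
F-Prot - - W32/Heuristic-MU3!Eldorado
F-Secure - - Trojan-Downloader.Win32.Delf.etj
Kaspersky - - Trojan-Downloader.Win32.Delf.etj
Microsoft - - Trojan:Win32/Delflob.I
Panda - - Suspicious file
Prevx1 - - Generic.Dropper.xCodec
Sophos - - Mal/DelpDldr-E
Webwasher-Gateway - - Trojan.Dldr.Delf.etj
"""

# Family tokens worth tallying across vendor naming schemes (my choice, not VT's).
FAMILY_TOKENS = {"zlob", "dnschanger", "delf", "fakeav", "nuwar", "spycrush",
                 "malwarewipe", "stration", "purityscan", "spyheal"}
# Substrings that mark a verdict as heuristic/generic rather than a named family.
WEAK_MARKERS = ("suspicious", "heur", "generic", "suspected")


def parse_report(text):
    """Return {'detections', 'engines', 'results': [(vendor, version, date, label)]}.
    Result lines are 'Vendor version date label'; when version and date are
    missing they appear as '-', so splitting on whitespace at most three
    times fits both forms and keeps labels that contain spaces intact."""
    detections = engines = None
    results = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        header = re.match(r"VirusTotal Scan Result:\s*(\d+)/(\d+)", line, re.I)
        if header:
            detections, engines = int(header.group(1)), int(header.group(2))
            continue
        parts = line.split(None, 3)
        if len(parts) == 4:
            results.append(tuple(parts))
    return {"detections": detections, "engines": engines, "results": results}


def detection_ratio(report):
    """Fraction of engines that flagged the file, recomputed from the header."""
    return report["detections"] / report["engines"]


def consistent(report):
    """True when the number of listed result lines matches the header count."""
    return len(report["results"]) == report["detections"]


def split_weak(report):
    """Separate named detections from heuristic/generic/'suspicious' verdicts,
    which confirm the file is bad but say little about what it is."""
    named, weak = [], []
    for vendor, _version, _date, label in report["results"]:
        bucket = weak if any(m in label.lower() for m in WEAK_MARKERS) else named
        bucket.append((vendor, label))
    return named, weak


def family_tally(report):
    """Count how many vendors mention each known family token in their label,
    matching whole alphabetic tokens so 'Delflob' does not count as 'Delf'."""
    tally = Counter()
    for _vendor, _version, _date, label in report["results"]:
        tokens = {t.lower() for t in re.findall(r"[A-Za-z]+", label)}
        for family in tokens & FAMILY_TOKENS:
            tally[family] += 1
    return dict(tally)


if __name__ == "__main__":
    rep = parse_report(SAMPLE_REPORT)
    print(f"{rep['detections']}/{rep['engines']} = {detection_ratio(rep):.2%}, "
          f"consistent={consistent(rep)}")
    named, weak = split_weak(rep)
    print("named:", len(named), "weak:", len(weak), "families:", family_tally(rep))
```

For the report above this gives 13/32 but only 8 named verdicts, four of which agree on the Delf downloader family; the other five are heuristic or generic, which is why a raw detection count overstates how well a sample is understood.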


Site Name: Gt-websoftcodec.com
Site Name: Gt-websoft.com
IP Address: 85.255.117.158

The sites Gt-websoftcodec.com and Gt-websoft.com deliver Trojan files disguised as codecs. When a user tries to view a video on any of the sites Gt-funny.com, Gt-movies.com or Gt-stars.com, the page shows a “Video ActiveX Object error” message and instructs the user to download the codec to view the video online.


The installer from the site was scanned and here are the results:

VirusTotal Scan Result: 11/32 (34.38%)

AntiVir 7.6.0.67 2008.02.19 TR/Crypt.XPACK.Gen
CAT-QuickHeal 9.50 2008.02.18 (Suspicious) - DNAScan
ClamAV 0.92.1 2008.02.19 Trojan.Zlob-1501
eSafe 7.0.15.0 2008.02.17 Suspicious File
Fortinet 3.14.0.0 2008.02.19 W32/Stration!tr.dldr
Ikarus T3.1.1.20 2008.02.19 MalwareScope.Worm.Nuwar-Glowa.1
Microsoft 1.3204 2008.02.19 TrojanDropper:Win32/Nuwar.gen!lds
Sophos 4.26.0 2008.02.19 Mal/EncPk-CG
Sunbelt 3.0.884.0 2008.02.19 VIPRE.Suspicious
VBA32 3.12.6.1 2008.02.17 suspected of Downloader.Zlob.8
Webwasher-Gateway 6.6.2 2008.02.19 Trojan.Crypt.XPACK.Gen

Zlob Trojan distributing sites:

Site Name: viewutility.com
IP Address: 85.255.120.107

Site Name: videoadaptation.com
IP Address: 85.255.118.179

Both sites distribute Zlob Trojans. The installer from the site was scanned and here are the results:

VirusTotal Scan Result: 7/32 (21.88%)

AntiVir 7.6.0.67 2008.02.19 TR/Drop.Fakes.71985
BitDefender 7.2 2008.02.19 Trojan.Downloader.Zlob.ABKX
ClamAV 0.92.1 2008.02.19 Trojan.Dropper-2529
Microsoft 1.3204 2008.02.19 TrojanDownloader:Win32/Zlob.gen!AL
Panda 9.0.0.4 2008.02.19 Adware/MultiMedia
VBA32 3.12.6.1 2008.02.17 suspected of Downloader.Zlob.3
Webwasher-Gateway 6.6.2 2008.02.19 Trojan.Drop.Fakes.71985


DNS Changer Distributing Site:

Site Name: codecmoon.com
IP Address: 64.28.184.181

This site distributes the DNS Changer Trojan. The installer from the site was scanned and here are the results:

VirusTotal Scan Result: 7/30 (23.34%)

AntiVir 7.6.0.67 2008.02.19 DR/Dldr.DNSChanger.Gen
Avast 4.7.1098.0 2008.02.18 Win32:DNSChanger-SF
BitDefender 7.2 2008.02.19 Trojan.Downloader.Zlob.ABLE
eSafe 7.0.15.0 2008.02.17 Suspicious File
F-Secure 6.70.13260.0 2008.02.19 Trojan.Win32.DNSChanger.arn
Sophos 4.26.0 2008.02.19 Troj/Zlobar-Fam
Webwasher-Gateway 6.6.2 2008.02.19 Trojan.Dropper.Dldr.DNSChanger.Gen


Stay away from all the malicious sites listed in the post.

Bharath M N

Sunday, February 17, 2008

Weekend Update

Weekend Update on Malicious Domains


Rogue Security Applications:
Antivirus-Scan.Net

Antivirus-Scan.Net is a clone site of Antivermins (a well documented rogue security application). The site still does not have an active link to download the software.

The ordering pages have not even been put up on the server yet. The price quoted on the website is $49.95, more than a genuine anti-spyware product costs.

So I would say be aware of this company, and if in future your browser is redirected to this site, assume that your system is infected by spyware. The scammers are related to the SSH family, so they might push this software through the Zlob Trojan. Beware of the site and don’t purchase this software.

SpyBurner.com

Another rogue security application; this website makes use of copyrighted text from the PC Tools website. Nosirrah has posted this information on the PC Tools discussion forum; here is the link.

This application also resembles the SSH rogue family, and it is pushed and advertised through fake warning messages.

Currently none of the scanners on VirusTotal picks up this rogue, so beware of this site and don’t waste your money purchasing this application.

The application is also distributed through pcsecuritycenter.net. That site also distributes SystemErrorFixer (a clone of the AVSystemCare rogue) and AdvancedCleaner, both well documented rogue security applications.

Malicious Domains:

Zlob Trojan Distributing site:

Site Name: Encodeinstrument.com
IP Address: 85.255.120.109
Registrar: ESTDOMAINS, INC.
Name Servers:
ns2.encodeinstrument.com [85.255.120.110]
ns1.encodeinstrument.com [85.255.120.109]

Site Name: Viewdevice.com
IP Address: 85.255.118.180
Registrar: ESTDOMAINS, INC.
Name Servers:
ns1.viewdevice.com [85.255.118.180]
ns2.viewdevice.com [85.255.118.181]

A sample downloader from the site was scanned at VirusTotal and here are the results:

VirusTotal Scan Result: 3/30 (10%)

ClamAV 0.92.1 2008.02.16 Trojan.Dropper-2529
Microsoft 1.3204 2008.02.16 TrojanDownloader:Win32/Zlob.gen!AL
VBA32 3.12.6.1 2008.02.14 suspected of Downloader.Zlob.3

Detection of the Trojan is really poor.

DNS Changer Trojan Distributing Site:

Site Name: Blackcodec.com
IP Address: 64.28.184.180
Registrar: ESTDOMAINS, INC.
Name Servers:
ns1.blackcodec.com [64.28.184.162]
ns2.blackcodec.com [64.28.184.180]

Stay away from all these malicious domains.

Bharath M N

Wednesday, February 13, 2008

Storm Worm

Collection of images displayed on the malicious site.

The spam emails sent by this gang link directly to a site that displays one of the images above; after 5 seconds the site prompts you to download a file named “valentine.exe”.

The file “valentine.exe” is a high-risk file which might consist of a rootkit, a peer-to-peer client and a mass-mailing worm component.

A few sites distributing the Storm Worm:

74.129.19.198
67.182.1.227
76.124.142.87
76.117.96.98
75.72.202.223
Moonstarfood(dot)com


Please do not visit any of the above mentioned sites.


VirusTotal Scan Result:

So be careful and don’t open any unknown emails that you might receive. Stay safe and have a wonderful Valentine’s Day.

Bharath M N

Monday, February 11, 2008

More Sites Pushing Crapware

The following is a list of sites which distributes Crapware:
Killspy.net
Winflashmedia.com
Winsoftpc.com
Winxpperformance.com
Winxpspeedup.com

All these sites share the IP address 88.208.20.50, and all of them are identical. The application from Killspy.net has been flagged as rogue by Spywarewarrior.com.

ScreenShot of Windows Performance Application:

A sample installer from this group was scanned at VirusTotal and here are the results:

VirusTotal Scan Result:

Stay away from these sites.
Bharath M N

Saturday, February 9, 2008

VirusHeat- A New Rogue Security Application

VirusHeat.com

VirusHeat is a new rogue security application from the SSH family. The rogue application is distributed through the Zlob Trojan.

The application is a clone of VirusProtectPro, SpyHeal, SpyLocked and many other Rogue security applications.



Site Name: VirusHeat.com
IP Address: 85.255.120.53
Registrar: ESTDOMAINS, INC.
Name Servers:
ns1.amigobore.com [85.255.117.205]
ns2.amigobore.com [91.192.106.1]
ns3.amigobore.com [85.255.117.202]
ns4.amigobore.com [195.3.144.77]


Screenshot of VirusHeat Application:

Detection of the rogue is really poor.

VirusTotal Scan Result: 5/32 (15.63%)

Avast 4.7.1098.0 2008.02.08 Win32:AntiVirGear
BitDefender 7.2 2008.02.09 Adware.Spyfalcon.G
Ikarus T3.1.1.20 2008.02.09 Virus.Win32.Spycrush.B
Kaspersky 7.0.0.125 2008.02.09 not-a-virus:FraudTool.Win32.SpyHeal.i
VBA32 3.12.6.0 2008.02.09 Win32.Adware.VirusProtectPro

VirusHeat removal Instruction here.

Another component site used by the Zlob Trojan:

Site Name: Puresafetyhere.com
IP Address: 85.255.116.211
Registrar: ESTDOMAINS, INC.
Name Servers:
ns1.puresafetyhere.com [85.255.116.211]
ns2.puresafetyhere.com [85.255.116.212]

This site advertises well documented Rogue security applications. Stay away from these sites and the rogue application they advertise.

Bharath M N

Wednesday, February 6, 2008

New Zlob Trojan Distributing Sites

The following two new domains are currently distributing Zlob Trojans.

Site Name: Gicoupler.com
IP address: 85.255.118.182
Registrar: ESTDOMAINS, INC.
Name Servers:
ns1.gicoupler.com [85.255.118.182]
ns2.gicoupler.com [85.255.118.178]


The installer was scanned at VirusTotal and here are the results:

VirusTotal Scan Result:


Site Name: Fapparatus.com
IP address: 85.255.120.106
Registrar: ESTDOMAINS, INC.
Name Servers:
ns1.fapparatus.com [85.255.120.106]
ns2.fapparatus.com [85.255.120.107]


The installer was scanned at VirusTotal and here are the results:

VirusTotal Scan Result:

Stay away from these sites.

Bharath M N

Monday, February 4, 2008

More Malicious Domains

Here is a list of malicious websites that distribute Trojan horses disguised as codec files.

Sites sharing the IP Address: 78.159.96.135

Somenudefuck.com
My-nude-girl.com
Spy-partners.com --> no malicious downloads reported yet.

The sites listed above (except Spy-partners.com) distribute an “install_player_xxx.exe” file, which was scanned at VirusTotal and here are the results:

VirusTotal Scan Result:


Sites sharing the IP Address: 202.83.212.233

Creatonsoft.com
Greatprofit4you.com
Hyip-den.com
Investors-heaven.com

All these sites distribute a “flash_player_XXXXXX.exe” file, which was scanned at VirusTotal and here are the results:

VirusTotal Scan Result:


Stay away from these sites.

Bharath M N
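The lure this post and the earlier ones describe is always the same: a fake error or player page that hands the visitor an executable named like install_player_xxx.exe, flash_player_XXXXXX.exe or valentine.exe. Below is an added example (not from the original post) of detection rules run over Squid-format proxy log lines: a match on the hosts named on this page, a match on the generalised filename shapes quoted in the posts, and a heuristic of my own for codec-themed hosts serving executables. The log lines are constructed; the host set is transcribed from the page.

```python
"""Added example (not from the original post): detection rules for the
fake-codec / fake-player lure over Squid native-format proxy logs.
Log lines are constructed; LURE_HOSTS is transcribed from this page."""
import re
from urllib.parse import urlsplit

# Domains named on this page as serving the fake codec / player executables.
LURE_HOSTS = {
    "online-nude-videos.com", "gt-websoftcodec.com", "gt-websoft.com",
    "viewutility.com", "videoadaptation.com", "codecmoon.com",
    "somenudefuck.com", "my-nude-girl.com", "creatonsoft.com",
    "greatprofit4you.com", "hyip-den.com", "investors-heaven.com",
    "moonstarfood.com",
}

# Filename shapes quoted on this page, generalised: a player/codec name, an
# optional underscore plus digits or placeholder letters, then '.exe'.
LURE_FILENAME = re.compile(
    r"^(?:install_player|flash_player|valentine)(?:_[0-9a-z]+)?\.exe$", re.I)

# Constructed Squid native lines:
# time elapsed client status/code bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1203500001.101 312 10.0.5.23 TCP_MISS/200 184320 GET http://online-nude-videos.com/install_player_3xxx3912941.exe - DIRECT/74.50.97.51 application/octet-stream
1203500002.202 55 10.0.5.23 TCP_MISS/200 9120 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html
1203500003.303 402 10.0.5.41 TCP_MISS/200 61440 GET http://somecodecsite.example/codec/flash_player_483920.exe - DIRECT/198.51.100.9 application/octet-stream
1203500004.404 77 10.0.5.41 TCP_MISS/200 2048 GET http://gt-movies.example/video.html - DIRECT/198.51.100.10 text/html
1203500005.505 290 10.0.5.57 TCP_MISS/200 73216 GET http://moonstarfood.com/valentine.exe - DIRECT/203.0.113.5 application/octet-stream
1203500006.606 80 10.0.5.57 TCP_HIT/200 4096 GET http://updates.example.com/setup_12.exe - NONE/- application/octet-stream
"""


def parse_line(line):
    """Split one Squid native log line into the fields the rules need."""
    fields = line.split()
    if len(fields) < 10:
        return None
    url = urlsplit(fields[6])
    return {"ts": fields[0], "client": fields[2], "status": fields[3],
            "method": fields[5], "host": url.hostname or "", "path": url.path,
            "type": fields[9]}


def classify(entry):
    """Return the list of rule names an entry trips (empty for benign)."""
    hits = []
    host = entry["host"].lower()
    host = host[4:] if host.startswith("www.") else host
    filename = entry["path"].rsplit("/", 1)[-1]
    if host in LURE_HOSTS:
        hits.append("known-lure-host")
    if LURE_FILENAME.match(filename):
        hits.append("lure-filename")
    # Heuristic (mine, not the page's): a codec-themed host serving an executable.
    if "codec" in host and (filename.lower().endswith(".exe")
                            or entry["type"] == "application/octet-stream"):
        hits.append("codec-host-exe")
    return hits


def scan(log_text):
    """Return (client, host, filename, rules) for every line that trips a rule."""
    alerts = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if not entry:
            continue
        rules = classify(entry)
        if rules:
            alerts.append((entry["client"], entry["host"],
                           entry["path"].rsplit("/", 1)[-1], rules))
    return alerts


if __name__ == "__main__":
    for client, host, filename, rules in scan(SAMPLE_LOG):
        print(f"{client} fetched {filename} from {host}: {', '.join(rules)}")
```

The host list catches only what has already been published; the filename and codec-host rules are what catch the next domain the same gang registers, at the cost of the occasional benign download of a file that happens to be called flash_player_something.exe, so treat those two as triage leads rather than block decisions.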

Sunday, February 3, 2008

New Member to MalwareWipe Family

Time to introduce a new member of the MalwareWipe family: MalwareCore is the latest entry in the MalwareWipe family of rogue security applications.

Screenshot of MalwareCore.com website:

MalwareCore is a new rogue security application and a clone of the MalwareWipe family. It is installed on the user's system by Zlob Trojan programs, and may also be installed through exploits in the Windows operating system and other dubious means.

Other Rogue Security applications of this family:
-->MalwareWipe
-->MalwareBurn


Site Name: MalwareCore.com
IP Address: 85.255.120.20
Registrar: ESTDOMAINS, INC.
Name Servers:
managedns1.esthost.com [69.50.182.18]
managedns2.esthost.com [69.50.183.26]
managedns3.esthost.com [69.50.182.18]
managedns4.esthost.com [69.50.183.26]


The site shares its IP with the following sites:

1. Malwareburn.com
2. Malwarewiped.com
3. Malwareray.com

All these sites distribute the MalwareBurn rogue security application.


Screenshot of MalwareCore Application:

Once you install the MalwareCore trial version, the application mimics a system scan and reports a large number of imaginary spyware infections. It then offers to sell the user the full version to remove the reported risks.

The installer from the site was scanned and here are the results:

Virustotal Scan Result: 6/32 (18.75%)

Avast 4.7.1098.0 2008.02.02 Win32:Spycrush
Ikarus T3.1.1.20 2008.02.03 Virus.Win32.Spycrush.B
Kaspersky 7.0.0.125 2008.02.03 not-a-virus:FraudTool.Win32.MalwareWipe.q
Prevx1 V2 2008.02.03 Generic.Malware
Sophos 4.26.0 2008.02.03 Sus/ComPack-C
Symantec 10 2008.02.02 MalwareBurn

Stay away from these sites.

Bharath M N

Saturday, February 2, 2008

New Member of AntiVirusGolden Family

AntiSpyKit.Com
AntiSpyKit is a new rogue security application and a clone of the AntiVirusGolden family of rogue security applications. The application is installed on the user's system through various Trojan horse programs and other dubious means.

Other Rogue Security applications of this family:
--> AntiVirusGolden
--> Antispygolden

Site Name: Antispykit.com
IP Address: 85.255.118.166
Registrar: ESTDOMAINS, INC.

AntiSpyKit application screenshot


Once you install the AntiSpyKit trial version, the application mimics a system scan and reports a large number of imaginary spyware infections. It then offers to sell the user the full version to remove the reported risks.


The installer from the site was scanned and here are the results:

Virustotal Scan Result: 4/32 (12.5%)

Ikarus T3.1.1.20 2008.02.02 Virus.Win32.Spycrush.B
Prevx1 V2 2008.02.02 Generic.Malware
Sophos 4.26.0 2008.02.02 SpyFraud
Sunbelt 2.2.907.0 2008.02.02 AntiSpyKit


ThreatExpert Report here.

Stay away from these scammer sites.

Bharath M N