Thursday, December 3, 2009

AntiKeep

Here comes the 50th rogue from the WiniGuard rogue family.

[Screenshot of the AntiKeep application]


The first variant of the family was WiniGuard, which was seen in the wild around October 2008. Initially this family operated under the Innovagest 2000 SL group. They also had plans to release rogues for Mac, but none was ever seen live in the wild.

You can see traces of the files installed by this first variant on Lavasoft Malware Lab's page here.

We then saw a very quiet period with no activity from this rogue family for a long time; a second variant came out in April 2009 and a third in June 2009. Later, they started mimicking Kaspersky Online Scanner 7.0 to scare users and push their rogue application.

Later we also observed that they used almost all of the fake/scare scanner page templates that were being used by other rogue security application families to push their products. After this we saw a steady stream of clones from this family. The family also left a message for the Sunbelt research team. Reports here and here.

With TRE AntiVirus they changed the GUI of the rogue application for the first time. Later they changed the GUI again with AntiAID.

Here is the complete list of rogue security applications from the WiniGuard family.


WiniGuard
WiniBlueSoft
WinBlueSoft
Wini Fighter
Winishield
Save Keep
Save Soldier
Trust Ninja
Save Defense
Block Defense
System Cop
Quick Heal Cleaner
Save Keeper
Safety Keeper
Soft Safeness
Trust Warrior
Save Defender
Save Armor
Security Fighter
Security Soldier
Secure Veteran
Secure Fighter
Secure Warrior
Trust Cop
Safe Fighter
Trust Soldier
Trust Fighter
Soft Soldier
Soft Cop
Soft Veteran
Soft Stronghold
Shield Safeness
Soft Barrier
Block Watcher
Block Scanner
Block Keeper
Block Protector
System Veteran
System Fighter
System Warrior
TRE AntiVirus
Anti AID
Site Villain
Link Safeness
Secure Keeper
KeepCop
REAnti
RESpyWare
AntiAdd
AntiKeep


In MDL we keep the list of clones from this family updated. Follow this link here.

Will this gang end their malicious activity here?


Bharath M N
