HAPPY NEW YEAR 2008
I wish you all a Prosperous and Happy New Year 2008.
Bharath M N
Sunday, December 30, 2007
Wednesday, December 26, 2007
FILES-SECURE.COM
FILES-SECURE.COM
File –Secure is a new rogue Security application from the family of IE Defender.
File –Secure Rogue security application stealthily installs after installing a dubious codec installer called videomp3_setup*.
Snapshot of Files-Secure Application
The site details:
Registrar: ESTDOMAINS, INC.
IP Address: 85.255.119.92
Name Server: NS1.FILES-SECURE.COM
Name Server: NS2.FILES-SECURE.COM
Warning message from the app:
VirusTotal Scan Result: 2/32 (6.25%)
eSafe 7.0.15.0 2007.12.25 suspicious Trojan/Worm
Kaspersky 7.0.0.125 2007.12.26 not-a-virus:FraudTool.Win32.IeDefender.ag
Stay away from this Rogue security application.
Bharath M N
Saturday, December 22, 2007
Immunizr.com
Immunizr.com
Immunizr is another Rogue Security application. This is yet another rogue application from the spywareNo family of rogue security application.
The site uses the IP 69.50.166.50 and the setup file Immunizr is not detected as rogue security application from any of the scanners on VirusToal.
Stay away from Rogue security applications.
Bharath MN
WinSpykiller.com
WinSpykiller.com
WinSpykiller is a Rogue Security application. This is another rogue application from the spywareNo family of rogue security application.
This is the ninth rogue security application from spywareNo family in December. If you closely look at all the nine sites you will find the same information displayed on all the pages.
The site uses the IP 69.50.166.51 and the interesting factor is that none of the security applications in VirusTotal detects this rogue security application.
Stay away from Rogue security applications.
Bharath MN
This is the ninth rogue security application from spywareNo family in December. If you closely look at all the nine sites you will find the same information displayed on all the pages.
The site uses the IP 69.50.166.51 and the interesting factor is that none of the security applications in VirusTotal detects this rogue security application.
Stay away from Rogue security applications.
Bharath MN
Sunday, December 16, 2007
New Zlob Trojan Site
New Zlob Trojan Site
Site: Pmffprogram.com
IP: 85.255.113.234
Registrar: ESTDOMAINS, INC.
IP: 85.255.113.234
Registrar: ESTDOMAINS, INC.
Virustotal Scan Result: 10/32 (31.25%)
AntiVir 7.6.0.45 2007.12.14 DR/Zlob.Gen
Avast 4.7.1098.0 2007.12.15 Win32:Zlob-AHS
AVG 7.5.0.503 2007.12.15 Downloader.Zlob.LI
BitDefender 7.2 2007.12.15 Trojan.Zlob.BZM
ClamAV 0.91.2 2007.12.15 Trojan.Dropper-2529
DrWeb 4.44.0.09170 2007.12.15 Trojan.Popuper.origin
Microsoft 1.3109 2007.12.15 TrojanDownloader:Win32/Zlob.gen!AL
Prevx1 V2 2007.12.15 Downloader.Zlob.LI
Sophos 4.24.0 2007.12.15 Troj/Zlobar-Fam
Webwasher-Gateway 6.6.2 2007.12.15 Trojan.Dropper.Zlob.Gen
Avast 4.7.1098.0 2007.12.15 Win32:Zlob-AHS
AVG 7.5.0.503 2007.12.15 Downloader.Zlob.LI
BitDefender 7.2 2007.12.15 Trojan.Zlob.BZM
ClamAV 0.91.2 2007.12.15 Trojan.Dropper-2529
DrWeb 4.44.0.09170 2007.12.15 Trojan.Popuper.origin
Microsoft 1.3109 2007.12.15 TrojanDownloader:Win32/Zlob.gen!AL
Prevx1 V2 2007.12.15 Downloader.Zlob.LI
Sophos 4.24.0 2007.12.15 Troj/Zlobar-Fam
Webwasher-Gateway 6.6.2 2007.12.15 Trojan.Dropper.Zlob.Gen
Stay away from this site.
Bharath M N
Friday, December 14, 2007
wincodecdownload.com
Wincodecdownload.com
Another malicious domain. The setup file available on the site is malicious. The setup file installs a malicious BHO which displays the following image below the browser address bar.
BHO Details:
Filename: IECodec.dll
Hijack this entry:
O2 - BHO: IECodecBHO - {4507C219-24AA-4813-9561-A2003F9920C3} - C:\Program Files\IECodec\IECodec.dll
Screeenshot taken after installing the malicious setup file.
Once you click on the link provided in the image it takes you to privacy-tower.com website. The site uses a scare scan tactics to scare the users into purchasing a rogue security application.
The site privacy-tower.com uses the IP address 206.161.200.43, which then redirects users into downloading Anti-Virus-Pro (from anti-virus-pro.com) a well documented Rogue security application.
The Privacy-Scanner.com and PrivacyTower.com are clone sites of privacy-tower.com which also redirects users into downloading Anti-Virus-Pro
Privacy-Scanner.com\PrivacyTower.com\Privacy-Tower.com Scare scan page 
Further site vscodecsupport.com (203.121.111.143) works as a data repository for wincodecdownload.com.
Currently none of the security applications on Virustotal flags the setup file as malicious.
Only two scanners detect the BHO as malicious.
Virustotal scan Result: 2/32 (6.25%)
AntiVir 7.6.0.45 2007.12.13 HEUR/Malware
Webwasher-Gateway 6.6.2 2007.12.13 Heuristic.Malware
Currently none of the security applications on Virustotal flags the setup file as malicious.
Only two scanners detect the BHO as malicious.
Virustotal scan Result: 2/32 (6.25%)
AntiVir 7.6.0.45 2007.12.13 HEUR/Malware
Webwasher-Gateway 6.6.2 2007.12.13 Heuristic.Malware
Stay away from these sites.
Bharath M N
Spyware-Sweeper.Net
Spyware-Sweeper.Net
Yet another Spysheriff Clone. This site distributes Rogue security application. The application exploits “Webroot” Spy-sweeper name.
Snapshot of Spyware-Sweeper Application
Vitustotal Scan Result: 10/32 (31.25%)
AhnLab-V3 2007.12.14.10 2007.12.13 Win-Trojan/Bravesent.39424
CAT-QuickHeal 9.00 2007.12.13 FraudTool.SpySheriff.f (Not a Virus)
Ikarus T3.1.1.15 2007.12.13 Application.Win32.AdWare.SpySheriff
Kaspersky 7.0.0.125 2007.12.13 not-a-virus:FraudTool.Win32.SpySheriff.f
Microsoft 1.3007 2007.12.13 Program:Win32/SpySheriff
NOD32v2 2721 2007.12.13 a variant of Win32/Adware.SpySheriff
Panda 9.0.0.4 2007.12.13 Suspicious file
Prevx1 V2 2007.12.13 ADWARE.SPYSHERIFF.E
Sophos 4.24.0 2007.12.13 Troj/Spywad-Gen
VirusBuster 4.3.26:9 2007.12.13 Adware.SpySherif.Gen.2
Stay away from Rogue security applciations.
Bharath M N
Monday, December 10, 2007
Scanner Pages are Live now!!!
Scanner Pages are Live now!!!
The malware scanner page for the Rogue security applications Dr-Protection, Guard-Center, Killspy, Liveantispy, LiveProtection, Online-Guard and Stopingspy are Live. The scanner page uses the scare tactics to scare the users into purchasing the Rogue security application. Don’t fall into the cheap trick and loose your money. All the scan pages share the same IP address 58.65.238.131.
Dr-Protection Fake Scanner Page
Guard-Center Fake Scanner Page
Killspy Fake Scanner Page
Liveantispy Fake Scanner Page
Liveprotection Fake Scanner Page
Online-Guard Fake Scanner Page
Stopingspy Fake Scanner Page
Virustotal Scan Result: 7/32 (21.88%)
AVG 7.5.0.503 2007.12.10 Downloader.Small.BAP
DrWeb 4.44.0.09170 2007.12.10 Trojan.Fakealert
Kaspersky 7.0.0.125 2007.12.10 Heur.Trojan.Generic
Microsoft 1.3007 2007.12.10 TrojanDownloader:Win32/Renos.gen!Y
NOD32v2 2713 2007.12.10 probably unknown NewHeur_PE virus
Panda 9.0.0.4 2007.12.09 Suspicious file
Prevx1 V2 2007.12.10 Downloader.Drev.A
Stay away from Rogue security applications
Bharath M N
(Thanks to Patrick Jordan)
Saturday, December 8, 2007
freemoviepro.com
Freemoviepro.com
A malicious domain that spams, the download available on the site installs a malicious BHO.
The image displayed on the site:
BHO Details:
Filename: wbspark.dll
Hijack this entry: O2-BHO: wbspark - (BC42164F-2C53-1B42-1563-1A7624A24C11) - C: \WINDOWS\system32\wbspark.dll
SunBelt SandBox Result
Virustotal Scan Result: 18/32 (56.25%)
Stay away from this site.
Bharath M N
Thursday, December 6, 2007
Three More Malicious Domains
More Malicious Domains
Three More Malicious Domains on 58.65.238.130
Killspy.org
Liveprotection.net
Stopingspy.com
A few days back I had written about the four malicious sites on the server 58.65.238.130. Link
Now the server is hosting seven malicious sites distributing Rogue Security applications. The entire list:
1. Dr-protection.com
2. Guard-center.com
3. Killspy.org
4. Liveantispy.com
5. Liveprotection.net
6. Online-guard.net
7. Stopingspy.com
The download from three new sites was submitted to visrutotal.com and here are the results:
Virustotal Scan Result: 5/32 (15.63%)
AhnLab-V3 2007.12.6.2 2007.12.06 Win-Trojan/Spyshield.51200
Kaspersky 7.0.0.125 2007.12.06 not-a-virus:FraudTool.Win32.SpySheriff.f
Microsoft 1.3007 2007.12.06 Program:Win32/SpySheriff
Sophos 4.24.0 2007.12.06 Troj/DrProt-Gen
VirusBuster 4.3.26:9 2007.12.06 Adware.SpySherif.Gen.2
As you can see the detections are poor stay away from all these sites.
Bharath MN
AntiSpy-Pro.com
AntiSpy-Pro.com
This is a new rogue security application which is successor of IE Defender Rogue security application. The AntiSpy-Pro is an exact clone of IE Defender rogue security application.IE Defender has a history of stealthily installing on the user system when they install Zlob codec. So AntiSpy-Pro will be the next Rogue security application that will be advertised through Zlob Trojans.
Snapshot of AntiSpy-Pro Application
The site details:
IP Address: 85.255.121.149
created on 2007-11-15
Name Servers: ns1.antispy-pro.com
ns2.antispy-pro.com
Warning message from the app:
If AntiSpy-Pro stealthily installs on your system then it’s sure that your system is infected by Zlob Trojan.
VirusTotal Scan Result: 3/32 (9.38%)
ClamAV - - Adware.Fakealert-21
Kaspersky - - not-a-virus:FraudTool.Win32.IeDefender.j
VBA32 - - suspected of Backdoor.Delf.180 (paranoid heuristics)
Stay away from this Rogue security application.
Bharath M N
Saturday, December 1, 2007
List of Malicious Domains
List of Malicious Domains
ghktoolkit.com - > Zlob trojan distributing site
zxcsolution.com -> Zlob trojan distributing site
codectime.com -> DNS Changer distributing site
codecvids.com -> Zlob trojan distributing site
217.20.122.32 -> a bunch of malicious files hosted on the site
Detection of the malicious files distributed by these sites are really poor.
Stay away from these sites...
Bharath M N
Tuesday, November 27, 2007
Yet another bunch of Rogue Security applications
Yet another bunch of Rogue Security applications
Currently there are four websites distributing clone of SpySheriff Rogue Security application. All the domains share the same IP address 58.65.238.130
Dr-protection.com
Application Screen Shot of Dr-protection
Guard-center.com
Application Screen Shot of Guard-center
Liveantispy.com
Application Screen Shot of Liveantispy
Online-guard.net
Application Screen Shot of Online-guard
Virus total Scan Results:
AhnLab-V3 2007.11.27.1 2007.11.27 Win-Trojan/Spyshield.51200
Kaspersky 7.0.0.125 2007.11.27 not-a-virus:FraudTool.Win32.SpySheriff.f
VirusBuster 4.3.26:9 2007.11.26 Adware.SpySherif.Gen.2
Detection of these Rogue security applications are poor, Stay away from these sites.
Bharath M N
AhnLab-V3 2007.11.27.1 2007.11.27 Win-Trojan/Spyshield.51200
Kaspersky 7.0.0.125 2007.11.27 not-a-virus:FraudTool.Win32.SpySheriff.f
VirusBuster 4.3.26:9 2007.11.26 Adware.SpySherif.Gen.2
Detection of these Rogue security applications are poor, Stay away from these sites.
Bharath M N
Tuesday, November 20, 2007
Deuscleaneronline.com
Deuscleaneronline.com
Another Rogue Security application which looks similar to Drive Cleaner Application; The site uses the scare scan tactics to scare the user into purchasing the rogue application. The site registrar is ESTDOMAINS and it uses the IP 24.244.171.69 which is used by other malicious sites.
Detection of the Rogue is really poor. Avoid it at all cost...
Bharath M N
Detection of the Rogue is really poor. Avoid it at all cost...
Bharath M N
Monday, November 19, 2007
Another List of Zlob distributing Sites
Another List of Zlob Trojan distributing Sites
Stvfirm.com (85.255.118.179)
Ictmanufacture.com (85.255.113.234)
Ocnservice.com (85.255.115.178)
Xvsenterprise.com (85.255.115.179)
Bsplaycodec.com (64.28.184.180)
Ictmanufacture.com (85.255.113.234)
Ocnservice.com (85.255.115.178)
Xvsenterprise.com (85.255.115.179)
Bsplaycodec.com (64.28.184.180)
Detection of the installer from these sites is poor. Stay away from these sites.
Bharath M N
Bharath M N
Saturday, November 17, 2007
ElseIf.biz
ElseIf.biz
Yet another site that is used to distribute Zlob Trojan; The site main page states that the domain is suspended; but surely is working as an active repository of Trojan files.
Usually the porn sites use the following fake alert to goad the user into downloading the fake video decoder.
Screenshot of the fake Error Message Box
ElseIf.biz uses the IP Address: 85.255.121.148; Detection of the download from this site is really poor. Stay away from malicious porn sites.
Avoid the site and all its downloads…
The website's name reminds me of the collage days where in we coded in C-language :-)
Code:
if(You are sensible not to download and install codec promoted by porn site)
{
Your system is safe and you need not worry about the Zlob Trojan infection
Exit from the porn trap;
}
else if(you install the codec)
{
Welcome to the world of Zlob infected PC's;
The Trojan will make sure to make you have a terrible experience;
Use tool to remove the infection;
Make a promise never to install a codec pushed from a porn site;
Finally exit from the porn trap;
}
else
{
Wait until the bad guys comes up with a new trick to trap you;
goto CODE
}
Isn’t it a funny code :-)
Bharath MN
Wednesday, November 14, 2007
VirProtect.com
VirProtect.com
Yet another Rogue Security application from SpyLocked group of Rogue security application.
VirProtect is the latest entry to the list; This Rogue is currently advertised by the latest Zlob Trojan. The site uses the IP 85.255.119.126 which is also used by virusray.com (Previous rogue security application released from this group)
Screenshot of the application.
Detection of the rogue is poor.
VirusTotal Scan Result: 7/31 (22.59%)
Avast 4.7.1074.0 2007.11.13 Win32:Spycrush-B
BitDefender 7.2 2007.11.13 Adware.SpyLocked.C
Ikarus T3.1.1.12 2007.11.13 Virus.Win32.Spycrush.B
Kaspersky 7.0.0.125 2007.11.13 not-a-virus:FraudTool.Win32.VirusProtectPro.h
Microsoft 1.3007 2007.11.12 Program:Win32/VirusLocker
Rising 20.18.11.00 2007.11.13 Hack.Win32.VirusProtectPro.a
VBA32 3.12.2.4 2007.11.11 Application.Win32.Adware.VirusProtectPro
Avoid it at all cost…
Bharath M N
Sunday, November 11, 2007
ErrorInspector.com
ErrorInspector.com
A hoax site distributing Rogue Security Application; webpage doesn’t provide any link to download the Application. This rogue Security application is also advertised through the Mediaplex(owned by ValueClick).
Screenshot of ads displayed for ErrorInspector by Mediaplex.
This site also uses the IP 84.243.253.220 which is used by many other Sellmosoft Inc Rogue Security Application.Some of the other Rogue security applications that used/uses this IP are:
1. Performanceoptimizer.com
2. Antivirussecuritypro.com
3. Cryptdrive.com
4. Windefender.com
5. ErrorDigger.Com
and many more. Detection on Virustotal is really poor. The application is related to winantivirus(dot)com family of Rogue Security Applications.
Sunbelt CWSandbox Analysis
Avoid it at all cost...
Bharath M N
Another bunch of Zlob Trojan distributing sites
Another bunch of Zlob Trojan distributing sites
Fresh list of sites distributing Zlob Trojans
1. Gneprogram.com (85.255.118.181)
2. Ndcperformance.com (85.255.113.238)
3. Mzdsoftware.com (85.255.113.235)
4. Pkbsolution.com (85.255.118.179)
Avoid download from these sites to keep your system safe.
Bharath M N
Friday, November 9, 2007
ErrorDigger.Com
ErrorDigger.Com
Definitely this Rogue Security Application will dig up a hole in your pocket. The webpage doesn’t provide any link to download the Application. The rogue Security application is advertised through the Mediaplex(owned by ValueClick).
Screenshot of ads displayed for ErrorDigger by Mediaplex .
The site uses the IP 84.243.253.220 which is also used by many other Sellmosoft Inc Rogue Security Application.
Some of the other Rogue security applications that used/uses this IP are:
1. Performanceoptimizer.com
2. Antivirussecuritypro.com
3. Cryptdrive.com
4. Windefender.com
and many more. Detection on Virustotal is really poor.
Avoid it at all cost...
Bharath M N
Sunday, November 4, 2007
AVSystemCare crazily spreading on Internet
AVSystemCare crazily spreading on Internet
AVSystemCare a well know Rogue security application is wildly spreading on the internet. The application was first sited around May 2007.
Screenshot of AVSystemCare application
The application is aggressively advertised by Zlob Trojans. When a System gets infected by a Zlob Trojan you might receive the following warning message or a similar warning message luring /confusing/goading users to purchase any one of the many AVSystemcare clone application.
Fake security alert displayed Zlob trojan
AVSystemcare scammers are busy cloning their website. Currently they have more than 300 cloned website that shares the same IP-ddress.
Below is the complete list of sites:
http://www.flickr.com/photos/39438024@N00/1848774276/
http://www.flickr.com/photos/39438024@N00/1848776720/
http://www.flickr.com/photos/39438024@N00/1848776720/
[EDIT]
New Scam page of AVSystemCare
Avoid all the sites...
Bharath M N
Saturday, November 3, 2007
Fresh Pack of Zlob Trojan distributing sites
Fresh Pack of Zlob Trojan distributing sites
Few new codec sites distributing Zlob trojans.
zsvcompany(dot)com
bcnproduction(dot)com
mojtechnology(dot)com
vaulimited(dot)com
Typically the download form these sites pretends as a video codec\Image codec for viewing porn on-line but instead installs Zlob trojan\DNS changer trojan on the system.
Usually some porn sites display a message stating that you need to download a special codec to view the porn on-line. Once the user accepts to install the codec the Trojan starts performing its dirty task of downloading Adware’s nagging the users with fake security warning messages.
The fake security warning message informs the user that the system is infected and is vulnerable to Trojan attacks luring the user into running a scan or downloading a security application to remove the infection. The application that the Trojan suggests will definitely be rogue security application.
The main cause of the Zlob Trojan is to goad users into purchasing Rogue security application. New rogue security application and Zlob developers deploy new installer and jump domains constantly in order to prevent the anti-spyware \malware \virus application from detecting them.
Till now the scammers are successful in winning the battle against the Security provided by the anti-malware \spyware \virus products.
Be a bit cautious about the thing you are downloading on a porn site. Always prevention is better than cure.
Bharath MN
Typically the download form these sites pretends as a video codec\Image codec for viewing porn on-line but instead installs Zlob trojan\DNS changer trojan on the system.
Usually some porn sites display a message stating that you need to download a special codec to view the porn on-line. Once the user accepts to install the codec the Trojan starts performing its dirty task of downloading Adware’s nagging the users with fake security warning messages.
The fake security warning message informs the user that the system is infected and is vulnerable to Trojan attacks luring the user into running a scan or downloading a security application to remove the infection. The application that the Trojan suggests will definitely be rogue security application.
The main cause of the Zlob Trojan is to goad users into purchasing Rogue security application. New rogue security application and Zlob developers deploy new installer and jump domains constantly in order to prevent the anti-spyware \malware \virus application from detecting them.
Till now the scammers are successful in winning the battle against the Security provided by the anti-malware \spyware \virus products.
Be a bit cautious about the thing you are downloading on a porn site. Always prevention is better than cure.
Bharath MN
Tuesday, October 30, 2007
MessengerBlocker
Messenger-blocker.com
This is a new scam that uses the windows Messenger Service to exploit the users into purchasing the rogue security application.
“The scam popup indicates that your computer is vulnarable to pop-ups, viruses, hackers, crackers, unwanted advertisement, spam, etc.”
This scam is directed to scare the users into purchasing the unwanted application to solve the problem.
CA and Symantec have a detail description about the rogue security application.
Avoid the sites and the application that it promotes.
Bharath M N
End-Ads
End-Ads.com
Funny the website is named End-ads and advertises a well documented rogue security application. So the website does the reverse of its name; After installing the application advertised on this webpage you will definitely start receiving ads stating that your system is infected blah blah...
Currently it is advertising SystemDoctor a well known rogue security application.
Site registration details:
Registrar: GODADDY.COM, INC.
Whois Server: whois.godaddy.com
Referral URL: http://registrar.godaddy.com
Expiration Date: 2008-07-13
Creation Date: 2005-07-13
Last Update Date: 2007-03-18
Different domains that share the same IP are listed below:
Blockmessengerspam.com “clone of end-ads.com”
Blockthesepopups.com
Endmessenger.com
Error-safe.org
Escapeads.com
Fightpopups.net “clone of end-ads.com”
Messenger-blocker.com
Messengerservice.info
Messengersoft.com
Messengerstopper.net “clone of end-ads.com”
Phoenixcitylights.com
Stopmessengerads.com
Stoppornads.com
Systemdoctor2008.com
Winantispyware.org
Winantivirus2007pro.com
Looking into the domain one can easily make out that all the websites are malicious. Most of the websites are actively advertising or redirecting to SystemDoctor.
Avoid all these sites and the application that it promotes.
Bharath M N
Friday, October 5, 2007
Protecthips.com! Does this Protects your System?
Protecthips.com
This is a malicious Website which promotes Rogue Security application.
Usually all the users cannot access this website, the system infected by Zlob Trojan usually come up with website mimicking the online/windows security center luring /confusing/goading users to purchase any one of the Rogue Security application advertised in this website.
The website has a test page looks like windows troubleshooting/windows help page which mimics the troubleshooting steps and then finally ask users to use of the Rogue Security application to displayed in the page to fix the issue that they are facing.
This website promotes the following Rogue Security applications:
WinAntiVirus
AntiSpyGolden
VirusHeal
Menace Rescue
Trojans Filter
Antispyware Suite
Drive Cleaner
System Doctor
AntiWorm 2008
GoldenAntiSpy
The Domain shares its IP with the following websites:
asafetyguide.com
ddgate.com
rhgate.com
safeinformations.com
securitysteps.com
All the above listed sites are phony and distribute Rogue Security application.
Avoid all these sites and the application that it promotes.
Bharath M N
Subscribe to:
Posts (Atom)
