Saturday, April 26, 2008

Saga of IE Defender Family

This group started off with the IE Defender rogue security application, then released AntiSpy-Pro, followed by Files-Secure.

Currently the group is active again, releasing two new rogues: MalwareBell and IE AntiVirus.

Site Name: MalwareBell.com
IP Address: 89.149.227.195

Screenshot of MalwareBell.com site

Screenshot of MalwareBell Application

The MalwareBell installer was scanned; here are the results:

VirusTotal Scan Result: 10/32 (31.25%)

AntiVir 7.8.0.10 2008.04.25 DR/FraudTool.MalwareBell.F
DrWeb 4.44.0.09170 2008.04.26 Trojan.Fakealert.525
Fortinet 3.14.0.0 2008.04.26 Misc/MalwareBell
Ikarus T3.1.1.26 2008.04.26 Downloader.FraudTool.MalwareBell.F
Kaspersky 7.0.0.125 2008.04.26 not-a-virus:FraudTool.Win32.MalwareBell.f
NOD32v2 3057 2008.04.26 Win32/Adware.IeDefender.NDG
Prevx1 V2 2008.04.26 Generic.Malware
Sophos 4.28.0 2008.04.26 Troj/FakeVir-AY
Symantec 10 2008.04.26 MalwareBell
Webwasher-Gateway 6.6.2 2008.04.26 Trojan.Dropper.FraudTool.MalwareBell.F
Site Name: IEAntiVirus.com
IP address: 89.149.227.195
Screenshot of IEAntiVirus.com site

Screenshot of IE AntiVirus Application

The IE AntiVirus installer was scanned; here are the results:

VirusTotal Scan Result: 6/30 (20%)

AntiVir 7.8.0.10 2008.04.25 DR/FraudTool.IeDefender.CJ
Fortinet 3.14.0.0 2008.04.26 Misc/IeDefender
Ikarus T3.1.1.26 2008.04.26 Downloader.FraudTool.IeDefender.CJ
Kaspersky 7.0.0.125 2008.04.26 not-a-virus:FraudTool.Win32.IeDefender.cj
Symantec 10 2008.04.26 MalwareBell
Webwasher-Gateway 6.6.2 2008.04.26 Trojan.Dropper.FraudTool.IeDefender.CJ

The following are the two sites that work as a repository for these rogue applications.

Site Name: MalwareBellAgreement.com
Site Name: IEAntiAVDownload.com
IP Address: 89.149.227.195

Sample URLs:

malwarebellagreement(dot)com/mb.exe
malwarebellagreement(dot)com/ieav.exe
ieantiavdownload(dot)com/ieav.exe
ieantiavdownload(dot)com/mb.exe

The following site also belongs to this group:

Site Name: Verifiedpaymentsolutionsonline.com
IP Address: 89.149.227.195

Screenshot of verifiedpaymentsolutionsonline.com site
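Every domain listed above sits on the same hosting IP, which is the useful pivot for a defender: a proxy log can be checked both for the known domains and for any new domain that resolves to that IP. The script below is an added example, not part of the original post; the log format (timestamp, client, destination host, destination IP, URL) and the log lines themselves are constructed, and the domain newlookalike.com is a hypothetical stand-in for a not-yet-known site on the group's IP.

```python
import re
from collections import defaultdict

# Indicators taken from the post: rogue domains, shared hosting IP, installer names
ROGUE_DOMAINS = {
    "malwarebell.com", "ieantivirus.com", "malwarebellagreement.com",
    "ieantiavdownload.com", "verifiedpaymentsolutionsonline.com",
}
SHARED_IP = "89.149.227.195"
PAYLOADS = {"mb.exe", "ieav.exe"}

# Constructed proxy log lines in a hypothetical format:
# timestamp client dest_host dest_ip url
SAMPLE_LOG = """\
2008-04-26T10:01:02 10.0.0.5 www.example.com 93.184.216.34 http://www.example.com/
2008-04-26T10:02:11 10.0.0.5 ieantiavdownload.com 89.149.227.195 http://ieantiavdownload.com/ieav.exe
2008-04-26T10:03:40 10.0.0.7 newlookalike.com 89.149.227.195 http://newlookalike.com/index.html
2008-04-26T10:04:55 10.0.0.9 malwarebell.com 89.149.227.195 http://malwarebell.com/
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def classify(line):
    """Return the reasons a log line is suspicious; an empty list means clean."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    _ts, _client, host, ip, url = m.groups()
    host = host.lower()
    reasons = []
    if host in ROGUE_DOMAINS:
        reasons.append("known rogue domain")
    elif ip == SHARED_IP:
        # Infrastructure pivot: an unlisted domain hosted on the group's IP
        reasons.append("unknown domain on shared rogue IP")
    # Only flag the installer names when the host itself is suspicious
    if reasons and url.rsplit("/", 1)[-1].lower() in PAYLOADS:
        reasons.append("rogue installer download")
    return reasons


def scan(log_text):
    """Map each client address to its suspicious (host, reasons) entries."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        reasons = classify(line)
        if reasons:
            fields = line.split()
            hits[fields[1]].append((fields[2].lower(), reasons))
    return dict(hits)
```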
Stay away from all these sites.

Bharath M N