Week End Updates
New Member of SpywareNo/SpySheriff Family
AntiVirProtect is a new rogue security application from the SpywareNo/SpySheriff family. The application is installed on the user's system through various Trojan horse programs and other dubious means.
Site Name: AntiVirProtect.com
IP Address: 69.50.190.14
Registrar: ESTDOMAINS, INC.
Screenshot of site AntiVirProtect.com
Once you install the AntiVirProtect trial version on the system, the application mimics a system scan and reports a large number of imaginary spyware infections. It then offers to sell the user the full version to remove the reported risks.
The scammers are simply changing the file, application and site names to push this rogue security application. They do this to avoid detection by security applications.
Screenshot of AntiVirProtect application
The installer from the site was scanned and here are the results:
VirusTotal Scan Result: 7/32 (21.88%)
Avast 4.8.1169.0 2008.04.13 Win32:FraudLoad-P
AVG 7.5.0.516 2008.04.12 Downloader.Webinstall.B
DrWeb 4.44.0.09170 2008.04.13 Adware.Spysheriff
Ikarus T3.1.1.26.0 2008.04.13 Virus.Win32.FraudLoad.P
Kaspersky 7.0.0.125 2008.04.13 not-a-virus:FraudTool.Win32.SpySheriff.ad
NOD32v2 3021 2008.04.12 a variant of Win32/Adware.SpySheriff
Prevx1 V2 2008.04.13 AntiSpywareShield:Spyware-a
VipAntiSpyware
VipAntiSpyware is a new rogue security application installed on the user's system through dubious means.
Site Name: Vipantispyware.com
IP Address: 217.150.254.4
Registrar: ESTDOMAINS, INC.
Screenshot of site Vipantispyware.com
Once you install the VipAntiSpyware trial version on the system, the application mimics a system scan and reports a large number of imaginary spyware infections. It then offers to sell the user the full version to remove the reported risks.
The rogue also uses the following scam site to trick users into downloading or purchasing this rogue security application.
Site Name: Vipantiscanner.com
IP Address: 217.150.254.4
Registrar: ESTDOMAINS, INC.
Screenshot of Fake/Scare Scan Page Vipantiscanner.com
Screenshot of VipAntiSpyware Application
The installer from the site was scanned and here are the results:
VirusTotal Scan Result: 5/32 (15.63%)
CAT-QuickHeal 9.50 2008.04.12 FraudTool.SpywareIsolator.a (Not a Virus)
Ewido 4.0 2008.04.13 Not-A-Virus.PUP.SpywareIsolator
Ikarus T3.1.1.26.0 2008.04.13 not-a-virus:.FraudTool.Win32.SpywareIsolator.a
Kaspersky 7.0.0.125 2008.04.13 not-a-virus:FraudTool.Win32.SpywareIsolator.a
Prevx1 V2 2008.04.13 SpywareIsolator:Spyware-a
As you can see, detection of these rogues is poor. Stay away from these rogue-distributing sites.
Bharath MN